Hi,
I'm trying to develop a solution for LDAP authentication in SER, but i have a question. With digest HTTP authentication (RFC 2617) the SIP server doesn't have the plain password, it has a hash of user:realm:password (H(A1)). How could a sip server authenticate the users using a standard LDAP database with this information?
Somebody knows a solution for this?
My ideas are to use HTTP basic authentication (not standard with SIP) or store H(A1) in LDAP (not standard in LDAP, you need to modify the stored information). I think both are bad solutions.
Thank you very much.
G.
On Sunday 22 February 2004 00:28, GUSTAVO GARCIA BERNARDO wrote:
I'm trying to develop a solution for LDAP authentication in SER, but i have a question. With digest HTTP authentication (RFC 2617) the SIP server doesn't have the plain password, it has a hash of user:realm:password (H(A1)). How could a sip server authenticate the users using a standard
How do you came to this conclusion? E.g. by default SER stores the plain text password and H(A1) in its database.
LDAP database with this information?
Somebody knows a solution for this?
My ideas are to use HTTP basic authentication (not standard with SIP) or
Basic authentication is absolutely insecure! And basic authentication is not allowed according to RFC3261. You will (hopefully) not find any SIP UA which supports basic authentication.
store H(A1) in LDAP (not standard in LDAP, you need to modify the stored information). I think both are bad solutions.
Store the plain text password or H(A1) in LDAP, whatever you prefer. It is easy to generate H(A1) from a given plain text password.
Greetings NO
The best solution would be to have the LDAP server do the authentication for you. You just get the digest credentials from the message, send them to the LDAP server and the LDAP server will tell you if the user is authenticated or not. That's how radius authentication works in ser, for example.
The question is if there is any LDAP implementation that can do this (I am not aware of any such).
Alternatively you can store HA1 in the LDAP server, fetch the string from the LDAP server and do the authentication in ser. Note that HA1 string is not stronger than plaintext password.
Jan.
On 22-02 00:28, GUSTAVO GARCIA BERNARDO wrote:
Hi,
I'm trying to develop a solution for LDAP authentication in SER, but i have a question. With digest HTTP authentication (RFC 2617) the SIP server doesn't have the plain password, it has a hash of user:realm:password (H(A1)). How could a sip server authenticate the users using a standard LDAP database with this information?
Somebody knows a solution for this?
My ideas are to use HTTP basic authentication (not standard with SIP) or store H(A1) in LDAP (not standard in LDAP, you need to modify the stored information). I think both are bad solutions.
Thank you very much.
G.
Serusers mailing list serusers@lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers
-
GUSTAVO GARCIA BERNARDO -
Jan Janak -
Nils Ohlmeier