22 Feb
2004
22 Feb
'04
1:28 a.m.
Hi,
I'm trying to develop a solution for LDAP authentication in SER, but i have a
question. With digest HTTP authentication (RFC 2617) the SIP server doesn't have the
plain password, it has a hash of user:realm:password (H(A1)). How could a sip server
authenticate the users using a standard LDAP database with this information?
Somebody knows a solution for this?
My ideas are to use HTTP basic authentication (not standard with SIP) or store H(A1) in
LDAP (not standard in LDAP, you need to modify the stored information). I think both are
bad solutions.
Thank you very much.
G.
22 Feb
22 Feb
1:53 a.m.
On Sunday 22 February 2004 00:28, GUSTAVO GARCIA BERNARDO wrote:
I'm trying to develop a solution for LDAP
authentication in SER, but i have
a question. With digest HTTP authentication (RFC 2617) the SIP server
doesn't have the plain password, it has a hash of user:realm:password
(H(A1)). How could a sip server authenticate the users using a standard
How do you came to this conclusion? E.g. by default SER stores the plain text
password and H(A1) in its database.
LDAP database with this information?
Somebody knows a solution for this?
My ideas are to use HTTP basic authentication (not standard with SIP) or
Basic authentication is absolutely insecure! And basic authentication is not
allowed according to RFC3261. You will (hopefully) not find any SIP UA which
supports basic authentication.
store H(A1) in LDAP (not standard in LDAP, you need to
modify the stored
information). I think both are bad solutions.
Store the plain text password or H(A1) in LDAP, whatever you prefer. It is
easy to generate H(A1) from a given plain text password.
Greetings
NO
23 Feb
23 Feb
11:59 a.m.
The best solution would be to have the LDAP server do the authentication
for you. You just get the digest credentials from the message, send them
to the LDAP server and the LDAP server will tell you if the user is
authenticated or not. That's how radius authentication works in ser, for
example.
The question is if there is any LDAP implementation that can do this (I
am not aware of any such).
Alternatively you can store HA1 in the LDAP server, fetch the string
from the LDAP server and do the authentication in ser. Note that HA1
string is not stronger than plaintext password.
Jan.
On 22-02 00:28, GUSTAVO GARCIA BERNARDO wrote:
Hi,
I'm trying to develop a solution for LDAP authentication in SER, but i have a
question. With digest HTTP authentication (RFC 2617) the SIP server doesn't have the
plain password, it has a hash of user:realm:password (H(A1)). How could a sip server
authenticate the users using a standard LDAP database with this information?
Somebody knows a solution for this?
My ideas are to use HTTP basic authentication (not standard with SIP) or store H(A1) in
LDAP (not standard in LDAP, you need to modify the stored information). I think both are
bad solutions.
Thank you very much.
G.
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers
7579
days inactive
7581
days old
2 comments
3 participants
participants (3)
-
GUSTAVO GARCIA BERNARDO -
Jan Janak -
Nils Ohlmeier