[OpenSIPS-Users] LDAP Authentication

Gavin Henry gavin.henry at gmail.com
Thu Jul 2 10:17:32 CEST 2009


Depends if a select would be faster than an LDAP bind.

Probably OpenLDAP would be faster and you have much more to gain by
having it centrally in OpenLDAP (replication, standards based
access etc.)

Gavin.

On 01/07/2009, Bogdan-Andrei Iancu <bogdan at voice-system.ro> wrote:
> Hi Alan,
>
> Got your point! Theoretically, dynamic ldap binding can be done, but the
> question is how efficient it will be (to bind for each auth)..Think that
> you may process thousands of requests per second!
>
> Wouldn't it be more reasonable to import the data into mysql?
>
> Regards,
> Bogdan
>
> Alan Rubin wrote:
>> Bogdan,
>>
>> I'm not an LDAP expert either, but I will try to explain the scenario
>> better.  As you said, the LDAP bind is static - done once in the
>> beginning and sourced from the ldap.cfg file.  Unfortunately, we have a
>> filter on our LDAP server that prevents ordinary users from seeing the
>> password field in the LDAP entry.  The way we verify authentication in
>> our environment is by dynamically substituting the LDAP bind DN with the
>> client's uid (and password) and making a simple LDAP query using that
>> uid.  If that bind is successful, then we know that the password is
>> correct.  It doesn't seem like there is any way to configure opensips in
>> that manner.
>>
>> The aim, with LDAP, was to have a single-signon environment for our LAN
>> and SIP accounts.  This doesn't seem possible, unless you or anyone else
>> on the list has any further suggestions.  We could use kerberos/AD
>> authentication from the client if that is a possibility.
>>
>> Regards,
>>
>>
>> Alan Rubin
>>
>> -----Original Message-----
>> From: Bogdan-Andrei Iancu [mailto:bogdan at voice-system.ro]
>> Sent: Monday, 29 June 2009 10:13 PM
>> To: Alan Rubin
>> Cc: users at lists.opensips.org
>> Subject: Re: [OpenSIPS-Users] LDAP Authentication
>>
>> Hi Alan,
>>
>> I'm not an LDAP expert to get into details about how ldap should be
>> configured or so....What I can tell is that the bind is static (only
>> once done at the beginning and that's it)....Can you send me a link or
>> something to read more about what this dynamic bind means in LDAP ?
>>
>> Thanks and regards,
>> Bogdan
>>
>> Alan Rubin wrote:
>>
>>> Bogdan,
>>>
>>> Apparently the email administrator had a regex on the SMTP gateway to
>>> reject messages with pass (and) word (combined) because of previous
>>> users succumbing to phishing exercises.  It may work now, but I will
>>> continue to check the archives. Oh well.
>>>
>>> Regarding:
>>> "Now, going to the actual issue, the problem is related to password -
>>> about how the client and server (ldap) are keeping the password - do
>>> they both keep it same format (like plain text) ?
>>>
>>> Regards,
>>> Bogdan"
>>>
>>> I think I've figured out the issue, although I don't believe there is a
>>> solution.  Hopefully you can verify, either way.
>>>
>>> The bind user in the ldap.cfg file does not have the privilege to
>>> retrieve the pass  word field from our LDAP directory.  The only way our
>>> LDAP setup is supposed to work is by binding using the
>>> user-to-be-authenticated directly with the LDAP directory server.  It is
>>> my understanding, and this is where you can verify or correct me, that
>>> opensips and the LDAP module can not change the bind user dynamically.
>>>
>>> Regards,
>>>
>>> Alan Rubin
>>>

-- 
Sent from my mobile device

http://www.suretecsystems.com/services/openldap/
http://www.suretectelecom.com
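The bind-as-user check Alan describes (substitute the client's DN and password into the bind; a successful bind proves the password without ever reading the password attribute), combined with a short cache of successful binds to address the per-request cost Bogdan raises, written as an added example that is not part of this thread and not OpenSIPS or OpenLDAP code. The directory, the `ldap_simple_bind` stand-in, the `ou=people,dc=example,dc=com` base and the `BindAuthenticator` class are constructed for the example; a real deployment would perform the bind through python-ldap or ldap3.

```python
import hashlib
import hmac
import os
import time
# Constructed stand-in for the LDAP directory: bind DN -> password. In a real
# deployment ldap_simple_bind() would be a simple bind via python-ldap or ldap3.
FAKE_DIRECTORY = {"uid=alan,ou=people,dc=example,dc=com": "s3cret"}
def ldap_simple_bind(dn, password):
    """Bind as the user: True iff the directory accepts the credential.
    Nothing here reads userPassword; the successful bind is the proof."""
    stored = FAKE_DIRECTORY.get(dn)
    return stored is not None and hmac.compare_digest(
        stored.encode(), password.encode())

def dn_for_uid(uid, base="ou=people,dc=example,dc=com"):
    """Build the bind DN from a SIP username, escaping RFC 4514 special
    characters so an attacker-chosen uid cannot change the DN's structure."""
    esc = "".join("\\" + c if c in ',+"\\<>;' else c for c in uid)
    if esc[:1] in ("#", " "):
        esc = "\\" + esc
    if esc.endswith(" "):
        esc = esc[:-1] + "\\ "
    return f"uid={esc},{base}"

class BindAuthenticator:
    """Bind-as-user authentication with a short TTL cache of successful binds,
    so a client re-registering every few seconds does not cost a fresh bind."""

    def __init__(self, bind, ttl=30.0, clock=time.monotonic):
        self.bind, self.ttl, self.clock = bind, ttl, clock
        self.key = os.urandom(32)   # per-process secret for cache keys
        self.cache = {}             # HMAC(dn, password) -> expiry time
        self.binds = 0              # real binds performed (visible to tests)

    def _key(self, dn, password):
        # Keyed hash of the credential: no plaintext password stays in memory
        # after the bind returns, and a dumped cache is useless to an attacker.
        msg = dn.encode() + b"\0" + password.encode()
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def authenticate(self, dn, password):
        now, k = self.clock(), self._key(dn, password)
        if self.cache.get(k, 0) > now:
            return True                 # recently verified, skip the bind
        self.binds += 1
        if not self.bind(dn, password):
            return False                # failures are never cached
        self.cache[k] = now + self.ttl
        return True
```

Failed binds are deliberately not cached, so an account lockout or password change on the directory takes effect on the next request; only the TTL bounds how long a revoked password keeps working.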
