[OpenSIPS-Users] LDAP Authentication

Gavin Henry gavin.henry at gmail.com
Sat Jul 4 01:20:23 CEST 2009


You can easily get >300 auth binds per second with LDAP, depending on the type
of auth, and >15k indexed searches per second.

On 03/07/2009, Bogdan-Andrei Iancu <bogdan at voice-system.ro> wrote:
>
> But Alan, you will need to re-bind each time you do an Authentication.
> So, even on a system with 1000 online subscribers, registering each 30
> minutes and making a call each 3 hours, means 1000 * 53 = 53000 binds
> per day -> 36 binds per minute.
>
> Regards,
> Bogdan
>
> Alan Rubin wrote:
>> Bogdan,
>>
>> If one request equals one user authentication/registration, then I don't
>> think it would hit 1000 binds per week (small environment).  If it has
>> to bind each time a packet is sent, then that is pretty inefficient.
>>
>> Regards,
>>
>> Alan Rubin
>>
>> -----Original Message-----
>> From: Bogdan-Andrei Iancu [mailto:bogdan at voice-system.ro]
>> Sent: Thursday, 2 July 2009 12:34 AM
>> To: Alan Rubin
>> Cc: users at lists.opensips.org
>> Subject: Re: [OpenSIPS-Users] LDAP Authentication
>>
>> Hi Alan,
>>
>> Got your point! Theoretically, dynamic ldap binding can be done, but the
>> question is how efficient it will be (to bind for each auth)... Think that
>> you may process thousands of requests per second!
>>
>> Wouldn't it be more reasonable to import the data into mysql?
>>
>> Regards,
>> Bogdan
>>
>> Alan Rubin wrote:
>>
>>> Bogdan,
>>>
>>> I'm not an LDAP expert either, but I will try to explain the scenario
>>> better.  As you said, the LDAP bind is static - done once in the
>>> beginning and sourced from the ldap.cfg file.  Unfortunately, we have a
>>> filter on our LDAP server that prevents ordinary users from seeing the
>>> password field in the LDAP entry.  The way we verify authentication in
>>> our environment is by dynamically substituting the LDAP bind DN with the
>>> client's uid (and password) and making a simple LDAP query using that
>>> uid.  If that bind is successful, then we know that the password is
>>> correct.  It doesn't seem like there is any way to configure opensips in
>>> that manner.
>>>
>>> The aim, with LDAP, was to have a single-signon environment for our LAN
>>> and SIP accounts.  This doesn't seem possible, unless you or anyone else
>>> on the list has any further suggestions.  We could use kerberos/AD
>>> authentication from the client if that is a possibility.
>>>
>>> Regards,
>>>
>>>
>>> Alan Rubin
>>>
>>> -----Original Message-----
>>> From: Bogdan-Andrei Iancu [mailto:bogdan at voice-system.ro]
>>> Sent: Monday, 29 June 2009 10:13 PM
>>> To: Alan Rubin
>>> Cc: users at lists.opensips.org
>>> Subject: Re: [OpenSIPS-Users] LDAP Authentication
>>>
>>> Hi Alan,
>>>
>>> I'm not enough of an LDAP expert to get into details about how ldap should be
>>> configured or so... What I can tell is that the bind is static (only
>>> done once at the beginning and that's it)... Can you send me a link or
>>> something to read more about what this dynamic bind means in LDAP?
>>>
>>> Thanks and regards,
>>> Bogdan
>>>
>>> Alan Rubin wrote:
>>>
>>>
>>>> Bogdan,
>>>>
>>>> Apparently the email administrator had a regex on the SMTP gateway to
>>>> reject messages with pass (and) word (combined) because of previous
>>>> users succumbing to phishing exercises.  It may work now, but I will
>>>> continue to check the archives. Oh well.
>>>>
>>>> Regarding:
>>>> "Now, going to the actual issue, the problem is related to password -
>>>> about how the client and server (ldap) are keeping the password - do
>>>> they both keep it same format (like plain text) ?
>>>>
>>>> Regards,
>>>> Bogdan"
>>>>
>>>> I think I've figured out the issue, although I don't believe there is a
>>>> solution.  Hopefully you can verify, either way.
>>>>
>>>> The bind user in the ldap.cfg file does not have the privilege to
>>>> retrieve the pass  word field from our LDAP directory.  The only way our
>>>> LDAP setup is supposed to work is by binding using the
>>>> user-to-be-authenticated directly with the LDAP directory server.  It is
>>>> my understanding, and this is where you can verify or correct me, that
>>>> opensips and the LDAP module can not change the bind user dynamically.
>>
>>>> Regards,
>>>>
>>>> Alan Rubin
>>>>
>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>

-- 
Sent from my mobile device

http://www.suretecsystems.com/services/openldap/
http://www.suretectelecom.com
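The point underneath this thread is that SIP digest authentication (RFC 3261, using the RFC 2617 MD5 scheme) never gives the proxy the cleartext password: the client sends only a hash, so the proxy can verify it only if it can read the stored password or its HA1 hash from the directory, which is exactly the attribute Alan's static bind user is not allowed to see. A bind-as-user check cannot be substituted, because the proxy has no password to bind with. The following is an added example, not code from the thread or from OpenSIPS; the directory dict, realm, user names and nonces are constructed stand-ins.

```python
import hashlib
import hmac


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def sip_ha1(username: str, realm: str, password: str) -> str:
    """HA1 as defined by RFC 2617; this is what a directory can store instead of the password."""
    return _md5(f"{username}:{realm}:{password}")


def sip_digest_response(ha1: str, method: str, uri: str, nonce: str,
                        nc: str = "00000001", cnonce: str = "", qop: str = "auth") -> str:
    """The 'response' value the client puts in its Authorization header.
    Only HA1 is needed, never the cleartext password."""
    ha2 = _md5(f"{method}:{uri}")
    if qop:
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


# Constructed stand-in for what the proxy's static bind user can read from LDAP.
# 'alice' exposes an HA1 attribute; 'bob' is the situation from the thread: the
# bind user lacks the privilege to read the password/HA1 attribute at all.
DIRECTORY = {
    "alice": {"sipHA1": sip_ha1("alice", "example.com", "correct horse")},
    "bob": {},
}


def proxy_verify(username: str, method: str, uri: str, nonce: str,
                 nc: str, cnonce: str, qop: str, response: str):
    """Proxy-side check of a digest response. Returns (verified, reason)."""
    entry = DIRECTORY.get(username)
    if entry is None:
        return False, "unknown user"
    stored_ha1 = entry.get("sipHA1")
    if stored_ha1 is None:
        # Without the secret there is nothing to compare the client's hash against;
        # a successful bind-as-user elsewhere would not help, the proxy has no password.
        return False, "password/HA1 attribute not readable by bind user"
    expected = sip_digest_response(stored_ha1, method, uri, nonce, nc, cnonce, qop)
    # Constant-time comparison so timing does not leak how many hex digits matched.
    return hmac.compare_digest(expected, response), "digest compared"
```

Hashing HA1 still makes the stored attribute as sensitive as the password for SIP purposes, since anyone who reads it can compute valid responses, so the directory ACL that hides it from ordinary users is doing real work.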
