[OpenSIPS-Users] LDAP Authentication

Bogdan-Andrei Iancu bogdan at voice-system.ro
Fri Jun 19 09:25:16 CEST 2009


Alan,

Could you post the part of the script taking care of the REGISTRATION
part, just for double checking?

Also, for the password...does not look ok - not sure how that value is
computed, but please check the Digest Auth RFC to see the definition of
HA1.

Regards,
Bogdan



Alan Rubin wrote:
> (reposting to fit the list size limits)
>
> Bogdan,
>
> 2) I removed the "!" from the REGISTER section.  This seems to have at
> least pushed me on to the next stage of actually doing an LDAP query:
>
> Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
> DBG:ldap:ldap_url_search: LDAP URL parsed into session_name
> [sipaccounts], base [o=ntg], scope [2], filter
> [(&(cn=oh5)(departmentNumber=66)(ntguserstatus=Active))]
> Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
> DBG:ldap:lds_search: [sipaccounts]: performing LDAP search: dn [o=ntg],
> scope [2], filter
> [(&(cn=oh5)(departmentNumber=66)(ntguserstatus=Active))], client_timeout
> [5000000] usecs
> Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
> DBG:ldap:ldap_params_search: [sipaccounts]: [1] LDAP entries found
> Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
> DBG:auth:check_nonce: comparing
> [4a3ae9d000000001b43a57f1ad95192b98ace5030eb50d1a] and
> [4a3ae9d000000001b43a57f1ad95192b98ace5030eb50d1a]
> Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
> DBG:auth:reserve_nonce_index: second= 12, sec_monit= -1,  index= 2
> Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
> DBG:auth:build_auth_hf: nonce index= 2
> Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
> DBG:auth:build_auth_hf: 'Proxy-Authenticate: Digest
> realm="155.205.69.126",
> nonce="4a3ae9d000000002c65c88df6909b9e945bdbaaa5e495b3a"  '
> Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
> DBG:core:parse_headers: flags=ffffffffffffffff
> Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
> DBG:core:check_via_address: params 155.205.26.124, 155.205.26.124, 0
> Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
> DBG:core:destroy_avp_list: destroying list (nil)
> Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
> DBG:core:receive_msg: cleaning up
> ...
>
> Still failing, but this time it is code 407: Proxy Authentication
> Required.  Getting closer?
>
> 1) Perhaps I mean "encoded" and am just using the wrong term.  An
> example return from our LDAP search:
>  userPassword: {SSHA}twmolvRuvt11fr4GVJOxIasfcGi6yci9LIEfaUQ==
>
> Regards,
>
> Alan Rubin
>  
> -----Original Message-----
> From: Bogdan-Andrei Iancu [mailto:bogdan at voice-system.ro] 
> Sent: Friday, 19 June 2009 10:52 AM
> To: Alan Rubin
> Cc: users at lists.opensips.org
> Subject: Re: [OpenSIPS-Users] LDAP Authentication
>
> Alan,
>
> 2 points:
>
> 1) What do you mean by "encrypted"? The module supports only ha1 encoded 
> passwords.
>
> 2) I see you deal with a REGISTER request, but in your script you 
> changed the auth (from DB to LDAP) only for INVITES - check in the 
> script the second auth block (for REGISTERS) and change it in the same 
> time as we did for the INVITEs.
>
> Regards,
> Bogdan
>
> Alan Rubin wrote:
>> Bogdan,
>>
>> Thanks for your help.  I reset the configuration for calculate_ha1 to 0
>> (it was set to 1), but I am still getting a "401 - Unauthorized" error.
>> The password returning from the LDAP server should be an encrypted
>> string.
>>
>> # ----- auth_db params -----
>> /* uncomment the following lines if you want to enable the DB based
>>    authentication */
>> #modparam("auth_db", "calculate_ha1", yes)
>> #modparam("auth_db", "password_column", "password")
>> #modparam("auth_db", "db_url",
>> #       "mysql://opensips:<redacted>@localhost/opensips")
>> #modparam("auth_db", "load_credentials", "")
>>
>> # ------ auth params -----
>> #modparam("auth", "username_spec", "$var(username)")
>> #modparam("auth", "password_spec", "$avp(s:password)")
>> modparam("auth", "nonce_expire",  30)
>> modparam("auth", "secret", "<redacted>")
>> modparam("auth", "disable_nonce_check", 0)
>> modparam("auth", "username_spec", "$var(username)")
>> modparam("auth", "password_spec", "$avp(s:password)")
>> modparam("auth", "calculate_ha1", 0)
>>
>> Here are the relevant logs from the connection (I think):
>>
>>
>>     
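Bogdan's pointer to the RFC definition of HA1 is the crux of the thread: the auth module needs either the cleartext password or HA1, and an {SSHA} userPassword from LDAP is neither. The block below is an added Python illustration, not code from the thread or from OpenSIPS; the realm, nonce and username oh5 are taken from the quoted log lines, while the password and salt are constructed.

```python
import base64
import hashlib
import hmac

# Realm and nonce come from the Proxy-Authenticate line in the quoted log;
# the username "oh5" is the cn in the quoted LDAP filter.
REALM = "155.205.69.126"
NONCE = "4a3ae9d000000002c65c88df6909b9e945bdbaaa5e495b3a"

def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def ha1(username: str, realm: str, password: str) -> str:
    """RFC 2617 HA1 = MD5(username:realm:password): the form the auth module
    expects in password_spec when calculate_ha1 is 0. It is derived from the
    cleartext and is password-equivalent for this realm, so guard it as one."""
    return md5hex(f"{username}:{realm}:{password}")

def digest_response(ha1_hex, method, uri, nonce, qop=None, nc=None, cnonce=None):
    """Client response: MD5(HA1:nonce:HA2) or, with qop=auth,
    MD5(HA1:nonce:nc:cnonce:qop:HA2), where HA2 = MD5(method:uri)."""
    ha2 = md5hex(f"{method}:{uri}")
    if qop is None:
        return md5hex(f"{ha1_hex}:{nonce}:{ha2}")
    return md5hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def verify_digest(stored_ha1, method, uri, nonce, client_response, **kw):
    """Server side: recompute from the stored HA1, compare in constant time."""
    expected = digest_response(stored_ha1, method, uri, nonce, **kw)
    return hmac.compare_digest(expected, client_response)

def ssha_verify(stored: str, candidate: str) -> bool:
    """Check an OpenLDAP {SSHA} value, base64(SHA1(pw + salt) + salt). It needs the
    cleartext candidate; no HA1 can be derived from it, so it cannot serve Digest auth."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(candidate.encode() + salt).digest(), digest)

def ssha_encode(password: str, salt: bytes) -> str:
    """Build an {SSHA} value (constructed here only to exercise ssha_verify)."""
    raw = hashlib.sha1(password.encode() + salt).digest() + salt
    return "{SSHA}" + base64.b64encode(raw).decode()

if __name__ == "__main__":
    h = ha1("oh5", REALM, "hypothetical-password")  # constructed password
    resp = digest_response(h, "REGISTER", "sip:" + REALM, NONCE)
    print("digest ok:", verify_digest(h, "REGISTER", "sip:" + REALM, NONCE, resp))
    print("ssha ok:", ssha_verify(ssha_encode("hypothetical-password", b"salt"), "hypothetical-password"))
```

The RFC 2617 example vector (user Mufasa, realm testrealm@host.com) reproduces with these functions, which is a quick way to confirm a provisioning script computes HA1 the way the auth module expects.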