[OpenSIPS-Users] Dynamic Binding on ldap module

Bogdan-Andrei Iancu bogdan at voice-system.ro
Thu Sep 24 13:15:40 CEST 2009


Juan Jose Lopez Juarez wrote:
> At the moment in order to authenticate ussing an ldap server this is
> what happen..
>
> CLIENT send crecentials to the opensips server.
> Opensips get credentials. In order to match the username/password it
> connect to the ldap server (ussing no auth) and run a query for
> username and password.
>
> Try to match the values provided by the client with the one retrieved
> from the ldap. (either md5 or plain text) .. and if they match the
> user is validated.
>
> This means that the password field have to be available thought a
> query (which is not the case always) .. you need an ldap account with
> high privileges to do this.
>   
right - this part was clear :)
> What you can do to avoid getting that field is this.
>
> Client send the credentials to the opensips server.
> Opensips get crecentials and try to conect to the ldap, but in stead
> of ussing no authentication it trys to bind itself to the ldap. This
> will require the opensips server to use authentication against the
> ldap. the authentication credentials are the same as the one provide
> by the client.
> If the bind with the ldap is successful means the the username /
> password are ok, so the user is validated. If not, validation is not
> correct.
>   

So, opensips is getting (via SIP) from the UAC the credentials, which 
means opensips has the realm, uri, nonce, ... and the response , 
according to Digest auth.

Now, you are saying that opensips can use the credentials (that were 
sent via SIP) to login bind against LDAP - it is a way to perform kind 
of binding (and auth) against a LDAP server by using DIGEST mechanism 
(as from SIP side, opensips has only the DIGEST info) ?

Regards,
Bogdan

> With this way there is no needed for keeping the password available
> thought the ldapsearch query, which in some cases / scenarios this is
> not available.
>
>
> 2009/9/24 Bogdan-Andrei Iancu <bogdan at voice-system.ro>:
>   
>> Hi Juan,
>>
>> Actually we are trying to figure it out as none of the guys from our
>> team is an LDAP expert.
>>
>> So, from LDAP interaction point of view, if you could describe how the
>> "dynamic binding" should work, we could move on with it.
>>
>> Thanks and regards,
>> Bogdan
>>
>> Juan Jose Lopez Juarez wrote:
>>     
>>> Anywhere I can read about how the functionality is going to look like.
>>> I'm really looking forward testing it.
>>>
>>> 2009/9/15 Bogdan-Andrei Iancu <bogdan at voice-system.ro>:
>>>
>>>       
>>>> Hi Juan,
>>>>
>>>> There is somebody working on that, hopefully will be ready before the
>>>> svn freeze (on Thursaday).
>>>>
>>>> Regards,
>>>> Bogdan
>>>>
>>>> Juan Jose Lopez Juarez wrote:
>>>>
>>>>         
>>>>> Hi.
>>>>>
>>>>> I'm trying to authenticate using dynamic bind to the ldap.
>>>>>
>>>>> I've seen that the feature it is been requested on:
>>>>>
>>>>> http://sourceforge.net/tracker/?func=detail&atid=1086413&aid=2822174&group_id=232389
>>>>>
>>>>> But it doesn't seem to have any progress.
>>>>>
>>>>> Any idea if this functionality is going to be implemented?
>>>>>
>>>>>
>>>>>
>>>>>           
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users at lists.opensips.org
>>>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>>>
>>>>
>>>>         
>>>
>>>
>>>       
>> _______________________________________________
>> Users mailing list
>> Users at lists.opensips.org
>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>
>>     
>
>
>
>   




More information about the Users mailing list