[OpenSIPS-Users] LDAP Authentication

Bogdan-Andrei Iancu bogdan at voice-system.ro
Fri Jul 3 13:15:34 CEST 2009


But Alan, you will need to re-bind each time you do an Authentication. 
So, even on a system with 1000 online subscribers, registering each 30 
minutes and making a call each 3 hours, means 1000 * 53 = 53000 binds 
per day -> 36 binds per minute.

Regards,
Bogdan

Alan Rubin wrote:
> Bogdan,
>
> If one request equals one user authentication/registration, then I don't
> think it would hit 1000 binds per week (small environment).  If it has
> to bind each time a packet is sent, then that is pretty inefficient.
>
> Regards,
>
> Alan Rubin
>  
> -----Original Message-----
> From: Bogdan-Andrei Iancu [mailto:bogdan at voice-system.ro] 
> Sent: Thursday, 2 July 2009 12:34 AM
> To: Alan Rubin
> Cc: users at lists.opensips.org
> Subject: Re: [OpenSIPS-Users] LDAP Authentication
>
> Hi Alan,
>
> Got your point! Theoretically, dynamic ldap binding can be done, but the
> question is how efficient it will be (to bind for each auth)... Think that 
> you may process thousands of requests per second!
>
> Wouldn't be more reasonable to import the data into mysql?
>
> Regards,
> Bogdan
>
> Alan Rubin wrote:
>
>> Bogdan,
>>
>> I'm not an LDAP expert either, but I will try to explain the scenario
>> better.  As you said, the LDAP bind is static - done once in the
>> beginning and sourced from the ldap.cfg file.  Unfortunately, we have a
>> filter on our LDAP server that prevents ordinary users from seeing the
>> password field in the LDAP entry.  The way we verify authentication in
>> our environment is by dynamically substituting the LDAP bind DN with the
>> client's uid (and password) and making a simple LDAP query using that
>> uid.  If that bind is successful, then we know that the password is
>> correct.  It doesn't seem like there is any way to configure opensips in
>> that manner.
>>
>> The aim, with LDAP, was to have a single-signon environment for our LAN
>> and SIP accounts.  This doesn't seem possible, unless you or anyone else
>> on the list has any further suggestions.  We could use kerberos/AD
>> authentication from the client if that is a possibility.
>>
>> Regards,  
>>
>>
>> Alan Rubin
>>  
>> -----Original Message-----
>> From: Bogdan-Andrei Iancu [mailto:bogdan at voice-system.ro] 
>> Sent: Monday, 29 June 2009 10:13 PM
>> To: Alan Rubin
>> Cc: users at lists.opensips.org
>> Subject: Re: [OpenSIPS-Users] LDAP Authentication
>>
>> Hi Alan,
>>
>> I'm not an LDAP expert to get into details about how ldap should be 
>> configured or so.... What I can tell is that the bind is static (only 
>> once done at the beginning and that's it).... Can you send me a link or 
>> something to read more about what this dynamic bind means in LDAP?
>>
>> Thanks and regards,
>> Bogdan
>>
>> Alan Rubin wrote:
>>
>>> Bogdan,
>>>
>>> Apparently the email administrator had a regex on the SMTP gateway to
>>> reject messages with pass (and) word (combined) because of previous
>>> users succumbing to phishing exercises.  It may work now, but I will
>>> continue to check the archives. Oh well.
>>>
>>> Regarding: 
>>> "Now, going to the actual issue, the problem is related to password -
>>> about how the client and server (ldap) are keeping the password - do 
>>> they both keep it same format (like plain text) ?
>>>
>>> Regards,
>>> Bogdan"
>>>
>>> I think I've figured out the issue, although I don't believe there is a
>>> solution.  Hopefully you can verify, either way.
>>>
>>> The bind user in the ldap.cfg file does not have the privilege to
>>> retrieve the password field from our LDAP directory.  The only way our
>>> LDAP setup is supposed to work is by binding using the
>>> user-to-be-authenticated directly with the LDAP directory server.  It is
>>> my understanding, and this is where you can verify or correct me, that
>>> opensips and the LDAP module can not change the bind user dynamically.
>>>
>>> Regards,
>>>
>>> Alan Rubin
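The two verification paths the thread contrasts, as an added model that is not part of this thread or of OpenSIPS: a constructed in-memory directory whose ACL hides userPassword from everyone but the entry's owner (the filter Alan describes), checked first through the static service bind plus attribute lookup, then through a per-request bind as the user, with every bind counted (the cost Bogdan raises). DNs, attribute names and credentials are assumed; no real LDAP server or library is involved.

```python
from dataclasses import dataclass
from typing import Optional

BASE_DN = "ou=people,dc=example,dc=com"       # assumed base DN
SERVICE_DN = "cn=opensips,dc=example,dc=com"  # assumed ldap.cfg bind user
SERVICE_PW = "svc-secret"                     # constructed credential

# Constructed directory, DN -> attributes (plaintext passwords keep the model small).
DIRECTORY = {
    SERVICE_DN: {"userPassword": SERVICE_PW},
    f"uid=alice,{BASE_DN}": {"uid": "alice", "userPassword": "alice-pw"},
    f"uid=bob,{BASE_DN}": {"uid": "bob", "userPassword": "bob-pw"},
}

@dataclass
class MockLdap:
    """One connection; the ACL returns userPassword only to the entry's own DN."""
    binds: int = 0                  # every bind is counted: the cost at issue
    bound_as: Optional[str] = None  # DN of the current successful bind

    def bind(self, dn: str, password: str) -> bool:
        self.binds += 1
        entry = DIRECTORY.get(dn)
        ok = entry is not None and entry.get("userPassword") == password
        self.bound_as = dn if ok else None
        return ok

    def search_uid(self, uid: str) -> Optional[dict]:
        """Look up an entry by uid, applying the ACL on userPassword."""
        if self.bound_as is None:          # anonymous access not allowed
            return None
        for dn, attrs in DIRECTORY.items():
            if attrs.get("uid") == uid:
                visible = dict(attrs)
                if dn != self.bound_as:    # ACL: password only to its owner
                    visible.pop("userPassword", None)
                return visible
        return None

def verify_by_lookup(ldap: MockLdap, uid: str, password: str) -> bool:
    """Static-bind path: service bind once, then fetch the password attribute."""
    if ldap.bound_as != SERVICE_DN and not ldap.bind(SERVICE_DN, SERVICE_PW):
        return False
    entry = ldap.search_uid(uid)       # ACL strips userPassword -> always False
    return entry is not None and entry.get("userPassword") == password

def verify_by_user_bind(ldap: MockLdap, uid: str, password: str) -> bool:
    """Dynamic-bind path: bind as the client's DN; one bind per request."""
    return ldap.bind(f"uid={uid},{BASE_DN}", password)
```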