[OpenSIPS-Users] LDAP Authentication

Alan Rubin Alan.Rubin at nt.gov.au
Tue Jun 30 02:17:52 CEST 2009


Bogdan,

I'm not an LDAP expert either, but I will try to explain the scenario
better.  As you said, the LDAP bind is static - done once in the
beginning and sourced from the ldap.cfg file.  Unfortunately, we have a
filter on our LDAP server that prevents ordinary users from seeing the
password field in the LDAP entry.  The way we verify authentication in
our environment is by dynamically substituting the LDAP bind DN with the
client's uid (and password) and making a simple LDAP query using that
uid.  If that bind is successful, then we know that the password is
correct.  It doesn't seem like there is any way to configure opensips in
that manner.

The aim, with LDAP, was to have a single sign-on environment for our LAN
and SIP accounts.  This doesn't seem possible, unless you or anyone else
on the list has any further suggestions.  We could use Kerberos/AD
authentication from the client if that is a possibility.

Regards,  


Alan Rubin
 
-----Original Message-----
From: Bogdan-Andrei Iancu [mailto:bogdan at voice-system.ro] 
Sent: Monday, 29 June 2009 10:13 PM
To: Alan Rubin
Cc: users at lists.opensips.org
Subject: Re: [OpenSIPS-Users] LDAP Authentication

Hi Alan,

I'm not an LDAP expert to get into details about how ldap should be 
configured or so....What I can tell is that the bind is static (only 
once done at the beginning and that's it)....Can you send me a link or 
something to read more about what this dynamic bind means in LDAP?

Thanks and regards,
Bogdan

Alan Rubin wrote:
> Bogdan,
>
> Apparently the email administrator had a regex on the SMTP gateway to
> reject messages with pass (and) word (combined) because of previous
> users succumbing to phishing exercises.  It may work now, but I will
> continue to check the archives. Oh well.
>
> Regarding: 
> "Now, going to the actual issue, the problem is related to password - 
> about how the client and server (ldap) are keeping the password - do 
> they both keep it same format (like plain text) ?
>
> Regards,
> Bogdan"
>
> I think I've figured out the issue, although I don't believe there is a
> solution.  Hopefully you can verify, either way.  
>
> The bind user in the ldap.cfg file does not have the privilege to
> retrieve the pass  word field from our LDAP directory.  The only way our
> LDAP setup is supposed to work is by binding using the
> user-to-be-authenticated directly with the LDAP directory server.  It is
> my understanding, and this is where you can verify or correct me, that
> opensips and the LDAP module can not change the bind user dynamically.
>
> Regards,
>
> Alan Rubin
>  
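Added example, not from this thread and not OpenSIPS code: a worked illustration of why a "bind to LDAP as the user" check does not fit a SIP proxy's authentication. SIP clients authenticate with HTTP Digest (RFC 3261, RFC 2617): the REGISTER carries an MD5 response computed from the password, never the password itself. The proxy can only verify that response if it holds the plaintext password or the precomputed HA1 = MD5(user:realm:password) on its own side; it has nothing it could forward to a directory bind. The user name, realm, nonce and password below are constructed sample data.

```python
"""Constructed SIP Digest round trip: a UA produces an Authorization header,
the proxy verifies it from a stored password, from a stored HA1, or from
nothing at all (the situation in the thread, where the static LDAP bind
account cannot read the password attribute)."""
import hashlib
import hmac
import re


def md5hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 is the value a proxy can store instead of the plaintext password."""
    return md5hex(f"{username}:{realm}:{password}")


def digest_response(h1: str, method: str, uri: str, nonce: str,
                    qop=None, nc=None, cnonce=None) -> str:
    """RFC 2617 response, with or without qop=auth."""
    ha2 = md5hex(f"{method}:{uri}")
    if qop == "auth":
        return md5hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5hex(f"{h1}:{nonce}:{ha2}")


# name=value pairs of the Authorization header, quoted or bare (e.g. algorithm=MD5)
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def parse_authorization(header: str) -> dict:
    """Split a 'Digest ...' Authorization header into its parameters."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest Authorization header")
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM_RE.finditer(params)}


def client_authorization(username: str, realm: str, password: str,
                         method: str, uri: str, nonce: str) -> str:
    """What the UA puts on the wire: the digest response, not the password."""
    resp = digest_response(ha1(username, realm, password), method, uri, nonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}", algorithm=MD5')


def proxy_verify(header: str, method: str, credential: dict) -> bool:
    """Server-side check.  `credential` is {"password": ...} or {"ha1": ...};
    an empty dict models a proxy that could not fetch either value."""
    p = parse_authorization(header)
    if "ha1" in credential:
        h1 = credential["ha1"]
    elif "password" in credential:
        h1 = ha1(p["username"], p["realm"], credential["password"])
    else:
        # The response is one-way: without the password or HA1 there is
        # nothing to compare against, and no password to bind with.
        return False
    expected = digest_response(h1, method, p["uri"], p["nonce"],
                               p.get("qop"), p.get("nc"), p.get("cnonce"))
    return hmac.compare_digest(expected, p["response"])


if __name__ == "__main__":
    # constructed sample values
    hdr = client_authorization("alice", "example.org", "s3cret",
                               "REGISTER", "sip:example.org", "dcd98b7102dd2f0e")
    print(hdr)
    print("plaintext on proxy:", proxy_verify(hdr, "REGISTER", {"password": "s3cret"}))
    print("HA1 on proxy:      ", proxy_verify(hdr, "REGISTER",
                                               {"ha1": ha1("alice", "example.org", "s3cret")}))
    print("nothing on proxy:  ", proxy_verify(hdr, "REGISTER", {}))
```

The third case is the one the thread runs into: whatever the directory's own bind semantics, the proxy never sees "s3cret" in the request, so it cannot re-bind to LDAP as the user. If the directory will not disclose the password (or an HA1 attribute) to the proxy's service account, digest authentication cannot be completed against that directory.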