Gavin,

Actually the module does use the ldap_sasl_bind() function for binding to LDAP, but I guess the additional params are not passed via the ldap config file.

Regards,
Bogdan

Gavin Henry wrote:
> This is why I submitted a feature request for the ldap_sasl_bind
> function to be added. Then a successful bind is all that is needed by
> opensips. The problem is converting the password to plain on the
> opensips side to use it to bind with against the ldap directory. Is
> this possible?
>
> That way, we know the digest format in sip, but we don't need to care
> about the ldap hash format (most are ssha1) *and* we don't need to
> change the directory.
>
> On 19/06/2009, Bogdan-Andrei Iancu <[email protected]> wrote:
>
>> Alan,
>>
>> Could you post the part of the script taking care of the REGISTRATION
>> part, just for double checking ?
>>
>> Also, for the password...does not look ok - not sure how that value is
>> computed, but please check the Digest Auth RFC to see the definition of
>> HA1 .
>>
>> Regards,
>> Bogdan
>>
>> Alan Rubin wrote:
>>
>>> (reposting to fit the list size limits)
>>>
>>> Bogdan,
>>>
>>> 2) I removed the "!" from the REGISTER section. This seems to have at
>>> least pushed me on to the next stage of actually doing an LDAP query:
>>>
>>> Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]: DBG:ldap:ldap_url_search: LDAP URL parsed into session_name [sipaccounts], base [o=ntg], scope [2], filter [(&(cn=oh5)(departmentNumber=66)(ntguserstatus=Active))]
>>> Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]: DBG:ldap:lds_search: [sipaccounts]: performing LDAP search: dn [o=ntg], scope [2], filter [(&(cn=oh5)(departmentNumber=66)(ntguserstatus=Active))], client_timeout [5000000] usecs
>>> Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]: DBG:ldap:ldap_params_search: [sipaccounts]: [1] LDAP entries found
>>> Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]: DBG:auth:check_nonce: comparing [4a3ae9d000000001b43a57f1ad95192b98ace5030eb50d1a] and [4a3ae9d000000001b43a57f1ad95192b98ace5030eb50d1a]
>>> Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]: DBG:auth:reserve_nonce_index: second= 12, sec_monit= -1, index= 2
>>> Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]: DBG:auth:build_auth_hf: nonce index= 2
>>> Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]: DBG:auth:build_auth_hf: 'Proxy-Authenticate: Digest realm="155.205.69.126", nonce="4a3ae9d000000002c65c88df6909b9e945bdbaaa5e495b3a" '
>>> Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]: DBG:core:parse_headers: flags=ffffffffffffffff
>>> Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]: DBG:core:check_via_address: params 155.205.26.124, 155.205.26.124, 0
>>> Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]: DBG:core:destroy_avp_list: destroying list (nil)
>>> Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]: DBG:core:receive_msg: cleaning up
>>> ...
>>>
>>> Still failing, but this time it is code 407: Proxy Authentication
>>> Required. Getting closer?
>>>
>>> 1) Perhaps I mean "encoded" and am just using the wrong term. An
>>> example return from our LDAP search:
>>> userPassword: {SSHA}twmolvRuvt11fr4GVJOxIasfcGi6yci9LIEfaUQ==
>>>
>>> Regards,
>>>
>>> Alan Rubin
>>>
>>> -----Original Message-----
>>> From: Bogdan-Andrei Iancu [mailto:[email protected]]
>>> Sent: Friday, 19 June 2009 10:52 AM
>>> To: Alan Rubin
>>> Cc: [email protected]
>>> Subject: Re: [OpenSIPS-Users] LDAP Authentication
>>>
>>> Alan,
>>>
>>> 2 points:
>>>
>>> 1) what do you mean by "encrypted" ? the module supports only ha1 encoded
>>> passwords.
>>>
>>> 2) I see you deal with a REGISTER request, but in your script you
>>> changed the auth (from DB to LDAP) only for INVITES - check in the
>>> script the second auth block (for REGISTERS) and change it in the same
>>> way as we did for the INVITEs.
>>>
>>> Regards,
>>> Bogdan
>>>
>>> Alan Rubin wrote:
>>>
>>>> Bogdan,
>>>>
>>>> Thanks for your help. I reset the configuration for calculate_ha1 to 0
>>>> (it was set to 1), but I am still getting a "401 - Unauthorized" error.
>>>> The password returning from the LDAP server should be an encrypted
>>>> string.
>>>>
>>>> # ----- auth_db params -----
>>>> /* uncomment the following lines if you want to enable the DB based
>>>>    authentication */
>>>> #modparam("auth_db", "calculate_ha1", yes)
>>>> #modparam("auth_db", "password_column", "password")
>>>> #modparam("auth_db", "db_url",
>>>> #    "mysql://opensips:<redacted>@localhost/opensips")
>>>> #modparam("auth_db", "load_credentials", "")
>>>>
>>>> # ------ auth params -----
>>>> #modparam("auth", "username_spec", "$var(username)")
>>>> #modparam("auth", "password_spec", "$avp(s:password)")
>>>> modparam("auth", "nonce_expire", 30)
>>>> modparam("auth", "secret", "<redacted>")
>>>> modparam("auth", "disable_nonce_check", 0)
>>>> modparam("auth", "username_spec", "$var(username)")
>>>> modparam("auth", "password_spec", "$avp(s:password)")
>>>> modparam("auth", "calculate_ha1", 0)
>>>>
>>>> Here are the relevant logs from the connection (I think):
>>>>
>> _______________________________________________
>> Users mailing list
>> [email protected]
>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
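The thread keeps circling around three things: what the auth module's "HA1" actually is (Bogdan points at the Digest Auth RFC), what the two settings of calculate_ha1 expect to find in the password AVP, and why an LDAP userPassword stored as {SSHA} can satisfy an LDAP bind (Gavin's proposal) but can never satisfy a SIP Digest check. The script below is an added example written for this page; it is not code from the thread or from OpenSIPS. It models the server-side check on RFC 2617 (the Proxy-Authenticate in Alan's log carries no qop, so the qop-less response form applies), models the bind check on the RFC 2307 {SSHA} layout (SHA-1 digest followed by the salt), and reuses the username, realm and nonce visible in the log; the password, salt and request URI are constructed.

```python
# Added example (not from the OpenSIPS thread or the OpenSIPS code base).
# It shows what the auth module's HA1 is (RFC 2617, section 3.2.2.2), how
# the server-side check differs between calculate_ha1=1 (cleartext stored)
# and calculate_ha1=0 (HA1 stored), and why an LDAP userPassword stored as
# {SSHA} can satisfy a bind but never a Digest check.
import base64
import hashlib
import hmac

# Username, realm and nonce are taken from the thread's log lines; the
# password and salt are constructed so the example is deterministic.
USERNAME = "oh5"
REALM = "155.205.69.126"
NONCE = "4a3ae9d000000002c65c88df6909b9e945bdbaaa5e495b3a"
PASSWORD = "example-password"   # constructed
SALT = b"\x0b\xad\xca\xfe"      # constructed


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username ":" realm ":" password), lowercase hex.
    This is the value the auth module expects in the password AVP when
    calculate_ha1 is 0."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()


def digest_response(ha1_hex: str, method: str, uri: str, nonce: str) -> str:
    """RFC 2617 response for a challenge without qop (as in the thread's
    Proxy-Authenticate header): MD5(HA1 ":" nonce ":" HA2) with
    HA2 = MD5(method ":" uri)."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1_hex}:{nonce}:{ha2}".encode()).hexdigest()


def check_digest(stored: str, calculate_ha1: bool, username: str, realm: str,
                 method: str, uri: str, nonce: str, response: str) -> bool:
    """Server-side verification modelled on the auth module's two modes:
    calculate_ha1=1 treats `stored` as the cleartext password and derives HA1,
    calculate_ha1=0 treats `stored` as HA1 itself."""
    expected_ha1 = ha1(username, realm, stored) if calculate_ha1 else stored
    expected = digest_response(expected_ha1, method, uri, nonce)
    return hmac.compare_digest(expected, response)


def ssha_encode(password: str, salt: bytes) -> str:
    """RFC 2307 style {SSHA}: base64(SHA1(password || salt) || salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(stored: str, password: str) -> bool:
    """What an LDAP simple bind effectively does with an {SSHA} userPassword:
    recover the salt, re-hash the candidate and compare the 20-byte digest.
    It needs the cleartext password, which Digest never puts on the wire."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


def demo() -> dict:
    """Run the combinations the thread is discussing and report each outcome."""
    method, uri = "REGISTER", "sip:155.205.69.126"   # constructed request
    # The phone computes the response from the cleartext password it knows.
    response = digest_response(ha1(USERNAME, REALM, PASSWORD), method, uri, NONCE)
    ssha_value = ssha_encode(PASSWORD, SALT)
    return {
        # calculate_ha1=1 with the cleartext password in the AVP: matches.
        "plain_calc1": check_digest(PASSWORD, True, USERNAME, REALM, method, uri, NONCE, response),
        # calculate_ha1=0 with a precomputed HA1 in the AVP: matches.
        "ha1_calc0": check_digest(ha1(USERNAME, REALM, PASSWORD), False,
                                  USERNAME, REALM, method, uri, NONCE, response),
        # The {SSHA} string from the directory, fed to either mode: never matches.
        "ssha_calc1": check_digest(ssha_value, True, USERNAME, REALM, method, uri, NONCE, response),
        "ssha_calc0": check_digest(ssha_value, False, USERNAME, REALM, method, uri, NONCE, response),
        # The same {SSHA} value does verify a cleartext bind, which is Gavin's point,
        # but only if the proxy has the cleartext to bind with.
        "ssha_bind": ssha_verify(ssha_value, PASSWORD),
        "ssha_bind_wrong": ssha_verify(ssha_value, "wrong-password"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The two `ssha_calc*` results are the reason Alan's 401/407 will not go away by flipping calculate_ha1: an {SSHA} value is neither a cleartext password nor an HA1, so nothing the auth module can derive from it lines up with the response the phone sends. The `ssha_bind` result is the other half of the picture: a bind would work, but only with the cleartext password, and Digest hands the proxy a hash over that password, not the password itself. Storing HA1 (which is also an MD5 over the realm, so it is not reusable in another realm) in the directory, as Bogdan suggests, is the usual way out.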
