Bogdan,

I'm not an LDAP expert either, but I will try to explain the scenario better. As you said, the LDAP bind is static - done once in the beginning and sourced from the ldap.cfg file. Unfortunately, we have a filter on our LDAP server that prevents ordinary users from seeing the password field in the LDAP entry. The way we verify authentication in our environment is by dynamically substituting the LDAP bind DN with the client's uid (and password) and making a simple LDAP query using that uid. If that bind is successful, then we know that the password is correct. It doesn't seem like there is any way to configure OpenSIPS in that manner.

The aim, with LDAP, was to have a single sign-on environment for our LAN and SIP accounts. This doesn't seem possible, unless you or anyone else on the list has any further suggestions. We could use Kerberos/AD authentication from the client if that is a possibility.

Regards,

Alan Rubin

-----Original Message-----
From: Bogdan-Andrei Iancu [mailto:[email protected]]
Sent: Monday, 29 June 2009 10:13 PM
To: Alan Rubin
Cc: [email protected]
Subject: Re: [OpenSIPS-Users] LDAP Authentication

Hi Alan,

I'm not an LDAP expert to get into details about how LDAP should be configured or so.... What I can tell is that the bind is static (only once done at the beginning and that's it).... Can you send me a link or something to read more about what this dynamic bind means in LDAP?

Thanks and regards,
Bogdan

Alan Rubin wrote:
> Bogdan,
>
> Apparently the email administrator had a regex on the SMTP gateway to
> reject messages with pass (and) word (combined) because of previous
> users succumbing to phishing exercises. It may work now, but I will
> continue to check the archives. Oh well.
>
> Regarding:
> "Now, going to the actual issue, the problem is related to password -
> about how the client and server (ldap) are keeping the password - do
> they both keep it same format (like plain text) ?
>
> Regards,
> Bogdan"
>
> I think I've figured out the issue, although I don't believe there is a
> solution. Hopefully you can verify, either way.
>
> The bind user in the ldap.cfg file does not have the privilege to
> retrieve the pass word field from our LDAP directory. The only way our
> LDAP setup is supposed to work is by binding using the
> user-to-be-authenticated directly with the LDAP directory server. It is
> my understanding, and this is where you can verify or correct me, that
> OpenSIPS and the LDAP module can not change the bind user dynamically.
>
> Regards,
>
> Alan Rubin

_______________________________________________
Users mailing list
[email protected]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
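The bind-as-user check Alan describes (put the user's own DN and password into the bind, and treat a successful bind as proof the password is right) written out at the wire level, as an added example that is not OpenSIPS code and not from the thread; the host, port and DN are constructed placeholders, and the empty-password rejection covers the unauthenticated-bind pitfall of RFC 4513 that such checks must handle.

```python
"""Bind-as-user password check on the wire: LDAPv3 simple BindRequest in BER and the
BindResponse result-code check, standard library only. Host/port/DN are constructed."""
import socket, ssl

LDAP_SUCCESS, LDAP_INVALID_CREDENTIALS = 0, 49       # RFC 4511 resultCode values

def _ber_len(n: int) -> bytes:                       # definite-form BER length
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body
def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload
def _int(n: int) -> bytes:                           # minimal two's-complement INTEGER body
    return n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True)

def build_bind_request(msg_id: int, user_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, [APPLICATION 0] BindRequest { version 3, name, simple [0] } }"""
    bind = _tlv(0x02, _int(3)) + _tlv(0x04, user_dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _tlv(0x02, _int(msg_id)) + _tlv(0x60, bind))

def _read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_bind_response(data: bytes):
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse."""
    tag, msg, _ = _read_tlv(data, 0)
    _, mid, pos = _read_tlv(msg, 0)
    op, resp, _ = _read_tlv(msg, pos)
    if tag != 0x30 or op != 0x61:                    # 0x61 = [APPLICATION 1] BindResponse
        raise ValueError("not an LDAP BindResponse")
    _, code, pos = _read_tlv(resp, 0)                # resultCode ENUMERATED
    _, _matched_dn, pos = _read_tlv(resp, pos)
    _, diag, _ = _read_tlv(resp, pos)
    return int.from_bytes(mid, "big", signed=True), int.from_bytes(code, "big"), diag.decode()

def verify_password(host: str, port: int, user_dn: str, password: str) -> bool:
    """True only if a simple bind as user_dn with this password succeeds."""
    # RFC 4513 s5.1.2: an empty password is an *unauthenticated* bind that many
    # servers accept, so reject it here or every account would 'authenticate'.
    if not password:
        return False
    ctx = ssl.create_default_context()               # LDAPS: the password must never go in clear
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as conn:
            conn.sendall(build_bind_request(1, user_dn, password))
            _, code, _ = parse_bind_response(conn.recv(4096))
    return code == LDAP_SUCCESS
```

A resultCode of 49 (invalidCredentials) is the wrong-password case; the same request and response shapes are what an external verifier in front of OpenSIPS would exchange with the directory.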
