These are my points too and how I thought the auth should work. But you need some kind of mapping here for user DNs etc.?

On 30/06/2009, Alan Rubin <[email protected]> wrote:
> Bogdan,
>
> I'm not an LDAP expert either, but I will try to explain the scenario better. As you said, the LDAP bind is static - done once in the beginning and sourced from the ldap.cfg file. Unfortunately, we have a filter on our LDAP server that prevents ordinary users from seeing the password field in the LDAP entry. The way we verify authentication in our environment is by dynamically substituting the LDAP bind DN with the client's uid (and password) and making a simple LDAP query using that uid. If that bind is successful, then we know that the password is correct. It doesn't seem like there is any way to configure opensips in that manner.
>
> The aim, with LDAP, was to have a single-signon environment for our LAN and SIP accounts. This doesn't seem possible, unless you or anyone else on the list has any further suggestions. We could use kerberos/AD authentication from the client if that is a possibility.
>
> Regards,
>
> Alan Rubin
>
> -----Original Message-----
> From: Bogdan-Andrei Iancu [mailto:[email protected]]
> Sent: Monday, 29 June 2009 10:13 PM
> To: Alan Rubin
> Cc: [email protected]
> Subject: Re: [OpenSIPS-Users] LDAP Authentication
>
> Hi Alan,
>
> I'm not an LDAP expert to get into details about how ldap should be configured or so.... What I can tell is that the bind is static (only once done at the beginning and that's it).... Can you send me a link or something to read more about what this dynamic bind means in LDAP?
>
> Thanks and regards,
> Bogdan
>
> Alan Rubin wrote:
>> Bogdan,
>>
>> Apparently the email administrator had a regex on the SMTP gateway to reject messages with pass (and) word (combined) because of previous users succumbing to phishing exercises. It may work now, but I will continue to check the archives. Oh well.
>>
>> Regarding:
>> "Now, going to the actual issue, the problem is related to password - about how the client and server (ldap) are keeping the password - do they both keep it same format (like plain text)?
>>
>> Regards,
>> Bogdan"
>>
>> I think I've figured out the issue, although I don't believe there is a solution. Hopefully you can verify, either way.
>>
>> The bind user in the ldap.cfg file does not have the privilege to retrieve the pass word field from our LDAP directory. The only way our LDAP setup is supposed to work is by binding using the user-to-be-authenticated directly with the LDAP directory server. It is my understanding, and this is where you can verify or correct me, that opensips and the LDAP module can not change the bind user dynamically.
>>
>> Regards,
>>
>> Alan Rubin
>>
>
> _______________________________________________
> Users mailing list
> [email protected]
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users

--
Sent from my mobile device
http://www.suretecsystems.com/services/openldap/
http://www.suretectelecom.com
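The "search, then bind as the user" flow Alan describes, with the uid-to-DN mapping asked about above, as an added illustration that is not code from this thread or from OpenSIPS. The directory is a constructed in-memory stand-in (a real deployment would call an LDAP client library instead); it mirrors two real server behaviours: userPassword is never returned to the service account, and a simple bind with an empty password succeeds as an anonymous bind, which the verifier must guard against.

```python
import re

class FakeDirectory:
    """Constructed stand-in for an LDAP server that hides userPassword."""
    def __init__(self, entries):
        self.entries = entries  # dn -> attributes

    def simple_bind(self, dn, password):
        # Real servers treat an empty password as an anonymous bind and
        # report success (RFC 4513 s5.1.2); mirrored so the guard in verify() matters.
        if password == "":
            return True
        entry = self.entries.get(dn)
        return entry is not None and entry["userPassword"] == password

    def search(self, base, filt):
        m = re.fullmatch(r"\(uid=(.*)\)", filt)
        for dn, attrs in self.entries.items():
            if dn.endswith(base) and m and attrs["uid"] == m.group(1):
                # The server's ACL filter strips userPassword from the result.
                return dn, {k: v for k, v in attrs.items() if k != "userPassword"}
        return None

def escape_filter(value):
    """RFC 4515 escaping so a client-supplied uid cannot rewrite the filter."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)

def verify(directory, svc_dn, svc_pw, base, uid, password):
    """Static service bind, uid->DN lookup, then a bind as the user's own DN."""
    if not password:  # never let an empty password reach the anonymous bind
        return False
    if not directory.simple_bind(svc_dn, svc_pw):  # the static bind from ldap.cfg
        return False
    hit = directory.search(base, f"(uid={escape_filter(uid)})")
    if hit is None:
        return False
    user_dn, _attrs = hit
    # userPassword is not in _attrs, so the password cannot be compared here;
    # the only proof available is a successful bind as the user's DN.
    return directory.simple_bind(user_dn, password)

# Constructed sample data (hypothetical DNs and secrets).
SVC_DN = "cn=opensips,ou=services,dc=example,dc=org"
BASE = "dc=example,dc=org"
DIRECTORY = FakeDirectory({
    SVC_DN: {"uid": "opensips", "userPassword": "svc-secret"},
    "uid=alice,ou=people,dc=example,dc=org": {"uid": "alice", "userPassword": "correct horse"},
})

if __name__ == "__main__":
    print(verify(DIRECTORY, SVC_DN, "svc-secret", BASE, "alice", "correct horse"))  # True
```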
