You can easily get >300 auth binds per second with LDAP, depending on the type of auth, and >15k indexed searches per second.
On 03/07/2009, Bogdan-Andrei Iancu <[email protected]> wrote:
>
> But Alan, you will need to re-bind each time you do an Authentication.
> So, even on a system with 1000 online subscribers, registering each 30
> minutes and making a call each 3 hours, means 1000 * 53 = 53000 binds
> per day -> 36 binds per minute.
>
> Regards,
> Bogdan
>
> Alan Rubin wrote:
>> Bogdan,
>>
>> If one request equals one user authentication/registration, then I don't
>> think it would hit 1000 binds per week (small environment). If it has
>> to bind each time a packet is sent, then that is pretty inefficient.
>>
>> Regards,
>>
>> Alan Rubin
>>
>> -----Original Message-----
>> From: Bogdan-Andrei Iancu [mailto:[email protected]]
>> Sent: Thursday, 2 July 2009 12:34 AM
>> To: Alan Rubin
>> Cc: [email protected]
>> Subject: Re: [OpenSIPS-Users] LDAP Authentication
>>
>> Hi Alan,
>>
>> Got your point! Theoretically, dynamic ldap binding can be done, but the
>> question is how efficient it will be (to bind for each auth)..Think that
>> you may process thousands of requests per second!
>>
>> Wouldn't it be more reasonable to import the data into mysql?
>>
>> Regards,
>> Bogdan
>>
>> Alan Rubin wrote:
>>
>>> Bogdan,
>>>
>>> I'm not an LDAP expert either, but I will try to explain the scenario
>>> better. As you said, the LDAP bind is static - done once in the
>>> beginning and sourced from the ldap.cfg file. Unfortunately, we have a
>>> filter on our LDAP server that prevents ordinary users from seeing the
>>> password field in the LDAP entry. The way we verify authentication in
>>> our environment is by dynamically substituting the LDAP bind DN with the
>>> client's uid (and password) and making a simple LDAP query using that
>>> uid. If that bind is successful, then we know that the password is
>>> correct. It doesn't seem like there is any way to configure opensips in
>>> that manner.
>>>
>>> The aim, with LDAP, was to have a single-signon environment for our LAN
>>> and SIP accounts. This doesn't seem possible, unless you or anyone else
>>> on the list has any further suggestions. We could use kerberos/AD
>>> authentication from the client if that is a possibility.
>>>
>>> Regards,
>>>
>>> Alan Rubin
>>>
>>> -----Original Message-----
>>> From: Bogdan-Andrei Iancu [mailto:[email protected]]
>>> Sent: Monday, 29 June 2009 10:13 PM
>>> To: Alan Rubin
>>> Cc: [email protected]
>>> Subject: Re: [OpenSIPS-Users] LDAP Authentication
>>>
>>> Hi Alan,
>>>
>>> I'm not an LDAP expert to get into details about how ldap should be
>>> configured or so....What I can tell is that the bind is static (only
>>> once done at the beginning and that's it)....Can you send me a link or
>>> something to read more about what this dynamic bind means in LDAP?
>>>
>>> Thanks and regards,
>>> Bogdan
>>>
>>> Alan Rubin wrote:
>>>
>>>> Bogdan,
>>>>
>>>> Apparently the email administrator had a regex on the SMTP gateway to
>>>> reject messages with pass (and) word (combined) because of previous
>>>> users succumbing to phishing exercises. It may work now, but I will
>>>> continue to check the archives. Oh well.
>>>>
>>>> Regarding:
>>>> "Now, going to the actual issue, the problem is related to password -
>>>> about how the client and server (ldap) are keeping the password - do
>>>> they both keep it in the same format (like plain text)?
>>>>
>>>> Regards,
>>>> Bogdan"
>>>>
>>>> I think I've figured out the issue, although I don't believe there is a
>>>> solution. Hopefully you can verify, either way.
>>>>
>>>> The bind user in the ldap.cfg file does not have the privilege to
>>>> retrieve the pass word field from our LDAP directory. The only way our
>>>> LDAP setup is supposed to work is by binding using the
>>>> user-to-be-authenticated directly with the LDAP directory server. It
>>>> is my understanding, and this is where you can verify or correct me, that
>>>> opensips and the LDAP module can not change the bind user dynamically.
>>>>
>>>> Regards,
>>>>
>>>> Alan Rubin
>
> _______________________________________________
> Users mailing list
> [email protected]
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>

--
Sent from my mobile device
http://www.suretecsystems.com/services/openldap/
http://www.suretectelecom.com
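The "search, then bind as the user" scheme Alan describes above, as an added example that is not part of the thread and not OpenSIPS or its LDAP module. It assumes two primitives a real client (python-ldap or ldap3) would supply, search(base_dn, filter) and bind(dn, password); here they are served by a constructed in-memory directory so the block runs offline. The parts worth copying are the RFC 4515 filter escaping (an unescaped uid lets a caller rewrite the filter) and the refusal of empty credentials: RFC 4513 defines a bind with a DN and an empty password as an unauthenticated bind, which many directories accept, so "the bind succeeded, therefore the password is right" is only true once blank passwords are rejected before the bind.

```python
"""Search-then-bind LDAP authentication for SIP users.

Added illustration, not code from OpenSIPS or from anyone on the thread.
The directory below and the fake_search/fake_bind callables are a
constructed in-memory stand-in; a deployment supplies those two from a
real LDAP client. The escaping, the empty-credential check and the flow
are the real logic.
"""
import hmac
import re
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# RFC 4515 section 3: characters that must be hex-escaped inside a filter
# assertion value. Interpolating a raw uid lets "*" or "x)(uid=*" change
# what the filter matches (LDAP injection).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one user-supplied value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


# search(base_dn, filter) -> DN of the single matching entry, or None
# bind(dn, password)      -> True when the directory accepts the credentials
SearchFn = Callable[[str, str], Optional[str]]
BindFn = Callable[[str, str], bool]


@dataclass
class SipAuthenticator:
    """Verifies a SIP user's password by binding to the directory as that user."""

    base_dn: str
    search: SearchFn
    bind: BindFn

    def authenticate(self, uid: str, password: str) -> bool:
        # RFC 4513 section 5.1.2: a DN plus an empty password is an
        # *unauthenticated* bind, which many servers accept. Without this
        # check anyone who knows a uid could "authenticate" with a blank
        # password.
        if not uid or not password:
            return False
        flt = f"(&(objectClass=person)(uid={escape_filter_value(uid)}))"
        dn = self.search(self.base_dn, flt)
        if dn is None:
            return False
        return self.bind(dn, password)


# --- Constructed in-memory directory standing in for the LDAP server ------
FAKE_DIRECTORY: Dict[str, Dict[str, str]] = {
    "uid=alice,ou=people,dc=example,dc=com": {"uid": "alice", "userPassword": "s3cret"},
    "uid=bob,ou=people,dc=example,dc=com": {"uid": "bob", "userPassword": "hunter2"},
}

_HEX_ESCAPE = re.compile(r"\\([0-9a-fA-F]{2})")


def _unescape(value: str) -> str:
    """Inverse of escape_filter_value, used only by the fake server."""
    return _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)


def fake_search(base_dn: str, flt: str) -> Optional[str]:
    """Understands only the filter shape the authenticator builds. The
    escaped uid is decoded and compared exactly, so an injection attempt
    such as "bob)(uid=*" matches nothing instead of everything."""
    m = re.fullmatch(r"\(&\(objectClass=person\)\(uid=(.*)\)\)", flt)
    if not m:
        return None
    uid = _unescape(m.group(1))
    for dn, attrs in FAKE_DIRECTORY.items():
        if dn.endswith("," + base_dn) and attrs["uid"] == uid:
            return dn
    return None


def fake_bind(dn: str, password: str) -> bool:
    """Mimics a server that accepts an empty password as an unauthenticated
    bind (RFC 4513): it returns True for "", so the check in
    SipAuthenticator.authenticate is what actually protects the account."""
    entry = FAKE_DIRECTORY.get(dn)
    if entry is None:
        return False
    if password == "":
        return True  # the pitfall: unauthenticated bind "succeeds"
    return hmac.compare_digest(entry["userPassword"].encode(), password.encode())


if __name__ == "__main__":
    auth = SipAuthenticator("ou=people,dc=example,dc=com", fake_search, fake_bind)
    for uid, pw in [("alice", "s3cret"), ("alice", "wrong"), ("alice", ""), ("bob)(uid=*", "hunter2")]:
        print(f"{uid!r:14} {pw!r:10} -> {auth.authenticate(uid, pw)}")
```

In a real deployment the search step runs on a long-lived connection bound as the low-privilege service account from ldap.cfg, and only the per-request bind uses the user's credentials; that keeps the bind rate at one per authentication rather than two.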
