Hi Alan,

It is not OpenSIPS requiring it, it is how SIP works if you want to do it in a secure way :).
But feel free and upload a feature request on the tracker for having dynamic binding.

Regards,
Bogdan

Alan Rubin wrote:
> Bogdan,
>
> My site would actually be smaller than that, but that doesn't really
> address the argument. Is there basically no way, then, to have a single
> signon-type environment because OpenSIPS requires so much
> authentication/registration traffic?
>
> Regards,
>
> Alan Rubin
>
> -----Original Message-----
> From: Bogdan-Andrei Iancu [mailto:[email protected]]
> Sent: Friday, 3 July 2009 8:46 PM
> To: Alan Rubin
> Cc: [email protected]
> Subject: Re: [OpenSIPS-Users] LDAP Authentication
>
> But Alan, you will need to re-bind each time you do an Authentication.
> So, even on a system with 1000 online subscribers, registering each 30
> minutes and making a call each 3 hours, means 1000 * 53 = 53000 binds
> per day -> 36 binds per minute.
>
> Regards,
> Bogdan
>
> Alan Rubin wrote:
>> Bogdan,
>>
>> If one request equals one user authentication/registration, then I don't
>> think it would hit 1000 binds per week (small environment). If it has
>> to bind each time a packet is sent, then that is pretty inefficient.
>>
>> Regards,
>>
>> Alan Rubin
>>
>> -----Original Message-----
>> From: Bogdan-Andrei Iancu [mailto:[email protected]]
>> Sent: Thursday, 2 July 2009 12:34 AM
>> To: Alan Rubin
>> Cc: [email protected]
>> Subject: Re: [OpenSIPS-Users] LDAP Authentication
>>
>> Hi Alan,
>>
>> Got your point! Theoretically, dynamic ldap binding can be done, but the
>> question is how efficient will be (to bind for each auth)..Think that
>> you may process thousands of requests per second!
>>
>> Wouldn't be more reasonable to import the data into mysql?
>>
>> Regards,
>> Bogdan
>>
>> Alan Rubin wrote:
>>> Bogdan,
>>>
>>> I'm not an LDAP expert either, but I will try to explain the scenario
>>> better. As you said, the LDAP bind is static - done once in the
>>> beginning and sourced from the ldap.cfg file. Unfortunately, we have a
>>> filter on our LDAP server that prevents ordinary users from seeing the
>>> password field in the LDAP entry. The way we verify authentication in
>>> our environment is by dynamically substituting the LDAP bind DN with the
>>> client's uid (and password) and making a simple LDAP query using that
>>> uid. If that bind is successful, then we know that the password is
>>> correct. It doesn't seem like there is any way to configure opensips in
>>> that manner.
>>>
>>> The aim, with LDAP, was to have a single-signon environment for our LAN
>>> and SIP accounts. This doesn't seem possible, unless you or anyone else
>>> on the list has any further suggestions. We could use kerberos/AD
>>> authentication from the client if that is a possibility.
>>>
>>> Regards,
>>>
>>> Alan Rubin
>>>
>>> -----Original Message-----
>>> From: Bogdan-Andrei Iancu [mailto:[email protected]]
>>> Sent: Monday, 29 June 2009 10:13 PM
>>> To: Alan Rubin
>>> Cc: [email protected]
>>> Subject: Re: [OpenSIPS-Users] LDAP Authentication
>>>
>>> Hi Alan,
>>>
>>> I'm not an LDAP expert to get into details about how ldap should be
>>> configured or so....What I can tell is that the bind is static (only
>>> once done at the beginning and that's it)....Can you send me a link or
>>> something to read more about what this dynamic bind means in LDAP ?
>>>
>>> Thanks and regards,
>>> Bogdan
>>>
>>> Alan Rubin wrote:
>>>> Bogdan,
>>>>
>>>> Apparently the email administrator had a regex on the SMTP gateway to
>>>> reject messages with pass (and) word (combined) because of previous
>>>> users succumbing to phishing exercises. It may work now, but I will
>>>> continue to check the archives. Oh well.
>>>>
>>>> Regarding:
>>>> "Now, going to the actual issue, the problem is related to password -
>>>> about how the client and server (ldap) are keeping the password - do
>>>> they both keep it same format (like plain text) ?
>>>>
>>>> Regards,
>>>> Bogdan"
>>>>
>>>> I think I've figured out the issue, although I don't believe there is a
>>>> solution. Hopefully you can verify, either way.
>>>>
>>>> The bind user in the ldap.cfg file does not have the privilege to
>>>> retrieve the pass word field from our LDAP directory. The only way our
>>>> LDAP setup is supposed to work is by binding using the
>>>> user-to-be-authenticated directly with the LDAP directory server. It is
>>>> my understanding, and this is where you can verify or correct me, that
>>>> opensips and the LDAP module can not change the bind user dynamically.
>>>>
>>>> Regards,
>>>>
>>>> Alan Rubin

_______________________________________________
Users mailing list
[email protected]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
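
Added example, not part of the original thread and not OpenSIPS code: a minimal SIP digest check (RFC 2617, without qop) showing why the proxy has to read a stored credential and has no password it could replay into an LDAP bind. The user, realm, password, nonce and all function names are constructed for illustration.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def compute_ha1(username, realm, password):
    # HA1 is the only place the password enters the digest computation.
    return md5_hex(f"{username}:{realm}:{password}")

def digest_response(ha1, nonce, method, uri):
    # RFC 2617 without qop: MD5(HA1 ":" nonce ":" MD5(method ":" uri))
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def parse_authorization(header):
    # Simplified parser: assumes no commas inside quoted values.
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    fields = {}
    for part in params.split(","):
        key, _, value = part.strip().partition("=")
        fields[key.lower()] = value.strip('"')
    return fields

def verify_request(header, method, lookup_ha1):
    # lookup_ha1(username, realm) returns the stored HA1, or None.
    fields = parse_authorization(header)
    stored = lookup_ha1(fields["username"], fields["realm"])
    if stored is None:
        return False  # the directory will not release the credential
    expected = digest_response(stored, fields["nonce"], method, fields["uri"])
    return hmac.compare_digest(expected, fields.get("response", ""))

# Constructed sample: the header a phone would send in a REGISTER.
USER, REALM, PASSWORD = "alice", "example.test", "constructed-secret"
NONCE, URI = "4a5b6c7d", "sip:example.test"
SAMPLE_RESPONSE = digest_response(
    compute_ha1(USER, REALM, PASSWORD), NONCE, "REGISTER", URI)
SAMPLE_HEADER = (f'Digest username="{USER}", realm="{REALM}", nonce="{NONCE}", '
                 f'uri="{URI}", response="{SAMPLE_RESPONSE}"')

def readable_directory(username, realm):
    # The service account may read the credential attribute.
    return compute_ha1(USER, REALM, PASSWORD) if username == USER else None

def bind_only_directory(username, realm):
    # Credential attribute hidden from the service account, as in the thread.
    return None
```

With `bind_only_directory` the check can only fail: the header carries a hash bound to the nonce, not a password that could be handed to an LDAP simple bind.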
