Juan Jose Lopez Juarez wrote:
> At the moment, in order to authenticate using an ldap server, this is
> what happens..
>
> CLIENT sends credentials to the opensips server.
> Opensips gets the credentials. In order to match the username/password it
> connects to the ldap server (using no auth) and runs a query for
> username and password.
>
> It tries to match the values provided by the client with the ones retrieved
> from the ldap (either md5 or plain text) .. and if they match, the
> user is validated.
>
> This means that the password field has to be available through a
> query (which is not always the case) .. you need an ldap account with
> high privileges to do this.
>
right - this part was clear :)

> What you can do to avoid getting that field is this.
>
> Client sends the credentials to the opensips server.
> Opensips gets the credentials and tries to connect to the ldap, but instead
> of using no authentication it tries to bind itself to the ldap. This
> will require the opensips server to use authentication against the
> ldap. The authentication credentials are the same as the ones provided
> by the client.
> If the bind with the ldap is successful, it means that the username /
> password are ok, so the user is validated. If not, validation is not
> correct.
>
So, opensips is getting (via SIP) from the UAC the credentials, which
means opensips has the realm, uri, nonce, ... and the response,
according to Digest auth.

Now, you are saying that opensips can use the credentials (that were
sent via SIP) to login bind against LDAP - it is a way to perform kind
of binding (and auth) against a LDAP server by using DIGEST mechanism
(as from SIP side, opensips has only the DIGEST info) ?

Regards,
Bogdan

> With this way there is no need for keeping the password available
> through the ldapsearch query, which in some cases / scenarios
> is not available.
>
>
> 2009/9/24 Bogdan-Andrei Iancu <[email protected]>:
>
>> Hi Juan,
>>
>> Actually we are trying to figure it out as none of the guys from our
>> team is an LDAP expert.
>>
>> So, from LDAP interaction point of view, if you could describe how the
>> "dynamic binding" should work, we could move on with it.
>>
>> Thanks and regards,
>> Bogdan
>>
>> Juan Jose Lopez Juarez wrote:
>>
>>> Anywhere I can read about how the functionality is going to look like?
>>> I'm really looking forward to testing it.
>>>
>>> 2009/9/15 Bogdan-Andrei Iancu <[email protected]>:
>>>
>>>> Hi Juan,
>>>>
>>>> There is somebody working on that, hopefully will be ready before the
>>>> svn freeze (on Thursday).
>>>>
>>>> Regards,
>>>> Bogdan
>>>>
>>>> Juan Jose Lopez Juarez wrote:
>>>>
>>>>> Hi.
>>>>>
>>>>> I'm trying to authenticate using dynamic bind to the ldap.
>>>>>
>>>>> I've seen that the feature has been requested on:
>>>>>
>>>>> http://sourceforge.net/tracker/?func=detail&atid=1086413&aid=2822174&group_id=232389
>>>>>
>>>>> But it doesn't seem to have any progress.
>>>>>
>>>>> Any idea if this functionality is going to be implemented?
_______________________________________________
Users mailing list
[email protected]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
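
Added example (not part of the thread and not opensips code): the search-and-compare check described above, written out for Digest auth, next to what the digest fields offer for an LDAP simple bind. It assumes "md5" in LDAP means HA1 = MD5(username:realm:password); the sample request is the RFC 2617 section 3.5 example (an HTTP GET; SIP uses the same computation), and all function names are hypothetical.

```python
import hashlib
import hmac

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def expected_response(ha1: str, c: dict) -> str:
    """Digest response (RFC 2617, MD5) computed from HA1 and the request fields."""
    ha2 = md5_hex(f"{c['method']}:{c['uri']}")
    if c.get("qop") == "auth":
        return md5_hex(f"{ha1}:{c['nonce']}:{c['nc']}:{c['cnonce']}:auth:{ha2}")
    return md5_hex(f"{ha1}:{c['nonce']}:{ha2}")  # request sent without qop

def verify(c: dict, ldap_value: str, is_ha1: bool) -> bool:
    """ldap_value is what the LDAP search returned: the plaintext password,
    or (assumption) the stored hash HA1 = MD5(username:realm:password)."""
    if is_ha1:
        ha1 = ldap_value
    else:
        ha1 = md5_hex(f"{c['username']}:{c['realm']}:{ldap_value}")
    # Constant-time comparison of the computed and received responses.
    return hmac.compare_digest(expected_response(ha1, c), c["response"])

def bind_password(c: dict):
    """Cleartext password available for an LDAP simple bind. The digest
    fields carry only a hash derived from it, so this returns None."""
    return c.get("password")

# Digest fields as the server sees them (RFC 2617 section 3.5 example values).
SAMPLE = {
    "username": "Mufasa",
    "realm": "testrealm@host.com",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093",
    "method": "GET",
    "uri": "/dir/index.html",
    "qop": "auth",
    "nc": "00000001",
    "cnonce": "0a4f113b",
    "response": "6629fae49393a05397450978507c4ef1",
}

if __name__ == "__main__":
    print("plaintext from LDAP:", verify(SAMPLE, "Circle Of Life", False))
    stored_ha1 = md5_hex("Mufasa:testrealm@host.com:Circle Of Life")
    print("HA1 from LDAP:      ", verify(SAMPLE, stored_ha1, True))
    print("password for bind:  ", bind_password(SAMPLE))
```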
