You want to get the password (in clear text??) using an external script to check it using pv_www_authenticate?
You can use the following function from exec module: http://kamailio.org/docs/modules/stable/modules_k/exec.html#id2552128
The output of your command (shell script, php, ...) can be stored in an avp passed to pv_www_authenticate. Example to get the password:
exec_avp("auth.sh '$au' ", "$avp(s:password)")
$au = authentication username
the output of auth.sh will be stored in $avp(s:password)
Now this was how to use an external script and get its return values. How will you proceed knowing that passwords are hashed using SHA1 in your database and password+username+realm hashed using MD5 in SIP header?
Reda
On Mon, May 7, 2012 at 4:52 PM, Saul Waizer saulwaizer@gmail.com wrote:
Thank you Reda,
Is there a way to utilize external scripts for authentication? Like bash, php etc? I cannot change the format of the LDAP but I am thinking about other methods that could possibly work too utilizing the same pv_www_authenticate logic, however these would require some external script processing.
Example: SSO Authentication.
SIP user ----> SIP server ----> external auth script ----> OpenSSO server
Thank you
On Fri, May 4, 2012 at 5:56 PM, Reda Aouad reda.aouad@gmail.com wrote:
Sorry didn't reply to mailing list before. Emails are below.
SHA1 encryption may not encrypt the same way as HA1 (HA1 = MD5 of realm + username + password), so the problem may be here. I suggest you store your passwords as clear text in LDAP for testing first.
Reda
On Fri, May 4, 2012 at 11:14 PM, Saul Waizer saulwaizer@gmail.com wrote:
with the variations I get different results:
4(24126) ERROR: <script>: Password={SHA}v/m3IZiuy+VVizqnt56e2baZsT8=
4(24126) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=760 a=17 n=if
4(24126) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=756 a=28 n=pv_www_authenticate
4(24126) DEBUG: auth [api.c:95]: auth: digest-algo: MD5 parsed value: 1
4(24126) DEBUG: auth [api.c:210]: check_response: Our result = '3839aa4cae572f5f8b23601a2bb1178f'
4(24126) DEBUG: auth [api.c:220]: check_response: Authorization failed
On Fri, May 4, 2012 at 3:11 PM, Saul Waizer saulwaizer@gmail.com wrote:
Also: I used xlog to print out the password and I get the same exact password I have on my LDAP server, so it seems something with the decoding
On Fri, May 4, 2012 at 3:01 PM, Saul Waizer saulwaizer@gmail.com wrote:
Now I got it down to this:
2(23003) INFO: <script>: ldap_search: found [1] entries for (uid=mmiller)
2(23003) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=759 a=17 n=if
2(23003) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=755 a=28 n=pv_www_authenticate
2(23003) DEBUG: auth [api.c:95]: auth: digest-algo: MD5 parsed value: 1
2(23003) DEBUG: auth [auth_mod.c:455]: HA1 string calculated: c69622bbd922ec9321ab1293c226b703
2(23003) DEBUG: auth [api.c:210]: check_response: Our result = '939676a5591165f1da8ba04562d446b2'
2(23003) DEBUG: auth [api.c:220]: check_response: Authorization failed
2(23003) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=756 a=27 n=www_challenge
2(23003) DEBUG: auth [challenge.c:102]: build_challenge_hf: realm='23.22.35.43'
2(23003) DEBUG: auth [challenge.c:244]: auth: 'WWW-Authenticate: Digest realm="23.22.35.43", nonce="T6Qn/E+kJtAU7IvGh4OLivg7ptLbdida"
I have changed the values of:
if (!pv_www_authenticate("$td", "$avp(password)", "0")) {
    www_challenge("$td", "0");
to:
if (!pv_www_authenticate("$td", "$avp(password)", "1")) {
    www_challenge("$td", "0");
because the password in LDAP is stored as SHA1, and according to the docs, it should be 1. I'm so close it seems :)
*flags* - the value of this parameter can be a bitmask of following:
*1* - the value of password parameter is HA1 format
On Fri, May 4, 2012 at 2:47 PM, Reda Aouad reda.aouad@gmail.com wrote:
can you also print the avp(s:password) to log to see what its value is?
use: xlog('Password=$avp(s:password)') after ldap_search and you'll see its output in the log file
maybe you're not correctly getting the password from the ldap search url, avp(s:password) is then null and you get the error that it can't be converted to string
Reda
On Fri, May 4, 2012 at 8:40 PM, Reda Aouad reda.aouad@gmail.com wrote:
> in the line
> if (!pv_www_authenticate("$td", "$avp(password)", "0")) {
>
> write avp(s:password) instead of avp(password)
> not sure it will solve it though.. if it doesn't, maybe others can
> help you more on this.
>
> Reda
>
> On Fri, May 4, 2012 at 5:50 PM, Saul Waizer saulwaizer@gmail.com wrote:
>
>> Hello Reda,
>>
>> Thank you for your feedback, after some further research and
>> testing I got the LDAP search working, I am just having one issue with the
>> password variable:
>>
>> 3(22487) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=755 a=28 n=pv_www_authenticate
>> 3(22487) ERROR: <core> [sr_module.c:1613]: Could not convert PV to str
>> 3(22487) ERROR: auth [auth_mod.c:569]: failed to get passwd value
>>
>> My relevant configuration:
>>
>> route[AUTH] {
>> #!ifdef WITH_AUTH
>>     if (is_method("REGISTER"))
>>     {
>>         if(is_present_hf("Authorization"))
>>         {
>>             # ldap search
>>             if (!ldap_search("ldap://demo/ou=demo,dc=mydomain,dc=com?uid,userPassword?"))
>>             {
>>                 switch ($retcode)
>>                 {
>>                 case -1:
>>                     # no LDAP entry found
>>                     sl_send_reply("404", "User Not Found");
>>                     exit;
>>                 case -2:
>>                     # internal error
>>                     sl_send_reply("500", "Internal server error");
>>                     exit;
>>                 default:
>>                     exit;
>>                 }
>>             }
>>             ldap_result("uid/$avp(s:username)");
>>             ldap_result("userPassword/$avp(s:password)");
>>             xlog("L_INFO", "ldap_search: found [$retcode] entries for (uid=$fU)");
>>             if (!pv_www_authenticate("$td", "$avp(password)", "0")) {
>>                 www_challenge("$td", "1");
>>                 exit;
>>             }
>>             sl_send_reply("200", "ok");
>>             exit;
>>         } else {
>>             www_challenge("$td", "1");
>>             exit;
>>         }
>>     } else {
>>
>> And the error message:
>>
>> 3(22487) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=735 a=26 n=ldap_search
>> 3(22487) DEBUG: ldap [ldap_api_fn.c:273]: LDAP URL parsed into session_name [demo], base [ou=demo,dc=mydomain,dc=com], scope [0], filter []
>> 3(22487) DEBUG: ldap [ldap_api_fn.c:433]: [demo]: performing LDAP search: dn [ou=demo,dc=mydomain,dc=com], scope [0], filter [(null)], client_timeout [5000000] usecs
>> 3(22487) DEBUG: ldap [ldap_api_fn.c:240]: [demo]: [1] LDAP entries found
>> 3(22487) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=752 a=26 n=ldap_result
>> 3(22487) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=753 a=26 n=ldap_result
>> 3(22487) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=754 a=27 n=xlog
>> 3(22487) INFO: <script>: ldap_search: found [-1] entries for (uid=mmiller)
>> 3(22487) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=759 a=17 n=if
>> 3(22487) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=755 a=28 n=pv_www_authenticate
>> 3(22487) ERROR: <core> [sr_module.c:1613]: Could not convert PV to str
>> 3(22487) ERROR: auth [auth_mod.c:569]: failed to get passwd value
>> 3(22487) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=756 a=27 n=www_challenge
>> 3(22487) DEBUG: auth [challenge.c:102]: build_challenge_hf: realm='ip.of.sip.server'
>> 3(22487) DEBUG: auth [challenge.c:113]: build_challenge_hf: qop='auth'
>> 3(22487) DEBUG: auth [challenge.c:244]: auth: 'WWW-Authenticate: Digest realm="ip.of.sip.server", nonce="T6P5yU+j+J23OE93mPaektZpJszGpt/l", qop="auth"
>>
>> Any help is greatly appreciated!
>> Thanks
>>
>> On Thu, May 3, 2012 at 4:22 PM, Reda Aouad reda.aouad@gmail.com wrote:
>>
>>> Hi Saul,
>>>
>>> username_avp_spec was previously an AUTH module parameter to
>>> specify a variable that was passed to pv_www_authorize implicitly (the
>>> function doesn't take arguments). Now you should use the new
>>> pv_www_authenticate and pass to it explicitly the credentials as arguments.
>>>
>>> So forget about username_avp_spec since it doesn't exist as module
>>> param anymore (this is why you are getting the error). Store the result of
>>> ldap_search in the avps as in the tutorial using ldap_result, and pass them
>>> to pv_www_authenticate as parameters. pv_www_authenticate takes the
>>> following arguments:
>>> - realm: which you can get from "to domain" using $td
>>> - password: $avp(s:password)
>>> - flag: set it to 0 as a first test
>>>
>>> example:
>>> pv_www_authorize("$td", "$avp(s:password)", 0)
>>>
>>> This function takes the username from the authentication header,
>>> so no need to pass it anymore as argument.
>>>
>>> Reda
>>>
>>> On Thu, May 3, 2012 at 8:47 PM, Saul Waizer saulwaizer@gmail.com wrote:
>>>
>>>> Hello List,
>>>>
>>>> I am trying to incorporate an existing LDAP directory with our
>>>> Kamailio installation for SIP authentication. A good friend suggested to
>>>> check out this tutorial and adapt it to fit my needs (and current version)
>>>>
>>>> http://www.kamailio.org/dokuwiki/doku.php/tutorials:openser-auth-ldap
>>>>
>>>> It seems like the AUTH module does not contain the function
>>>> username_spec (which I believe is not used anymore) but the
>>>> username_avp_spec which is not part of the AUTH module but the H350 module
>>>> http://kamailio.org/docs/modules/3.2.x/modules_k/h350.html
>>>>
>>>> I enabled the h350 module and tried setting the params as
>>>> described in the documentation:
>>>>
>>>> modparam("auth", "username_spec", "$avp(s:username)")
>>>> modparam("auth", "password_spec", "$avp(s:password)")
>>>> modparam("auth", "calculate_ha1", 1)
>>>>
>>>> I got the following error after checking the configuration:
>>>>
>>>> ERROR: <core> [modparam.c:151]: set_mod_param_regex: parameter <username_spec> not found in module <auth>
>>>>
>>>> I am running kamailio 3.2.3 (i386/linux) Ubuntu
>>>>
>>>> Thank you in advance!
>>>>
>>>> _______________________________________________
>>>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
>>>> sr-users@lists.sip-router.org
>>>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users