Is there any way to authenticate SER users in LDAP without the use of RADIUS? If there is, could anyone point out where I could find information about it?
I've searched some documents but found nothing about authentication with LDAP without using RADIUS....
Regards,
Felipe
--
Master Student - Electrical Engineering Department Computer Engineering and Telecommunications Research Group Universidade Federal de Minas Gerais - Brazil
"Humanly speaking it is impossible; but with God anything is possible!" Jesus Christ in Matthews 19:26
http://www.ethworld.ethz.ch/technologies/sipeth/ser_modules
Jan.
On 10-11-2005 09:57, Felipe Louback wrote:
> Is there any way to authenticate SER users in LDAP without the use of RADIUS? If there is, could anyone point out where I could find information about it?
> I've searched some documents but found nothing about authentication with LDAP without using RADIUS....
> Regards,
> Felipe
Serusers mailing list serusers@lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers
Thanx for pointing that out Jan...
I took a look at their website, but it seems that the LDAP module does not authenticate users, it just searches for numbers or a uri...
Text from their website:
Exported Module Functions
ldaps_lookup
Perform an LDAPS lookup and if an entry is found, replace target uri.
What I was looking for, was something to substitute the www_radius_authorize(). Maybe I misunderstood the information on the site, but I think that module does not authenticate users... If it does authenticate, could someone post or send me an example of use of this module? There is no documentation on their website and nothing on their README file...
Regards,
Felipe Louback
On 11/10/05, Jan Janak jan@iptel.org wrote:
> http://www.ethworld.ethz.ch/technologies/sipeth/ser_modules
> Jan.
I did some search on their website and it seems that they also use radius for user authentication: http://www.ethworld.ethz.ch/technologies/sipeth/notes
Felipe
On 11/10/05, Felipe Louback louback@gmail.com wrote:
> Thanx for pointing that out Jan...
> I took a look at their website, but it seems that the LDAP module does not authenticate users, it just searches for numbers or a uri...
> Text from their website:
> Exported Module Functions
> ldaps_lookup
> Perform an LDAPS lookup and if an entry is found, replace target uri.
> What I was looking for, was something to substitute the www_radius_authorize(). Maybe I misunderstood the information on the site, but I think that module does not authenticate users... If it does authenticate, could someone post or send me an example of use of this module? There is no documentation on their website and nothing on their README file...
> Regards,
> Felipe Louback
Yes, that module does not do authentication.
g-)
----- Original Message -----
From: "Felipe Louback" louback@gmail.com
To: "Felipe Louback" louback@gmail.com; serusers@lists.iptel.org
Sent: Thursday, November 10, 2005 1:18 PM
Subject: Re: [Serusers] SER and LDAP
> Thanx for pointing that out Jan...
> I took a look at their website, but it seems that the LDAP module does not authenticate users, it just searches for numbers or a uri...
> Text from their website:
> Exported Module Functions
> ldaps_lookup
> Perform an LDAPS lookup and if an entry is found, replace target uri.
> What I was looking for, was something to substitute the www_radius_authorize(). Maybe I misunderstood the information on the site, but I think that module does not authenticate users... If it does authenticate, could someone post or send me an example of use of this module? There is no documentation on their website and nothing on their README file...
> Regards,
> Felipe Louback
An LDAP module based on the module Jan sent a link to will (probably) be submitted to the experimental directory shortly...
g-)
----- Original Message -----
From: "Felipe Louback" louback@gmail.com
To: serusers@lists.iptel.org
Sent: Thursday, November 10, 2005 12:57 PM
Subject: [Serusers] SER and LDAP
> Is there any way to authenticate SER users in LDAP without the use of RADIUS? If there is, could anyone point out where I could find information about it?
> I've searched some documents but found nothing about authentication with LDAP without using RADIUS....
> Regards,
> Felipe
Yes it will. Plizz wait!
Grrr.... ;-))
;-D
-- Arek,
Greger V. Teigre wrote:
> An LDAP module based on the module Jan sent a link to will (probably) be submitted to the experimental directory shortly... g-)
Great, I am looking forward to it and hopefully we can get it to the main tree soon.
Jan.
On 10-11-2005 16:33, Arek Bekiersz wrote:
> Yes it will. Plizz wait!
> Grrr.... ;-))
> ;-D
> -- Arek,
Jan,
As I said to Greger, there are many many changes that will have to be made to the module. But as they will be going on parallel to my current work, I hope I can correct them quickly. If I find time to actually DO my current work.
Imagine group handling - I made a wrong design requirement, I've put group membership inside every Ldap object. That is: if somebody is member of some group, he has special attribute (let's say 'memberOf') set to name of this group.
This is wrong, as proper approach is to have groupOfNames (or groupOfUniqueNames) object and just put DN's of members into this. That is for example how LDAP groups are used in Radius, when working with LDAP backend...
... but according to Greger V. Teigre there is an issue with groupOfNames (thanks Greger). Some LDAP servers do not have built-in functions for efficiently checking group membership (i.e. OpenLDAP). We will have to make sure that the future implementation of group check algorithm will work across LDAP servers.
What is more, from my experience I know we could have schema violations in some users when using empty 'groupOfNames' (without any 'member' attribute value - like if group has no members :-) ). This attribute is mandatory according to various schemas. However it is perfectly possible to enter empty value inside 'member' attribute.
So as you see plenty of work is to be done.
-- Arek
Jan Janak wrote:
> Great, I am looking forward to it and hopefully we can get it to the main tree soon.
> Jan.
I am no LDAP expert, but I would like to propose that we do group membership checking in SER instead (in the configuration file).
Other authentication modules (radius and database) make it possible to load a set of name-value pairs during authentication. Those pairs will be stored in AVPs (Attribute-Value pairs) in SER and SER has a variety of functions to process them.
Thus we could have an attribute named "Group" which will contain all groups the user belongs to. So, in my opinion, all that the LDAP authentication module has to do is to verify the authenticity of the user and return a set of attributes associated with the authenticated user.
What do you think? This way we can have group checking independent of the authentication method. You could also store additional data attributes in LDAP that can be later used by SER, such as call forwarding rules (call forward on busy, call forward on no answer, and so on).
Jan.
On 10-11-2005 16:47, Arek Bekiersz wrote:
> Jan,
> As I said to Greger, there are many many changes that will have to be made to the module. But as they will be going on parallel to my current work, I hope I can correct them quickly. If I find time to actually DO my current work.
> Imagine group handling - I made a wrong design requirement, I've put group membership inside every Ldap object. That is: if somebody is member of some group, he has special attribute (let's say 'memberOf') set to name of this group.
> This is wrong, as proper approach is to have groupOfNames (or groupOfUniqueNames) object and just put DN's of members into this. That is for example how LDAP groups are used in Radius, when working with LDAP backend...
> ... but according to Greger V. Teigre there is an issue with groupOfNames (thanks Greger). Some LDAP servers do not have built-in functions for efficiently checking group membership (i.e. OpenLDAP). We will have to make sure that the future implementation of group check algorithm will work across LDAP servers.
> What is more, from my experience I know we could have schema violations in some users when using empty 'groupOfNames' (without any 'member' attribute value - like if group has no members :-) ). This attribute is mandatory according to various schemas. However it is perfectly possible to enter empty value inside 'member' attribute.
> So as you see plenty of work is to be done.
> -- Arek
Jan,
This is how I do it now. Consider this fragment of my cfg that I use on daily basis:
    # Busy redirection
    if( p_ldap_is_user_in("Request-URI", "divert_busy") ) {
        xlog( "L_DBG", "DEBUG: User wishes Busy divert\n" );
        setflag(4);
    };
I was just proposing to change group handling in particular - that is: to migrate from storing Group in User profile to storing Users (their DNs) in Groups.
Generally functions present in module can be used to verify the authenticity of the user or group membership. Other functions return a state of specific attribute (like boolean group membership above) or process SIP request according to specific attribute value (like prefix functions or alias functions).
The thing I was discussing with Greger is that not all functions are meaningful for everybody; some of them were developed for specific purposes and generally no one will find them useful... However I have decided to leave them for historical reasons as I can imagine somebody could use them, possibly after modifications.
So I have nothing against developing a <new> set of more <generic> functions. To be discussed.
-- Arek
Jan Janak wrote:
> I am no LDAP expert, but I would like to propose that we do group membership checking in SER instead (in the configuration file).
> Other authentication modules (radius and database) make it possible to load a set of name-value pairs during authentication. Those pairs will be stored in AVPs (Attribute-Value pairs) in SER and SER has a variety of functions to process them.
> Thus we could have an attribute named "Group" which will contain all groups the user belongs to. So, in my opinion, all that the LDAP authentication module has to do is to verify the authenticity of the user and return a set of attributes associated with the authenticated user.
> What do you think? This way we can have group checking independent of the authentication method. You could also store additional data attributes in LDAP that can be later used by SER, such as call forwarding rules (call forward on busy, call forward on no answer, and so on).
> Jan.
Only usage will show what people really use... I suggest that the ldap_is_user_in function is used for now (which is basically what is used for sql and radius). However, I suggest adding a parameter that will control whether an "attribute in object" or "groupOfNames" search is done (modparam("ldap","group_method","1/0") ). Using the "attribute in object" approach is not exploiting the efficiency of LDAP as a directory server (and provisioning of an account in a group requires touching the account). Using groupOfNames (with an LDAP server having implemented an efficient lookup functionality) combines speed with data model soundness. g-)
----- Original Message -----
From: "Arek Bekiersz" sip@perceval.net
To: "Jan Janak" jan@iptel.org
Cc: serusers@lists.iptel.org
Sent: Thursday, November 10, 2005 5:23 PM
Subject: Re: [Serusers] SER and LDAP
> Jan,
> This is how I do it now. Consider this fragment of my cfg that I use on daily basis:
>     # Busy redirection
>     if( p_ldap_is_user_in("Request-URI", "divert_busy") ) {
>         xlog( "L_DBG", "DEBUG: User wishes Busy divert\n" );
>         setflag(4);
>     };
> I was just proposing to change group handling in particular - that is: to migrate from storing Group in User profile to storing Users (their DNs) in Groups.
> Generally functions present in module can be used to verify the authenticity of the user or group membership. Other functions return a state of specific attribute (like boolean group membership above) or process SIP request according to specific attribute value (like prefix functions or alias functions).
> The thing I was discussing with Greger is that not all functions are meaningful for everybody; some of them were developed for specific purposes and generally no one will find them useful... However I have decided to leave them for historical reasons as I can imagine somebody could use them, possibly after modifications.
> So I have nothing against developing a <new> set of more <generic> functions. To be discussed.
> -- Arek
Serusers mailing list serusers@lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers
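The two group models discussed in this thread, and the memberless-group case Arek raises, as an added example (not code from the SER LDAP module or from any poster): it builds the search filter for each model behind a `group_method` switch like the one Greger suggests and evaluates it against a constructed in-memory directory. The attribute name `memberOf`, the `dc=example,dc=org` entries and the toy `search` evaluator are assumptions made for the illustration.

```python
import re

# RFC 4515 escaping: the user part comes from the SIP Request-URI, so it is
# untrusted and must never be pasted into a filter unescaped.
_ESC = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    return "".join(_ESC.get(ch, ch) for ch in value)

def membership_filter(group_method, uid, user_dn, group):
    """0 = "attribute in object" (group name stored on the user entry),
    1 = groupOfNames (user DN listed in the group entry)."""
    g = escape_filter_value(group)
    if group_method == 0:
        return "(&(uid=%s)(memberOf=%s))" % (escape_filter_value(uid), g)
    return "(&(objectClass=groupOfNames)(cn=%s)(member=%s))" % (
        g, escape_filter_value(user_dn))

# Constructed sample directory (assumed names): alice uses the old model, bob the new.
PEOPLE, GROUPS = "ou=people,dc=example,dc=org", "ou=groups,dc=example,dc=org"
DIRECTORY = {
    "uid=alice," + PEOPLE: {"uid": ["alice"], "memberOf": ["divert_busy"]},
    "uid=bob," + PEOPLE: {"uid": ["bob"]},
    "cn=divert_busy," + GROUPS: {"objectClass": ["groupOfNames"],
                                 "cn": ["divert_busy"],
                                 "member": ["uid=bob," + PEOPLE]},
    # Group with no members: 'member' is mandatory, so it holds an empty value.
    "cn=empty_group," + GROUPS: {"objectClass": ["groupOfNames"],
                                 "cn": ["empty_group"], "member": [""]},
}

_TERM = r"\(([A-Za-z]+)=((?:[^()\\*]|\\[0-9a-f]{2})*)\)"
_FILTER = re.compile(r"%s|\(&(?:%s)+\)" % (_TERM, _TERM))

def search(directory, ldap_filter):
    """Toy evaluator (assumption): supports only AND-of-equality filters."""
    if not _FILTER.fullmatch(ldap_filter):
        raise ValueError("unsupported filter: " + ldap_filter)
    unescape = lambda v: re.sub(r"\\([0-9a-f]{2})",
                                lambda m: chr(int(m.group(1), 16)), v)
    terms = [(a.lower(), unescape(v)) for a, v in re.findall(_TERM, ldap_filter)]
    def matches(attrs):
        have = {k.lower(): v for k, v in attrs.items()}
        return all(val in have.get(attr, []) for attr, val in terms)
    return [dn for dn, attrs in directory.items() if matches(attrs)]

def is_user_in(directory, uid, group, group_method):
    users = search(directory, "(uid=%s)" % escape_filter_value(uid))
    if len(users) != 1:
        # Unknown or ambiguous user: stop here. An empty DN would otherwise
        # match the empty 'member' placeholder of a memberless group.
        return False
    f = membership_filter(group_method, uid, users[0], group)
    return bool(search(directory, f))
```

With this data the two models disagree: alice is a member of `divert_busy` only under method 0 and bob only under method 1, which is the migration gap a `group_method` switch has to account for.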