Thanx for pointing that out Jan... I took a look at their website, but it seems that the LDAP module does not authenticate users, it just search for numbers or a uri... Text from their website: Exported Module Functions ldaps_lookup Perform an LDAPS lookup and if an entry is found, replace target uri. What I was looking for, was something to substitute the www_radius_authorize(). Maybe I misunderstood the information on the site, but I think that module does not authenticate users... If it does authenticate, could someone post or send me an example of use of this module? There is no documentation on their website and nothing on their README file... Regards, Felipe Louback On 11/10/05, Jan Janak <jan(a)iptel.org> wrote: -- Master Student - Electrical Engineering Department Computer Engineering and Telecommunications Research Group Universidade Federal de Minas Gerais - Brazil "Humanly speaking it is impossible; but with God anything is possible!" Jesus Christ in Matthews 19:26

Yes it will. Plizz wait! Grrr.... ;-)) ;-D -- Arek, Greger V. Teigre wrote: _______________________________________________ Serusers mailing list serusers(a)lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers

Jan, As I said to Greger, there are many many changes that will have to be made to the module. But as they will be going on parallel to my current work, I hope I can correct them quickly. If I find time to actually DO my current work. Imagine group handling - I made a wrong design requirement, I've put group membership inside every Ldap object. That is: if somebody is member of some group, he has special attribute (let's say 'memberOf') set to name of this group. This is wrong, as proper approach is to have groupOfNames (or groupOfUniqueNames) object and just put DN's of members into this. That is for example how LDAP groups are used in Radius, when working with LDAP backend... ... but according to Greger V.Teigre there is an issue with groupOfNames (thanks Greger). Some LDAP servers do not have built-in functions for efficiently checking group membership (i.e. OpenLDAP). We will have to make sure that the future implementation of group check algorithm will works across LDAP servers. What is more, from my experience I know we could have schema violations in some users when using empty 'groupOfNames' (without any 'member' attribute value - like if group has no members :-) ). This attribute is mandatory according to various schemas. However it is perfectly possible to enter empty value inside 'member' attribute'. So as you see plenty of work is to be done. -- Arek Jan Janak wrote: >Great, I am looking forward to it and hopefuly we can get it to the main >tree soon. > > Jan.

Jan, This is how I do it now. Consider this fragment of my cfg that I use on daily basis: # Busy redirection if( p_ldap_is_user_in("Request-URI", "divert_busy") ) { xlog( "L_DBG", "DEBUG: User wishes Busy divert\n" ); setflag(4); }; I was just proposing to change group handling in particular - that is: to migrate from storing Group in User profile to storing Users (their DNs) in Groups. Generally functions present in module can be used to verify the authenticity of the user or group membership. Other functions return a state of specific attribute (like boolean group membership above) or process SIP request according to specific attribute value (like prefix functions or alias functions). The thing I was discussing with Greger is that not all functions are meaningful for everybody; some of them were developed for specific purposes and generally no one will find them useful... However I have decided to leave them for historical reasons as I can imagine somebody could use them, possibly after modifications. So I have nothing against developing a <new> set of more <generic> functions. To be discussed. -- Arek Jan Janak wrote: _______________________________________________ Serusers mailing list serusers(a)lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers