Hello,
We have an LDAP database with many users' information and this is the one we use to implement most of our services; on the contrary, we have SER working with a SQL database. Our intention was to make the authentication against LDAP as well. After some research, we've seen there's no specific module for SER to work with LDAP and we have considered some alternatives, among them the "module" from ETH world http://www.ethworld.ethz.ch/technologies/sipeth/ser_modules/ldap. However, we didn't manage to make it work (if it's an advisable choice we'd appreciate some clues).
So, we decided to do the authentication through the RADIUS server. Nevertheless, we are having some problems with the way data is sent.
When doing the user authentication there's no problem, as it is sent in plain text, and we modified it to do it against the email attribute, as that is what we want. It works perfectly. But it turns out that when we try to do the password authentication, as the data sent from SER comes as a hash (user:realm:password) as far as we know, we don't really know how to compare it with the password field in LDAP (under the MD5 algorithm as well).
When we make a test over RADIUS by sending plain text it works perfectly, so it shouldn't be a problem searching the attributes over LDAP.
We have tried to follow the instructions to set the digest section properly but there's something we definitely miss.
Attached is a log from the RADIUS server when trying to log in with SER, and the Register section from SER.
log:
User-Name = "my.user@i2cat.net"
Digest-Attributes = 0x0a0b7061626c6f2e726f73
Digest-Attributes = 0x010b69326361742e6e6574
Digest-Attributes = 0x022a34626466643065343837303734363630626261366134363437663730313034343639663532306532
Digest-Attributes = 0x040f7369703a69326361742e6e6574
Digest-Attributes = 0x030a5245474953544552
Digest-Response = "6c95bcba1fca30e976fa9295025b1bf4"
Service-Type = Sip-Session
Sip-Uri-User = "my.user"
NAS-Port = 5060
NAS-IP-Address = 127.0.0.1
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_digest: Adding Auth-Type = DIGEST
++[digest] returns ok
rlm_realm: Looking up realm "i2cat.net" for User-Name = "my.user@i2cat.net"
rlm_realm: No such realm "i2cat.net"
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for my.user@i2cat.net
WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
expand: (mail=%{Stripped-User-Name:-%{User-Name}}) -> (mail=my.user@i2cat.net)
expand: ou=activat,ou=personal,dc=i2cat,dc=net -> ou=activat,ou=personal,dc=i2cat,dc=net
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.i2cat.net:389, authentication 0
rlm_ldap: bind as cn=anonim,dc=i2cat,dc=net/i2mngr to ldap.i2cat.net:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=activat,ou=personal,dc=i2cat,dc=net, with filter (mail=pablo.ros@i2cat.net)
rlm_ldap: No default NMAS login sequence
rlm_ldap: looking for check items in directory...
rlm_ldap: LDAP attribute userPassword as RADIUS attribute Digest-HA1 == "{md5}nCK4tZ5NNP48oT0wlXX+Jw=="
rlm_ldap: looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
rlm_ldap: user pablo.ros@i2cat.net authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
rad_check_password: Found Auth-Type DIGEST
auth: type "digest"
+- entering group authenticate
rlm_digest: Digest-HA1 has invalid length, authentication failed.
++[digest] returns invalid
auth: Failed to validate the user.
Login incorrect: [my.user@i2cat.net/<via Auth-Type = DIGEST>] (from client localhost port 5060)
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> my.user@i2cat.net
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
SER register -> User Authentication part

#------------------------------------------------------------------------
# Credential check for the users.
#------------------------------------------------------------------------
if (!is_user_in("From", "noauth")) {
    xlog("L_NOTICE", "SER-INFO: challenging user...\n");
    # IMPORTANT: radius_www_authorize only takes one parameter!
    if (!radius_www_authorize("")) {
        # The user is NOT registered correctly or the
        # credentials are not valid!
        # www_challenge() itself builds and sends the 401 reply carrying the
        # digest challenge, so no second (403) reply may be sent for the
        # same request.
        www_challenge("i2cat.net", "0");
        xlog("L_ALERT", "SER-ALERT r[4]-Bad Auth from <%fu>:(%is) [401 challenged]\n");
        break; # stop processing here
    };
    #--------------------------------------------------------------------
    # check_to
    #--------------------------------------------------------------------
    if (!check_to()) {
        xlog("L_ALERT", "SER-ALERT: check_to(): REG Spoofed attempt <%fu>:(%is)\n");
        sl_send_reply("403", "Use To=id next time :@");
        consume_credentials(); # make the session expire
        break;
    };
}
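The following is an added example, written for this page; it is not code from the original post, from FreeRADIUS or from SER. It decodes the five Digest-Attributes values exactly as printed in the log above (RFC 5090 sub-attributes: type byte, length byte, ASCII value) and then models the check rlm_digest performs, to show why the userPassword value mapped to Digest-HA1 fails. The attribute bytes, the Digest-Response and the "{md5}..." userPassword are copied from the log; the password "s3cret" and the userPassword derived from it are constructed for the demonstration, since the real password is not known.

```python
"""Decode SIP Digest attributes from a radiusd -X log and model rlm_digest's check.
Added example; not from the original post.  Only the attribute bytes, the
Digest-Response and the userPassword string are taken from the log."""
import base64
import hashlib
import hmac

# Digest-Attributes sub-attribute types (RFC 5090 / FreeRADIUS dictionary).
DIGEST_SUBTYPES = {
    1: "Digest-Realm", 2: "Digest-Nonce", 3: "Digest-Method", 4: "Digest-URI",
    5: "Digest-QOP", 6: "Digest-Algorithm", 7: "Digest-Body-Digest",
    8: "Digest-CNonce", 9: "Digest-Nonce-Count", 10: "Digest-User-Name",
}

# Values copied from the log above.
LOG_DIGEST_ATTRIBUTES = [
    "0x0a0b7061626c6f2e726f73",
    "0x010b69326361742e6e6574",
    "0x022a34626466643065343837303734363630626261366134363437663730313034343639663532306532",
    "0x040f7369703a69326361742e6e6574",
    "0x030a5245474953544552",
]
LOG_DIGEST_RESPONSE = "6c95bcba1fca30e976fa9295025b1bf4"
LOG_USERPASSWORD = "{md5}nCK4tZ5NNP48oT0wlXX+Jw=="   # what rlm_ldap handed to rlm_digest as Digest-HA1


def parse_digest_attributes(hex_values):
    """Each value is one sub-TLV; the length byte counts itself and the type byte."""
    attrs = {}
    for hv in hex_values:
        raw = bytes.fromhex(hv[2:] if hv.startswith("0x") else hv)
        sub_type, length = raw[0], raw[1]
        if length != len(raw):
            raise ValueError(f"sub-attribute {sub_type}: length byte {length} != {len(raw)} bytes")
        attrs[DIGEST_SUBTYPES.get(sub_type, f"Digest-Unknown-{sub_type}")] = raw[2:].decode("ascii")
    return attrs


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_ha1(user, realm, password):
    """HA1 = MD5(user:realm:password), the value rlm_digest expects in Digest-HA1."""
    return md5_hex(f"{user}:{realm}:{password}")


def digest_response(ha1, attrs):
    """RFC 2617 response; the log carries no Digest-QOP, so the RFC 2069 form applies."""
    ha2 = md5_hex(f"{attrs['Digest-Method']}:{attrs['Digest-URI']}")
    if "Digest-QOP" in attrs:
        return md5_hex(f"{ha1}:{attrs['Digest-Nonce']}:{attrs['Digest-Nonce-Count']}:"
                       f"{attrs['Digest-CNonce']}:{attrs['Digest-QOP']}:{ha2}")
    return md5_hex(f"{ha1}:{attrs['Digest-Nonce']}:{ha2}")


def verify(attrs, response, known_good):
    """known_good is ("cleartext", password) or ("ha1", 32 hex digits): the two
    forms rlm_digest accepts (Cleartext-Password or Digest-HA1)."""
    kind, value = known_good
    if kind == "ha1":
        if len(value) != 32:                      # the check that fails in the log
            return False, "Digest-HA1 has invalid length"
        ha1 = value
    else:
        ha1 = digest_ha1(attrs["Digest-User-Name"], attrs["Digest-Realm"], value)
    ok = hmac.compare_digest(digest_response(ha1, attrs), response)
    return ok, "ok" if ok else "Digest-Response mismatch"


def ldap_md5_digest(userpassword):
    """A {md5} userPassword is base64(MD5(password)): 16 bytes of MD5 over the password alone."""
    if not userpassword.startswith("{md5}"):
        raise ValueError("not an {md5} userPassword")
    return base64.b64decode(userpassword[5:])


def demo(password="s3cret"):   # constructed password for the demonstration
    attrs = parse_digest_attributes(LOG_DIGEST_ATTRIBUTES)
    user, realm = attrs["Digest-User-Name"], attrs["Digest-Realm"]
    # What a phone would send for the logged challenge if its password were "s3cret".
    response = digest_response(digest_ha1(user, realm, password), attrs)
    # What the directory would hold for that password, in the scheme seen in the log.
    stored = "{md5}" + base64.b64encode(hashlib.md5(password.encode()).digest()).decode()
    results = {
        "cleartext": verify(attrs, response, ("cleartext", password)),
        "ha1": verify(attrs, response, ("ha1", digest_ha1(user, realm, password))),
        # the raw attribute is 29 characters, so the length check rejects it (as in the log)
        "raw_userPassword_as_ha1": verify(attrs, response, ("ha1", stored)),
        # hex-decoding gives 32 hex digits, but of MD5(password), not MD5(user:realm:password)
        "md5_of_password_as_ha1": verify(attrs, response, ("ha1", ldap_md5_digest(stored).hex())),
        # the exact combination from the log
        "log_userPassword_as_ha1": verify(attrs, LOG_DIGEST_RESPONSE, ("ha1", LOG_USERPASSWORD)),
    }
    return attrs, results
```

The decoded attributes are Digest-User-Name "pablo.ros", Digest-Realm "i2cat.net", Digest-Method "REGISTER", Digest-URI "sip:i2cat.net" and a 40-hex-digit nonce. rlm_digest needs either the cleartext password or a 32-hex-digit HA1 = MD5(user:realm:password); a {md5} userPassword is neither: as stored it is 29 characters (hence the "invalid length" line), and even hex-decoded it is a hash of the wrong string, so no ldap.attrmap entry can turn it into Digest-HA1. The directory would have to hold the cleartext (mapped to Cleartext-Password) or a precomputed HA1 for the SIP realm; note that a stored HA1 is a password-equivalent for that realm and, since the challenge here carries no qop, a captured Digest-Response can be attacked offline at the speed of MD5.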
Hello,
On 5/4/10 10:03 AM, Pablo Ros wrote:
Hello,
We have an LDAP database with many users' information and this is the one we use to implement most of our services; on the contrary, we have SER working with a SQL database. Our intention was to make the authentication against LDAP as well. After some research, we've seen there's no specific module for SER to work with LDAP and we have considered some alternatives, among them the "module" from ETH world http://www.ethworld.ethz.ch/technologies/sipeth/ser_modules/ldap. However, we didn't manage to make it work (if it's an advisable choice we'd appreciate some clues).
But you have LDAP support in SER: http://sip-router.org/docbook/sip-router/branch/master/modules_s/ldap/ldap.h...
AFAIK, you can use it instead of the DB driver.
With version 3.0 you have one more option that came from Kamailio (OpenSER): http://sip-router.org/docbook/sip-router/branch/master/modules_k/ldap/ldap.h...
This one you can use to query LDAP and get the password in the config file, from where you can do the authentication via the auth module (from modules_k).
Cheers, Daniel
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users