5 May
2012
5 May
'12
2:56 a.m.
Sorry didn't reply to mailing list before. Emails are below.
SHA1 encryption may not encrypt the same way as HA1 (HA1 = MD5 of realm +
username + password), so the problem may be here.
I suggest you store your passwords as clear text in LDAP for testing first.
Reda
On Fri, May 4, 2012 at 11:14 PM, Saul Waizer <saulwaizer(a)gmail.com> wrote:
with the variations I get different results:
4(24126) ERROR: <script>: Password={SHA}v/m3IZiuy+VVizqnt56e2baZsT8=
4(24126) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=760 a=17 n=if
4(24126) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=756 a=28
n=pv_www_authenticate
4(24126) DEBUG: auth [api.c:95]: auth: digest-algo: MD5 parsed value: 1
4(24126) DEBUG: auth [api.c:210]: check_response: Our result =
'3839aa4cae572f5f8b23601a2bb1178f'
4(24126) DEBUG: auth [api.c:220]: check_response: Authorization failed
On Fri, May 4, 2012 at 3:11 PM, Saul Waizer <saulwaizer(a)gmail.com> wrote:
Also: i used xlog to print out the password and I
get the same exact
password I have on my LDAP server, so it seems something with the decoding
On Fri, May 4, 2012 at 3:01 PM, Saul Waizer <saulwaizer(a)gmail.com> wrote:
Now i got it down to this:
2(23003) INFO: <script>: ldap_search: found [1] entries for
(uid=mmiller) 2(23003) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg]
l=759 a=17 n=if
2(23003) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=755 a=28
n=pv_www_authenticate
2(23003) DEBUG: auth [api.c:95]: auth: digest-algo: MD5 parsed value: 1
2(23003) DEBUG: auth [auth_mod.c:455]: HA1 string calculated:
c69622bbd922ec9321ab1293c226b703
2(23003) DEBUG: auth [api.c:210]: check_response: Our result =
'939676a5591165f1da8ba04562d446b2'
2(23003) DEBUG: auth [api.c:220]: check_response: Authorization failed
2(23003) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=756 a=27
n=www_challenge
2(23003) DEBUG: auth [challenge.c:102]: build_challenge_hf:
realm='23.22.35.43'
2(23003) DEBUG: auth [challenge.c:244]: auth: 'WWW-Authenticate: Digest
realm="23.22.35.43", nonce="T6Qn/E+kJtAU7IvGh4OLivg7ptLbdida"
I have changed the values of:
if (!pv_www_authenticate("$td", "$avp(password)", "0"))
{
www_challenge("$td", "0");
to:
if (!pv_www_authenticate("$td", "$avp(password)", "1"))
{
www_challenge("$td", "0");
because of the password in LDAP is stored as SHA1, and according to
the docs, it should be 1. I'm so close it seems :)
*flags* - the value of this parameter can be a bitmask of following:
-
*1* - the value of password parameter is HA1 format
On Fri, May 4, 2012 at 2:47 PM, Reda Aouad <reda.aouad(a)gmail.com> wrote:
can you also print the avp(s:password) to log to
see what its value is?
use:
xlog('Password=$avp(s:password)')
after ldap_search and you'll see its output in the log file
maybe you're not correctly getting the password from the ldap search
url, avp(s:password) is then null and you get the error that it can't be
converted to string
Reda
On Fri, May 4, 2012 at 8:40 PM, Reda Aouad <reda.aouad(a)gmail.com>wrote;wrote:
> in the line
> if (!pv_www_authenticate("$td", "$avp(password)", "0"))
{
>
> write avp(s:password) instead of avp(password)
> not sure it will solve it though.. if it doesn't, maybe others can
> help you more on this.
>
> Reda
>
>
>
> On Fri, May 4, 2012 at 5:50 PM, Saul Waizer <saulwaizer(a)gmail.com>wrote;wrote:
>
>> Hello Reda,
>>
>> Thank you for your feedback, after some further research and testing
>> I got the LDAP search working, I am just having one issue with the password
>> variable:
>>
>> 3(22487) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=755
>> a=28 n=pv_www_authenticate
>> 3(22487) ERROR: <core> [sr_module.c:1613]: Could not convert PV to
>> str
>> 3(22487) ERROR: auth [auth_mod.c:569]: failed to get passwd value
>>
>> My relevant configuration:
>>
>> route[AUTH] {
>> #!ifdef WITH_AUTH
>> if (is_method("REGISTER"))
>> {
>> if(is_present_hf("Authorization"))
>> {
>> # ldap search
>>
>> if
>>
(!ldap_search("ldap://demo/ou=demo,dc=mydomain,dc=com?uid,userPassword?"))
>>
>> {
>> switch ($retcode)
>> {
>> case -1:
>> # no LDAP entry found
>> sl_send_reply("404", "User Not
Found");
>> exit;
>> case -2:
>> # internal error
>> sl_send_reply("500", "Internal server
error");
>> exit;
>> default:
>> exit;
>> }
>> }
>> ldap_result("uid/$avp(s:username)");
>> ldap_result("userPassword/$avp(s:password)");
>> xlog("L_INFO", "ldap_search: found [$retcode] entries
for
>> (uid=$fU)");
>> if (!pv_www_authenticate("$td", "$avp(password)",
"0")) {
>> www_challenge("$td", "1");
>> exit;
>> }
>> sl_send_reply("200", "ok");
>> exit;
>> } else {
>> www_challenge("$td", "1");
>> exit;
>> }
>> } else {
>>
>> And the error message:
>>
>> 3(22487) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=735
>> a=26 n=ldap_search
>> 3(22487) DEBUG: ldap [ldap_api_fn.c:273]: LDAP URL parsed into
>> session_name [demo], base [ou=demo,dc=mydomain,dc=com], scope [0], filter []
>> 3(22487) DEBUG: ldap [ldap_api_fn.c:433]: [demo]: performing LDAP
>> search: dn [ou=demo,dc=mydomain,dc=com], scope [0], filter [(null)],
>> client_timeout [5000000] usecs
>> 3(22487) DEBUG: ldap [ldap_api_fn.c:240]: [demo]: [1] LDAP entries
>> found
>> 3(22487) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=752
>> a=26 n=ldap_result
>> 3(22487) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=753
>> a=26 n=ldap_result
>> 3(22487) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=754
>> a=27 n=xlog
>> 3(22487) INFO: <script>: ldap_search: found [-1] entries for
>> (uid=mmiller) 3(22487) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg]
>> l=759 a=17 n=if
>> 3(22487) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=755
>> a=28 n=pv_www_authenticate
>> 3(22487) ERROR: <core> [sr_module.c:1613]: Could not convert PV to
>> str
>> 3(22487) ERROR: auth [auth_mod.c:569]: failed to get passwd value
>> 3(22487) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=756
>> a=27 n=www_challenge
>> 3(22487) DEBUG: auth [challenge.c:102]: build_challenge_hf:
>> realm='ip.of.sip.server'
>> 3(22487) DEBUG: auth [challenge.c:113]: build_challenge_hf:
>> qop='auth'
>> 3(22487) DEBUG: auth [challenge.c:244]: auth: 'WWW-Authenticate:
>> Digest realm="ip.of.sip.server",
nonce="T6P5yU+j+J23OE93mPaektZpJszGpt/l",
>> qop="auth"
>>
>> Any help is greatly appreciated!
>> Thanks
>>
>>
>>
>> On Thu, May 3, 2012 at 4:22 PM, Reda Aouad <reda.aouad(a)gmail.com>wrote;wrote:
>>
>>> Hi Saul,
>>>
>>> username_avp_spec was previously a AUTH module parameter to specify
>>> a variable that was passed to pv_www_authorize implicitly (the function
>>> doesn't take arguments). Now you should use the new
>>> pv_www_authenticate and pass to it explicitly the credentials as arguments.
>>>
>>> So forget about username_avp_spec since it doesn't exist as module
>>> param anymore (this is why you are getting the error). Store the result of
>>> ldap_search in the avps as in the tutorial using ldap_result, and pass them
>>> to pv_www_authenticate as parameters. pv_www_authenticate takes the
>>> following arguments:
>>> - realm: which you can get from "to domain" using $td
>>> - password: $avp(s:password)
>>> - flag: set it to 0 as a first test
>>>
>>> example:
>>> pv_www_authorize("$td", "$avp(s:password)", 0)
>>>
>>> This function takes the username from the authentication header, so
>>> no need to pass it anymore as argument.
>>>
>>> Reda
>>>
>>>
>>>
>>> On Thu, May 3, 2012 at 8:47 PM, Saul Waizer
<saulwaizer(a)gmail.com>wrote;wrote:
>>>
>>>> Hello List,
>>>>
>>>> I am trying to incorporate an existing LDAP directory with our
>>>> Kamailio installation for SIP authentication. A good friend suggested to
>>>> checkout this tutorial and adapt it to fit my needs (and current
version)
>>>>
>>>>
>>>> http://www.kamailio.org/dokuwiki/doku.php/tutorials:openser-auth-ldap
>>>>
>>>> It seems like the AUTH module does not contain the function
>>>> username_spec (which I believe is not used anymore) but the
>>>> username_avp_spec which is not part of the AUTH module but the H350
module
>>>> http://kamailio.org/docs/modules/3.2.x/modules_k/h350.html
>>>>
>>>> I enabled the h350 module and tried setting the params as described
>>>> in the documentation:
>>>>
>>>> modparam("auth", "username_spec",
"$avp(s:username)")
>>>> modparam("auth", "password_spec",
"$avp(s:password)")
>>>> modparam("auth", "calculate_ha1", 1)
>>>>
>>>> I got the following error after checking the configuration:
>>>>
>>>> ERROR: <core> [modparam.c:151]: set_mod_param_regex: parameter
>>>> <username_spec> not found in module <auth>
>>>>
>>>> I am running kamailio 3.2.3 (i386/linux) Ubuntu
>>>>
>>>> Thank you in advance!
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing
>>>> list
>>>> sr-users(a)lists.sip-router.org
>>>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>>>>
>>>>
>>>
>>
>
7 May
7 May
7:52 p.m.
New subject: Kamailio LDAP integration
Thank you Reda,
Is there a way to utilize external scripts for authentication? Like bash,
php etc? I cannot change the format of the LDAP but I am thinking about
other methods that could possibly work too utilizing the same
pv_www_authenticate logic, however these would require some external script
processing.
Example: SSO Authentication.
SIP user ----> SIP server ----> external auth script ----> OpenSSO server
Thank you
On Fri, May 4, 2012 at 5:56 PM, Reda Aouad <reda.aouad(a)gmail.com> wrote:
Sorry didn't reply to mailing list before. Emails
are below.
SHA1 encryption may not encrypt the same way as HA1 (HA1 = MD5 of realm +
username + password), so the problem may be here.
I suggest you store your passwords as clear text in LDAP for testing first.
Reda
On Fri, May 4, 2012 at 11:14 PM, Saul Waizer <saulwaizer(a)gmail.com> wrote:
with the variations I get different results:
4(24126) ERROR: <script>: Password={SHA}v/m3IZiuy+VVizqnt56e2baZsT8=
4(24126) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=760 a=17 n=if
4(24126) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=756 a=28
n=pv_www_authenticate
4(24126) DEBUG: auth [api.c:95]: auth: digest-algo: MD5 parsed value: 1
4(24126) DEBUG: auth [api.c:210]: check_response: Our result =
'3839aa4cae572f5f8b23601a2bb1178f'
4(24126) DEBUG: auth [api.c:220]: check_response: Authorization failed
On Fri, May 4, 2012 at 3:11 PM, Saul Waizer <saulwaizer(a)gmail.com> wrote:
Also: i used xlog to print out the password and I
get the same exact
password I have on my LDAP server, so it seems something with the decoding
On Fri, May 4, 2012 at 3:01 PM, Saul Waizer <saulwaizer(a)gmail.com>wrote;wrote:
Now i got it down to this:
2(23003) INFO: <script>: ldap_search: found [1] entries for
(uid=mmiller) 2(23003) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg]
l=759 a=17 n=if
2(23003) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=755
a=28 n=pv_www_authenticate
2(23003) DEBUG: auth [api.c:95]: auth: digest-algo: MD5 parsed value: 1
2(23003) DEBUG: auth [auth_mod.c:455]: HA1 string calculated:
c69622bbd922ec9321ab1293c226b703
2(23003) DEBUG: auth [api.c:210]: check_response: Our result =
'939676a5591165f1da8ba04562d446b2'
2(23003) DEBUG: auth [api.c:220]: check_response: Authorization failed
2(23003) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=756
a=27 n=www_challenge
2(23003) DEBUG: auth [challenge.c:102]: build_challenge_hf:
realm='23.22.35.43'
2(23003) DEBUG: auth [challenge.c:244]: auth: 'WWW-Authenticate:
Digest realm="23.22.35.43", nonce="T6Qn/E+kJtAU7IvGh4OLivg7ptLbdida"
I have changed the values of:
if (!pv_www_authenticate("$td", "$avp(password)", "0"))
{
www_challenge("$td", "0");
to:
if (!pv_www_authenticate("$td", "$avp(password)", "1"))
{
www_challenge("$td", "0");
because of the password in LDAP is stored as SHA1, and according to
the docs, it should be 1. I'm so close it seems :)
*flags* - the value of this parameter can be a bitmask of following:
-
*1* - the value of password parameter is HA1 format
On Fri, May 4, 2012 at 2:47 PM, Reda Aouad <reda.aouad(a)gmail.com>wrote;wrote:
> can you also print the avp(s:password) to log to see what its value is?
> use:
> xlog('Password=$avp(s:password)')
> after ldap_search and you'll see its output in the log file
> maybe you're not correctly getting the password from the ldap search
> url, avp(s:password) is then null and you get the error that it can't be
> converted to string
>
> Reda
>
>
>
> On Fri, May 4, 2012 at 8:40 PM, Reda Aouad <reda.aouad(a)gmail.com>wrote;wrote:
>
>> in the line
>> if (!pv_www_authenticate("$td", "$avp(password)",
"0")) {
>>
>> write avp(s:password) instead of avp(password)
>> not sure it will solve it though.. if it doesn't, maybe others can
>> help you more on this.
>>
>> Reda
>>
>>
>>
>> On Fri, May 4, 2012 at 5:50 PM, Saul Waizer <saulwaizer(a)gmail.com>wrote;wrote:
>>
>>> Hello Reda,
>>>
>>> Thank you for your feedback, after some further research and testing
>>> I got the LDAP search working, I am just having one issue with the password
>>> variable:
>>>
>>> 3(22487) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=755
>>> a=28 n=pv_www_authenticate
>>> 3(22487) ERROR: <core> [sr_module.c:1613]: Could not convert PV to
>>> str
>>> 3(22487) ERROR: auth [auth_mod.c:569]: failed to get passwd value
>>>
>>> My relevant configuration:
>>>
>>> route[AUTH] {
>>> #!ifdef WITH_AUTH
>>> if (is_method("REGISTER"))
>>> {
>>> if(is_present_hf("Authorization"))
>>> {
>>> # ldap search
>>>
>>> if
>>>
(!ldap_search("ldap://demo/ou=demo,dc=mydomain,dc=com?uid,userPassword?"))
>>>
>>> {
>>> switch ($retcode)
>>> {
>>> case -1:
>>> # no LDAP entry found
>>> sl_send_reply("404", "User Not
Found");
>>> exit;
>>> case -2:
>>> # internal error
>>> sl_send_reply("500", "Internal server
error");
>>> exit;
>>> default:
>>> exit;
>>> }
>>> }
>>> ldap_result("uid/$avp(s:username)");
>>> ldap_result("userPassword/$avp(s:password)");
>>> xlog("L_INFO", "ldap_search: found [$retcode]
entries
>>> for (uid=$fU)");
>>> if (!pv_www_authenticate("$td",
"$avp(password)", "0")) {
>>> www_challenge("$td", "1");
>>> exit;
>>> }
>>> sl_send_reply("200", "ok");
>>> exit;
>>> } else {
>>> www_challenge("$td", "1");
>>> exit;
>>> }
>>> } else {
>>>
>>> And the error message:
>>>
>>> 3(22487) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=735
>>> a=26 n=ldap_search
>>> 3(22487) DEBUG: ldap [ldap_api_fn.c:273]: LDAP URL parsed into
>>> session_name [demo], base [ou=demo,dc=mydomain,dc=com], scope [0], filter []
>>> 3(22487) DEBUG: ldap [ldap_api_fn.c:433]: [demo]: performing LDAP
>>> search: dn [ou=demo,dc=mydomain,dc=com], scope [0], filter [(null)],
>>> client_timeout [5000000] usecs
>>> 3(22487) DEBUG: ldap [ldap_api_fn.c:240]: [demo]: [1] LDAP entries
>>> found
>>> 3(22487) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=752
>>> a=26 n=ldap_result
>>> 3(22487) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=753
>>> a=26 n=ldap_result
>>> 3(22487) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=754
>>> a=27 n=xlog
>>> 3(22487) INFO: <script>: ldap_search: found [-1] entries for
>>> (uid=mmiller) 3(22487) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg]
>>> l=759 a=17 n=if
>>> 3(22487) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=755
>>> a=28 n=pv_www_authenticate
>>> 3(22487) ERROR: <core> [sr_module.c:1613]: Could not convert PV to
>>> str
>>> 3(22487) ERROR: auth [auth_mod.c:569]: failed to get passwd value
>>> 3(22487) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=756
>>> a=27 n=www_challenge
>>> 3(22487) DEBUG: auth [challenge.c:102]: build_challenge_hf:
>>> realm='ip.of.sip.server'
>>> 3(22487) DEBUG: auth [challenge.c:113]: build_challenge_hf:
>>> qop='auth'
>>> 3(22487) DEBUG: auth [challenge.c:244]: auth: 'WWW-Authenticate:
>>> Digest realm="ip.of.sip.server",
nonce="T6P5yU+j+J23OE93mPaektZpJszGpt/l",
>>> qop="auth"
>>>
>>> Any help is greatly appreciated!
>>> Thanks
>>>
>>>
>>>
>>> On Thu, May 3, 2012 at 4:22 PM, Reda Aouad
<reda.aouad(a)gmail.com>wrote;wrote:
>>>
>>>> Hi Saul,
>>>>
>>>> username_avp_spec was previously a AUTH module parameter to specify
>>>> a variable that was passed to pv_www_authorize implicitly (the function
>>>> doesn't take arguments). Now you should use the new
>>>> pv_www_authenticate and pass to it explicitly the credentials as
arguments.
>>>>
>>>> So forget about username_avp_spec since it doesn't exist as module
>>>> param anymore (this is why you are getting the error). Store the result
of
>>>> ldap_search in the avps as in the tutorial using ldap_result, and pass
them
>>>> to pv_www_authenticate as parameters. pv_www_authenticate takes the
>>>> following arguments:
>>>> - realm: which you can get from "to domain" using $td
>>>> - password: $avp(s:password)
>>>> - flag: set it to 0 as a first test
>>>>
>>>> example:
>>>> pv_www_authorize("$td", "$avp(s:password)", 0)
>>>>
>>>> This function takes the username from the authentication header, so
>>>> no need to pass it anymore as argument.
>>>>
>>>> Reda
>>>>
>>>>
>>>>
>>>> On Thu, May 3, 2012 at 8:47 PM, Saul Waizer
<saulwaizer(a)gmail.com>wrote;wrote:
>>>>
>>>>> Hello List,
>>>>>
>>>>> I am trying to incorporate an existing LDAP directory with our
>>>>> Kamailio installation for SIP authentication. A good friend suggested
to
>>>>> checkout this tutorial and adapt it to fit my needs (and current
version)
>>>>>
>>>>>
>>>>>
http://www.kamailio.org/dokuwiki/doku.php/tutorials:openser-auth-ldap
>>>>>
>>>>> It seems like the AUTH module does not contain the function
>>>>> username_spec (which I believe is not used anymore) but the
>>>>> username_avp_spec which is not part of the AUTH module but the H350
module
>>>>> http://kamailio.org/docs/modules/3.2.x/modules_k/h350.html
>>>>>
>>>>> I enabled the h350 module and tried setting the params as
>>>>> described in the documentation:
>>>>>
>>>>> modparam("auth", "username_spec",
"$avp(s:username)")
>>>>> modparam("auth", "password_spec",
"$avp(s:password)")
>>>>> modparam("auth", "calculate_ha1", 1)
>>>>>
>>>>> I got the following error after checking the configuration:
>>>>>
>>>>> ERROR: <core> [modparam.c:151]: set_mod_param_regex: parameter
>>>>> <username_spec> not found in module <auth>
>>>>>
>>>>> I am running kamailio 3.2.3 (i386/linux) Ubuntu
>>>>>
>>>>> Thank you in advance!
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing
>>>>> list
>>>>> sr-users(a)lists.sip-router.org
>>>>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>>>>>
>>>>>
>>>>
>>>
>>
>
9:24 p.m.
New subject: Kamailio LDAP integration
You want to get the password (in clear text??) using an external script to
check it using pv_www_authenticate?
You can use the following function from exec module:
http://kamailio.org/docs/modules/stable/modules_k/exec.html#id2552128
The output of your command (shell script, php, ...) can be stored in an avp
passed to pv_www_authenticate.
Example to get the password: exec_avp("auth.sh '$au' ",
"$avp(s:password)")
$au=authentication username
the output of auth.sh will be stored in $avp(s:password)
Now this was how to use an external script and get its return values. How
will you proceed knowing that password are hashed using SHA1 in your
database and password+username+realm hashed using MD5 in SIP header?
Reda
On Mon, May 7, 2012 at 4:52 PM, Saul Waizer <saulwaizer(a)gmail.com> wrote:
Thank you Reda,
Is there a way to utilize external scripts for authentication? Like bash,
php etc? I cannot change the format of the LDAP but I am thinking about
other methods that could possibly work too utilizing the same
pv_www_authenticate logic, however these would require some external script
processing.
Example: SSO Authentication.
SIP user ----> SIP server ----> external auth script ----> OpenSSO server
Thank you
On Fri, May 4, 2012 at 5:56 PM, Reda Aouad <reda.aouad(a)gmail.com> wrote:
Sorry didn't reply to mailing list before.
Emails are below.
SHA1 encryption may not encrypt the same way as HA1 (HA1 = MD5 of realm +
username + password), so the problem may be here.
I suggest you store your passwords as clear text in LDAP for testing
first.
Reda
On Fri, May 4, 2012 at 11:14 PM, Saul Waizer <saulwaizer(a)gmail.com>wrote;wrote:
with the variations I get different results:
4(24126) ERROR: <script>: Password={SHA}v/m3IZiuy+VVizqnt56e2baZsT8=
4(24126) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=760 a=17 n=if
4(24126) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=756 a=28
n=pv_www_authenticate
4(24126) DEBUG: auth [api.c:95]: auth: digest-algo: MD5 parsed value: 1
4(24126) DEBUG: auth [api.c:210]: check_response: Our result =
'3839aa4cae572f5f8b23601a2bb1178f'
4(24126) DEBUG: auth [api.c:220]: check_response: Authorization failed
On Fri, May 4, 2012 at 3:11 PM, Saul Waizer <saulwaizer(a)gmail.com>wrote;wrote:
Also: i used xlog to print out the password and I
get the same exact
password I have on my LDAP server, so it seems something with the decoding
On Fri, May 4, 2012 at 3:01 PM, Saul Waizer <saulwaizer(a)gmail.com>wrote;wrote:
> Now i got it down to this:
>
> 2(23003) INFO: <script>: ldap_search: found [1] entries for
> (uid=mmiller) 2(23003) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg]
> l=759 a=17 n=if
> 2(23003) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=755
> a=28 n=pv_www_authenticate
> 2(23003) DEBUG: auth [api.c:95]: auth: digest-algo: MD5 parsed value:
> 1
> 2(23003) DEBUG: auth [auth_mod.c:455]: HA1 string calculated:
> c69622bbd922ec9321ab1293c226b703
> 2(23003) DEBUG: auth [api.c:210]: check_response: Our result =
> '939676a5591165f1da8ba04562d446b2'
> 2(23003) DEBUG: auth [api.c:220]: check_response: Authorization failed
> 2(23003) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=756
> a=27 n=www_challenge
> 2(23003) DEBUG: auth [challenge.c:102]: build_challenge_hf:
> realm='23.22.35.43'
> 2(23003) DEBUG: auth [challenge.c:244]: auth: 'WWW-Authenticate:
> Digest realm="23.22.35.43",
nonce="T6Qn/E+kJtAU7IvGh4OLivg7ptLbdida"
>
> I have changed the values of:
>
> if (!pv_www_authenticate("$td", "$avp(password)",
"0")) {
> www_challenge("$td", "0");
>
> to:
>
> if (!pv_www_authenticate("$td", "$avp(password)",
"1")) {
> www_challenge("$td", "0");
>
> because of the password in LDAP is stored as SHA1, and according to
> the docs, it should be 1. I'm so close it seems :)
>
> *flags* - the value of this parameter can be a bitmask of following:
>
> -
>
> *1* - the value of password parameter is HA1 format
>
>
>
> On Fri, May 4, 2012 at 2:47 PM, Reda Aouad <reda.aouad(a)gmail.com>wrote;wrote:
>
>> can you also print the avp(s:password) to log to see what its value
>> is?
>> use:
>> xlog('Password=$avp(s:password)')
>> after ldap_search and you'll see its output in the log file
>> maybe you're not correctly getting the password from the ldap search
>> url, avp(s:password) is then null and you get the error that it can't be
>> converted to string
>>
>> Reda
>>
>>
>>
>> On Fri, May 4, 2012 at 8:40 PM, Reda Aouad <reda.aouad(a)gmail.com>wrote;wrote:
>>
>>> in the line
>>> if (!pv_www_authenticate("$td", "$avp(password)",
"0")) {
>>>
>>> write avp(s:password) instead of avp(password)
>>> not sure it will solve it though.. if it doesn't, maybe others can
>>> help you more on this.
>>>
>>> Reda
>>>
>>>
>>>
>>> On Fri, May 4, 2012 at 5:50 PM, Saul Waizer
<saulwaizer(a)gmail.com>wrote;wrote:
>>>
>>>> Hello Reda,
>>>>
>>>> Thank you for your feedback, after some further research and
>>>> testing I got the LDAP search working, I am just having one issue with
the
>>>> password variable:
>>>>
>>>> 3(22487) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=755
>>>> a=28 n=pv_www_authenticate
>>>> 3(22487) ERROR: <core> [sr_module.c:1613]: Could not convert PV
to
>>>> str
>>>> 3(22487) ERROR: auth [auth_mod.c:569]: failed to get passwd value
>>>>
>>>> My relevant configuration:
>>>>
>>>> route[AUTH] {
>>>> #!ifdef WITH_AUTH
>>>> if (is_method("REGISTER"))
>>>> {
>>>> if(is_present_hf("Authorization"))
>>>> {
>>>> # ldap search
>>>>
>>>> if
>>>>
(!ldap_search("ldap://demo/ou=demo,dc=mydomain,dc=com?uid,userPassword?"))
>>>>
>>>> {
>>>> switch ($retcode)
>>>> {
>>>> case -1:
>>>> # no LDAP entry found
>>>> sl_send_reply("404", "User Not
Found");
>>>> exit;
>>>> case -2:
>>>> # internal error
>>>> sl_send_reply("500", "Internal
server
>>>> error");
>>>> exit;
>>>> default:
>>>> exit;
>>>> }
>>>> }
>>>> ldap_result("uid/$avp(s:username)");
>>>> ldap_result("userPassword/$avp(s:password)");
>>>> xlog("L_INFO", "ldap_search: found [$retcode]
entries
>>>> for (uid=$fU)");
>>>> if (!pv_www_authenticate("$td",
"$avp(password)", "0")) {
>>>> www_challenge("$td", "1");
>>>> exit;
>>>> }
>>>> sl_send_reply("200", "ok");
>>>> exit;
>>>> } else {
>>>> www_challenge("$td", "1");
>>>> exit;
>>>> }
>>>> } else {
>>>>
>>>> And the error message:
>>>>
>>>> 3(22487) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=735
>>>> a=26 n=ldap_search
>>>> 3(22487) DEBUG: ldap [ldap_api_fn.c:273]: LDAP URL parsed into
>>>> session_name [demo], base [ou=demo,dc=mydomain,dc=com], scope [0], filter
[]
>>>> 3(22487) DEBUG: ldap [ldap_api_fn.c:433]: [demo]: performing LDAP
>>>> search: dn [ou=demo,dc=mydomain,dc=com], scope [0], filter [(null)],
>>>> client_timeout [5000000] usecs
>>>> 3(22487) DEBUG: ldap [ldap_api_fn.c:240]: [demo]: [1] LDAP entries
>>>> found
>>>> 3(22487) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=752
>>>> a=26 n=ldap_result
>>>> 3(22487) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=753
>>>> a=26 n=ldap_result
>>>> 3(22487) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=754
>>>> a=27 n=xlog
>>>> 3(22487) INFO: <script>: ldap_search: found [-1] entries for
>>>> (uid=mmiller) 3(22487) ERROR: *** cfgtrace:
c=[/etc/kamailio/kamailio.cfg]
>>>> l=759 a=17 n=if
>>>> 3(22487) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=755
>>>> a=28 n=pv_www_authenticate
>>>> 3(22487) ERROR: <core> [sr_module.c:1613]: Could not convert PV
to
>>>> str
>>>> 3(22487) ERROR: auth [auth_mod.c:569]: failed to get passwd value
>>>> 3(22487) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=756
>>>> a=27 n=www_challenge
>>>> 3(22487) DEBUG: auth [challenge.c:102]: build_challenge_hf:
>>>> realm='ip.of.sip.server'
>>>> 3(22487) DEBUG: auth [challenge.c:113]: build_challenge_hf:
>>>> qop='auth'
>>>> 3(22487) DEBUG: auth [challenge.c:244]: auth: 'WWW-Authenticate:
>>>> Digest realm="ip.of.sip.server",
nonce="T6P5yU+j+J23OE93mPaektZpJszGpt/l",
>>>> qop="auth"
>>>>
>>>> Any help is greatly appreciated!
>>>> Thanks
>>>>
>>>>
>>>>
>>>> On Thu, May 3, 2012 at 4:22 PM, Reda Aouad
<reda.aouad(a)gmail.com>wrote;wrote:
>>>>
>>>>> Hi Saul,
>>>>>
>>>>> username_avp_spec was previously a AUTH module parameter to
>>>>> specify a variable that was passed to pv_www_authorize implicitly
(the
>>>>> function doesn't take arguments). Now you should use the new
>>>>> pv_www_authenticate and pass to it explicitly the credentials as
arguments.
>>>>>
>>>>> So forget about username_avp_spec since it doesn't exist as
module
>>>>> param anymore (this is why you are getting the error). Store the
result of
>>>>> ldap_search in the avps as in the tutorial using ldap_result, and
pass them
>>>>> to pv_www_authenticate as parameters. pv_www_authenticate takes the
>>>>> following arguments:
>>>>> - realm: which you can get from "to domain" using $td
>>>>> - password: $avp(s:password)
>>>>> - flag: set it to 0 as a first test
>>>>>
>>>>> example:
>>>>> pv_www_authorize("$td", "$avp(s:password)", 0)
>>>>>
>>>>> This function takes the username from the authentication header,
>>>>> so no need to pass it anymore as argument.
>>>>>
>>>>> Reda
>>>>>
>>>>>
>>>>>
>>>>> On Thu, May 3, 2012 at 8:47 PM, Saul Waizer
<saulwaizer(a)gmail.com>wrote;wrote:
>>>>>
>>>>>> Hello List,
>>>>>>
>>>>>> I am trying to incorporate an existing LDAP directory with our
>>>>>> Kamailio installation for SIP authentication. A good friend
suggested to
>>>>>> checkout this tutorial and adapt it to fit my needs (and current
version)
>>>>>>
>>>>>>
>>>>>>
http://www.kamailio.org/dokuwiki/doku.php/tutorials:openser-auth-ldap
>>>>>>
>>>>>> It seems like the AUTH module does not contain the function
>>>>>> username_spec (which I believe is not used anymore) but the
>>>>>> username_avp_spec which is not part of the AUTH module but the
H350 module
>>>>>> http://kamailio.org/docs/modules/3.2.x/modules_k/h350.html
>>>>>>
>>>>>> I enabled the h350 module and tried setting the params as
>>>>>> described in the documentation:
>>>>>>
>>>>>> modparam("auth", "username_spec",
"$avp(s:username)")
>>>>>> modparam("auth", "password_spec",
"$avp(s:password)")
>>>>>> modparam("auth", "calculate_ha1", 1)
>>>>>>
>>>>>> I got the following error after checking the configuration:
>>>>>>
>>>>>> ERROR: <core> [modparam.c:151]: set_mod_param_regex:
parameter
>>>>>> <username_spec> not found in module <auth>
>>>>>>
>>>>>> I am running kamailio 3.2.3 (i386/linux) Ubuntu
>>>>>>
>>>>>> Thank you in advance!
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users
>>>>>> mailing list
>>>>>> sr-users(a)lists.sip-router.org
>>>>>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
4391
days inactive
4394
days old
2 comments
2 participants
participants (2)
-
Reda Aouad -
Saul Waizer