[Serusers] SER and LDAP

Arek Bekiersz sip at perceval.net
Thu Nov 10 17:23:47 CET 2005


Jan,


This is how I do it now. Consider this fragment of my cfg that I use on 
a daily basis:

# Busy redirection
if( p_ldap_is_user_in("Request-URI", "divert_busy") ) {
   xlog( "L_DBG", "DEBUG: User wishes Busy divert\n" );
   setflag(4);
};

I was just proposing to change group handling in particular - that is: 
to migrate from storing Group in User profile to storing Users (their 
DNs) in Groups.

Generally, functions present in the module can be used to verify the 
authenticity of the user or group membership. Other functions return a 
state of specific attribute (like boolean group membership above) or 
process SIP request according to specific attribute value (like prefix 
functions or alias functions).

The thing I was discussing with Greger is that not all functions are 
meaningful for everybody; some of them were developed for specific 
purposes and generally no one will find them useful...
However I have decided to leave them for historical reasons as I can 
imagine somebody could use them, possibly after modifications.

So I have nothing against developing a <new> set of more <generic> 
functions. To be discussed.


--
Arek



Jan Janak wrote:
> I am no LDAP expert, but I would like to propose that we do group
> membership checking in SER instead (in the configuration file).
> 
> Other authentication modules (radius and database) make it possible to
> load a set of name-value pairs during authentication. Those pairs will
> be stored in AVPs (Attribute-Value pairs) in SER and SER has a variety
> of functions to process them.
> 
> Thus we could have an attribute named "Group" which will contain all
> groups the user belongs to. So, in my opinion, all that the LDAP
> authentication module has to do is to verify the authenticity of the
> user and return a set of attributes associated with the authenticated
> user.
> 
> What do you think? This way we can have group checking independent of
> the authentication method. You could also store additional data
> attributes in LDAP that can be later used by SER, such as call forwarding
> rules (call forward on busy, call forward on no answer, and so on).
> 
>   Jan.



