[Serusers] SER and LDAP

Greger V. Teigre greger at teigre.com
Fri Nov 11 08:32:59 CET 2005


Only usage will show what people really use...
I suggest that the ldap_is_user_in function is used for now (which is 
basically what is used for sql and radius).  However, I suggest adding a 
parameter that will control whether an "attribute in object" or 
"groupOfNames" search is done (modparam("ldap","group_method","1/0") ). 
Using the "attribute in object" approach is not exploiting the efficiency of 
LDAP as a directory server (and provisioning of an account in a group 
requires touching the account). Using groupOfNames (with an LDAP server 
having implemented an efficient lookup functionality) combines speed with 
data model soundness.
g-)

----- Original Message ----- 
From: "Arek Bekiersz" <sip at perceval.net>
To: "Jan Janak" <jan at iptel.org>
Cc: <serusers at lists.iptel.org>
Sent: Thursday, November 10, 2005 5:23 PM
Subject: Re: [Serusers] SER and LDAP


> Jan,
>
>
> This is how I do it now. Consider this fragment of my cfg that I use on 
> daily basis:
>
> # Busy redirection
> if( p_ldap_is_user_in("Request-URI", "divert_busy") ) {
>   xlog( "L_DBG", "DEBUG: User wishes Busy divert\n" );
>   setflag(4);
> };
>
> I was just proposing to change group handling in particular - that is: to 
> migrate from storing Group in User profile to storing Users (their DNs) in 
> Groups.
>
> Generally functions present in module can be used to verify the 
> authenticity of the user or group membership. Other functions return a 
> state of specific attribute (like boolean group membership above) or 
> process SIP request according to specific attribute value (like prefix 
> functions or alias functions).
>
> The thing I was discussing with Greger is that not all functions are 
> meaningful for everybody; some of them were developed for specific 
> purposes and generally no one will find them useful...
> However I have decided to leave them for historical reasons as I can 
> imagine somebody could use them, possibly after modifications.
>
> So I have nothing against developing a <new> set of more <generic> 
> functions. To be discussed.
>
>
> --
> Arek
>
>
>
> Jan Janak wrote:
>> I am no LDAP expert, but I would like to propose that we do group
>> membership checking in SER instead (in the configuration file).
>>
>> other authentication modules (radius and database) make it possible to
>> load a set of name-value pairs during authentication. Those pairs will
>> be stored in AVPs (Attribute-Value pairs) in SER and SER has a variety
>> of functions to process them.
>>
>> Thus we could have an attribute named "Group" which will contain all
>> groups the user belongs to. So, in my opinion, all that the LDAP
>> authentication module has to do is to verify the authenticity of the
>> user and return a set of attributes associated with the authenticated
>> user.
>>
>> What do you think ? This way we can have group checking independent of
>> the authentication method. You could also store additional data
>> attributes in LDAP that can be later used by SER, such as call forwarding
>> rules (call forward on busy, call forward on no answer, and so on).
>>
>>   Jan.
>
> _______________________________________________
> Serusers mailing list
> serusers at lists.iptel.org
> http://lists.iptel.org/mailman/listinfo/serusers
> 
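As an added illustration (not code from this thread or from the SER ldap module), the two group models Greger contrasts, written out as the LDAP search each implies and evaluated against a constructed in-memory directory; the group_method values, the serGroup attribute, the DN layout and the function names are assumptions:

```python
import re

# Constructed toy directory (not a real LDAP server): DN -> attributes.
DIRECTORY = {
    "uid=alice,ou=users,dc=example,dc=com": {
        "uid": ["alice"], "serGroup": ["divert_busy"]},   # "attribute in object" model
    "uid=bob,ou=users,dc=example,dc=com": {
        "uid": ["bob"], "serGroup": []},
    "cn=divert_busy,ou=groups,dc=example,dc=com": {       # groupOfNames model
        "objectClass": ["groupOfNames"],
        "member": ["uid=alice,ou=users,dc=example,dc=com"]},
}
USERS_BASE = "ou=users,dc=example,dc=com"
GROUPS_BASE = "ou=groups,dc=example,dc=com"


def escape_filter_value(value):
    """RFC 4515 escaping: the user part is lifted from the SIP Request-URI,
    so it must not be able to change the structure of the search filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)


def build_filter(group_method, user, group):
    """group_method 0 (assumed): look for the group in the user's own entry.
    group_method 1 (assumed): look for the user's DN in a groupOfNames entry.
    Returns (search base, filter) as a module would hand them to the server."""
    user, group = escape_filter_value(user), escape_filter_value(group)
    if group_method == 0:
        return USERS_BASE, "(&(uid=%s)(serGroup=%s))" % (user, group)
    # A full implementation also applies RFC 4514 DN escaping to the uid component.
    member_dn = "uid=%s,%s" % (user, USERS_BASE)
    return GROUPS_BASE, "(&(objectClass=groupOfNames)(cn=%s)(member=%s))" % (group, member_dn)


def is_user_in(group_method, user, group):
    """Evaluate the same membership question against the toy directory."""
    user_dn = "uid=%s,%s" % (user, USERS_BASE)
    if group_method == 0:
        # One read of the user entry; provisioning a group touches the account.
        return group in DIRECTORY.get(user_dn, {}).get("serGroup", [])
    # One read of the group entry; the account is never modified.
    group_entry = DIRECTORY.get("cn=%s,%s" % (group, GROUPS_BASE), {})
    return user_dn in group_entry.get("member", [])
```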