[Serusers] Help:SER-RADIUS-LDAP

Arek Bekiersz sip at perceval.net
Tue Apr 11 17:27:53 CEST 2006


Hi,


Did you add password_attribute in your raddb.conf? Put there the name of 
the attribute that stores the user password.


Apart from this, here is my working configuration (it worked long ago).
Hope it helps.


FILE raddb/raddb.conf
----------
modules section:
...
ldap {
                 filter = "(someAttrib=%{User-Name})"
                 dictionary_mapping = ${raddbdir}/ldap.attrmap
                 ldap_connections_number = 5
                 password_attribute = someOtherAttrib
                 groupmembership_filter = "(objectClass=*)"
                 groupmembership_attribute = someYetAnotherAttrib
}
..
authenticate section:
         Auth-Type LDAP {
                 ok
         }
...



FILE raddb/users
------
# Default for INVITEs, REGISTERs and so on
DEFAULT Service-Type == "Sip-Session"
         Auth-Type := Digest


# Group membership checking - we always accept, ldap will check groups anyway
DEFAULT Service-Type == "Group-Check",  Sip-Group == "divert_busy"
         Auth-Type := Accept

DEFAULT Service-Type == "Group-Check",  Sip-Group == "divert_unav"
         Auth-Type := Accept

DEFAULT Service-Type == "Group-Check",  Sip-Group == "divert_timeout"
         Auth-Type := Accept

DEFAULT Service-Type == "Group-Check",  Sip-Group == "allow_outbound"
         Auth-Type := Accept


# User presence - we always accept, ldap will check anyway
DEFAULT Service-Type == "Call-Check"
         Auth-Type := Accept


# Deny all the rest
DEFAULT Auth-Type := Reject

Ivan Turcin wrote:
> Hi,
> 
> I'm using SER 0.9.6 as my SIP proxy, and FreeRADIUS 1.1.0 for accounting,
> authorization and authentication. Users are in OpenLDAP 2.3.20. For
> connecting to RADIUS I'm using the auth_radius module, which uses radiusclient-ng.
> 
> Everything works fine when digest is used for authentication and
> authorization, but when I try to use LDAP for authentication and
> authorization I get this from RADIUS:
> 
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for 201 at 192.168.19.2
> radius_xlat:  '(uid=201 at 192.168.19.2)'
> radius_xlat:  'ou=People,dc=sips,dc=tel,dc=fer,dc=hr'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to 192.168.19.2:389, authentication 0
> rlm_ldap: bind as cn=root,dc=sips,dc=tel,dc=fer,dc=hr/topsct to
> 192.168.19.2:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in ou=People,dc=sips,dc=tel,dc=fer,dc=hr, with
> filter (uid=201 at 192.168.19.2)
> rlm_ldap: checking if remote access for 201 at 192.168.19.2 is allowed by
> employeeType
> rlm_ldap: Added password 201 in check items
> rlm_ldap: looking for check items in directory...
> rlm_ldap: Adding userPassword as User-Password, value 201 & op=21
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user 201 at 192.168.19.2 authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns ok for request 0
> modcall: leaving group authorize (returns ok) for request 0
>   rad_check_password:  Found Auth-Type Ldap
> auth: type "LDAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group LDAP for request 0
> rlm_ldap: - authenticate
> rlm_ldap: Attribute "User-Password" is required for authentication.
>   modcall[authenticate]: module "ldap" returns invalid for request 0
> modcall: leaving group LDAP (returns invalid) for request 0
> auth: Failed to validate the user.
> 
> I think this is the problem:
>      Attribute "User-Password" is required for authentication.
> 
> In the users file I have added:
>     DEFAULT Auth-Type := LDAP
> to force using LDAP for authentication and authorization.
> 
> When I try to connect remotely using the radius client from the command
> line, authorization and authentication work fine. When I capture packets
> while using SER I can't see the User-Password attribute.
> 
> Is there any way to solve this problem? Maybe to tell RADIUS that one of the
> digest attributes is actually the User-Password attribute, or some other module
> which enables using RADIUS and LDAP together.
> 
> Thanks in advance.
> 
> Best regards,
> 
> --
>   Ivan Turcin
> Student at University of Zagreb, Faculty of Electrical Engineering and
> Computing, Branch of Telecommunications and Informatics
> Unska 3
> HR-10000 Zagreb
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Serusers mailing list
> serusers at lists.iptel.org
>
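The failing step in the quoted log is rlm_ldap's authenticate section asking for a User-Password that a SIP request never carries: a digest-authenticating UA sends only Digest-Response plus the digest parameters, so the RADIUS side can verify the request only if it can obtain the stored password (or a precomputed HA1) for the user. That is what rlm_ldap's password_attribute supplies to the check items, and it is why an LDAP bind with the user's own credentials cannot be the authentication step here. The following Python script is an added example, not code from either poster or from FreeRADIUS; it recomputes the RFC 2617 digest response the way a digest verifier does, against a constructed in-memory directory standing in for the LDAP attribute, with a constructed realm, nonce and password.

```python
import hashlib
import hmac

# Constructed sample directory standing in for the LDAP entries. The value is
# what rlm_ldap would expose through password_attribute (an assumption of this
# example); no real credentials are involved.
DIRECTORY = {"201": "s3cret-201"}


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """RFC 2617 response: MD5(HA1:nonce[:nc:cnonce:qop]:HA2).

    HA1 = MD5(username:realm:password) is the only place the password enters,
    which is why a verifier needs either the cleartext password or HA1 itself.
    """
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop == "auth":
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def client_register(username, password, realm, nonce):
    """Build the Digest-* values a SIP UA sends when answering a REGISTER
    challenge. Note that the returned attributes contain no password: only
    the response hash leaves the client."""
    method, uri = "REGISTER", f"sip:{realm}"
    nc, cnonce = "00000001", "0a4f113b"  # constructed values
    return {
        "username": username,
        "realm": realm,
        "method": method,
        "uri": uri,
        "nonce": nonce,
        "qop": "auth",
        "nc": nc,
        "cnonce": cnonce,
        "response": digest_response(username, realm, password, method, uri,
                                    nonce, "auth", nc, cnonce),
    }


def verify_register(attrs, directory):
    """Server-side check, mirroring what a digest verifier must do once the
    stored password has been fetched from the directory: recompute the
    response and compare it in constant time. Returns True on success."""
    password = directory.get(attrs["username"])
    if password is None:
        return False
    expected = digest_response(attrs["username"], attrs["realm"], password,
                               attrs["method"], attrs["uri"], attrs["nonce"],
                               attrs.get("qop"), attrs.get("nc"),
                               attrs.get("cnonce"))
    return hmac.compare_digest(expected, attrs["response"])


if __name__ == "__main__":
    req = client_register("201", "s3cret-201", "192.168.19.2", "c0nstructedN0nce")
    print("attributes on the wire:", sorted(req))          # no password key
    print("good password accepted:", verify_register(req, DIRECTORY))
    bad = client_register("201", "wrong", "192.168.19.2", "c0nstructedN0nce")
    print("wrong password accepted:", verify_register(bad, DIRECTORY))
```

The practical consequence for the setup in the thread is that the directory attribute named by password_attribute must be readable by the account rlm_ldap binds with, and that it has to hold something a digest verifier can use (the cleartext password, or an HA1 computed for the SIP realm); a hashed userPassword that only supports bind comparisons will not do.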