[OpenSER-Users] anonymous LDAP bind issue

Christian Schlatter cs at unc.edu
Sat Feb 2 22:47:52 CET 2008


antalsia at free.fr wrote:
> Hi,
> 
> What I'd like to do is to authenticate SIP users the same way ldap users are
> with the following command: ldapsearch -x -b [...] -D uid=user1,ou=xxxxx,dc=yyyy
> -W. Is it possible with openser 1.3 ?

For performance reasons, the openser ldap module executes bind 
operations only once per ldap connection setup. This happens when 
openser starts and in case an ldap server has terminated an ldap 
connection and the ldap module has to re-connect. The ldap module 
therefore does not support ldap bind operations triggered by openser's 
message routing script, as e.g. by SIP authentication requests. An ldap 
bind operation takes a considerable amount of time which adds to the 
overall SIP session setup delay.

If the ldap user passwords are stored in cleartext (often they are md5 
hashed), you could set up an ldap super user which has access to all user 
passwords. This ldap super user account could then be used by openser to 
read the password for a specific user DN, and use that password for SIP 
authentication.

Something like

ldapsearch -x -b ou=xxx,dc=yyy -W -D uid=superuser,ou=xxx,dc=yyy '(uid=user1)' userPassword

/Christian

> 
> 
> Quoting Christian Schlatter <cs at unc.edu>:
> 
>> antalsia at free.fr wrote:
>>> Hi,
>>>
>>> I'm trying to implement LDAP authentication with anonymous LDAP bind. I set the
>>> ldap configuration file without ldap_bind_dn, ldap_bind_password attributes.
>>> This step works fine. Unfortunately, I can't figure out how to set the
>>> openser.cfg file. I need to pass the bind DN and the user password to the
>>> ldap_search function; that's ok for the bind DN but I don't know how to proceed
>>> for the password. Can someone post an example please?
>> Why do you need to pass the bind DN and password to ldap_search? An LDAP
>> search operation doesn't include authentication, this is what the bind
>> operation is good for. Once an LDAP client authenticates itself through
>> the bind operation, it can issue a search operation.
>>
>> /Christian
>>
>>
>>> Regards,
>>>
>>>
>>
> 
> 
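
Added example, not part of the original thread and not OpenSER code: a sketch of why the approach in the reply needs the userPassword value in cleartext. SIP digest authentication (RFC 2617, shown here without qop) needs MD5(user:realm:password), which cannot be derived from an LDAP {MD5} hash of the password alone. Function names and all sample values are constructed for illustration.

```python
import base64
import hashlib
import hmac


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 digest response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")  # needs the cleartext password
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def ldap_md5(password):
    """userPassword in the LDAP {MD5} scheme: base64 of the raw MD5 digest."""
    raw = hashlib.md5(password.encode()).digest()
    return "{MD5}" + base64.b64encode(raw).decode()


def verify(stored, user, realm, method, uri, nonce, client_response):
    """Check a SIP digest response against the userPassword read from LDAP.

    Returns True/False for a cleartext value, or None when the stored value
    carries a hash scheme prefix such as {MD5} and HA1 cannot be built.
    """
    if stored.startswith("{"):
        return None
    expected = digest_response(user, realm, stored, method, uri, nonce)
    return hmac.compare_digest(expected, client_response)


# Constructed sample values
USER, REALM, PASSWORD = "user1", "sip.example.org", "s3cret"
METHOD, URI, NONCE = "REGISTER", "sip:sip.example.org", "47a1b2c3d4e5f6"

if __name__ == "__main__":
    resp = digest_response(USER, REALM, PASSWORD, METHOD, URI, NONCE)
    print("cleartext in LDAP:", verify(PASSWORD, USER, REALM, METHOD, URI, NONCE, resp))
    print("{MD5} in LDAP:    ", verify(ldap_md5(PASSWORD), USER, REALM, METHOD, URI, NONCE, resp))
```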