[SR-Users] Authentication SER + RADIUS + LDAP
Pablo Ros
prf1987 at gmail.com
Tue May 4 10:03:26 CEST 2010
Hello,
We have a LDAP database with many users information and this is the one we
use to implement most of our services; on the contrary we have SER working
with a SQL data base. Our intention was to make also the authentication
against LDAP. After some research, we've seen there's no specific module for
SER to work with LDAP and we have considered some alternatives among them
there was the "module" from ETH
world<http://www.ethworld.ethz.ch/technologies/sipeth/ser_modules/ldap>.
However, we didn't manage to make it work (if it's an advisable choice we'd
appreciate some clues).
So, we decided to make the authentication through the RADIUS server.
Nevertheless, we are having some problems with the way data is sent.
When doing the user authentication there's no problem as it is sent in plain
text and we modified to do it against the email attribute as it's this what
we want. It makes it perfectly. But it turns out that when we try to make
the password authentication, as the data sent from SER comes in a hash
(user:realm:password) as long as we know, we don't really know how to make
it compare with the password field in LDAP (under MD5 algorithm as well).
When we make a test over Radius by sending plain text it works perfectly so
it shouldn't be a problem by searching the attributes over LDAP.
We have tried to follow instructions to set the digest section properly but
there's something we definitely miss.
Attached there's a log from the radius when trying to log with SER and the
Register section from SER.
log:
03
User-Name = "my.user at i2cat.net"
Digest-Attributes = 0x0a0b7061626c6f2e726f73
Digest-Attributes = 0x010b69326361742e6e6574
Digest-Attributes =
0x022a34626466643065343837303734363630626261366134363437663730313034343639663532306532
Digest-Attributes = 0x040f7369703a69326361742e6e6574
Digest-Attributes = 0x030a5245474953544552
Digest-Response = "6c95bcba1fca30e976fa9295025b1bf4"
Service-Type = Sip-Session
Sip-Uri-User = "my.user"
NAS-Port = 5060
NAS-IP-Address = 127.0.0.1
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_digest: Adding Auth-Type = DIGEST
++[digest] returns ok
rlm_realm: Looking up realm "i2cat.net" for User-Name = "
my.user at i2cat.net"
rlm_realm: No such realm "i2cat.net"
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for my.user at i2cat.net
WARNING: Deprecated conditional expansion ":-". See "man unlang" for
details
expand: (mail=%{Stripped-User-Name:-%{User-Name}}) -> (mail=
my.user at i2cat.net)
expand: ou=activat,ou=personal,dc=i2cat,dc=net ->
ou=activat,ou=personal,dc=i2cat,dc=net
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.i2cat.net:389, authentication 0
rlm_ldap: bind as cn=anonim,dc=i2cat,dc=net/i2mngr to ldap.i2cat.net:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=activat,ou=personal,dc=i2cat,dc=net, with
filter (mail=pablo.ros at i2cat.net)
rlm_ldap: No default NMAS login sequence
rlm_ldap: looking for check items in directory...
rlm_ldap: LDAP attribute userPassword as RADIUS attribute Digest-HA1 ==
"{md5}nCK4tZ5NNP48oT0wlXX+Jw=="
rlm_ldap: looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the
user is configured correctly?
rlm_ldap: user pablo.ros at i2cat.net authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
rad_check_password: Found Auth-Type DIGEST
auth: type "digest"
+- entering group authenticate
rlm_digest: Digest-HA1 has invalid length, authentication failed.
++[digest] returns invalid
auth: Failed to validate the user.
Login incorrect: [my.user at i2cat.net/<via Auth-Type = DIGEST>] (from client
localhost port 5060)
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> my.user at i2cat.net
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
SER register -> User Authentication part
#------------------------------------------------------------------------
# Comprovacio de credencials per als usuaris.
#------------------------------------------------------------------------
if (!is_user_in("From", "noauth"))
{
xlog("L_NOTICE", "SER-INFO: challenging user...\n");
# IMPORTANTE: radius_www_authorize solo toma un parámetro!
if(!radius_www_authorize(""))
{
# L'usuari NO esta registrat correctament o les
# credencials no son valides!
www_challenge("i2cat.net","0");
xlog("L_ALERT","SER-ALERT r[4]-Bad Auth from
<%fu>:(%is) [403 Forbiden]\n");
sl_send_reply("403", "Forbiden!, Bad Credentials");
break; #tallem la comunicacio
};
#--------------------------------------------------------------------
# check_to
#--------------------------------------------------------------------
if(!check_to())
{
xlog("L_ALERT","SER-ALERT: check_to(): REG Spoofed
attempt <%fu>:(%is)\n");
sl_send_reply("403", "Use To=id la proxima vegada
:@");
consume_credentials(); # fem que caduqui la sessio
break;
};
}
--
Pablo Ros
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sip-router.org/pipermail/sr-users/attachments/20100504/bacbfdd1/attachment.htm>
More information about the sr-users
mailing list