[SR-Users] Authentication SER + RADIUS + LDAP

Daniel-Constantin Mierla miconda at gmail.com
Wed May 5 11:09:09 CEST 2010


Hello,

On 5/4/10 10:03 AM, Pablo Ros wrote:
> Hello,
>
> We have an LDAP database with a lot of user information, and it is the 
> one we use to implement most of our services; on the other hand, we have 
> SER working with an SQL database. Our intention was to do the 
> authentication against LDAP as well. After some research, we've seen there's 
> no specific module for SER to work with LDAP, and we have considered 
> some alternatives, among them the "module" from ETH world 
> <http://www.ethworld.ethz.ch/technologies/sipeth/ser_modules/ldap>. 
> However, we didn't manage to make it work (if it's an advisable choice, 
> we'd appreciate some clues).

but you have LDAP support in SER:
http://sip-router.org/docbook/sip-router/branch/master/modules_s/ldap/ldap.html

AFAIK, you can use it instead of the db driver.

With version 3.0 you have one more option that came from Kamailio (OpenSER):
http://sip-router.org/docbook/sip-router/branch/master/modules_k/ldap/ldap.html

This one you can use to query LDAP and get the password into the config file, from 
where you can do the authentication via the auth module (from modules_k).

Cheers,
Daniel

>
> So, we decided to do the authentication through the RADIUS server. 
> Nevertheless, we are having some problems with the way the data is sent.
>
> When doing the user authentication there's no problem, as it is sent in 
> plain text, and we modified it to work against the email attribute, as 
> that is what we want. It works perfectly. But it turns out that 
> when we try to do the password authentication, as the data sent from 
> SER comes as a hash (user:realm:password), as far as we know, we don't 
> really know how to compare it with the password field in LDAP 
> (also under the MD5 algorithm).
>
> When we run a test over RADIUS by sending plain text it works 
> perfectly, so it shouldn't be a problem with searching the attributes 
> over LDAP.
>
> We have tried to follow the instructions to set the digest section 
> properly, but there's something we are definitely missing.
>
> Attached there's a log from the RADIUS server when trying to log in with SER, 
> and the REGISTER section from SER.
>
> log:
> 03
>     User-Name = "my.user@i2cat.net"
>     Digest-Attributes = 0x0a0b7061626c6f2e726f73
>     Digest-Attributes = 0x010b69326361742e6e6574
>     Digest-Attributes = 0x022a34626466643065343837303734363630626261366134363437663730313034343639663532306532
>     Digest-Attributes = 0x040f7369703a69326361742e6e6574
>     Digest-Attributes = 0x030a5245474953544552
>     Digest-Response = "6c95bcba1fca30e976fa9295025b1bf4"
>     Service-Type = Sip-Session
>     Sip-Uri-User = "my.user"
>     NAS-Port = 5060
>     NAS-IP-Address = 127.0.0.1
> +- entering group authorize
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> rlm_digest: Adding Auth-Type = DIGEST
> ++[digest] returns ok
>     rlm_realm: Looking up realm "i2cat.net" for User-Name = "my.user@i2cat.net"
>     rlm_realm: No such realm "i2cat.net"
> ++[suffix] returns noop
>   rlm_eap: No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[unix] returns notfound
> ++[files] returns noop
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for my.user@i2cat.net
> WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
>     expand: (mail=%{Stripped-User-Name:-%{User-Name}}) -> (mail=my.user@i2cat.net)
>     expand: ou=activat,ou=personal,dc=i2cat,dc=net -> ou=activat,ou=personal,dc=i2cat,dc=net
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to ldap.i2cat.net:389, authentication 0
> rlm_ldap: bind as cn=anonim,dc=i2cat,dc=net/i2mngr to ldap.i2cat.net:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in ou=activat,ou=personal,dc=i2cat,dc=net, with filter (mail=pablo.ros@i2cat.net)
> rlm_ldap: No default NMAS login sequence
> rlm_ldap: looking for check items in directory...
> rlm_ldap: LDAP attribute userPassword as RADIUS attribute Digest-HA1 == "{md5}nCK4tZ5NNP48oT0wlXX+Jw=="
> rlm_ldap: looking for reply items in directory...
> WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
> rlm_ldap: user pablo.ros@i2cat.net authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> ++[ldap] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
> ++[pap] returns noop
>   rad_check_password:  Found Auth-Type DIGEST
> auth: type "digest"
> +- entering group authenticate
> rlm_digest: Digest-HA1 has invalid length, authentication failed.
> ++[digest] returns invalid
> auth: Failed to validate the user.
> Login incorrect: [my.user@i2cat.net/<via Auth-Type = DIGEST>] (from client localhost port 5060)
>   Found Post-Auth-Type Reject
> +- entering group REJECT
>     expand: %{User-Name} -> my.user@i2cat.net
>  attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 0 for 1 seconds
>
>
> SER register -> User Authentication part
>
> #------------------------------------------------------------------------
>         # Credential check for users.
> #------------------------------------------------------------------------
>         if (!is_user_in("From", "noauth"))
>         {
>                 xlog("L_NOTICE", "SER-INFO: challenging user...\n");
>                 # IMPORTANT: radius_www_authorize takes only one parameter!
>                 if (!radius_www_authorize(""))
>                 {
>                         # The user is NOT registered correctly or the
>                         # credentials are not valid (or none were sent yet):
>                         # send the Digest challenge and stop. www_challenge()
>                         # already sends the 401 reply, so a second reply
>                         # (403) for the same request must not follow it.
>                         xlog("L_ALERT", "SER-ALERT r[4]-Bad Auth from <%fu>:(%is) [401 challenge]\n");
>                         www_challenge("i2cat.net", "0");
>                         break; # stop processing this request
>                 };
> #--------------------------------------------------------------------
>                 # check_to
> #--------------------------------------------------------------------
>                 if (!check_to())
>                 {
>                         xlog("L_ALERT", "SER-ALERT: check_to(): REG spoofed attempt <%fu>:(%is)\n");
>                         sl_send_reply("403", "Use To=id next time :@");
>                         consume_credentials(); # make the session expire
>                         break;
>                 };
>         }
>
> -- 
> Pablo Ros
>
>
> _______________________________________________
> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
> sr-users at lists.sip-router.org
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>    

-- 
Daniel-Constantin Mierla
* http://www.asipto.com/
* http://twitter.com/miconda
* http://www.linkedin.com/in/danielconstantinmierla
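The log quoted above already contains everything needed to see why rlm_digest rejects the request: the client's Digest parameters travel as Digest-Attributes TLVs, and the only "known good" value the LDAP lookup produced was a {md5} userPassword, which is base64 of MD5(password), not the 32-hex-character HA1 = MD5(username:realm:password) that Digest-HA1 must carry. The following is an added example, not code from the thread or from SER/FreeRADIUS: it decodes the TLVs from the log, reimplements the RFC 2617 response check that rlm_digest performs, and runs it against a constructed demo password (the real password behind the logged Digest-Response is unknown) in each of the forms a directory could hand to RADIUS. The function and variable names are the example's own.

```python
import base64
import hashlib

# Sub-attribute codes carried inside RADIUS Digest-Attributes (RFC 5090,
# the numbering rlm_digest uses); the log shows types 1, 2, 3, 4 and 10.
DIGEST_SUBTYPES = {
    1: "realm", 2: "nonce", 3: "method", 4: "uri", 5: "qop",
    6: "algorithm", 7: "body-digest", 8: "cnonce", 9: "nonce-count",
    10: "username",
}

# Values copied verbatim from the FreeRADIUS log in the thread.
LOG_DIGEST_ATTRIBUTES = [
    "0x0a0b7061626c6f2e726f73",
    "0x010b69326361742e6e6574",
    "0x022a34626466643065343837303734363630626261366134363437663730313034343639663532306532",
    "0x040f7369703a69326361742e6e6574",
    "0x030a5245474953544552",
]
LOG_DIGEST_RESPONSE = "6c95bcba1fca30e976fa9295025b1bf4"
LOG_LDAP_USERPASSWORD = "{md5}nCK4tZ5NNP48oT0wlXX+Jw=="


def parse_digest_attributes(values):
    """Decode Digest-Attributes TLVs: 1 byte type, 1 byte length (which
    counts the two header bytes), then the ASCII value."""
    attrs = {}
    for v in values:
        raw = bytes.fromhex(v[2:] if v.startswith("0x") else v)
        sub_type, length = raw[0], raw[1]
        if length != len(raw):
            raise ValueError("bad TLV length in %s" % v)
        name = DIGEST_SUBTYPES.get(sub_type, "type-%d" % sub_type)
        attrs[name] = raw[2:].decode("ascii")
    return attrs


def md5hex(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1_from_cleartext(username, realm, password):
    """HA1 = MD5(username:realm:password): what SER keeps in its ha1
    column and what the Digest-HA1 RADIUS attribute must contain."""
    return md5hex(username + ":" + realm + ":" + password)


def digest_response(ha1, attrs):
    """RFC 2617 response without qop (none appears in the log):
    MD5(HA1:nonce:HA2) with HA2 = MD5(method:uri)."""
    ha2 = md5hex(attrs["method"] + ":" + attrs["uri"])
    return md5hex(ha1 + ":" + attrs["nonce"] + ":" + ha2)


def ha1_has_valid_length(ha1):
    """rlm_digest accepts Digest-HA1 only as 32 hex characters; anything
    else is the 'Digest-HA1 has invalid length' error from the log."""
    return len(ha1) == 32 and all(c in "0123456789abcdefABCDEF" for c in ha1)


def verify(attrs, response, known_good):
    """known_good is ("cleartext", password) or ("ha1", hex_ha1), the only
    two forms from which a Digest response can be recomputed."""
    kind, value = known_good
    if kind == "cleartext":
        ha1 = ha1_from_cleartext(attrs["username"], attrs["realm"], value)
    else:
        ha1 = value
    if not ha1_has_valid_length(ha1):
        return False
    return digest_response(ha1, attrs) == response


def userpassword_to_known_good(userpassword):
    """Map an LDAP userPassword value to a usable known-good form, or None.
    A {md5} (or any other {scheme}) value hashes the bare password, so it
    cannot be turned into HA1, which also covers username and realm."""
    if userpassword.startswith("{"):
        return None
    return ("cleartext", userpassword)


def demo():
    """Check a constructed password in every form a directory might hold."""
    attrs = parse_digest_attributes(LOG_DIGEST_ATTRIBUTES)
    password = "constructed-demo-password"  # constructed, not the real one
    ha1 = ha1_from_cleartext(attrs["username"], attrs["realm"], password)
    response = digest_response(ha1, attrs)  # what a client with this password sends
    raw_md5 = hashlib.md5(password.encode("utf-8")).digest()
    ldap_md5 = "{md5}" + base64.b64encode(raw_md5).decode("ascii")
    return {
        "cleartext_password": verify(attrs, response, ("cleartext", password)),
        "stored_ha1": verify(attrs, response, ("ha1", ha1)),
        "ldap_md5_as_ha1": verify(attrs, response, ("ha1", ldap_md5)),  # length error
        "ldap_md5_hex_as_ha1": verify(attrs, response, ("ha1", raw_md5.hex())),  # wrong hash
        "ldap_md5_convertible": userpassword_to_known_good(ldap_md5) is not None,
    }


if __name__ == "__main__":
    print(parse_digest_attributes(LOG_DIGEST_ATTRIBUTES))
    print(demo())
```

Only the cleartext and stored-HA1 paths succeed; the {md5} value fails the length check exactly as in the log, and even hex-encoding its 16 bytes gives MD5(password), not MD5(user:realm:password). So the directory has to offer rlm_digest either a cleartext password or a precomputed HA1 (32 hex characters) in an attribute mapped to Digest-HA1 instead of userPassword; the attribute name is the deployer's choice and not something the thread names. Note that HA1 is password-equivalent for that realm (anyone holding it can answer the challenge), so an HA1 attribute needs the same read restrictions as userPassword.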


