[SR-Users] sr-users Digest, Vol 60, Issue 6

Rothe, Marcus, D22-WHV Marcus.Rothe at bertelsmann.de
Wed May 5 11:28:23 CEST 2010



"sr-users-request at lists.sip-router.org"
<sr-users-request at lists.sip-router.org> wrote:


Today's Topics:

   1. Authentication SER + RADIUS + LDAP (Pablo Ros)
   2. Kamailio SCTP support (Francisco José Méndez Cirera)
   3. Re: NAT Traversal IPTel example (Daniel-Constantin Mierla)
   4. Re: Kamailio SCTP support (Daniel-Constantin Mierla)


----------------------------------------------------------------------

Message: 1
Date: Tue, 4 May 2010 10:03:26 +0200
From: Pablo Ros <prf1987 at gmail.com>
Subject: [SR-Users] Authentication SER + RADIUS + LDAP
To: sr-users at lists.sip-router.org
Message-ID:
	<m2i46878ffc1005040103m27d01ccfo9c84d8bba7dc7896 at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Hello,

We have an LDAP database with many users' information and this is the one we
use to implement most of our services; on the contrary we have SER working
with a SQL database. Our intention was to make also the authentication
against LDAP. After some research, we've seen there's no specific module for
SER to work with LDAP and we have considered some alternatives; among them
there was the "module" from ETH world
<http://www.ethworld.ethz.ch/technologies/sipeth/ser_modules/ldap>.
However, we didn't manage to make it work (if it's an advisable choice we'd
appreciate some clues).

So, we decided to make the authentication through the RADIUS server.
Nevertheless, we are having some problems with the way data is sent.

When doing the user authentication there's no problem as it is sent in plain
text and we modified to do it against the email attribute as it's this what
we want. It makes it perfectly. But it turns out that when we try to make
the password authentication, as the data sent from SER comes in a hash
(user:realm:password) as long as we know, we don't really know how to make
it compare with the password field in LDAP (under MD5 algorithm as well).

When we make a test over Radius by sending plain text it works perfectly so
it shouldn't be a problem by searching the attributes over LDAP.

We have tried to follow instructions to set the digest section properly but
there's something we definitely miss.

Attached there's a log from the radius when trying to log with SER and the
Register section from SER.

log:
03
    User-Name = "my.user at i2cat.net"
    Digest-Attributes = 0x0a0b7061626c6f2e726f73
    Digest-Attributes = 0x010b69326361742e6e6574
    Digest-Attributes = 0x022a34626466643065343837303734363630626261366134363437663730313034343639663532306532
    Digest-Attributes = 0x040f7369703a69326361742e6e6574
    Digest-Attributes = 0x030a5245474953544552
    Digest-Response = "6c95bcba1fca30e976fa9295025b1bf4"
    Service-Type = Sip-Session
    Sip-Uri-User = "my.user"
    NAS-Port = 5060
    NAS-IP-Address = 127.0.0.1
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_digest: Adding Auth-Type = DIGEST
++[digest] returns ok
    rlm_realm: Looking up realm "i2cat.net" for User-Name = "my.user at i2cat.net"
    rlm_realm: No such realm "i2cat.net"
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for my.user at i2cat.net
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
    expand: (mail=%{Stripped-User-Name:-%{User-Name}}) -> (mail=my.user at i2cat.net)
    expand: ou=activat,ou=personal,dc=i2cat,dc=net -> ou=activat,ou=personal,dc=i2cat,dc=net
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.i2cat.net:389, authentication 0
rlm_ldap: bind as cn=anonim,dc=i2cat,dc=net/i2mngr to ldap.i2cat.net:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=activat,ou=personal,dc=i2cat,dc=net, with filter (mail=pablo.ros at i2cat.net)
rlm_ldap: No default NMAS login sequence
rlm_ldap: looking for check items in directory...
rlm_ldap: LDAP attribute userPassword as RADIUS attribute Digest-HA1 == "{md5}nCK4tZ5NNP48oT0wlXX+Jw=="
rlm_ldap: looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
rlm_ldap: user pablo.ros at i2cat.net authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
  rad_check_password:  Found Auth-Type DIGEST
auth: type "digest"
+- entering group authenticate
rlm_digest: Digest-HA1 has invalid length, authentication failed.
++[digest] returns invalid
auth: Failed to validate the user.
Login incorrect: [my.user at i2cat.net/<via Auth-Type = DIGEST>] (from client localhost port 5060)
  Found Post-Auth-Type Reject
+- entering group REJECT
    expand: %{User-Name} -> my.user at i2cat.net
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds


SER register -> User Authentication part

#------------------------------------------------------------------------
        # Credential check for users.
#------------------------------------------------------------------------
        if (!is_user_in("From", "noauth"))
        {
                xlog("L_NOTICE", "SER-INFO: challenging user...\n");
                # IMPORTANT: radius_www_authorize takes only one parameter!
                if(!radius_www_authorize(""))
                {
                        # The user is NOT registered correctly or the
                        # credentials are not valid!

                        www_challenge("i2cat.net","0");
                        xlog("L_ALERT","SER-ALERT r[4]-Bad Auth from <%fu>:(%is) [403 Forbiden]\n");
                        sl_send_reply("403", "Forbiden!, Bad Credentials");
                        break; # cut off the communication
                };

#--------------------------------------------------------------------
                # check_to
#--------------------------------------------------------------------
                if(!check_to())
                {
                        xlog("L_ALERT","SER-ALERT: check_to(): REG Spoofed attempt <%fu>:(%is)\n");
                        sl_send_reply("403", "Use To=id la proxima vegada :@");
                        consume_credentials(); # make the session expire
                        break;
                };
        }

--
Pablo Ros
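
Added example (not part of the original post): the Python sketch below decodes the Digest-Attributes from the log above and shows why rlm_digest reports "Digest-HA1 has invalid length". The LDAP {md5} value is base64 of MD5(password) alone, while digest verification needs HA1 = MD5(user:realm:password) as 32 hex characters, and one cannot be derived from the other. Function names are illustrative and the password used in the check is a constructed sample.

```python
import base64
import hashlib
import hmac

# Sub-attribute numbers packed inside Digest-Attributes (draft-sterman-aaa-sip).
SUBTYPES = {1: "realm", 2: "nonce", 3: "method", 4: "uri", 10: "user"}
# Values copied from the RADIUS debug log in the post.
LOG_ATTRS = [
    "0a0b7061626c6f2e726f73",
    "010b69326361742e6e6574",
    "022a34626466643065343837303734363630626261366134363437663730313034343639"
    "663532306532",
    "040f7369703a69326361742e6e6574",
    "030a5245474953544552",
]
LDAP_USERPASSWORD = "{md5}nCK4tZ5NNP48oT0wlXX+Jw=="

def parse_digest_attributes(hex_values):
    """Decode type/length/value sub-attributes; length includes the 2-byte header."""
    out = {}
    for item in hex_values:
        raw = bytes.fromhex(item)
        if raw[1] != len(raw):
            raise ValueError("sub-attribute length mismatch")
        out[SUBTYPES.get(raw[0], raw[0])] = raw[2:].decode("ascii")
    return out

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def ha1(user, realm, password):
    # RFC 2617 A1 hash: the 32-hex-character value rlm_digest expects in Digest-HA1.
    return md5_hex(f"{user}:{realm}:{password}")

def verify(stored_ha1, attrs, response):
    # No qop in the logged request: response = MD5(HA1:nonce:MD5(method:uri)).
    ha2 = md5_hex(f"{attrs['method']}:{attrs['uri']}")
    expected = md5_hex(f"{stored_ha1}:{attrs['nonce']}:{ha2}")
    return hmac.compare_digest(expected, response)

def ldap_md5_as_hex(value):
    # "{md5}" prefix, then base64 of the 16-byte MD5 of the password alone.
    return base64.b64decode(value[len("{md5}"):]).hex()

def client_response(attrs, password):
    # What the phone sends; it derives HA1 from the password the user typed.
    h = ha1(attrs["user"], attrs["realm"], password)
    ha2 = md5_hex(f"{attrs['method']}:{attrs['uri']}")
    return md5_hex(f"{h}:{attrs['nonce']}:{ha2}")
```

The directory therefore has to hold either the cleartext password or a precomputed HA1 for the exact user and realm strings the client uses; re-encoding the existing {md5} value to hex fixes the length but still fails verification.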

------------------------------

Message: 2
Date: Wed, 5 May 2010 09:52:53 +0200
From: Francisco José Méndez Cirera <mendezirera at gmail.com>
Subject: [SR-Users] Kamailio SCTP support
To: sr-users at lists.sip-router.org
Message-ID:
	<p2i5522bed91005050052ra51f50bcr9b134241a8c200c4 at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Hello,

I've downloaded Kamailio 3.0.0 (the last release) and I've seen it's
possible downloading a "binary tar.gz" or the source to compile directly. I
would like to know if the binary has enabled support for SCTP by default.

If it's enabled by default, how can I activate it (I can't find any option
related to sctp in kamailio.cfg) ?

If it isn't enabled by default, which are the dependencies? Is there a
document or something with at least the main dependencies?

Thank you very much. Bye!

------------------------------

Message: 3
Date: Wed, 05 May 2010 10:58:56 +0200
From: Daniel-Constantin Mierla <miconda at gmail.com>
Subject: Re: [SR-Users] NAT Traversal IPTel example
To: Andy Savage <andy at bluewire.net.nz>
Cc: serusers at iptel.org
Message-ID: <4BE13350.7000505 at gmail.com>
Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"

Hello

On 5/5/10 9:00 AM, Andy Savage wrote:
> Hi there,
>
> I've been setting up SER for a testing server on the local network
> behind a NAT. I'm having problems understanding how to setup the NAT
> routing in the configuration file.
>
> My understanding is that IPTel has already setup advanced NAT routing
> on the free service (as per the website).
>
> Is it possible to get a copy of the configuration file (at least the
> part that has the NAT routing stuff). This would help me immensely in
> getting proper nat traversal setup as it already works great on the
> IPTel server.
>
> Not sure who I would contact in regards to this, but this seemed like
> a good place to start.

in the etc directory of sources you have several configuration files,
oob.cfg should be pretty much what iptel.org has, afaik. also, kamailio
flavour config, kamailio.cfg has nat traversal guidelines.

Cheers,
Daniel

>
> Kind regards,
> Andy Savage
>
> --
> "The greatest challenge to any thinker is stating the problem in a way
> that will allow a solution"
> - Bertrand Russell
>
> Andy Savage
> Cell Phone: +852 936 34341
> Skype ID: andy_savage
> Linked In: http://www.linkedin.com/in/andysavage
>

--
Daniel-Constantin Mierla
* http://www.asipto.com/
* http://twitter.com/miconda
* http://www.linkedin.com/in/danielconstantinmierla


------------------------------

Message: 4
Date: Wed, 05 May 2010 11:04:41 +0200
From: Daniel-Constantin Mierla <miconda at gmail.com>
Subject: Re: [SR-Users] Kamailio SCTP support
To: Francisco José Méndez Cirera <mendezirera at gmail.com>
Cc: sr-users at lists.sip-router.org
Message-ID: <4BE134A9.1060106 at gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Hello,

On 5/5/10 9:52 AM, Francisco José Méndez Cirera wrote:
> Hello,
>
> I've downloaded Kamailio 3.0.0 (the last release) and I've seen it's
> possible downloading a "binary tar.gz" or the source to compile
> directly. I would like to know if the binary has enabled support for
> SCTP by default.
>
> If it's enabled by default, how can I activate it (I can't find any
> option related to sctp in kamailio.cfg) ?
>
> If it isn't enabled by default, which are the dependencies? Is there a
> document or something with at least the main dependencies?
>
> Thank you very much. Bye!

I think the binaries don't have SCTP built, you can check with 'kamailio
-V', if you see the SCTP use flag, then it is, otherwise it is not.

Cheers,
Daniel

--
Daniel-Constantin Mierla
* http://www.asipto.com/
* http://twitter.com/miconda
* http://www.linkedin.com/in/danielconstantinmierla




------------------------------



End of sr-users Digest, Vol 60, Issue 6
***************************************



