[SR-Users] Kamailio LDAP integration

Reda Aouad reda.aouad at gmail.com
Mon May 7 18:24:38 CEST 2012


You want to get the password (in clear text??) using an external script to
check it using pv_www_authenticate?

You can use the following function from exec module:
http://kamailio.org/docs/modules/stable/modules_k/exec.html#id2552128

The output of your command (shell script, php, ...) can be stored in an avp
passed to pv_www_authenticate.
Example to get the password: exec_avp("auth.sh '$au' ", "$avp(s:password)")

$au=authentication username
the output of auth.sh will be stored in $avp(s:password)

Now this was how to use an external script and get its return values. How
will you proceed knowing that passwords are hashed using SHA1 in your
database and password+username+realm hashed using MD5 in the SIP header?

Reda
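As an added example, not from this thread or from Kamailio's own code: the arithmetic behind the question above, in Python. It recomputes HA1 and the Digest response the way check_response does (the "Our result" in the logs) and shows why a {SHA} value from LDAP fits neither flag 0 (plaintext) nor flag 1 (HA1); the username, realm and nonce used in the test come from the logs in this thread, the password is a constructed value.

```python
import hashlib
import hmac
import re

def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def ha1(username, realm, password):
    # HA1 of RFC 2617 Digest: MD5(username:realm:password), the "HA1 string calculated" in the logs
    return md5hex(f"{username}:{realm}:{password}")

def digest_response(ha1_hex, method, uri, nonce, qop=None, nc=None, cnonce=None):
    # HA2 binds method and request-URI; with qop, nonce count and cnonce enter the hash too
    ha2 = md5hex(f"{method}:{uri}")
    if qop is None:
        return md5hex(f"{ha1_hex}:{nonce}:{ha2}")
    return md5hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def credential_flag(stored):
    # pv_www_authenticate flag the stored value needs: 0 = plaintext, 1 = HA1 (32 hex digits);
    # None for an LDAP {SHA}/{SSHA}/{MD5}/{CRYPT} hash of the bare password, from which
    # neither the plaintext nor HA1 can be derived, so Digest verification cannot work.
    if re.fullmatch(r"[0-9a-fA-F]{32}", stored):
        return 1
    if re.match(r"\{[A-Za-z0-9-]+\}", stored):
        return None
    return 0

def parse_digest(header):
    # Minimal parser for 'Digest k="v", k=v, ...' with quoted or bare values
    body = header.split("Digest", 1)[1]
    return {k: q or b for k, q, b in re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', body)}

def verify_authorization(header, method, stored):
    # Recompute the expected response from the stored credential and compare it,
    # the check Kamailio's check_response logs as "Our result"
    p = parse_digest(header)
    flag = credential_flag(stored)
    if flag is None:
        return False
    h1 = stored.lower() if flag == 1 else ha1(p["username"], p["realm"], stored)
    expected = digest_response(h1, method, p["uri"], p["nonce"],
                               p.get("qop"), p.get("nc"), p.get("cnonce"))
    return hmac.compare_digest(expected, p["response"].lower())

def build_authorization(username, realm, password, method, uri, nonce):
    # Constructed client side without qop, matching the challenge seen in the thread
    resp = digest_response(ha1(username, realm, password), method, uri, nonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}", algorithm=MD5')
```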



On Mon, May 7, 2012 at 4:52 PM, Saul Waizer <saulwaizer at gmail.com> wrote:

> Thank you Reda,
>
> Is there a way to utilize external scripts for authentication? Like bash,
> php etc? I cannot change the format of the LDAP but I am thinking about
> other methods that could possibly work too utilizing the same
> pv_www_authenticate logic, however these would require some external script
> processing.
>
> Example: SSO Authentication.
>
>  SIP user ----> SIP server ----> external auth script ----> OpenSSO server
>
> Thank you
>
>
> On Fri, May 4, 2012 at 5:56 PM, Reda Aouad <reda.aouad at gmail.com> wrote:
>
>> Sorry didn't reply to mailing list before. Emails are below.
>>
>> SHA1 encryption may not encrypt the same way as HA1 (HA1 = MD5 of realm +
>> username + password), so the problem may be here.
>> I suggest you store your passwords as clear text in LDAP for testing
>> first.
>>
>> Reda
>>
>>
>>
>> On Fri, May 4, 2012 at 11:14 PM, Saul Waizer <saulwaizer at gmail.com> wrote:
>>
>>> with the variations I get different results:
>>> 4(24126) ERROR: <script>: Password={SHA}v/m3IZiuy+VVizqnt56e2baZsT8=
>>> 4(24126) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=760 a=17 n=if
>>> 4(24126) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=756 a=28 n=pv_www_authenticate
>>> 4(24126) DEBUG: auth [api.c:95]: auth: digest-algo: MD5 parsed value: 1
>>> 4(24126) DEBUG: auth [api.c:210]: check_response: Our result = '3839aa4cae572f5f8b23601a2bb1178f'
>>> 4(24126) DEBUG: auth [api.c:220]: check_response: Authorization failed
>>>
>>> On Fri, May 4, 2012 at 3:11 PM, Saul Waizer <saulwaizer at gmail.com> wrote:
>>>
>>>> Also: I used xlog to print out the password and I get the exact same
>>>> password I have on my LDAP server, so it seems something with the decoding
>>>>
>>>>
>>>> On Fri, May 4, 2012 at 3:01 PM, Saul Waizer <saulwaizer at gmail.com> wrote:
>>>>
>>>>> Now I got it down to this:
>>>>>
>>>>> 2(23003) INFO: <script>: ldap_search: found [1] entries for (uid=mmiller)
>>>>> 2(23003) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=759 a=17 n=if
>>>>> 2(23003) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=755 a=28 n=pv_www_authenticate
>>>>> 2(23003) DEBUG: auth [api.c:95]: auth: digest-algo: MD5 parsed value: 1
>>>>> 2(23003) DEBUG: auth [auth_mod.c:455]: HA1 string calculated: c69622bbd922ec9321ab1293c226b703
>>>>> 2(23003) DEBUG: auth [api.c:210]: check_response: Our result = '939676a5591165f1da8ba04562d446b2'
>>>>> 2(23003) DEBUG: auth [api.c:220]: check_response: Authorization failed
>>>>> 2(23003) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=756 a=27 n=www_challenge
>>>>> 2(23003) DEBUG: auth [challenge.c:102]: build_challenge_hf: realm='23.22.35.43'
>>>>> 2(23003) DEBUG: auth [challenge.c:244]: auth: 'WWW-Authenticate: Digest realm="23.22.35.43", nonce="T6Qn/E+kJtAU7IvGh4OLivg7ptLbdida"
>>>>>
>>>>> I have changed the values of:
>>>>>
>>>>>   if (!pv_www_authenticate("$td", "$avp(password)", "0")) {
>>>>>       www_challenge("$td", "0");
>>>>>
>>>>> to:
>>>>>
>>>>>   if (!pv_www_authenticate("$td", "$avp(password)", "1")) {
>>>>>       www_challenge("$td", "0");
>>>>>
>>>>> because the password in LDAP is stored as SHA1, and according to
>>>>> the docs, it should be 1. I'm so close it seems :)
>>>>>
>>>>> *flags* - the value of this parameter can be a bitmask of following:
>>>>>
>>>>>    - *1* - the value of password parameter is HA1 format
>>>>>
>>>>>
>>>>>
>>>>> On Fri, May 4, 2012 at 2:47 PM, Reda Aouad <reda.aouad at gmail.com> wrote:
>>>>>
>>>>>> can you also print the avp(s:password) to log to see what its value
>>>>>> is?
>>>>>> use:
>>>>>> xlog('Password=$avp(s:password)')
>>>>>> after ldap_search and you'll see its output in the log file
>>>>>> maybe you're not correctly getting the password from the ldap search
>>>>>> url, avp(s:password) is then null and you get the error that it can't be
>>>>>> converted to string
>>>>>>
>>>>>> Reda
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Fri, May 4, 2012 at 8:40 PM, Reda Aouad <reda.aouad at gmail.com> wrote:
>>>>>>
>>>>>>> in the line
>>>>>>> if (!pv_www_authenticate("$td", "$avp(password)", "0")) {
>>>>>>>
>>>>>>> write avp(s:password) instead of avp(password)
>>>>>>> not sure it will solve it though.. if it doesn't, maybe others can
>>>>>>> help you more on this.
>>>>>>>
>>>>>>> Reda
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Fri, May 4, 2012 at 5:50 PM, Saul Waizer <saulwaizer at gmail.com> wrote:
>>>>>>>
>>>>>>>> Hello Reda,
>>>>>>>>
>>>>>>>> Thank you for your feedback, after some further research and
>>>>>>>> testing I got the LDAP search working, I am just having one issue with the
>>>>>>>> password variable:
>>>>>>>>
>>>>>>>> 3(22487) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=755 a=28 n=pv_www_authenticate
>>>>>>>> 3(22487) ERROR: <core> [sr_module.c:1613]: Could not convert PV to str
>>>>>>>> 3(22487) ERROR: auth [auth_mod.c:569]: failed to get passwd value
>>>>>>>>
>>>>>>>> My relevant configuration:
>>>>>>>>
>>>>>>>> route[AUTH] {
>>>>>>>> #!ifdef WITH_AUTH
>>>>>>>>     if (is_method("REGISTER"))
>>>>>>>>     {
>>>>>>>>         if(is_present_hf("Authorization"))
>>>>>>>>         {
>>>>>>>>             # ldap search
>>>>>>>>             if (!ldap_search("ldap://demo/ou=demo,dc=mydomain,dc=com?uid,userPassword?"))
>>>>>>>>             {
>>>>>>>>                 switch ($retcode)
>>>>>>>>                 {
>>>>>>>>                     case -1:
>>>>>>>>                         # no LDAP entry found
>>>>>>>>                         sl_send_reply("404", "User Not Found");
>>>>>>>>                         exit;
>>>>>>>>                     case -2:
>>>>>>>>                         # internal error
>>>>>>>>                         sl_send_reply("500", "Internal server error");
>>>>>>>>                         exit;
>>>>>>>>                     default:
>>>>>>>>                         exit;
>>>>>>>>                 }
>>>>>>>>             }
>>>>>>>>             ldap_result("uid/$avp(s:username)");
>>>>>>>>             ldap_result("userPassword/$avp(s:password)");
>>>>>>>>             xlog("L_INFO", "ldap_search: found [$retcode] entries for (uid=$fU)");
>>>>>>>>             if (!pv_www_authenticate("$td", "$avp(password)", "0")) {
>>>>>>>>                 www_challenge("$td", "1");
>>>>>>>>                 exit;
>>>>>>>>             }
>>>>>>>>             sl_send_reply("200", "ok");
>>>>>>>>             exit;
>>>>>>>>         } else {
>>>>>>>>             www_challenge("$td", "1");
>>>>>>>>             exit;
>>>>>>>>         }
>>>>>>>>     } else {
>>>>>>>>
>>>>>>>> And the error message:
>>>>>>>>
>>>>>>>> 3(22487) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=735 a=26 n=ldap_search
>>>>>>>> 3(22487) DEBUG: ldap [ldap_api_fn.c:273]: LDAP URL parsed into session_name [demo], base [ou=demo,dc=mydomain,dc=com], scope [0], filter []
>>>>>>>> 3(22487) DEBUG: ldap [ldap_api_fn.c:433]: [demo]: performing LDAP search: dn [ou=demo,dc=mydomain,dc=com], scope [0], filter [(null)], client_timeout [5000000] usecs
>>>>>>>> 3(22487) DEBUG: ldap [ldap_api_fn.c:240]: [demo]: [1] LDAP entries found
>>>>>>>> 3(22487) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=752 a=26 n=ldap_result
>>>>>>>> 3(22487) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=753 a=26 n=ldap_result
>>>>>>>> 3(22487) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=754 a=27 n=xlog
>>>>>>>> 3(22487) INFO: <script>: ldap_search: found [-1] entries for (uid=mmiller)
>>>>>>>> 3(22487) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=759 a=17 n=if
>>>>>>>> 3(22487) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=755 a=28 n=pv_www_authenticate
>>>>>>>> 3(22487) ERROR: <core> [sr_module.c:1613]: Could not convert PV to str
>>>>>>>> 3(22487) ERROR: auth [auth_mod.c:569]: failed to get passwd value
>>>>>>>> 3(22487) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=756 a=27 n=www_challenge
>>>>>>>> 3(22487) DEBUG: auth [challenge.c:102]: build_challenge_hf: realm='ip.of.sip.server'
>>>>>>>> 3(22487) DEBUG: auth [challenge.c:113]: build_challenge_hf: qop='auth'
>>>>>>>> 3(22487) DEBUG: auth [challenge.c:244]: auth: 'WWW-Authenticate: Digest realm="ip.of.sip.server", nonce="T6P5yU+j+J23OE93mPaektZpJszGpt/l", qop="auth"
>>>>>>>>
>>>>>>>> Any help is greatly appreciated!
>>>>>>>> Thanks
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Thu, May 3, 2012 at 4:22 PM, Reda Aouad <reda.aouad at gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Hi Saul,
>>>>>>>>>
>>>>>>>>> username_avp_spec was previously an AUTH module parameter to
>>>>>>>>> specify a variable that was passed to pv_www_authorize implicitly (the
>>>>>>>>> function doesn't take arguments). Now you should use the new
>>>>>>>>> pv_www_authenticate and pass to it explicitly the credentials as arguments.
>>>>>>>>>
>>>>>>>>> So forget about username_avp_spec since it doesn't exist as module
>>>>>>>>> param anymore (this is why you are getting the error). Store the result of
>>>>>>>>> ldap_search in the avps as in the tutorial using ldap_result, and pass them
>>>>>>>>> to pv_www_authenticate as parameters. pv_www_authenticate takes the
>>>>>>>>> following arguments:
>>>>>>>>> - realm: which you can get from "to domain" using $td
>>>>>>>>> - password: $avp(s:password)
>>>>>>>>> - flag: set it to 0 as a first test
>>>>>>>>>
>>>>>>>>> example:
>>>>>>>>> pv_www_authorize("$td", "$avp(s:password)", 0)
>>>>>>>>>
>>>>>>>>> This function takes the username from the authentication header,
>>>>>>>>> so no need to pass it anymore as argument.
>>>>>>>>>
>>>>>>>>> Reda
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Thu, May 3, 2012 at 8:47 PM, Saul Waizer <saulwaizer at gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> Hello List,
>>>>>>>>>>
>>>>>>>>>> I am trying to incorporate an existing LDAP directory with our
>>>>>>>>>> Kamailio installation for SIP authentication. A good friend suggested to
>>>>>>>>>> checkout this tutorial and adapt it to fit my needs (and current version)
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> http://www.kamailio.org/dokuwiki/doku.php/tutorials:openser-auth-ldap
>>>>>>>>>>
>>>>>>>>>> It seems like the AUTH module does not contain the function
>>>>>>>>>> username_spec (which I believe is not used anymore) but the
>>>>>>>>>> username_avp_spec which is not part of the AUTH module but the H350 module
>>>>>>>>>> http://kamailio.org/docs/modules/3.2.x/modules_k/h350.html
>>>>>>>>>>
>>>>>>>>>> I enabled the h350 module and tried setting the params as
>>>>>>>>>> described in the documentation:
>>>>>>>>>>
>>>>>>>>>> modparam("auth", "username_spec", "$avp(s:username)")
>>>>>>>>>> modparam("auth", "password_spec", "$avp(s:password)")
>>>>>>>>>> modparam("auth", "calculate_ha1", 1)
>>>>>>>>>>
>>>>>>>>>> I got the following error after checking the configuration:
>>>>>>>>>>
>>>>>>>>>> ERROR: <core> [modparam.c:151]: set_mod_param_regex: parameter <username_spec> not found in module <auth>
>>>>>>>>>>
>>>>>>>>>> I am running kamailio 3.2.3 (i386/linux) Ubuntu
>>>>>>>>>>
>>>>>>>>>> Thank you in advance!
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users
>>>>>>>>>> mailing list
>>>>>>>>>> sr-users at lists.sip-router.org
>>>>>>>>>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>>>>>>>>>>
>>>>>>>>>>