[SR-Users] Ldap auth

Slava Bendersky volga629 at networklab.ca
Tue Mar 25 00:42:33 CET 2014


Hello Daniel, 
Thank you for the answer. 

Regarding my last message, where Alex answered me: 
Can you please verify that this LDAP authentication routing section should work? Calls between two registered extensions are not working at all; I don't see any negotiation attempts and always get 404. I am trying not to use MySQL for user management. 

Error from debug: 

7(2668) DEBUG: tm [t_lookup.c:1373]: t_newtran(): DEBUG: t_newtran: msg id=1 , global msg id=1 , T on entrance=(nil) 
7(2668) DEBUG: tm [t_lookup.c:527]: t_lookup_request(): t_lookup_request: start searching: hash=24684, isACK=0 
7(2668) DEBUG: tm [t_lookup.c:485]: matching_3261(): DEBUG: RFC3261 transaction matching failed 
7(2668) DEBUG: tm [t_lookup.c:709]: t_lookup_request(): DEBUG: t_lookup_request: no transaction found 
7(2668) DEBUG: tm [t_hooks.c:374]: run_reqin_callbacks_internal(): DBG: trans=0x7f272e75acc0, callback type 1, id 0 entered 
7(2668) DEBUG: <core> [md5utils.c:67]: MD5StringArray(): DEBUG: MD5 calculated: 56120e176eec0cd31c62bcba6270de35 
7(2668) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio-ldap.cfg] l=697 a=21 n=switch 
7(2668) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio-ldap.cfg] l=692 a=26 n=send_reply 
7(2668) DEBUG: tm [t_lookup.c:1072]: t_check_msg(): DEBUG: t_check_msg: msg id=1 global id=1 T start=0x7f272e75acc0 
7(2668) DEBUG: tm [t_lookup.c:1144]: t_check_msg(): DEBUG: t_check_msg: T already found! 
7(2668) DEBUG: <core> [msg_translator.c:204]: check_via_address(): check_via_address(10.237.236.150, 10.237.236.150, 0) 
7(2668) DEBUG: <core> [mem/shm_mem.c:111]: _shm_resize(): WARNING:vqm_resize: resize(0) called 
7(2668) DEBUG: tm [t_reply.c:1663]: cleanup_uac_timers(): DEBUG: cleanup_uac_timers: RETR/FR timers reset 
7(2668) DEBUG: tm [t_hooks.c:288]: run_trans_callbacks_internal(): DBG: trans=0x7f272e75acc0, callback type 512, id 0 entered 
7(2668) DEBUG: acc [acc_logic.c:557]: tmcb_func(): acc callback called for t(0x7f272e75acc0) event type 512, reply code 404 
7(2668) DEBUG: tm [t_reply.c:728]: _reply_light(): DEBUG: reply sent out. buf=0x7f2738acb530: SIP/2.0 404 Not Foun..., shmem=0x7f272e753128: SIP/2.0 404 Not Foun 
7(2668) DEBUG: tm [t_reply.c:738]: _reply_light(): DEBUG: _reply_light: finished 
7(2668) DEBUG: sl [sl.c:280]: send_reply(): reply in stateful mode (tm) 


#!ifdef WITH_LDAP 
route[LDAP] { 
    if (is_method("REGISTER")) { 

        if (!(is_present_hf("Authorization") || is_present_hf("Proxy-Authorization"))) { 
            # no credentials header - send back challenge 
            auth_challenge("$fd", "1"); 
            exit; 
        } 

        # ldap search 
        ldap_search("ldap://sipaccounts/ou=People,dc=networklab,dc=loc?sipDomain,sipMobileExtension,sipPassword?one?(&(objectClass=phonesipuser)(sipMobileExtension=$fU))"); 
        $var(rc) = $rc; 
        if ($var(rc) < 0) { 
            switch ($var(rc)) { 
                case -1: 
                    # no LDAP entry found 
                    sl_send_reply("404", "User Not Found"); 
                    exit; 
                case -2: 
                    # internal error 
                    sl_send_reply("500", "Internal server error"); 
                    exit; 
                default: 
                    sl_send_reply("403", "Not allowed"); 
                    exit; 
            } 
        } 

        ldap_result("sipDomain/$avp(domain)"); 
        ldap_result("sipMobileExtension/$avp(s:username)"); 

        if (!ldap_result("sipPassword/$avp(s:password)")) { 
            sl_send_reply("404", "User Not Found"); 
            exit; 
        } 

        if ($fd != $avp(domain)) { 
            xlog("L_INFO", "Got ldap result $avp(domain). For user $avp(s:username) Not allowed $fd\n"); 
            sl_send_reply("403", "Not allowed $fd"); 
            exit; 
        } 

        xlog("L_INFO", "[Extension=$au] have $avp(s:password)\n"); # For test get ha1 from ldap 

        if (!pv_auth_check("$fd", "$avp(s:password)", "1", "0")) { 

            #if (!pv_www_authenticate("$fd", "$avp(s:password)", "1")) { 

            # $rc still holds the pv_auth_check() return code 
            if ($rc == -1) { 
                xlog("L_WARN", "Authentication: RetVal -1 Invalid Auth User [Extension=$au]\n"); 
            } else if ($rc == -2) { 
                xlog("L_WARN", "Authentication: RetVal -2 Invalid Password [Extension=$au]\n"); 
            } else if ($rc == -3) { 
                xlog("L_INFO", "Authentication: RetVal -3 Stale nonce [Extension=$au]\n"); 
            } else if ($rc == -5) { 
                xlog("L_WARN", "Authentication: RetVal -5 Generic Error [Extension=$au]\n"); 
            } 

            # www_challenge("$td", "0"); 
            # exit; 
            # sl_send_reply("200", "ok"); 
            # exit; 
            #} else { 
            # www_challenge("$td", "1"); 
            # exit; 
            #} 

            auth_challenge("$fd", "1"); 
            exit; 
        } else { 
            sl_send_reply("200", "ok"); 
            exit; 
        } 

        if (!is_method("REGISTER|PUBLISH")) { 
            consume_credentials(); 
        } 
    } 
    return; 
} 
#!endif 


Thank you, 
Slava. 
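An added example, not the poster's config or Kamailio's own code: a reworked route[LDAP] that applies the point in the reply quoted below (pseudo-variables are compared unquoted), challenges both REGISTER and call requests, and returns instead of replying 200 OK itself. It assumes the LDAP URL and attribute names from the posted config, and that the calling request route runs save("location") for REGISTER after this route returns (both assumptions).

```kamailio
#!ifdef WITH_LDAP
route[LDAP] {
    # No credentials yet: auth_challenge() sends WWW-Authenticate for REGISTER
    # and Proxy-Authenticate for other requests (e.g. INVITE between extensions)
    if (!(is_present_hf("Authorization") || is_present_hf("Proxy-Authorization"))) {
        auth_challenge("$fd", "1");
        exit;
    }

    # LDAP URL and attribute names assumed from the posted config
    ldap_search("ldap://sipaccounts/ou=People,dc=networklab,dc=loc?sipDomain,sipMobileExtension,sipPassword?one?(&(objectClass=phonesipuser)(sipMobileExtension=$fU))");
    $var(rc) = $rc;
    if ($var(rc) < 0) {
        switch ($var(rc)) {
            case -1: sl_send_reply("404", "User Not Found"); exit;
            case -2: sl_send_reply("500", "Internal Server Error"); exit;
            default: sl_send_reply("403", "Not Allowed"); exit;
        }
    }

    ldap_result("sipDomain/$avp(domain)");
    ldap_result("sipMobileExtension/$avp(username)");
    if (!ldap_result("sipPassword/$avp(password)")) {
        sl_send_reply("404", "User Not Found");
        exit;
    }

    # Compare pseudo-variables unquoted: "$fd" in quotes is the literal string
    if ($avp(domain) != $fd) {
        xlog("L_INFO", "domain mismatch for $avp(username): $avp(domain) vs $fd\n");
        sl_send_reply("403", "Not Allowed");
        exit;
    }

    # Flag "1": the stored value is an HA1 hash. Log the result code, never the hash
    if (!pv_auth_check("$fd", "$avp(password)", "1", "0")) {
        xlog("L_WARN", "auth failed rc=$rc for [$au] from $si\n");
        auth_challenge("$fd", "1");
        exit;
    }

    # Authenticated. Do not reply 200 here: returning lets the calling route run
    # save("location") for REGISTER, so a later lookup("location") can find the user.
    if (!is_method("REGISTER|PUBLISH")) {
        consume_credentials();
    }
    return;
}
#!endif
```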

----- Original Message -----

From: "Daniel-Constantin Mierla" <miconda at gmail.com> 
To: "Kamailio (SER) - Users Mailing List" <sr-users at lists.sip-router.org> 
Sent: Monday, March 24, 2014 4:47:36 AM 
Subject: Re: [SR-Users] Ldap auth 

Hello, 

remove the double quotes in the IF expressions: 

if ("$avp(s:domain)" =~ "$fd") { 

Values in between double quotes are strings. 

Cheers, 
Daniel 

On 21/03/14 21:41, Slava Bendersky wrote: 



Hello Everyone, 

I am trying to compare the domain part of the URI with the LDAP query result, and am getting a syntax warning: 

arn_at(): warning in config file /etc/kamailio/kamailio-ldap.cfg, line 992, column 17-39: constant value in if(...) 

ldap_result("sipExtension/$avp(extension)"); 
ldap_result("sipDomain/$avp(domain)"); 
ldap_result("password/$avp(password)"); 
} 

if ("$avp(s:domain)" =~ "$fd") { 
    xlog("L_INFO", "Not allowed $fd"); 
    sl_send_reply("403","Not allowed $fd"); 
    exit; 
} 

Any help is appreciated, thank you. 



_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list 
sr-users at lists.sip-router.org 
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users 



-- 
Daniel-Constantin Mierla - http://www.asipto.com 
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda 
Kamailio World Conference - April 2-4, 2014, Berlin, Germany 
http://www.kamailioworld.com 
