[OpenSER-Users] anonymous LDAP bind issue

antalsia at free.fr antalsia at free.fr
Mon Feb 4 09:58:04 CET 2008


It's now clear. I'll change my LDAP authentication method.

Thanks again.

Quoting Christian Schlatter <cs at unc.edu>:

> antalsia at free.fr wrote:
> > Hi,
> >
> > What I'd like to do is to authenticate SIP users the same way ldap users are
> > with the following command: ldapsearch -x -b [...] -D uid=user1,ou=xxxxx,dc=yyyy
> > -W. Is it possible with openser 1.3 ?
>
> For performance reasons, the openser ldap module executes bind
> operations only once per ldap connection setup. This happens when
> openser starts and in case an ldap server has terminated an ldap
> connection and the ldap module has to re-connect. The ldap module
> therefore does not support ldap bind operations triggered by openser's
> message routing script, as e.g. by SIP authentication requests. An ldap
> bind operation takes a considerable amount of time which adds to the
> overall SIP session setup delay.
>
> If the ldap user passwords are stored in cleartext (often they are md5
> hashed), you could set up an ldap super user which has access to all user
> passwords. This ldap super user account could then be used by openser to
> read the password for a specific user DN, and use that password for SIP
> authentication.
>
> Something like
>
> ldapsearch -x -b ou=xxx,dc=yyy -W -D uid=superuser,ou=xxx,dc=yyy '(uid=user1)' userPassword
>
> /Christian
>
> >
> >
> > Quoting Christian Schlatter <cs at unc.edu>:
> >
> >> antalsia at free.fr wrote:
> >>> Hi,
> >>>
> >>> I'm trying to implement LDAP authentication with anonymous LDAP bind. I set the
> >>> ldap configuration file without ldap_bind_dn, ldap_bind_password attributes.
> >>> This step works fine. Unfortunately, I can't figure out how to set the
> >>> openser.cfg file. I need to pass the bind DN and the user password to the
> >>> ldap_search function; that's ok for the bind DN but I don't know how to proceed
> >>> for the password. Can someone post an example please?
> >> Why do you need to pass the bind DN and password to ldap_search? An LDAP
> >> search operation doesn't include authentication, this is what the bind
> >> operation is good for. Once an LDAP client authenticates itself through
> >> the bind operation, it can issue a search operation.
> >>
> >> /Christian
> >>
> >>
> >>> Regards,
> >>>
> >>>
> >>
> >
> >
>
>
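
Added example, not part of the original thread and not OpenSER code: a Python sketch of the RFC 2617 digest check (no qop) that SIP authentication performs, showing why the approach in the reply works only when `userPassword` holds the cleartext password and fails when it holds an `{MD5}` hash. The user, realm, password, nonce and URI are constructed sample values, and treating any `{SCHEME}` prefix as a hashed value is a simplifying assumption.

```python
import base64
import hashlib
import hmac

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_response(ha1: str, nonce: str, method: str, uri: str) -> str:
    """RFC 2617 digest response without qop: MD5(HA1:nonce:HA2)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def ha1_from_user_password(user: str, realm: str, user_password: str):
    """Return HA1, or None when the stored value is a hash and not the password."""
    # Assumption: any "{SCHEME}" prefix ({MD5}, {SSHA}, ...) marks a hashed value.
    if user_password.startswith("{"):
        return None
    return md5_hex(f"{user}:{realm}:{user_password}")

def verify(user, realm, user_password, nonce, method, uri, client_response) -> bool:
    """Server side: recompute the response from the value read out of LDAP."""
    ha1 = ha1_from_user_password(user, realm, user_password)
    if ha1 is None:
        return False  # MD5(password) cannot be turned into MD5(user:realm:password)
    expected = digest_response(ha1, nonce, method, uri)
    return hmac.compare_digest(expected, client_response)

# Constructed sample values (not from the thread).
USER, REALM, PASSWORD = "user1", "sip.example.org", "s3cret"
NONCE, METHOD, URI = "47a6e5c1", "REGISTER", "sip:sip.example.org"

def client_response(password: str) -> str:
    """What the SIP client sends: only this hash, never the password itself."""
    return digest_response(md5_hex(f"{USER}:{REALM}:{password}"), NONCE, METHOD, URI)

def ldap_md5(password: str) -> str:
    """userPassword as stored under the LDAP {MD5} scheme: base64 of the raw digest."""
    return "{MD5}" + base64.b64encode(hashlib.md5(password.encode()).digest()).decode()

if __name__ == "__main__":
    resp = client_response(PASSWORD)
    print("cleartext userPassword:", verify(USER, REALM, PASSWORD, NONCE, METHOD, URI, resp))
    print("{MD5} userPassword:    ", verify(USER, REALM, ldap_md5(PASSWORD), NONCE, METHOD, URI, resp))
```

Because the client transmits only the digest response, the proxy never holds a password it could present in an LDAP bind, so the credential has to be readable from the directory.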





