<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-2">
<META content="MSHTML 6.00.2900.2668" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2>Dear all,</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>I'm new to SER and I have a serious problem with
implementing the authentication system from LDAP;</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial
size=2>SER&lt;-&gt;freeRADIUS&lt;-&gt;LDAP(user/pass(encrypted));</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>We have installed SER + Freeradius + LDAP system,
the SER parts of configuration works fine. </FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>If any SIP client comes into
SER, the auth_radius module forwards the request correctly to
freeradius:</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>The problem is the following:</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>rad_recv: Access-Request packet from host
127.0.0.1:50272, id=36, length=197<BR>
User-Name = "test@test.hu"<BR>
Digest-Attributes =
0x0a076779656269<BR> Digest-Attributes
= 0x010d667265656d61696c2e6875<BR>
Digest-Attributes =
0x022a34326337353933653330366534626363613836343837343332646635383363366139636364383038<BR>
Digest-Attributes =
0x04117369703a667265656d61696c2e6875<BR>
Digest-Attributes =
0x030a5245474953544552<BR>
Digest-Response =
"204aea65f72efb70b809ed425bec099c"<BR>
Service-Type = Sip-Session<BR>
Sip-Uri-User = "test"<BR>
NAS-IP-Address = 127.0.0.1<BR>
NAS-Port = 5060<BR> Processing the authorize section of
radiusd.conf<BR>modcall: entering group authorize for request 4<BR>
modcall[authorize]: module "preprocess" returns ok for request 4<BR>
modcall[authorize]: module "chap" returns noop for request 4<BR> rlm_eap:
No EAP-Message, not doing EAP<BR> modcall[authorize]: module "eap" returns
noop for request 4<BR> rlm_digest: Converting
Digest-Attributes to something
sane...<BR> Digest-User-Name =
"test"<BR> Digest-Realm =
"test.hu"<BR> Digest-Nonce =
"42c7593e306e4bcca86487432df583c6a9ccd808"<BR>
Digest-URI = "sip:test.hu"<BR>
Digest-Method = "REGISTER"<BR>rlm_digest: Adding Auth-Type = DIGEST<BR>
modcall[authorize]: module "digest" returns ok for request
4<BR> rlm_realm: Looking up realm "test.hu" for User-Name = test@test.hu<BR> rlm_realm: No
such realm "test.hu"<BR> modcall[authorize]: module "suffix" returns noop
for request 4<BR> users: Matched entry DEFAULT at line
160<BR> modcall[authorize]: module "files" returns ok for request
4<BR> modcall[authorize]: module "mschap" returns noop for request
4<BR>modcall: group authorize returns ok for request 4<BR>
rad_check_password: Found Auth-Type LDAP<BR>auth: type "LDAP"<BR>
Processing the authenticate section of radiusd.conf<BR>modcall: entering group
Auth-Type for request 4<BR>rlm_ldap: - authenticate<BR>rlm_ldap: Attribute
"User-Password" is required for authentication.<BR> modcall[authenticate]:
module "ldap" returns invalid for request 4<BR>modcall: group Auth-Type returns
invalid for request 4<BR>auth: Failed to validate the user.<BR>Login incorrect:
[test@test.hu/&lt;no User-Password attribute&gt;] (from client localhost port
5060)<BR>Delaying request 4 for 1 seconds<BR></FONT></DIV>
<DIV><FONT face=Arial size=2>So the ldap module expects the "User-Password"
attribute from the radius client, but because of DIGEST authentication it only gets
"DIGEST-ATTRIBUTES" from the SIP router.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Anyway, how is it possible to authenticate the users
with DIGEST authentication if RADIUS cannot see cleartext passwords in
LDAP? </FONT></DIV>
<DIV><FONT face=Arial size=2>I'm not an expert in password math and
calculations, and I also</FONT><FONT face=Arial size=2> read the Sterman
draft to explain this to me.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>So I suppose the following method:</FONT></DIV>
<DIV><FONT face=Arial size=2>RADIUS gets the
RADIUS request. --&gt; </FONT><FONT face=Arial size=2>It converts the
DIGEST-ATTRIBUTES to a readable format. --&gt; To calculate the DIGEST
AUTH. values, RADIUS has to do an LDAP lookup for the PASSWORD. --&gt;
It calculates the DIGEST AUTH. value and compares it with the received one; if they match,
the user is authenticated.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Is that right?</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>The radius authentication system works fine with
DIGEST authentication if I store the user/pass on the local file system (in the users
file), and</FONT><FONT face=Arial size=2> authentication from LDAP also works
without DIGEST auth (tried with radtest).</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Does anybody have experience with this problem, DIGEST
auth with LDAP?</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>THX</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Krisztián</FONT></DIV>
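<DIV><FONT face=Arial size=2>Added example, not part of the original message and not FreeRADIUS code: the check the post outlines, decoding Digest-Attributes (type, length, value) and recomputing the RFC 2617 response without qop. The user, realm, nonce and password are constructed; only the Digest-Method bytes come from the log above.</FONT></DIV>

```python
import hashlib
import hmac

# Sub-attribute types seen in the log above: type, length (header included), data.
SUBTYPES = {1: "Realm", 2: "Nonce", 3: "Method", 4: "URI", 10: "User-Name"}
METHOD_FROM_LOG = "030a5245474953544552"  # the Digest-Method value in the log


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def encode_sub(subtype, value):
    data = value.encode()
    return bytes([subtype, len(data) + 2]) + data


def decode_sub(blob):
    # Reject a value whose length byte disagrees with what was received.
    if 2 > len(blob) or blob[1] != len(blob) or blob[0] not in SUBTYPES:
        raise ValueError("malformed Digest-Attributes value")
    return SUBTYPES[blob[0]], blob[2:].decode()


def expected_response(attrs, secret):
    # RFC 2617 without qop: MD5(HA1:nonce:HA2); HA1 needs the password itself.
    ha1 = md5_hex(f"{attrs['User-Name']}:{attrs['Realm']}:{secret}")
    ha2 = md5_hex(f"{attrs['Method']}:{attrs['URI']}")
    return md5_hex(f"{ha1}:{attrs['Nonce']}:{ha2}")


def verify(attrs, digest_response, secret):
    return hmac.compare_digest(expected_response(attrs, secret), digest_response)


def demo():
    # Constructed request: user, realm, nonce and password are made up.
    values = [(10, "alice"), (1, "example.test"), (2, "0123456789abcdef"),
              (4, "sip:example.test"), (3, "REGISTER")]
    attrs = dict(decode_sub(encode_sub(t, v)) for t, v in values)
    from_client = expected_response(attrs, "s3cret")  # what the phone sends
    one_way = hashlib.sha1(b"s3cret").hexdigest()     # a hashed directory entry
    return {
        "cleartext": verify(attrs, from_client, "s3cret"),
        "wrong_password": verify(attrs, from_client, "guess"),
        "hashed_entry": verify(attrs, from_client, one_way),
    }


if __name__ == "__main__":
    print(decode_sub(bytes.fromhex(METHOD_FROM_LOG)), demo())
```

<DIV><FONT face=Arial size=2>The "hashed_entry" case is the one that matters for a directory: a one-way hash of the password cannot stand in for the password when HA1 is computed, so the response only verifies when the lookup returns the cleartext value (or a stored HA1 for the same user and realm).</FONT></DIV>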
<DIV> </DIV></BODY></HTML>