<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-2">
<META content="MSHTML 6.00.2900.2668" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV>Krisztián,</DIV>
<DIV>It depends on the hash you store in LDAP. If the hash is MD5, you can use
it directly in the digest algorithm. If its SSHA1 or something, you are
basically stuck. Either store clear-text in LDAP, or forget about
it. Of course, what you can do is to implement a conversion of SSHA when
users are logging in. But this is only possible if you at one point actually has
the clear-text password...</DIV>
<DIV>g-)</DIV>
<DIV> </DIV>
<DIV>---- Original Message ----<BR>From: Gyebnár Krisztián<BR>To:
serusers@lists.iptel.org<BR>Sent: Sunday, July 03, 2005 06:09 AM<BR>Subject:
[Serusers] SER+RADIUS+LDAP with encrypted passwords<BR><BR>> Dear
all,<BR>> <BR>> I'm new in SER and i have a serius problem about
implementing the<BR>> authentication system from LDAP; <BR>> <BR>>
SER<->freeRADIUS<->LDAP(user/pass(encrypted));<BR>> <BR>> We
have installed SER + Freeradius + LDAP system, the SER parts of<BR>>
configuration works fine. <BR>> <BR>> if any SIP client coming into the
SER the auth_radius modul forward<BR>> the request correctly to the
freeradius: <BR>> <BR>> <BR>> the problem is the following:<BR>>
<BR>> rad_recv: Access-Request packet from host 127.0.0.1:50272,
id=36,<BR>> length=197
<BR>> User-Name =
"test@test.hu"<BR>>
Digest-Attributes =
0x0a076779656269<BR>>
Digest-Attributes =
0x010d667265656d61696c2e6875<BR>>
Digest-Attributes =<BR>>
0x022a34326337353933653330366534626363613836343837343332646635383363366139636364383038<BR>>
Digest-Attributes =
0x04117369703a667265656d61696c2e6875<BR>>
Digest-Attributes =
0x030a5245474953544552<BR>>
Digest-Response =
"204aea65f72efb70b809ed425bec099c"<BR>>
Service-Type =
Sip-Session<BR>> Sip-Uri-User
= "test"<BR>> NAS-IP-Address
= 127.0.0.1<BR>> NAS-Port =
5060<BR>> Processing the authorize section of
radiusd.conf<BR>> modcall: entering group authorize for request
4<BR>> modcall[authorize]: module "preprocess" returns ok for
request 4<BR>> modcall[authorize]: module "chap" returns noop for
request 4<BR>> rlm_eap: No EAP-Message, not doing
EAP<BR>> modcall[authorize]: module "eap" returns noop for
request 4<BR>> rlm_digest: Converting
Digest-Attributes to something
sane...<BR>> Digest-User-Name
= "test"<BR>> Digest-Realm =
"test.hu"<BR>> Digest-Nonce =
"42c7593e306e4bcca86487432df583c6a9ccd808"<BR>>
Digest-URI =
"sip:test.hu"<BR>>
Digest-Method = "REGISTER"<BR>> rlm_digest: Adding Auth-Type =
DIGEST<BR>> modcall[authorize]: module "digest" returns ok for
request 4<BR>> rlm_realm: Looking up realm "test.hu"
for User-Name = test@test.hu<BR>> rlm_realm: No such
realm "test.hu"<BR>> modcall[authorize]: module "suffix" returns
noop for request 4<BR>> users: Matched entry DEFAULT
at line 160<BR>> modcall[authorize]: module "files" returns ok
for request 4<BR>> modcall[authorize]: module "mschap" returns
noop for request 4<BR>> modcall: group authorize returns ok for request
4<BR>> rad_check_password: Found Auth-Type LDAP<BR>>
auth: type "LDAP"<BR>> Processing the authenticate section of
radiusd.conf<BR>> modcall: entering group Auth-Type for request 4<BR>>
rlm_ldap: - authenticate<BR>> rlm_ldap: Attribute "User-Password" is required
for authentication.<BR>> modcall[authenticate]: module "ldap"
returns invalid for request 4<BR>> modcall: group Auth-Type returns invalid
for request 4<BR>> auth: Failed to validate the user.<BR>> Login
incorrect: [test@test.hu/<no User-Password attribute>] (from<BR>>
client localhost port 5060) <BR>> Delaying request 4 for 1 seconds<BR>>
<BR>> so the ldap modul expect the "User-Password" attribute from
radius<BR>> client, but because of DIGEST authentication only get<BR>>
"DIGEST-ATTRIBUTES" from the SIP router, <BR>> <BR>> Anyway, how to
possible to authenticate the users with DIGEST<BR>> authentication, if the
RADIUS can not see cleartext passwords in LDAP<BR>> ?. <BR>> I'm not
expert in password math and calculations, and also read the<BR>> sterman
draft to explain this to me. <BR>> <BR>> So i suppose the following
method:<BR>> Radius get the RADIUS request.-->Convert the
DIGEST-ATTRIBUTES to<BR>> readable format.-->to calculate the DIGEST AUTH.
values the RADIUS<BR>> have to do LDAP lookup for the PASSWORD-> Calculate
the DIGEST AUTH.<BR>> value and comapare it with the recieved one, if match
the user<BR>> authenticated. <BR>> <BR>> It's right
?<BR>> <BR>> The radius authentication system works fine with
DIGEST<BR>> authentication, if I store the user/pass on local file system
(in<BR>> users file) and also works authenticate from LDAP without DIGEST
auth<BR>> (try with radtest). <BR>> <BR>> Has anybody
experience with this problem, DIGEST auth with LDAP ?<BR>> <BR>>
THX<BR>> <BR>> Krisztián<BR>> <BR>> <BR>> <BR>> <BR>>
_______________________________________________<BR>> Serusers mailing
list<BR>> serusers@lists.iptel.org<BR>>
http://lists.iptel.org/mailman/listinfo/serusers</DIV></BODY></HTML>