Hello,<br><br>We have a LDAP database with many users information and this is the one we use to implement most of our services; on the contrary we have SER working with a SQL data base. Our intention was to make also the authentication against LDAP. After some research, we've seen there's no specific module for SER to work with LDAP and we have considered some alternatives among them there was the <a href="http://www.ethworld.ethz.ch/technologies/sipeth/ser_modules/ldap">"module" from ETH world</a>. However, we didn't manage to make it work (if it's an advisable choice we'd appreciate some clues). <br>
<br>So, we decided to make the authentication through the RADIUS server. Nevertheless, we are having some problems with the way data is sent. <br><br>When doing the user authentication there's no problem as it is sent in plain text and we modified to do it against the email attribute as it's this what we want. It makes it perfectly. But it turns out that when we try to make the password authentication, as the data sent from SER comes in a hash (user:realm:password) as long as we know, we don't really know how to make it compare with the password field in LDAP (under MD5 algorithm as well).<br>
<br>When we make a test over Radius by sending plain text it works perfectly so it shouldn't be a problem by searching the attributes over LDAP.<br><br>We have tried to follow instructions to set the digest section properly but there's something we definitely miss. <br>
<br>Attached there's a log from the radius when trying to log with SER and the Register section from SER. <br clear="all"><br>log:<br>03<br> User-Name = "<a href="mailto:my.user@i2cat.net">my.user@i2cat.net</a>"<br>
Digest-Attributes = 0x0a0b7061626c6f2e726f73<br> Digest-Attributes = 0x010b69326361742e6e6574<br> Digest-Attributes = 0x022a34626466643065343837303734363630626261366134363437663730313034343639663532306532<br> Digest-Attributes = 0x040f7369703a69326361742e6e6574<br>
Digest-Attributes = 0x030a5245474953544552<br> Digest-Response = "6c95bcba1fca30e976fa9295025b1bf4"<br> Service-Type = Sip-Session<br> Sip-Uri-User = "my.user"<br> NAS-Port = 5060<br> NAS-IP-Address = 127.0.0.1<br>
+- entering group authorize<br>++[preprocess] returns ok<br>++[chap] returns noop<br>++[mschap] returns noop<br>rlm_digest: Adding Auth-Type = DIGEST<br>++[digest] returns ok<br> rlm_realm: Looking up realm "<a href="http://i2cat.net">i2cat.net</a>" for User-Name = "<a href="mailto:my.user@i2cat.net">my.user@i2cat.net</a>"<br>
rlm_realm: No such realm "<a href="http://i2cat.net">i2cat.net</a>"<br>++[suffix] returns noop<br> rlm_eap: No EAP-Message, not doing EAP<br>++[eap] returns noop<br>++[unix] returns notfound<br>++[files] returns noop<br>
rlm_ldap: - authorize<br>rlm_ldap: performing user authorization for <a href="mailto:my.user@i2cat.net">my.user@i2cat.net</a><br>WARNING: Deprecated conditional expansion ":-". See "man unlang" for details<br>
expand: (mail=%{Stripped-User-Name:-%{User-Name}}) -> (mail=<a href="mailto:my.user@i2cat.net">my.user@i2cat.net</a>)<br> expand: ou=activat,ou=personal,dc=i2cat,dc=net -> ou=activat,ou=personal,dc=i2cat,dc=net<br>
rlm_ldap: ldap_get_conn: Checking Id: 0<br>rlm_ldap: ldap_get_conn: Got Id: 0<br>rlm_ldap: attempting LDAP reconnection<br>rlm_ldap: (re)connect to <a href="http://ldap.i2cat.net:389">ldap.i2cat.net:389</a>, authentication 0<br>
rlm_ldap: bind as cn=anonim,dc=i2cat,dc=net/i2mngr to <a href="http://ldap.i2cat.net:389">ldap.i2cat.net:389</a><br>rlm_ldap: waiting for bind result ...<br>rlm_ldap: Bind was successful<br>rlm_ldap: performing search in ou=activat,ou=personal,dc=i2cat,dc=net, with filter (mail=<a href="mailto:pablo.ros@i2cat.net">pablo.ros@i2cat.net</a>)<br>
rlm_ldap: No default NMAS login sequence<br>rlm_ldap: looking for check items in directory...<br>rlm_ldap: LDAP attribute userPassword as RADIUS attribute Digest-HA1 == "{md5}nCK4tZ5NNP48oT0wlXX+Jw=="<br>rlm_ldap: looking for reply items in directory...<br>
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?<br>rlm_ldap: user <a href="mailto:pablo.ros@i2cat.net">pablo.ros@i2cat.net</a> authorized to use remote access<br>
rlm_ldap: ldap_release_conn: Release Id: 0<br>++[ldap] returns ok<br>++[expiration] returns noop<br>++[logintime] returns noop<br>rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.<br>
++[pap] returns noop<br> rad_check_password: Found Auth-Type DIGEST<br>auth: type "digest"<br>+- entering group authenticate<br>rlm_digest: Digest-HA1 has invalid length, authentication failed.<br>++[digest] returns invalid<br>
auth: Failed to validate the user.<br>Login incorrect: [<a href="http://my.user@i2cat.net/">my.user@i2cat.net/</a><via Auth-Type = DIGEST>] (from client localhost port 5060)<br> Found Post-Auth-Type Reject<br>+- entering group REJECT<br>
expand: %{User-Name} -> <a href="mailto:my.user@i2cat.net">my.user@i2cat.net</a><br> attr_filter: Matched entry DEFAULT at line 11<br>++[attr_filter.access_reject] returns updated<br>Delaying reject of request 0 for 1 seconds<br>
<br><br>SER register -> User Authentication part<br><br>#------------------------------------------------------------------------<br> # Comprovacio de credencials per als usuaris.<br> #------------------------------------------------------------------------<br>
if (!is_user_in("From", "noauth"))<br> {<br> xlog("L_NOTICE", "SER-INFO: challenging user...\n");<br> # IMPORTANTE: radius_www_authorize solo toma un parámetro!<br>
if(!radius_www_authorize(""))<br> {<br> # L'usuari NO esta registrat correctament o les<br> # credencials no son valides!<br><br> www_challenge("<a href="http://i2cat.net">i2cat.net</a>","0");<br>
xlog("L_ALERT","SER-ALERT r[4]-Bad Auth from <%fu>:(%is) [403 Forbiden]\n");<br> sl_send_reply("403", "Forbiden!, Bad Credentials");<br>
break; #tallem la comunicacio<br> };<br> #--------------------------------------------------------------------<br> # check_to<br> #--------------------------------------------------------------------<br>
if(!check_to())<br> {<br> xlog("L_ALERT","SER-ALERT: check_to(): REG Spoofed attempt <%fu>:(%is)\n");<br> sl_send_reply("403", "Use To=id la proxima vegada :@");<br>
consume_credentials(); # fem que caduqui la sessio<br> break;<br> };<br> }<br><br>-- <br>Pablo Ros<br>