Thank you Reda,<div><br></div><div>Is there a way to utilize external scripts for authentication? Like bash, php etc? I cannot change the format of the LDAP but I am thinking about other methods that could possibly work too utilizing the same pv_www_authenticate logic, however these would require some external script processing.</div>
<div><br></div><div>Example: SSO Authentication.</div><div><br></div><div> SIP user ----> SIP server ----> external auth script ----> OpenSSO server</div><div><br></div><div>Thank you</div><div><br><br><div class="gmail_quote">
On Fri, May 4, 2012 at 5:56 PM, Reda Aouad <span dir="ltr"><<a href="mailto:reda.aouad@gmail.com" target="_blank">reda.aouad@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr"><font color="#3366ff"><font><font face="tahoma,sans-serif">Sorry didn't reply to mailing list before. Emails are below.</font></font></font><div><font color="#3366ff"><font><font face="tahoma,sans-serif"><br>
</font></font></font></div><div><span style="color:rgb(51,102,255);font-family:tahoma,sans-serif">SHA1 encryption may not encrypt the same way as HA1 (HA1 = MD5 of realm + username + password), so the problem may be here.</span>
</div><div><font color="#3366ff"><font><font face="tahoma,sans-serif">I suggest you store your passwords as clear text in LDAP for testing first.</font></font></font></div><span class="HOEnZb"><font color="#888888"><div>
<font color="#3366ff" face="tahoma, sans-serif"><br>
</font></div></font></span><div><span class="HOEnZb"><font color="#888888"><div dir="ltr"><div><font color="#3366ff" face="tahoma, sans-serif">Reda</font></div></div></font></span><div><div class="h5"><br>
<br><br><div class="gmail_quote">On Fri, May 4, 2012 at 11:14 PM, Saul Waizer <span dir="ltr"><<a href="mailto:saulwaizer@gmail.com" target="_blank">saulwaizer@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
with the variations I get different results:<div><div> 4(24126) ERROR: <script>: Password={SHA}v/m3IZiuy+VVizqnt56e2baZsT8= 4(24126) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=760 a=17 n=if</div><div> 4(24126) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=756 a=28 n=pv_www_authenticate</div>
<div> 4(24126) DEBUG: auth [api.c:95]: auth: digest-algo: MD5 parsed value: 1</div><div> 4(24126) DEBUG: auth [api.c:210]: check_response: Our result = '3839aa4cae572f5f8b23601a2bb1178f'</div><div> 4(24126) DEBUG: auth [api.c:220]: check_response: Authorization failed</div>
<div><div>
<br><div class="gmail_quote">On Fri, May 4, 2012 at 3:11 PM, Saul Waizer <span dir="ltr"><<a href="mailto:saulwaizer@gmail.com" target="_blank">saulwaizer@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Also: i used xlog to print out the password and I get the same exact password I have on my LDAP server, so it seems something with the decoding<div><div><br><br><div class="gmail_quote">On Fri, May 4, 2012 at 3:01 PM, Saul Waizer <span dir="ltr"><<a href="mailto:saulwaizer@gmail.com" target="_blank">saulwaizer@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Now i got it down to this:<div><br></div><div><div> 2(23003) INFO: <script>: ldap_search: found [1] entries for (uid=mmiller) 2(23003) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=759 a=17 n=if</div>
<div> 2(23003) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=755 a=28 n=pv_www_authenticate</div>
<div> 2(23003) DEBUG: auth [api.c:95]: auth: digest-algo: MD5 parsed value: 1</div><div> 2(23003) DEBUG: auth [auth_mod.c:455]: HA1 string calculated: c69622bbd922ec9321ab1293c226b703</div><div> 2(23003) DEBUG: auth [api.c:210]: check_response: Our result = '939676a5591165f1da8ba04562d446b2'</div>
<div> 2(23003) DEBUG: auth [api.c:220]: check_response: Authorization failed</div><div> 2(23003) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=756 a=27 n=www_challenge</div><div> 2(23003) DEBUG: auth [challenge.c:102]: build_challenge_hf: realm='23.22.35.43'</div>
<div> 2(23003) DEBUG: auth [challenge.c:244]: auth: 'WWW-Authenticate: Digest realm="23.22.35.43", nonce="T6Qn/E+kJtAU7IvGh4OLivg7ptLbdida"</div><div><br></div><div>I have changed the values of:</div>
<div><br></div><div><div><div> if (!pv_www_authenticate("$td", "$avp(password)", "0")) {</div></div><div> www_challenge("$td", "0");</div></div>
<div><br></div><div>to: </div>
<div><br></div><div><div><div> if (!pv_www_authenticate("$td", "$avp(password)", "1")) {</div><div> www_challenge("$td", "0");</div></div></div><div><br>
</div>
<div>because of the password in LDAP is stored as SHA1, and according to the docs, it should be 1. I'm so close it seems :)</div><div><br></div><div><p style="text-align:justify;font-size:12px;font-family:Helvetica,Arial">
<span><em>flags</em></span> - the value of this parameter can be a bitmask of following:</p><div style="font-size:medium;font-family:Helvetica,Arial">
<ul><li><p style="font-size:12px;text-align:justify"><span><em>1</em></span> - the value of password parameter is HA1 format</p></li></ul></div></div><div><div><div><br></div><br><div class="gmail_quote">On Fri, May 4, 2012 at 2:47 PM, Reda Aouad <span dir="ltr"><<a href="mailto:reda.aouad@gmail.com" target="_blank">reda.aouad@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><font color="#3366ff"><font><font face="tahoma,sans-serif">can you also print the avp(s:password) to log to see what its value is?</font></font></font><div>
<font color="#3366ff"><font><font face="tahoma,sans-serif">use:</font></font></font></div>
<div><font color="#3366ff"><font><font face="tahoma,sans-serif">xlog('Password=$avp(s:password)')</font></font></font></div><div><font color="#3366ff"><font><font face="tahoma,sans-serif">after ldap_search and you'll see its output in the log file</font></font></font></div>
<div><font color="#3366ff"><font><font face="tahoma,sans-serif">maybe you're not correctly getting the password from the ldap search url, avp(s:password) is then null and you get the error that it can't be converted to string<span><font color="#888888"><br clear="all">
</font></span></font></font></font><span><font color="#888888"><div dir="ltr"><font color="#3366ff" face="tahoma, sans-serif"><br></font><div><font color="#3366ff" face="tahoma, sans-serif">Reda</font></div>
</div></font></span><div><div><br>
<br><br><div class="gmail_quote">On Fri, May 4, 2012 at 8:40 PM, Reda Aouad <span dir="ltr"><<a href="mailto:reda.aouad@gmail.com" target="_blank">reda.aouad@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr"><font color="#3366ff"><font><font face="tahoma,sans-serif">in the line</font></font></font><div><div><span>if (!pv_www_authenticate("$td", "$avp(password)", "0")) {</span>
</div><div><font color="#3366ff"><font><font face="tahoma,sans-serif"><br></font></font></font></div></div><div><font color="#3366ff"><font><font face="tahoma,sans-serif">write avp(s:password) instead of avp(password)</font></font></font></div>
<div><font color="#3366ff"><font><font face="tahoma,sans-serif">not sure it will solve it though.. if it doesn't, maybe others can help you more on this.</font></font></font></div><div><span><font color="#888888"><div dir="ltr">
<font color="#3366ff" face="tahoma, sans-serif"><br>
</font><div><font color="#3366ff" face="tahoma, sans-serif">Reda</font></div></div></font></span><div><div><br>
<br><br><div class="gmail_quote">On Fri, May 4, 2012 at 5:50 PM, Saul Waizer <span dir="ltr"><<a href="mailto:saulwaizer@gmail.com" target="_blank">saulwaizer@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hello Reda,<div><br></div><div>Thank you for your feedback, after some further research and testing I got the LDAP search working, I am just having one issue with the password variable:</div><div><br></div><div><div> 3(22487) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=755 a=28 n=pv_www_authenticate</div>
<div> 3(22487) ERROR: <core> [sr_module.c:1613]: Could not convert PV to str</div><div> 3(22487) ERROR: auth [auth_mod.c:569]: failed to get passwd value</div></div><div><br></div><div>My relevant configuration:</div>
<div><br></div><div><div>route[AUTH] {</div><div>#!ifdef WITH_AUTH</div><div> if (is_method("REGISTER"))</div><div> {</div><div>if(is_present_hf("Authorization"))</div><div> {</div>
<div> # ldap search</div><div> </div><div> if (!ldap_search("ldap://demo/ou=demo,dc=mydomain,dc=com?uid,userPassword?"))</div><div><br></div><div>{</div><div> switch ($retcode)</div>
<div> {</div><div> case -1:</div><div> # no LDAP entry found</div><div> sl_send_reply("404", "User Not Found");</div><div>
exit;</div>
<div> case -2:</div><div> # internal error</div><div> sl_send_reply("500", "Internal server error");</div><div> exit;</div>
<div> default:</div><div> exit;</div><div> }</div><div> }</div><div>ldap_result("uid/$avp(s:username)");</div><div>ldap_result("userPassword/$avp(s:password)");</div>
<div> xlog("L_INFO", "ldap_search: found [$retcode] entries for (uid=$fU)");</div><div> if (!pv_www_authenticate("$td", "$avp(password)", "0")) {</div>
<div> www_challenge("$td", "1");</div><div> exit;</div><div> }</div><div> sl_send_reply("200", "ok");</div><div> exit;</div>
<div> } else {</div><div> www_challenge("$td", "1");</div><div> exit;</div><div> }</div><div> } else {</div></div><div><br></div><div>And the error message:</div>
<div><br></div><div><div> 3(22487) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=735 a=26 n=ldap_search</div><div> 3(22487) DEBUG: ldap [ldap_api_fn.c:273]: LDAP URL parsed into session_name [demo], base [ou=demo,dc=mydomain,dc=com], scope [0], filter []</div>
<div> 3(22487) DEBUG: ldap [ldap_api_fn.c:433]: [demo]: performing LDAP search: dn [ou=demo,dc=mydomain,dc=com], scope [0], filter [(null)], client_timeout [5000000] usecs</div><div> 3(22487) DEBUG: ldap [ldap_api_fn.c:240]: [demo]: [1] LDAP entries found</div>
<div> 3(22487) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=752 a=26 n=ldap_result</div><div> 3(22487) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=753 a=26 n=ldap_result</div><div> 3(22487) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=754 a=27 n=xlog</div>
<div> 3(22487) INFO: <script>: ldap_search: found [-1] entries for (uid=mmiller) 3(22487) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=759 a=17 n=if</div><div> 3(22487) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=755 a=28 n=pv_www_authenticate</div>
<div> 3(22487) ERROR: <core> [sr_module.c:1613]: Could not convert PV to str</div><div> 3(22487) ERROR: auth [auth_mod.c:569]: failed to get passwd value</div><div> 3(22487) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=756 a=27 n=www_challenge</div>
<div> 3(22487) DEBUG: auth [challenge.c:102]: build_challenge_hf: realm='ip.of.sip.server'</div><div> 3(22487) DEBUG: auth [challenge.c:113]: build_challenge_hf: qop='auth'</div><div> 3(22487) DEBUG: auth [challenge.c:244]: auth: 'WWW-Authenticate: Digest realm="ip.of.sip.server", nonce="T6P5yU+j+J23OE93mPaektZpJszGpt/l", qop="auth"</div>
</div><div><br></div><div>Any help is greatly appreciated!</div><div>Thanks</div><div><div><div><br></div><div><br></div><div><br><div class="gmail_quote">On Thu, May 3, 2012 at 4:22 PM, Reda Aouad <span dir="ltr"><<a href="mailto:reda.aouad@gmail.com" target="_blank">reda.aouad@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><font color="#3366ff"><font><font face="tahoma,sans-serif">Hi Saul,</font></font></font><div><font color="#3366ff"><font><font face="tahoma,sans-serif"><br>
</font></font></font></div><div><font color="#3366ff"><font><font face="tahoma,sans-serif">username_avp_spec was previously a AUTH module parameter to specify a variable that was passed to pv_www_authorize implicitly (the function doesn't take arguments). </font></font></font><span style="font-family:tahoma,sans-serif;color:rgb(51,102,255)">Now you should use the new pv_www_authenticate and pass to it explicitly the credentials as arguments.</span></div>
<div><font color="#3366ff"><font><font face="tahoma,sans-serif"><br></font></font></font></div><div><font color="#3366ff"><font><font face="tahoma,sans-serif">So forget about username_avp_spec since it doesn't exist as module param anymore (this is why you are getting the error). Store the result of ldap_search in the avps as in the tutorial using ldap_result, and pass them to pv_www_authenticate as parameters. pv_www_authenticate takes the following arguments:</font></font></font></div>
<div><font color="#3366ff"><font><font face="tahoma,sans-serif">- realm: which you can get from "to domain" using $td</font></font></font></div><div><font color="#3366ff"><font><font face="tahoma,sans-serif">- password: $avp(s:password)</font></font></font></div>
<div><font color="#3366ff"><font><font face="tahoma,sans-serif">- flag: set it to 0 as a first test</font></font></font></div><div><font color="#3366ff"><font><font face="tahoma,sans-serif"><br></font></font></font></div>
<div><font color="#3366ff"><font><font face="tahoma,sans-serif">example:</font></font></font></div><div><font color="#3366ff"><font><font face="tahoma,sans-serif">pv_www_authorize("$td", "$avp(s:password)", 0)</font></font></font></div>
<div><font color="#3366ff"><font><font face="tahoma,sans-serif"><br></font></font></font></div><div><font color="#3366ff"><font><font face="tahoma,sans-serif">This function takes the username from the authentication header, so no need to pass it anymore as argument.</font></font></font></div>
<div dir="ltr"><font color="#3366ff" face="tahoma, sans-serif"><br>
</font><div><font color="#3366ff" face="tahoma, sans-serif">Reda</font></div></div><br>
<br><br><div class="gmail_quote"><div><div>On Thu, May 3, 2012 at 8:47 PM, Saul Waizer <span dir="ltr"><<a href="mailto:saulwaizer@gmail.com" target="_blank">saulwaizer@gmail.com</a>></span> wrote:<br></div>
</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div>
Hello List,<div><br></div><div>I am trying to incorporate an existing LDAP directory with our Kamailio installation for SIP authentication. A good friend suggested to checkout this tutorial and adapt it to fit my needs (and current version)</div>
<div><br></div><div><a href="http://www.kamailio.org/dokuwiki/doku.php/tutorials:openser-auth-ldap" target="_blank">http://www.kamailio.org/dokuwiki/doku.php/tutorials:openser-auth-ldap</a></div><div><br></div><div><div>
It seems like the AUTH module does not contain the function username_spec (which I believe is not used anymore) but the username_avp_spec which is not part of the AUTH module but the H350 module <a href="http://kamailio.org/docs/modules/3.2.x/modules_k/h350.html" style="color:rgb(17,85,204)" target="_blank">http://kamailio.org/docs/modules/3.2.x/modules_k/h350.html</a></div>
<div><br></div><div>I enabled the h350 module and tried setting the params as described in the documentation:</div><div><br></div><div><div>modparam("auth", "username_spec", "$avp(s:username)")</div>
<div>modparam("auth", "password_spec", "$avp(s:password)")</div><div>modparam("auth", "calculate_ha1", 1)</div></div><div><br></div><div>I got the following error after checking the configuration:</div>
<div><br></div><div>ERROR: <core> [modparam.c:151]: set_mod_param_regex: parameter <username_spec> not found in module <auth></div></div><div><br></div><div>I am running kamailio 3.2.3 (i386/linux) Ubuntu</div>
<div><br></div><div><font color="#222222" face="arial, sans-serif">Thank you in advance!</font></div><div><font color="#222222" face="arial, sans-serif"><br></font></div><div><font color="#222222" face="arial, sans-serif"><br>
</font></div><div><font color="#222222" face="arial, sans-serif"> </font></div><div><br></div><div><br></div>
<br></div></div>_______________________________________________<br>
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list<br>
<a href="mailto:sr-users@lists.sip-router.org" target="_blank">sr-users@lists.sip-router.org</a><br>
<a href="http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users" target="_blank">http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users</a><br>
<br></blockquote></div><br></div>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div></div></div></div>
</blockquote></div><br></div></div></div></div>
</blockquote></div><br></div></div></div>
</blockquote></div><br>
</div></div></blockquote></div><br></div></div></div>
</blockquote></div><br></div></div></div></div>
</blockquote></div><br></div>