Sorry didn't reply to mailing list before. Emails are below. SHA1 encryption may not encrypt the same way as HA1 (HA1 = MD5 of realm + username + password), so the problem may be here. I suggest you store your passwords as clear text in LDAP for testing first.

Reda

On Fri, May 4, 2012 at 11:14 PM, Saul Waizer <[email protected]> wrote:

> with the variations I get different results:
> 4(24126) ERROR: <script>: Password={SHA}v/m3IZiuy+VVizqnt56e2baZsT8=
> 4(24126) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=760 a=17 n=if
> 4(24126) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=756 a=28 n=pv_www_authenticate
> 4(24126) DEBUG: auth [api.c:95]: auth: digest-algo: MD5 parsed value: 1
> 4(24126) DEBUG: auth [api.c:210]: check_response: Our result = '3839aa4cae572f5f8b23601a2bb1178f'
> 4(24126) DEBUG: auth [api.c:220]: check_response: Authorization failed
>
> On Fri, May 4, 2012 at 3:11 PM, Saul Waizer <[email protected]> wrote:
>
>> Also: i used xlog to print out the password and I get the same exact
>> password I have on my LDAP server, so it seems something with the decoding
>>
>> On Fri, May 4, 2012 at 3:01 PM, Saul Waizer <[email protected]> wrote:
>>
>>> Now i got it down to this:
>>>
>>> 2(23003) INFO: <script>: ldap_search: found [1] entries for (uid=mmiller)
>>> 2(23003) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=759 a=17 n=if
>>> 2(23003) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=755 a=28 n=pv_www_authenticate
>>> 2(23003) DEBUG: auth [api.c:95]: auth: digest-algo: MD5 parsed value: 1
>>> 2(23003) DEBUG: auth [auth_mod.c:455]: HA1 string calculated: c69622bbd922ec9321ab1293c226b703
>>> 2(23003) DEBUG: auth [api.c:210]: check_response: Our result = '939676a5591165f1da8ba04562d446b2'
>>> 2(23003) DEBUG: auth [api.c:220]: check_response: Authorization failed
>>> 2(23003) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=756 a=27 n=www_challenge
>>> 2(23003) DEBUG: auth [challenge.c:102]: build_challenge_hf: realm='23.22.35.43'
>>> 2(23003) DEBUG: auth [challenge.c:244]: auth: 'WWW-Authenticate: Digest realm="23.22.35.43", nonce="T6Qn/E+kJtAU7IvGh4OLivg7ptLbdida"
>>>
>>> I have changed the values of:
>>>
>>> if (!pv_www_authenticate("$td", "$avp(password)", "0")) {
>>>     www_challenge("$td", "0");
>>>
>>> to:
>>>
>>> if (!pv_www_authenticate("$td", "$avp(password)", "1")) {
>>>     www_challenge("$td", "0");
>>>
>>> because of the password in LDAP is stored as SHA1, and according to
>>> the docs, it should be 1. I'm so close it seems :)
>>>
>>> *flags* - the value of this parameter can be a bitmask of following:
>>>
>>> - *1* - the value of password parameter is HA1 format
>>>
>>> On Fri, May 4, 2012 at 2:47 PM, Reda Aouad <[email protected]> wrote:
>>>
>>>> can you also print the avp(s:password) to log to see what its value is?
>>>> use:
>>>> xlog('Password=$avp(s:password)')
>>>> after ldap_search and you'll see its output in the log file
>>>> maybe you're not correctly getting the password from the ldap search
>>>> url, avp(s:password) is then null and you get the error that it can't be
>>>> converted to string
>>>>
>>>> Reda
>>>>
>>>> On Fri, May 4, 2012 at 8:40 PM, Reda Aouad <[email protected]> wrote:
>>>>
>>>>> in the line
>>>>> if (!pv_www_authenticate("$td", "$avp(password)", "0")) {
>>>>>
>>>>> write avp(s:password) instead of avp(password)
>>>>> not sure it will solve it though.. if it doesn't, maybe others can
>>>>> help you more on this.
>>>>>
>>>>> Reda
>>>>>
>>>>> On Fri, May 4, 2012 at 5:50 PM, Saul Waizer <[email protected]> wrote:
>>>>>
>>>>>> Hello Reda,
>>>>>>
>>>>>> Thank you for your feedback, after some further research and testing
>>>>>> I got the LDAP search working, I am just having one issue with the
>>>>>> password variable:
>>>>>>
>>>>>> 3(22487) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=755 a=28 n=pv_www_authenticate
>>>>>> 3(22487) ERROR: <core> [sr_module.c:1613]: Could not convert PV to str
>>>>>> 3(22487) ERROR: auth [auth_mod.c:569]: failed to get passwd value
>>>>>>
>>>>>> My relevant configuration:
>>>>>>
>>>>>> route[AUTH] {
>>>>>> #!ifdef WITH_AUTH
>>>>>>     if (is_method("REGISTER"))
>>>>>>     {
>>>>>>         if(is_present_hf("Authorization"))
>>>>>>         {
>>>>>>             # ldap search
>>>>>>             if (!ldap_search("ldap://demo/ou=demo,dc=mydomain,dc=com?uid,userPassword?"))
>>>>>>             {
>>>>>>                 switch ($retcode)
>>>>>>                 {
>>>>>>                 case -1:
>>>>>>                     # no LDAP entry found
>>>>>>                     sl_send_reply("404", "User Not Found");
>>>>>>                     exit;
>>>>>>                 case -2:
>>>>>>                     # internal error
>>>>>>                     sl_send_reply("500", "Internal server error");
>>>>>>                     exit;
>>>>>>                 default:
>>>>>>                     exit;
>>>>>>                 }
>>>>>>             }
>>>>>>             ldap_result("uid/$avp(s:username)");
>>>>>>             ldap_result("userPassword/$avp(s:password)");
>>>>>>             xlog("L_INFO", "ldap_search: found [$retcode] entries for (uid=$fU)");
>>>>>>             if (!pv_www_authenticate("$td", "$avp(password)", "0")) {
>>>>>>                 www_challenge("$td", "1");
>>>>>>                 exit;
>>>>>>             }
>>>>>>             sl_send_reply("200", "ok");
>>>>>>             exit;
>>>>>>         } else {
>>>>>>             www_challenge("$td", "1");
>>>>>>             exit;
>>>>>>         }
>>>>>>     } else {
>>>>>>
>>>>>> And the error message:
>>>>>>
>>>>>> 3(22487) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=735 a=26 n=ldap_search
>>>>>> 3(22487) DEBUG: ldap [ldap_api_fn.c:273]: LDAP URL parsed into session_name [demo], base [ou=demo,dc=mydomain,dc=com], scope [0], filter []
>>>>>> 3(22487) DEBUG: ldap [ldap_api_fn.c:433]: [demo]: performing LDAP search: dn [ou=demo,dc=mydomain,dc=com], scope [0], filter [(null)], client_timeout [5000000] usecs
>>>>>> 3(22487) DEBUG: ldap [ldap_api_fn.c:240]: [demo]: [1] LDAP entries found
>>>>>> 3(22487) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=752 a=26 n=ldap_result
>>>>>> 3(22487) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=753 a=26 n=ldap_result
>>>>>> 3(22487) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=754 a=27 n=xlog
>>>>>> 3(22487) INFO: <script>: ldap_search: found [-1] entries for (uid=mmiller)
>>>>>> 3(22487) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=759 a=17 n=if
>>>>>> 3(22487) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=755 a=28 n=pv_www_authenticate
>>>>>> 3(22487) ERROR: <core> [sr_module.c:1613]: Could not convert PV to str
>>>>>> 3(22487) ERROR: auth [auth_mod.c:569]: failed to get passwd value
>>>>>> 3(22487) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=756 a=27 n=www_challenge
>>>>>> 3(22487) DEBUG: auth [challenge.c:102]: build_challenge_hf: realm='ip.of.sip.server'
>>>>>> 3(22487) DEBUG: auth [challenge.c:113]: build_challenge_hf: qop='auth'
>>>>>> 3(22487) DEBUG: auth [challenge.c:244]: auth: 'WWW-Authenticate: Digest realm="ip.of.sip.server", nonce="T6P5yU+j+J23OE93mPaektZpJszGpt/l", qop="auth"
>>>>>>
>>>>>> Any help is greatly appreciated!
>>>>>> Thanks
>>>>>>
>>>>>> On Thu, May 3, 2012 at 4:22 PM, Reda Aouad <[email protected]> wrote:
>>>>>>
>>>>>>> Hi Saul,
>>>>>>>
>>>>>>> username_avp_spec was previously a AUTH module parameter to specify
>>>>>>> a variable that was passed to pv_www_authorize implicitly (the function
>>>>>>> doesn't take arguments). Now you should use the new
>>>>>>> pv_www_authenticate and pass to it explicitly the credentials as
>>>>>>> arguments.
>>>>>>>
>>>>>>> So forget about username_avp_spec since it doesn't exist as module
>>>>>>> param anymore (this is why you are getting the error). Store the result of
>>>>>>> ldap_search in the avps as in the tutorial using ldap_result, and pass them
>>>>>>> to pv_www_authenticate as parameters. pv_www_authenticate takes the
>>>>>>> following arguments:
>>>>>>> - realm: which you can get from "to domain" using $td
>>>>>>> - password: $avp(s:password)
>>>>>>> - flag: set it to 0 as a first test
>>>>>>>
>>>>>>> example:
>>>>>>> pv_www_authorize("$td", "$avp(s:password)", 0)
>>>>>>>
>>>>>>> This function takes the username from the authentication header, so
>>>>>>> no need to pass it anymore as argument.
>>>>>>>
>>>>>>> Reda
>>>>>>>
>>>>>>> On Thu, May 3, 2012 at 8:47 PM, Saul Waizer <[email protected]> wrote:
>>>>>>>
>>>>>>>> Hello List,
>>>>>>>>
>>>>>>>> I am trying to incorporate an existing LDAP directory with our
>>>>>>>> Kamailio installation for SIP authentication. A good friend suggested to
>>>>>>>> checkout this tutorial and adapt it to fit my needs (and current version)
>>>>>>>>
>>>>>>>> http://www.kamailio.org/dokuwiki/doku.php/tutorials:openser-auth-ldap
>>>>>>>>
>>>>>>>> It seems like the AUTH module does not contain the function
>>>>>>>> username_spec (which I believe is not used anymore) but the
>>>>>>>> username_avp_spec which is not part of the AUTH module but the H350 module
>>>>>>>> http://kamailio.org/docs/modules/3.2.x/modules_k/h350.html
>>>>>>>>
>>>>>>>> I enabled the h350 module and tried setting the params as described
>>>>>>>> in the documentation:
>>>>>>>>
>>>>>>>> modparam("auth", "username_spec", "$avp(s:username)")
>>>>>>>> modparam("auth", "password_spec", "$avp(s:password)")
>>>>>>>> modparam("auth", "calculate_ha1", 1)
>>>>>>>>
>>>>>>>> I got the following error after checking the configuration:
>>>>>>>>
>>>>>>>> ERROR: <core> [modparam.c:151]: set_mod_param_regex: parameter <username_spec> not found in module <auth>
>>>>>>>>
>>>>>>>> I am running kamailio 3.2.3 (i386/linux) Ubuntu
>>>>>>>>
>>>>>>>> Thank you in advance!
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
>>>>>>>> [email protected]
>>>>>>>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users

_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
[email protected]
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
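
The mismatch this thread runs into, as an added example that is not part of the original messages or Kamailio's code: digest verification needs either the cleartext password or HA1, which RFC 2617 defines as MD5(username:realm:password), and an LDAP `{SHA}` value is neither. `server_check` is a simplified model of the flag quoted in the thread (bit 1 means the value is already HA1); the password `s3cret` and the request URI are constructed, while user, realm and nonce are taken from the log above.

```python
import base64
import hashlib

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def ha1(username, realm, password):
    # RFC 2617: HA1 = MD5(username ":" realm ":" password)
    return md5_hex(f"{username}:{realm}:{password}")

def digest_response(ha1_hex, nonce, method, uri):
    # Response when the challenge carries no qop (www_challenge flags "0")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{ha2}")

def ldap_sha(password):
    # LDAP {SHA} scheme: base64 of the raw 20-byte SHA-1 of the password
    raw = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(raw).decode()

def classify(stored):
    """What a userPassword value can serve as for digest authentication."""
    if stored.startswith("{") and "}" in stored:
        return "hashed:" + stored[1:stored.index("}")]  # one-way, unusable
    if len(stored) == 32 and all(c in "0123456789abcdef" for c in stored.lower()):
        return "ha1-candidate"
    return "cleartext"

def sha_digest_len(stored):
    # Length in bytes of the digest carried by a {SHA} value
    return len(base64.b64decode(stored[len("{SHA}"):]))

def server_check(stored, flags, username, realm, nonce, method, uri, response):
    # Model of the flag from the thread: bit 1 set means "stored is HA1"
    h = stored if flags & 1 else ha1(username, realm, stored)
    return digest_response(h, nonce, method, uri) == response

# User, realm and nonce as in the log above; password and URI are constructed
USER, REALM, NONCE = "mmiller", "23.22.35.43", "T6Qn/E+kJtAU7IvGh4OLivg7ptLbdida"
PASSWORD, URI = "s3cret", "sip:23.22.35.43"
CLIENT = digest_response(ha1(USER, REALM, PASSWORD), NONCE, "REGISTER", URI)

if __name__ == "__main__":
    for label, stored, flags in [
        ("cleartext, flags 0", PASSWORD, 0),
        ("{SHA} value, flags 0", ldap_sha(PASSWORD), 0),
        ("{SHA} value, flags 1", ldap_sha(PASSWORD), 1),
        ("precomputed HA1, flags 1", ha1(USER, REALM, PASSWORD), 1),
    ]:
        ok = server_check(stored, flags, USER, REALM, NONCE, "REGISTER", URI, CLIENT)
        print(f"{label:26} {classify(stored):14} {'match' if ok else 'Authorization failed'}")
```

Only the cleartext and precomputed-HA1 rows match. An HA1 is bound to one realm, so it has to be computed with the same realm the server sends in its challenge.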
