Thank you Reda,

Is there a way to utilize external scripts for authentication, like bash, PHP, etc.? I cannot change the format of the LDAP, but I am thinking about other methods that could possibly work too, utilizing the same pv_www_authenticate logic; however, these would require some external script processing.

Example: SSO authentication.

SIP user ----> SIP server ----> external auth script ----> OpenSSO server

Thank you

On Fri, May 4, 2012 at 5:56 PM, Reda Aouad <reda.ao...@gmail.com> wrote:
> Sorry, didn't reply to the mailing list before. Emails are below.
>
> SHA1 encryption may not encrypt the same way as HA1 (HA1 = MD5 of realm +
> username + password), so the problem may be here.
> I suggest you store your passwords as clear text in LDAP for testing first.
>
> Reda
>
> On Fri, May 4, 2012 at 11:14 PM, Saul Waizer <saulwai...@gmail.com> wrote:
>> With the variations I get different results:
>>
>> 4(24126) ERROR: <script>: Password={SHA}v/m3IZiuy+VVizqnt56e2baZsT8=
>> 4(24126) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=760 a=17 n=if
>> 4(24126) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=756 a=28 n=pv_www_authenticate
>> 4(24126) DEBUG: auth [api.c:95]: auth: digest-algo: MD5 parsed value: 1
>> 4(24126) DEBUG: auth [api.c:210]: check_response: Our result = '3839aa4cae572f5f8b23601a2bb1178f'
>> 4(24126) DEBUG: auth [api.c:220]: check_response: Authorization failed
>>
>> On Fri, May 4, 2012 at 3:11 PM, Saul Waizer <saulwai...@gmail.com> wrote:
>>> Also: I used xlog to print out the password and I get the exact same
>>> password I have on my LDAP server, so it seems something with the decoding.
>>>
>>> On Fri, May 4, 2012 at 3:01 PM, Saul Waizer <saulwai...@gmail.com> wrote:
>>>> Now I got it down to this:
>>>>
>>>> 2(23003) INFO: <script>: ldap_search: found [1] entries for (uid=mmiller)
>>>> 2(23003) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=759 a=17 n=if
>>>> 2(23003) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=755 a=28 n=pv_www_authenticate
>>>> 2(23003) DEBUG: auth [api.c:95]: auth: digest-algo: MD5 parsed value: 1
>>>> 2(23003) DEBUG: auth [auth_mod.c:455]: HA1 string calculated: c69622bbd922ec9321ab1293c226b703
>>>> 2(23003) DEBUG: auth [api.c:210]: check_response: Our result = '939676a5591165f1da8ba04562d446b2'
>>>> 2(23003) DEBUG: auth [api.c:220]: check_response: Authorization failed
>>>> 2(23003) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=756 a=27 n=www_challenge
>>>> 2(23003) DEBUG: auth [challenge.c:102]: build_challenge_hf: realm='23.22.35.43'
>>>> 2(23003) DEBUG: auth [challenge.c:244]: auth: 'WWW-Authenticate: Digest realm="23.22.35.43", nonce="T6Qn/E+kJtAU7IvGh4OLivg7ptLbdida"
>>>>
>>>> I have changed the values of:
>>>>
>>>> if (!pv_www_authenticate("$td", "$avp(password)", "0")) {
>>>>     www_challenge("$td", "0");
>>>>
>>>> to:
>>>>
>>>> if (!pv_www_authenticate("$td", "$avp(password)", "1")) {
>>>>     www_challenge("$td", "0");
>>>>
>>>> because the password in LDAP is stored as SHA1, and according to
>>>> the docs, it should be 1. I'm so close it seems :)
>>>>
>>>> *flags* - the value of this parameter can be a bitmask of the following:
>>>>
>>>> - *1* - the value of the password parameter is in HA1 format
>>>>
>>>> On Fri, May 4, 2012 at 2:47 PM, Reda Aouad <reda.ao...@gmail.com> wrote:
>>>>> Can you also print the avp(s:password) to the log to see what its value is?
>>>>> Use:
>>>>> xlog('Password=$avp(s:password)')
>>>>> after ldap_search and you'll see its output in the log file.
>>>>> Maybe you're not correctly getting the password from the ldap search
>>>>> url; avp(s:password) is then null and you get the error that it can't be
>>>>> converted to string.
>>>>>
>>>>> Reda
>>>>>
>>>>> On Fri, May 4, 2012 at 8:40 PM, Reda Aouad <reda.ao...@gmail.com> wrote:
>>>>>> In the line
>>>>>> if (!pv_www_authenticate("$td", "$avp(password)", "0")) {
>>>>>>
>>>>>> write avp(s:password) instead of avp(password).
>>>>>> Not sure it will solve it though.. if it doesn't, maybe others can
>>>>>> help you more on this.
>>>>>>
>>>>>> Reda
>>>>>>
>>>>>> On Fri, May 4, 2012 at 5:50 PM, Saul Waizer <saulwai...@gmail.com> wrote:
>>>>>>> Hello Reda,
>>>>>>>
>>>>>>> Thank you for your feedback. After some further research and testing
>>>>>>> I got the LDAP search working; I am just having one issue with the password
>>>>>>> variable:
>>>>>>>
>>>>>>> 3(22487) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=755 a=28 n=pv_www_authenticate
>>>>>>> 3(22487) ERROR: <core> [sr_module.c:1613]: Could not convert PV to str
>>>>>>> 3(22487) ERROR: auth [auth_mod.c:569]: failed to get passwd value
>>>>>>>
>>>>>>> My relevant configuration:
>>>>>>>
>>>>>>> route[AUTH] {
>>>>>>> #!ifdef WITH_AUTH
>>>>>>>     if (is_method("REGISTER"))
>>>>>>>     {
>>>>>>>         if(is_present_hf("Authorization"))
>>>>>>>         {
>>>>>>>             # ldap search
>>>>>>>             if (!ldap_search("ldap://demo/ou=demo,dc=mydomain,dc=com?uid,userPassword?"))
>>>>>>>             {
>>>>>>>                 switch ($retcode)
>>>>>>>                 {
>>>>>>>                     case -1:
>>>>>>>                         # no LDAP entry found
>>>>>>>                         sl_send_reply("404", "User Not Found");
>>>>>>>                         exit;
>>>>>>>                     case -2:
>>>>>>>                         # internal error
>>>>>>>                         sl_send_reply("500", "Internal server error");
>>>>>>>                         exit;
>>>>>>>                     default:
>>>>>>>                         exit;
>>>>>>>                 }
>>>>>>>             }
>>>>>>>             ldap_result("uid/$avp(s:username)");
>>>>>>>             ldap_result("userPassword/$avp(s:password)");
>>>>>>>             xlog("L_INFO", "ldap_search: found [$retcode] entries for (uid=$fU)");
>>>>>>>             if (!pv_www_authenticate("$td", "$avp(password)", "0")) {
>>>>>>>                 www_challenge("$td", "1");
>>>>>>>                 exit;
>>>>>>>             }
>>>>>>>             sl_send_reply("200", "ok");
>>>>>>>             exit;
>>>>>>>         } else {
>>>>>>>             www_challenge("$td", "1");
>>>>>>>             exit;
>>>>>>>         }
>>>>>>>     } else {
>>>>>>>
>>>>>>> And the error message:
>>>>>>>
>>>>>>> 3(22487) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=735 a=26 n=ldap_search
>>>>>>> 3(22487) DEBUG: ldap [ldap_api_fn.c:273]: LDAP URL parsed into session_name [demo], base [ou=demo,dc=mydomain,dc=com], scope [0], filter []
>>>>>>> 3(22487) DEBUG: ldap [ldap_api_fn.c:433]: [demo]: performing LDAP search: dn [ou=demo,dc=mydomain,dc=com], scope [0], filter [(null)], client_timeout [5000000] usecs
>>>>>>> 3(22487) DEBUG: ldap [ldap_api_fn.c:240]: [demo]: [1] LDAP entries found
>>>>>>> 3(22487) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=752 a=26 n=ldap_result
>>>>>>> 3(22487) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=753 a=26 n=ldap_result
>>>>>>> 3(22487) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=754 a=27 n=xlog
>>>>>>> 3(22487) INFO: <script>: ldap_search: found [-1] entries for (uid=mmiller)
>>>>>>> 3(22487) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=759 a=17 n=if
>>>>>>> 3(22487) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=755 a=28 n=pv_www_authenticate
>>>>>>> 3(22487) ERROR: <core> [sr_module.c:1613]: Could not convert PV to str
>>>>>>> 3(22487) ERROR: auth [auth_mod.c:569]: failed to get passwd value
>>>>>>> 3(22487) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio.cfg] l=756 a=27 n=www_challenge
>>>>>>> 3(22487) DEBUG: auth [challenge.c:102]: build_challenge_hf: realm='ip.of.sip.server'
>>>>>>> 3(22487) DEBUG: auth [challenge.c:113]: build_challenge_hf: qop='auth'
>>>>>>> 3(22487) DEBUG: auth [challenge.c:244]: auth: 'WWW-Authenticate: Digest realm="ip.of.sip.server", nonce="T6P5yU+j+J23OE93mPaektZpJszGpt/l", qop="auth"
>>>>>>>
>>>>>>> Any help is greatly appreciated!
>>>>>>> Thanks
>>>>>>>
>>>>>>> On Thu, May 3, 2012 at 4:22 PM, Reda Aouad <reda.ao...@gmail.com> wrote:
>>>>>>>> Hi Saul,
>>>>>>>>
>>>>>>>> username_avp_spec was previously an AUTH module parameter to specify
>>>>>>>> a variable that was passed to pv_www_authorize implicitly (the function
>>>>>>>> doesn't take arguments). Now you should use the new
>>>>>>>> pv_www_authenticate and pass the credentials to it explicitly as
>>>>>>>> arguments.
>>>>>>>>
>>>>>>>> So forget about username_avp_spec since it doesn't exist as a module
>>>>>>>> param anymore (this is why you are getting the error). Store the result of
>>>>>>>> ldap_search in the avps as in the tutorial using ldap_result, and pass them
>>>>>>>> to pv_www_authenticate as parameters. pv_www_authenticate takes the
>>>>>>>> following arguments:
>>>>>>>> - realm: which you can get from "to domain" using $td
>>>>>>>> - password: $avp(s:password)
>>>>>>>> - flag: set it to 0 as a first test
>>>>>>>>
>>>>>>>> example:
>>>>>>>> pv_www_authorize("$td", "$avp(s:password)", 0)
>>>>>>>>
>>>>>>>> This function takes the username from the authentication header, so
>>>>>>>> there is no need to pass it as an argument anymore.
>>>>>>>>
>>>>>>>> Reda
>>>>>>>>
>>>>>>>> On Thu, May 3, 2012 at 8:47 PM, Saul Waizer <saulwai...@gmail.com> wrote:
>>>>>>>>> Hello List,
>>>>>>>>>
>>>>>>>>> I am trying to incorporate an existing LDAP directory with our
>>>>>>>>> Kamailio installation for SIP authentication. A good friend suggested
>>>>>>>>> checking out this tutorial and adapting it to fit my needs (and current
>>>>>>>>> version):
>>>>>>>>>
>>>>>>>>> http://www.kamailio.org/dokuwiki/doku.php/tutorials:openser-auth-ldap
>>>>>>>>>
>>>>>>>>> It seems like the AUTH module does not contain the function
>>>>>>>>> username_spec (which I believe is not used anymore) but the
>>>>>>>>> username_avp_spec, which is not part of the AUTH module but the H350
>>>>>>>>> module:
>>>>>>>>> http://kamailio.org/docs/modules/3.2.x/modules_k/h350.html
>>>>>>>>>
>>>>>>>>> I enabled the h350 module and tried setting the params as
>>>>>>>>> described in the documentation:
>>>>>>>>>
>>>>>>>>> modparam("auth", "username_spec", "$avp(s:username)")
>>>>>>>>> modparam("auth", "password_spec", "$avp(s:password)")
>>>>>>>>> modparam("auth", "calculate_ha1", 1)
>>>>>>>>>
>>>>>>>>> I got the following error after checking the configuration:
>>>>>>>>>
>>>>>>>>> ERROR: <core> [modparam.c:151]: set_mod_param_regex: parameter <username_spec> not found in module <auth>
>>>>>>>>>
>>>>>>>>> I am running kamailio 3.2.3 (i386/linux) Ubuntu
>>>>>>>>>
>>>>>>>>> Thank you in advance!

_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
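The thread turns on what pv_www_authenticate actually computes: with flag 0 it derives HA1 from the clear-text password, with flag 1 it uses the supplied value as HA1 directly, and an LDAP userPassword of the form {SHA}&lt;base64 of SHA-1(password)&gt; satisfies neither, which is why both variants fail with "Authorization failed". The script below is an added example, not code from this thread or from Kamailio; it reimplements the RFC 2617 digest arithmetic (HA1 = MD5(username:realm:password), HA2 = MD5(method:uri), response = MD5(HA1:nonce:nc:cnonce:qop:HA2)) on the server side and runs it against the same Authorization header with the three kinds of stored secret. All user, realm, nonce and password values in it are constructed for the demo, and parse_digest_header, verify_digest, ldap_sha_encode and ldap_sha_verify are helpers written here, not Kamailio functions.

```python
"""Added example (not from the sr-users thread or Kamailio): the digest
arithmetic behind pv_www_authenticate, used to show why a {SHA} LDAP
attribute cannot serve as the password parameter with flag 0 or flag 1.

RFC 2617 (qop="auth"):
  HA1      = MD5(username ":" realm ":" password)
  HA2      = MD5(method ":" digest-uri)
  response = MD5(HA1 ":" nonce ":" nc ":" cnonce ":" qop ":" HA2)
Without qop: response = MD5(HA1 ":" nonce ":" HA2)
Every user, realm, nonce and password value below is constructed.
"""
import base64
import hashlib
import hmac
import re


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 as computed from a clear-text password (Kamailio flag 0)."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1_hex, method, uri, nonce, qop=None, nc=None, cnonce=None):
    """The response value a client sends, starting from an HA1."""
    ha2 = md5_hex(f"{method}:{uri}")
    if qop:
        return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1_hex}:{nonce}:{ha2}")


# key="quoted value" or key=bare-token, comma separated
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_digest_header(value: str) -> dict:
    """Parameters of an 'Authorization: Digest ...' value as a dict (helper)."""
    scheme, _, params = value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    return {k: (quoted or bare) for k, quoted, bare in _PARAM_RE.findall(params)}


def verify_digest(stored_secret: str, secret_is_ha1: bool, method: str, header: str) -> bool:
    """Server-side check (helper). secret_is_ha1=True mirrors flag 1: the
    stored value is used as HA1 as-is; False mirrors flag 0: HA1 is derived
    from the clear-text secret. Username and realm come from the header,
    which is also where pv_www_authenticate reads them."""
    p = parse_digest_header(header)
    h = stored_secret if secret_is_ha1 else ha1(p["username"], p["realm"], stored_secret)
    expected = digest_response(h, method, p["uri"], p["nonce"],
                               p.get("qop"), p.get("nc"), p.get("cnonce"))
    return hmac.compare_digest(expected, p["response"])


def ldap_sha_encode(password: str) -> str:
    """userPassword in the {SHA}<base64(sha1(password))> form seen in the thread."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def ldap_sha_verify(stored: str, password: str) -> bool:
    """A {SHA} attribute can only be checked against the clear-text password."""
    if not stored.startswith("{SHA}"):
        raise ValueError("not an {SHA} userPassword")
    digest = base64.b64decode(stored[len("{SHA}"):])
    return hmac.compare_digest(digest, hashlib.sha1(password.encode()).digest())


def demo() -> dict:
    """One REGISTER challenge/response, checked against three stored secrets."""
    user, realm, password = "mmiller", "sip.example.org", "s3cret-demo"   # constructed
    nonce, cnonce, nc = "demo-nonce-0001", "demo-cnonce", "00000001"      # constructed
    client_ha1 = ha1(user, realm, password)  # the phone knows the clear text
    resp = digest_response(client_ha1, "REGISTER", f"sip:{realm}", nonce, "auth", nc, cnonce)
    header = (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
              f'uri="sip:{realm}", response="{resp}", qop=auth, nc={nc}, cnonce="{cnonce}"')
    sha_attr = ldap_sha_encode(password)
    return {
        "clear_text_flag0": verify_digest(password, False, "REGISTER", header),
        "ha1_flag1": verify_digest(client_ha1, True, "REGISTER", header),
        "sha_attribute_flag0": verify_digest(sha_attr, False, "REGISTER", header),
        "sha_attribute_flag1": verify_digest(sha_attr, True, "REGISTER", header),
        "sha_attribute_vs_clear_text": ldap_sha_verify(sha_attr, password),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:30} {ok}")
```

Only the clear-text secret (flag 0) and a stored HA1 (flag 1) verify; the {SHA} attribute verifies nothing, because SHA-1 of the password cannot be turned back into MD5(username:realm:password). For a directory that only holds {SHA} values, the server needs either the clear text (what Reda suggests for testing) or a separately provisioned HA1 per user.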