huraimel
Joined: May 19, 2008
Posts: 1
Posted: May 19, 2008 - 03:17 PM
Hello,

I have successfully integrated an OpenLDAP server with my OpenSER SIP proxy server. However, I am facing a security problem. Let me explain it briefly.

*** Successful registration with the password saved in clear text in the OpenLDAP DB ***

# Configuration #
- the password was stored in clear text in the OpenSER database
- modparam("auth", "calculate_ha1", 1), which means the server will assume that the "password_spec" pseudo-variable contains plaintext passwords and it will calculate the HA1 strings on the fly.

# Scenario #
- after the UAC receives the authentication request, it will build the response = MD5(username + MD5(password) + realm + nonce)
- then the server will build the challenge by searching for the user in the database and retrieving the password in clear text, then hashing the password with MD5 and building the challenge such that challenge = MD5(username + MD5(password) + realm + nonce).
- by comparing the response with the challenge, the user will be authenticated.
- it works


*** Successful registration with the password saved as MD5 in the OpenLDAP DB ***

# Configuration #
- the password was stored as MD5 in the OpenSER database
- modparam("auth", "calculate_ha1", 0), which means the server assumes the pseudo-variable contains the HA1 strings directly and will not calculate them.

# Scenario #
- after the UAC receives the authentication request, it will build the response = MD5(username + MD5(password) + realm + nonce)
- then the server will build the challenge by searching for the user in the database and retrieving the password as MD5, then building the challenge such that challenge = MD5(username + MD5(password) + realm + nonce).
- by comparing the response with the challenge, the user will be authenticated.
- 401 Unauthorized!

*** CONCLUSION ***

There are four possible scenarios:
1- password clear + calculate_ha1 = 0 ==> 401 Unauthorized!
2- password clear + calculate_ha1 = 1 ==> Authorized
3- password MD5 + calculate_ha1 = 0 ==> 401 Unauthorized!
4- password MD5 + calculate_ha1 = 1 ==> 401 Unauthorized!

-----------------------------------------------------------------------------------------

Assumptions:

1- the password might not be hashed. If so, then why is modparam("auth", "calculate_ha1", ) used? Does it mean that the password might be received hashed or not?
2- in scenario (2) the SIP server hashes the password by setting calculate_ha1 = 1. If the password is already hashed in the database, then scenario (3) should work unless there is a conflict with the hash. Might this be related to the hash type or size? Or something else that I do not know!

Questions:

1- why does scenario (3) not work? Where might the problem be?
2- what should I do if I want to change the hash algorithm used? For example, I need SHA-1 instead of MD5 because nowadays MD5 has been proven to be a weak algorithm.

regards,
Ahmed ALALI

miconda
Joined: Feb 02, 2007
Posts: 357
Location: Germany
Posted: Aug 03, 2008 - 07:41 PM
HA1 is not MD5 over the password, check the RFC for WWW Digest authentication to see exactly the algorithm.
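The HA1 and response computation miconda points to (RFC 2617 Digest, the form RFC 3261 keeps for SIP), as an added example that is not part of the original thread. It replays the poster's four storage/calculate_ha1 combinations with constructed credentials (alice, sip.example.com, s3cret and the nonce are made up) to show why only a plaintext password with calculate_ha1 = 1, or a stored HA1 with calculate_ha1 = 0, verifies; a bare MD5 of the password never can, because HA1 also binds the username and realm.

```python
import hashlib


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    # RFC 2617: HA1 = MD5(username:realm:password). The realm is part of it,
    # so an MD5(password) value stored in LDAP can never equal HA1.
    return md5hex(f"{username}:{realm}:{password}")


def ha2(method: str, uri: str) -> str:
    # RFC 2617: HA2 = MD5(method:digest-uri)
    return md5hex(f"{method}:{uri}")


def digest_response(ha1_value: str, nonce: str, method: str, uri: str) -> str:
    # Response without qop: MD5(HA1:nonce:HA2)
    return md5hex(f"{ha1_value}:{nonce}:{ha2(method, uri)}")


def server_verifies(stored: str, calculate_ha1: int, username: str, realm: str,
                    nonce: str, method: str, uri: str, response: str) -> bool:
    # Mirrors the auth module's calculate_ha1 modparam as described in the thread:
    # 1 -> the stored value is a plaintext password and HA1 is derived from it;
    # 0 -> the stored value is used as HA1 directly.
    expected_ha1 = ha1(username, realm, stored) if calculate_ha1 else stored
    return digest_response(expected_ha1, nonce, method, uri) == response


def run_scenarios() -> dict:
    # Constructed sample credentials and challenge values, not from any real system.
    user, realm, password = "alice", "sip.example.com", "s3cret"
    nonce, method, uri = "0123456789abcdef", "REGISTER", "sip:sip.example.com"
    # A correct UAC always derives HA1 from the plaintext password it knows.
    resp = digest_response(ha1(user, realm, password), nonce, method, uri)
    args = (user, realm, nonce, method, uri, resp)
    return {
        "clear+calculate_ha1=0": server_verifies(password, 0, *args),
        "clear+calculate_ha1=1": server_verifies(password, 1, *args),
        "md5(pw)+calculate_ha1=0": server_verifies(md5hex(password), 0, *args),
        "md5(pw)+calculate_ha1=1": server_verifies(md5hex(password), 1, *args),
        "ha1+calculate_ha1=0": server_verifies(ha1(user, realm, password), 0, *args),
    }


if __name__ == "__main__":
    for case, ok in run_scenarios().items():
        print(f"{case:26s} -> {'authorized' if ok else '401 Unauthorized'}")
```

The last case is the one miconda recommends in the thread: store HA1 (computed for the realm the proxy challenges with) rather than a hash of the password alone.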
blauret
Joined: May 21, 2009
Posts: 1
Posted: May 21, 2009 - 05:58 PM
I suffer from the exact same problem. Did you find a solution for that?

miconda
Joined: Feb 02, 2007
Posts: 357
Location: Germany
Posted: Jun 03, 2009 - 11:00 AM
The solution is to keep the plain text or HA1 form of the password in LDAP -- unfortunately SIP auth does not offer alternatives -- see RFC 3261.

alan_dcs
Joined: Jun 15, 2009
Posts: 1
Posted: Jun 15, 2009 - 03:25 AM
Hello,

It appears from this thread that it IS possible to authenticate to an OpenSER system using an LDAP database. Is this also true for OpenSIPS (1.5)?

Does anyone have a tutorial for configuring such a setup? I found one for Kamailio, but it doesn't appear to be identical to my version of OpenSIPS (or there are typos of significance in the tutorial).

Also important, can this authentication be done with existing LDAP credentials or does there have to be specific SIP information inside the LDAP database for the authentication to work? The requirement of additional values in the LDAP space is also indicated by the example in the tutorial for Kamailio that I found (http://kamailio.org/dokuwiki/doku.php/tutorials:openser-auth-ldap), but I am unable to add SIP specific information in my instance. There is, however, already UID and password information contained within.

Thanks.
Comments and posts are property of the poster, all the rest (c) 2003-2008 VoIP User Limited.