– Kamailio SIP Server –

LDAP Authentication for Kamailio 3.1.x

work in progress

Prerequisites

* install the OpenLDAP library (libldap) v2.1 or greater; the libldap header files (libldap-dev) are needed for compilation
* read the documentation of the auth module: http://kamailio.org/docs/modules/stable/modules/auth.html
* read the documentation of the ldap module: http://kamailio.org/docs/modules/stable/modules_k/ldap.html

Sample LDAP Tree

- dc=example,dc=com
  |
  +- ou=users
  |  |
  |  +- cn=sip_proxy -- sn: sip_proxy
  |                  -- userPassword: proxypwd
  |
  +- ou=sip
     |
     +- cn=user1 -- SIPUserName: user1
     |           -- SIPPassword: pwd1
     |
     +- cn=user2 -- SIPUserName: user2
                 -- SIPPassword: pwd2

LDAP Module Configuration File

/usr/local/etc/kamailio/ldap.cfg:

[sipaccounts]
ldap_server_url = "ldap://ldap.example.com"
ldap_bind_dn = "cn=sip_proxy,ou=users,dc=example,dc=com"
ldap_bind_password = "proxypwd"

The section name (sipaccounts) is what the host part of the LDAP URLs in the routing script refers to. Two things to keep in mind: this file holds the bind password in clear text, so restrict its permissions to the user Kamailio runs as; and a plain ldap:// URL sends the bind credentials and every SIPPassword the proxy reads over the network unencrypted, so use an ldaps:// URL (supported by libldap when it is built with TLS) whenever the directory is not on the same host. The sip_proxy account should also be limited by directory ACLs to reading only the attributes under ou=sip that the proxy needs.

Kamailio Configuration File

...
loadmodule "ldap.so"
...
modparam("ldap", "config_file", "/usr/local/etc/kamailio/ldap.cfg")
...
 
route[LDAPAUTH] {
    if(is_method("REGISTER"))
    {
        if(is_present_hf("Authorization"))
        {
            # ldap search: the host part of the URL ("sipaccounts") names the
            # section of ldap.cfg to use, and scope "one" searches the direct
            # children of ou=sip. Note that $fU is spliced into the filter
            # without escaping.
            if (!ldap_search("ldap://sipaccounts/ou=sip,dc=example,dc=com?SIPUserName,SIPPassword?one?(cn=$fU)"))
            {
                switch ($retcode)
                {
                    case -1:
                       # no LDAP entry found
                       sl_send_reply("404", "User Not Found");
                       exit;
                    case -2:
                       # internal error
                       sl_send_reply("500", "Internal server error");
                       exit;
                    default:
                       exit;
                }
            }
            # copy the requested attributes of the first matching entry into AVPs
            ldap_result("SIPUserName/$avp(username)");
            ldap_result("SIPPassword/$avp(password)");
            # verify the digest response against the stored password; the flags
            # argument "0" means the password is clear text (see auth module docs)
            if (!pv_www_authenticate("$td", "$avp(password)", "0")) {
                 www_challenge("$td", "1");
                 exit;
            }
            sl_send_reply("200", "ok");
            exit;
        } else {
            # no credentials yet: send a 401 challenge for realm $td
            www_challenge("$td", "1");
            exit;
        }
    } else {
        # handle proxy-authentication (e.g., for INVITE)
        ...
    }
}
...
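The route above has two weaknesses a production deployment should not carry: the From username is inserted into the LDAP filter verbatim, so a REGISTER with a username of "*" matches every entry under ou=sip and ldap_result() then hands back the first account's password; and nothing ties the authenticated username to the identity being registered, so a caller who knows one account's password can register a contact for a different To user. The hardened variant below is an added example, not code from the original page or from the Kamailio project. It assumes the "sipaccounts" section of ldap.cfg shown above, the ldap module's ldap_filter_url_encode() function, and the auth module's $au pseudo-variable (the username from the Authorization header).

```kamailio
# Added example: hardened variant of route[LDAPAUTH] (not from the original page).
# Assumes ldap.cfg section "sipaccounts", ldap_filter_url_encode() from the
# ldap module, and $au (digest username) from the auth module.
route[LDAPAUTH] {
    if (!is_method("REGISTER")) {
        # proxy-authentication for other requests is out of scope here
        return;
    }
    if (!is_present_hf("Authorization")) {
        www_challenge("$td", "1");
        exit;
    }
    # 1. Look the account up by the digest username ($au), not the From user:
    #    that is the identity whose password the digest response was computed
    #    with. Refuse requests whose credentials carry no username at all.
    if ($au == $null || $au == "") {
        sl_send_reply("400", "Bad Request");
        exit;
    }
    # 2. Escape LDAP filter metacharacters ( ) * \ and URL-encode the result
    #    before splicing the username into the filter. Without this a username
    #    of "*" turns the filter into (SIPUserName=*) and matches every account.
    if (!ldap_filter_url_encode("$au", "$avp(ldap_user)")) {
        sl_send_reply("500", "Internal server error");
        exit;
    }
    if (!ldap_search("ldap://sipaccounts/ou=sip,dc=example,dc=com?SIPUserName,SIPPassword?one?(SIPUserName=$avp(ldap_user))")) {
        switch ($retcode) {
            case -1:
                # no entry found: challenge again instead of answering 404, so
                # the reply does not tell the client which usernames exist
                www_challenge("$td", "1");
                exit;
            default:
                # -2 (internal error) and anything unexpected
                sl_send_reply("500", "Internal server error");
                exit;
        }
    }
    ldap_result("SIPPassword/$avp(password)");
    # 3. Verify the digest; flags "0" means the password is clear text (the
    #    auth module documentation describes the flag for a stored HA1).
    if (!pv_www_authenticate("$td", "$avp(password)", "0")) {
        www_challenge("$td", "1");
        exit;
    }
    # the secret is no longer needed in this transaction's AVPs
    $avp(password) = $null;
    # 4. The digest proves possession of $au's password; make sure the request
    #    registers that same identity and not somebody else's To user.
    if ($au != $tU) {
        sl_send_reply("403", "Forbidden");
        exit;
    }
    # the original page replies 200 here; a real registrar would call
    # save("location") from the registrar module at this point
    sl_send_reply("200", "OK");
    exit;
}
```

The filter searches on SIPUserName rather than cn so that the attribute the directory administrators treat as the SIP login is the one matched; if the accounts are only keyed by cn, keep (cn=$avp(ldap_user)) but still pass the value through ldap_filter_url_encode(). Storing an HA1 hash (MD5 of username:realm:password) in the directory instead of the clear-text SIPPassword removes the last clear-text secret from the LDAP side; the auth module documentation gives the flags value that tells pv_www_authenticate() the stored value is already hashed.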