– Kamailio SIP Server –

LDAP Authentication for OpenSER 1.3.x

work in progress

Prerequisites

* install OpenLDAP library (libldap) v2.1 or greater; libldap header files (libldap-dev) are needed for compilation
* read the documentation of the auth module: http://www.kamailio.org/docs/modules/1.3.x/auth.html
* read the documentation of the ldap module: http://www.kamailio.org/docs/modules/1.3.x/ldap.html

Sample LDAP Tree

SIPUserName and SIPPassword are not attributes of the standard OpenLDAP schemas; the LDAP server needs a custom schema (attribute types plus an object class that allows them) before entries like the ones below can be added. The sip_proxy entry is the account OpenSER binds with; give it read access to ou=sip only.

- dc=example,dc=com
  |
  +- ou=users
  |  |
  |  +- cn=sip_proxy -- sn: sip_proxy
  |                  -- userPassword: proxypwd
  |
  +- ou=sip
     |
     +- cn=user1 -- SIPUserName: user1
     |           -- SIPPassword: pwd1
     |
     +- cn=user2 -- SIPUserName: user2
                 -- SIPPassword: pwd2

LDAP Module Configuration File

/usr/local/etc/openser/ldap.cfg (this file holds the bind password in clear text, so make it readable only by the user OpenSER runs as; if the LDAP server is on another host, use an ldaps:// URL where libldap is built with TLS support, otherwise the SIPPassword values travel over the network unencrypted):

[sipaccounts]
ldap_server_url = "ldap://ldap.example.com"
ldap_bind_dn = "cn=sip_proxy,ou=users,dc=example,dc=com"
ldap_bind_password = "proxypwd"

OpenSER Configuration File

...
modparam("ldap", "config_file", "/usr/local/etc/openser/ldap.cfg")

# username_spec/password_spec: the AVPs pv_www_authorize() reads the expected
# username and password from; they are filled by ldap_result() in the route below
modparam("auth", "username_spec", "$avp(s:username)")
modparam("auth", "password_spec", "$avp(s:password)")
# calculate_ha1=1: SIPPassword holds the clear-text password and OpenSER computes
# HA1 itself. With calculate_ha1=0 the attribute must hold
# HA1 = MD5(username:realm:password) instead, so the directory never stores the
# clear-text password.
modparam("auth", "calculate_ha1", 1)

...

route[11] {
    if(is_method("REGISTER"))
    {
        if(is_present_hf("Authorization"))
        {
            # ldap search: fetch SIPUserName and SIPPassword of the entry whose
            # cn equals the From username ($fU).
            # NOTE: $fU comes straight from the request and is inserted into the
            # filter as-is, so a From username containing filter metacharacters
            # ("(", ")", "*", "\") changes the query. Escape it first (the ldap
            # module's ldap_filter_url_encode() exists for this; see the module
            # documentation) before using this in production.
            if (!ldap_search("ldap://sipaccounts/ou=sip,dc=example,dc=com?SIPUserName,SIPPassword?one?(cn=$fU)"))
            {
                switch ($retcode)
                {
                    case -1:
                       # no LDAP entry found. Note that a 404 here tells an
                       # unauthenticated sender which usernames exist;
                       # challenging instead avoids that.
                       sl_send_reply("404", "User Not Found");
                       exit;
                    case -2:
                       # internal error (LDAP server unreachable, bad query, ...)
                       sl_send_reply("500", "Internal server error");
                       exit;
                    default:
                       exit;
                }
            }
            # copy the attributes of the first result into the AVPs the auth
            # module reads (username_spec / password_spec)
            ldap_result("SIPUserName/$avp(s:username)");
            ldap_result("SIPPassword/$avp(s:password)");
            # verify the Digest response against those AVPs; realm "" means the
            # domain of the To URI is used for REGISTER
            if(!pv_www_authorize(""))
            {
                 www_challenge(""/*realm*/,"0"/*qop*/);
                 exit;
            }
            # placeholder: a complete registrar would call save() from the
            # registrar module here instead of replying 200 directly
            sl_send_reply("200", "ok");
            exit;
        } else {
            # no credentials yet: challenge the UA (realm = To domain, no qop)
            www_challenge("","0");
            exit;
        }
    }
}
...
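The following Python script is an added example, not OpenSER or Kamailio code: it models the two checks route[11] performs on a REGISTER so they can be exercised offline. It builds the LDAP filter from the From username with the value escaped per RFC 4515 (the route above inserts $fU unescaped), and it verifies the Digest response the way the auth module does, once with calculate_ha1=1 (SIPPassword is clear text) and once with calculate_ha1=0 (SIPPassword already holds HA1). The directory entries, realm, nonce and Authorization header are constructed sample data; the requirement that the Digest username equals SIPUserName is an assumption of this model.

```python
# Added example: offline model of route[11] (not OpenSER/Kamailio code).
import hashlib
import hmac
import re

# Constructed stand-in for the ou=sip subtree of the sample LDAP tree.
SIP_ENTRIES = {
    "user1": {"SIPUserName": "user1", "SIPPassword": "pwd1"},
    "user2": {"SIPUserName": "user2", "SIPPassword": "pwd2"},
}

# RFC 4515 escapes for assertion values inside a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value before placing it in an LDAP filter such as (cn=VALUE)."""
    return "".join(_FILTER_ESCAPES.get(c, c) for c in value)


def build_filter(from_user: str) -> str:
    """Equivalent of "(cn=$fU)" in the route, with $fU escaped.

    Unescaped, a From user of 'user1)(cn=*' would yield '(cn=user1)(cn=*)'
    and change the meaning of the query; escaped it matches nothing.
    """
    return f"(cn={escape_filter_value(from_user)})"


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def parse_digest(header: str) -> dict:
    """Parse the parameters of an 'Authorization: Digest ...' header value."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not Digest credentials")
    creds = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params):
        key, quoted, bare = m.groups()
        creds[key.lower()] = quoted if quoted is not None else bare
    return creds


def digest_response(ha1: str, method: str, uri: str, nonce: str) -> str:
    """RFC 2617 response without qop, which is what www_challenge("", "0") asks for."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def verify_register(header: str, entry: dict, calculate_ha1: bool = True) -> bool:
    """Model of pv_www_authorize("") with username_spec/password_spec filled
    from the LDAP entry. True when the Digest response is valid."""
    creds = parse_digest(header)
    if not all(k in creds for k in ("username", "realm", "uri", "nonce", "response")):
        return False
    # Assumption of this model: the Digest username must equal SIPUserName.
    if creds["username"] != entry["SIPUserName"]:
        return False
    if calculate_ha1:
        # calculate_ha1=1: SIPPassword is clear text, compute HA1 here
        ha1 = md5_hex(f"{creds['username']}:{creds['realm']}:{entry['SIPPassword']}")
    else:
        # calculate_ha1=0: SIPPassword already stores MD5(user:realm:password)
        ha1 = entry["SIPPassword"]
    expected = digest_response(ha1, "REGISTER", creds["uri"], creds["nonce"])
    # constant-time compare; a non-hex response simply fails to match
    try:
        return hmac.compare_digest(expected, creds["response"])
    except TypeError:
        return False


def sample_authorization(user: str, password: str, realm: str, nonce: str,
                         uri: str = "sip:example.com") -> str:
    """Constructed Authorization header a UA would send after the challenge."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    resp = digest_response(ha1, "REGISTER", uri, nonce)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}", algorithm=MD5')


if __name__ == "__main__":
    print(build_filter("user1"), "|", build_filter("user1)(cn=*"))
    hdr = sample_authorization("user1", "pwd1", "example.com", "4f2a1c")
    print("clear-text SIPPassword:", verify_register(hdr, SIP_ENTRIES["user1"]))
    ha1_entry = {"SIPUserName": "user1",
                 "SIPPassword": md5_hex("user1:example.com:pwd1")}
    print("HA1 in SIPPassword:   ", verify_register(hdr, ha1_entry, calculate_ha1=False))
```

With calculate_ha1=0 the directory holds only HA1, which is bound to the realm: changing the realm later invalidates every stored value, so pick it before provisioning users.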