[Sip] Authenticating with LDAP
There seems to be a problem with implementing SIP digest authentication as described in RFC 2617 (HTTP authentication) while using LDAP servers at the back-end. The authenticating server will receive the hashed password from the client, but cannot compare this with the password in the directory, because LDAP servers do not support a uniform way for querying passwords.
For example, some LDAP servers return the user's password hashed (using MD5, SHA or something else), but this hashed value cannot be compared with the hashed password from the client. Even if the same hashing algorithm is used in the client and in the LDAP server it will not be possible to compare the hashed passwords, since LDAP hashes only the password, while the client-supplied hash includes more info in the digest. The only way that it can be done is by getting the password in cleartext from LDAP and computing our own digest, but most LDAP servers do not allow that, not even for the directory admin.
Another approach is to forward the client-supplied credentials (hashed password, etc.) to the LDAP server as a SASL request (RFC 2222). According to RFC 2829 (Authentication methods for LDAP) section 4, "Implementations providing password-based authenticated access MUST support authentication using the DIGEST-MD5 SASL mechanism". Unfortunately, most LDAP servers do not follow that either.
It would have been nice if SIP supported cleartext password authentication, like HTTP does, at least for TLS-encrypted connections. As I understand, it does not.
The note above may be more appropriate for the SIP implementors list, but it seems that there is an inherent problem that we need to solve in SIP authentication itself, or assume that all LDAP servers will be modified, which might be too optimistic an assumption.
Avshalom
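To make the mismatch described above concrete, here is an added Python example (not from the original post) that computes the RFC 2617 digest response over realm, nonce, method and URI next to an LDAP-style {MD5} userPassword hash of the bare password; the username, realm, nonce and password are constructed sample values. It also shows the option RFC 2617 allows of storing H(A1) = MD5(username:realm:password) on the server side, so the response can be verified without a cleartext password.

```python
import base64
import hashlib
import hmac


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def ldap_md5_userpassword(password: str) -> str:
    """LDAP-style {MD5} userPassword: MD5 of the bare password only, base64-encoded.
    No realm, nonce, method or URI goes into it, so it cannot be matched
    against a digest response."""
    return "{MD5}" + base64.b64encode(hashlib.md5(password.encode()).digest()).decode()


def ha1(username: str, realm: str, password: str) -> str:
    """H(A1) from RFC 2617: the only password-derived value the server needs."""
    return md5hex(f"{username}:{realm}:{password}")


def digest_response(username, realm, password, method, uri, nonce) -> str:
    """Client-side response for the basic (non-auth-int, no qop) digest scheme."""
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1(username, realm, password)}:{nonce}:{ha2}")


def verify_with_stored_ha1(stored_ha1, method, uri, nonce, response) -> bool:
    """Server-side check using a stored H(A1) instead of a cleartext password.
    compare_digest avoids leaking timing information on the comparison."""
    ha2 = md5hex(f"{method}:{uri}")
    return hmac.compare_digest(md5hex(f"{stored_ha1}:{nonce}:{ha2}"), response)


# Constructed sample values; the nonce would normally be issued per challenge.
USER, REALM, PASSWORD = "alice", "sip.example.org", "correct horse"
METHOD, URI, NONCE = "REGISTER", "sip:sip.example.org", "dcd98b7102dd2f0e"


def demo() -> dict:
    resp = digest_response(USER, REALM, PASSWORD, METHOD, URI, NONCE)
    return {
        "ldap_hash": ldap_md5_userpassword(PASSWORD),
        "ha1": ha1(USER, REALM, PASSWORD),
        "response": resp,
        "verified_with_ha1": verify_with_stored_ha1(ha1(USER, REALM, PASSWORD), METHOD, URI, NONCE, resp),
        "verified_wrong_nonce": verify_with_stored_ha1(ha1(USER, REALM, PASSWORD), METHOD, URI, "other", resp),
    }
```

Note that H(A1) is realm-bound: a directory that stores it must hold one value per realm the user authenticates to.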
Sip mailing list https://www1.ietf.org/mailman/listinfo/sip