[asterisk-bugs] [JIRA] (ASTERISK-23097) Module res_ldap uses cn for peer username regardless of attribute
Rusty Newton (JIRA)
noreply at issues.asterisk.org
Mon Jan 27 13:03:03 CST 2014
[ https://issues.asterisk.org/jira/browse/ASTERISK-23097?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Rusty Newton updated ASTERISK-23097:
------------------------------------
Description:
With the following config in res_ldap.conf in conjuction with Active Directory (Global Catalog in my case)
[_general]
url=ldap://***.com:3268/
protocol=3
basedn=dc=***,dc=com
user=***
pass=***
[sip]
name=sAMAccountName
callerid=cn
auth=sAMAccountName
regexten=ipPhone
mailbox=sAMAccountName
host=astAccountHost
type=astAccountType
md5secret=astAccountPassword
context=astAccountContext
insecure=astAccountInsecure
qualify=astQualify
additionalFilter=(objectClass=user)
The registration successfully queries the directory with the file name = sAMAccountName, but authentication fails with error:
[Jan 3 20:27:43] WARNING[31236]: chan_sip.c:16296 check_auth: username mismatch, have <cn>, digest has <sAMAccountName>
it appears that regardless of attribute mappings, the username of the peer is always set to the LDAP cn.
*Workaround:*
To work around this the Auth Username must be set in the client to the LDAP cn, this works but appears "clunky" to users.
was:
With the following config in res_ldap.conf in conjuction with Active Directory (Global Catalog in my case)
[_general]
url=ldap://***.com:3268/
protocol=3
basedn=dc=***,dc=com
user=***
pass=***
[sip]
name=sAMAccountName
callerid=cn
auth=sAMAccountName
regexten=ipPhone
mailbox=sAMAccountName
host=astAccountHost
type=astAccountType
md5secret=astAccountPassword
context=astAccountContext
insecure=astAccountInsecure
qualify=astQualify
additionalFilter=(objectClass=user)
The registration successfully queries the directory with the file name = sAMAccountName, but authentication fails with error:
[Jan 3 20:27:43] WARNING[31236]: chan_sip.c:16296 check_auth: username mismatch, have <cn>, digest has <sAMAccountName>
it appears that regardless of attribute mappings, the username of the peer is always set to the LDAP cn. To work around this the Auth Username must be set in the client to the LDAP cn, this works but appears "clunky" to users.
> Module res_ldap uses cn for peer username regardless of attribute
> -----------------------------------------------------------------
>
> Key: ASTERISK-23097
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-23097
> Project: Asterisk
> Issue Type: Bug
> Security Level: None
> Components: Resources/res_config_ldap
> Affects Versions: 11.2.2
> Environment: Asterisk 11.2-cert3 built by root @ us-ma-pbx1.us.ieptechnologies.com on a i686 running Linux on 2013-12-27 20:33:59 UTC
> Linux us-ma-pbx1.us.ieptechnologies.com 2.6.32-431.1.2.0.1.el6.i686 #1 SMP Fri Dec 13 11:45:23 UTC 2013 i686 i686 i386 GNU/Linux
> CentOS release 6.5 (Final)
> Reporter: Stephen Mandolare
> Assignee: Rusty Newton
> Attachments: myDebugLog, myDebugLog.txt
>
>
> With the following config in res_ldap.conf in conjuction with Active Directory (Global Catalog in my case)
> [_general]
> url=ldap://***.com:3268/
> protocol=3
> basedn=dc=***,dc=com
> user=***
> pass=***
> [sip]
> name=sAMAccountName
> callerid=cn
> auth=sAMAccountName
> regexten=ipPhone
> mailbox=sAMAccountName
> host=astAccountHost
> type=astAccountType
> md5secret=astAccountPassword
> context=astAccountContext
> insecure=astAccountInsecure
> qualify=astQualify
> additionalFilter=(objectClass=user)
> The registration successfully queries the directory with the file name = sAMAccountName, but authentication fails with error:
> [Jan 3 20:27:43] WARNING[31236]: chan_sip.c:16296 check_auth: username mismatch, have <cn>, digest has <sAMAccountName>
> it appears that regardless of attribute mappings, the username of the peer is always set to the LDAP cn.
> *Workaround:*
> To work around this the Auth Username must be set in the client to the LDAP cn, this works but appears "clunky" to users.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.asterisk.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
More information about the asterisk-bugs
mailing list