https://www.ejabberd.im/forum/25114/sip-ldap-authentication-it-possible-all en https://www.ejabberd.im/forum/25114/sip-ldap-authentication-it-possible-all#comment-66128 <p>SIP authentication is performed via DIGEST, so it's indeed not possible to use it with LDAP. I don't see how DIGEST-MD5 will work when the passwords are not stored in plain.</p> Thu, 24 Sep 2015 09:31:52 +0000 zinid comment 66128 at https://www.ejabberd.im https://www.ejabberd.im/forum/25114/sip-ldap-authentication-it-possible-all#comment-66110 <p>So, I found out myself by reading the source. It's not possible to use ldap authentication with mod_sip.</p> <p>mod_sip uses a get_passwd2 authentication method, and silently fails if it returns an empty password. That's exactly what the ldap auth module does.</p> <p>Of course, this could only be implemented for ldap in the case that ejabberd would bind with priviledges enough to read this password, but it could be done easily.</p> <p>Other possibilities would include making the SIP digest-md5 authentication work with LDAP using SASL digest-md5... It sounds possible.</p> <p>Finally, this can be worked around using external authentication and an authentication script that authenticates against LDAP. external authentication keeps the password in a cache, and this is used. I tried it and it works. I still don't have SIP fully working, but registration works and I'm on to the next obstacle.</p> <p>One problem of this work around is that while password change worked fine with LDAP authentication, it's not so fine with external authentication, because the external script is given only the new password, so it would only be able to change the user's password with administrative priviledges.</p> <p>The Erlang source is pretty easy to read and probably to modify. However, who would want to keep patches...</p> Fri, 18 Sep 2015 17:51:00 +0000 migle comment 66110 at https://www.ejabberd.im