I think I'll abandon my efforts to build a LDAP backed VOIP system. SIP is just too frustrating to me, mostly because of their (IMHO) completely outdated authentication mechanism. For Digest-HA1, which is the only option in SIP, there is already a password-gathering hack out in the wild which affects hard- and softphones by leaking the Challenge Response.
My LDAP tree stores the passwords for the users in their userPassword attribute, which only contains the SSHA-hashed version of it, so there is no way to extract the clear text password. Digest-HA1 calculates its digest by concatenating user, realm and password and applying MD5 to this string. This leaves me with two options:
- Store the password in clear text form inside LDAP (don't want to because of security concerns)
- Use any other authentication mechanism which transmits the password in clear text (over encrypted transport like TLS/SSL)
The second one is not supported by RFC 3261, so I have to resort to the first option, which drags in a lot of other issues like securing access to the password while granting users access to the LDAP tree for work and the usage of a proxy DN in LDAP to get a narrowed down view on the clear text password.
My conclusion is that I'll dump SIP and discontinue my efforts in this segment.