Contents
1 Introduction
This document specifies the Lightweight Directory Access Protocol (LDAP) interface between the Interrogating Call Session Control Function (I-CSCF) and the Dynamic User Association Database (DUA-DB).
The LDAP interface is used within the scope of Dynamic User Identity Support (DUIS). With DUIS enabled, for a terminating request the I-CSCF converts an external user identity of the terminating user of a partner’s network to an IP Multimedia Subsystem (IMS) internal identity.
2 Interface Overview
The LDAP messages sent between the I-CSCF and the DUA-DB, see Figure 1, are based on the standard LDAP v2 protocol and the standard LDAP v3 protocol defined in the RFC 1777 Lightweight Directory Access Protocol (March 1995) and RFC 4511 Lightweight Directory Access Protocol (June 2006) specifications.
The I-CSCF includes an LDAP Client based on OpenLDAP 2.4.31.
2.1 Interface Role
The LDAP interface between the I-CSCF and the DUA-DB is used by the I-CSCF to search for an internal IMS identity for an external user.
2.2 Services
The services used by the I-CSCF are shown in Table 1.
|
Used Service |
Description |
|---|---|
|
Request for an internal IMS identity (the specific IMPU of a Wildcarded IMPU) for an external user belonging to a partner of the operator. |
An LDAP SEARCH command is sent by the I-CSCF to the DUA-DB with the external user identity included. The DUA-DB returns the specific IMPU and a list of DUA-S that the external user has registered with. I-CSCF modifies the received terminating SIP request with the information received from the DUA-DB. The S-CSCF handles the terminating request with the Wildcarded IMPU associated with the external user. |
2.3 Encapsulation and Addressing
The LDAP interface between the I-CSCF and DUA-DB is running on top of Transmission Control Protocol (TCP) supporting IPv4 and IPv6 protocols. The interface uses standard defined requests and responses. The content within the requests is also based on standard defined formats. The IP address and other information, for example, RootDN related to accessing the DUA-DB are configured in the I-CSCF, refer to CSCF Configuration Management.
3 Procedures
This section describes the procedures used with the interfaces of the I-CSCF.
3.1 Lower-Level Procedures
The LDAP interface between the I-CSCF and the DUA-DB supports the procedures for the following:
- Establishment of an LDAP session with DUA-DB
- Search in the DUA-DB
- Release of the LDAP session from DUA-DB
3.2 Establishment of LDAP Session with DUA-DB
At establishment of an LDAP session, I-CSCF sends a BindRequest message to the DUA-DB, as shown in Figure 2.
The function of the BindRequest message is to initiate an LDAP session between the I-CSCF (the LDAP client) and the DUA-DB (the LDAP server) and to allow the authentication of the I-CSCF with the DUA-DB. The LDAP session is set up over a long-lasting TCP connection. Such session will not be released after a search query.
Once the DUA-DB LDAP server configuration is defined in the I-CSCF, the I-CSCF establishes multiple LDAP sessions to the DUA-DB, typically one per Traffic Processor. Multiple different DUA-DB servers can be configured in the I-CSCF. The DUA-DB server is selected based on availability and priority.
If a connected DUA-DB is removed from the configuration or becomes unavailable, new LDAP sessions are established to another DUA-DB based on availability and priority.
3.3 Search in DUA-DB
To convert an external user identity of a business partner network to an IMS internal user identity, the I-CSCF sends a SearchRequest to a connected DUA-DB, as shown in Figure 3.
One or more SearchResultEntry messages can be received for one SearchRequest. The SearchResultDone message contains a resultcode while any previously received SearchResultEntry messages contain an entry.
3.4 Release of LDAP Session
At release of an established LDAP session, the I-CSCF sends an UnbindRequest message the DUA-DB, as shown in Figure 4. There is no response for this message. The I-CSCF checks the status of the TCP connection before sending the UnbindRequest. If the TCP connection is lost, the UnbindRequest is not sent. Examples of situations when the I-CSCF (the LDAP client) terminates an established LDAP session are at configuration changes of the DUA-DB or the password is updated for a connected DUA-DB.
The operation is always considered as successful and the TCP connection is torn down immediately by the I-CSCF.
3.5 Error Handling
If the DUA-DB does not respond with a SearchResultDone message to the LDAP request within a timer set by configuration or the TCP connection is down, then the I-CSCF retries the LDAP request to the same DUA-DB. If the DUA-DB still does not respond, and after a configurable number of retries the I-CSCF considers this DUA-DB unavailable for a period. Then I-CSCF connects to another DUA-DB defined in the configuration based on priority and availability.
For details about the configuration, refer to CSCF Configuration Management.
4 Information Model
The following LDAP messages are supported by the I-CSCF and the DUA-DB in the previously mentioned procedures:
|
Message |
Sender |
|---|---|
|
BindRequest |
|
|
BindResponse |
|
|
SearchRequest |
|
|
SearchResultEntry |
|
|
SearchResultDone |
|
|
UnbindRequest |
The following LDAP messages, defined in LDAP version 3, are not supported by the I-CSCF. The searchResultReference message and the following listed responses are silently discarded upon reception:
- searchResultReference
- modifyRequest, modifyResponse
- addRequest, addResponse
- delRequest, delResponse
- modifyRDNRequest, modifyRDNResponse
- compareDNRequest, compareDNResponse
The ASN.1 syntax is used in this document for describing message formats.
4.1 BindRequest
ASN.1 syntax:
BindRequest ::=
[APPLICATION 0] SEQUENCE {
version Version,
name Name,
authentication AuthenticationChoice}
- Note:
- Only simple authentication is supported.
The BindRequest is used to establish an LDAP session.
Example of a BindRequest sent by the I-CSCF:
Lightweight Directory Access Protocol
LDAPMessage bindRequest(1) "cn=admin,dc=o,dc=com" simple
messageID: 1
protocolOp: bindRequest (0)
bindRequest
version: 3
name: cn=admin,dc=o,dc=com
authentication: simple (0)
simple: 70617373776f7264
|
4.2 BindResponse
ASN.1 syntax:
BindResponse ::= [APPLICATION 1] LDAPResult
The BindResponse message indicates the status of the session setup request.
Example of a BindResponse received by the I-CSCF:
Lightweight Directory Access Protocol
LDAPMessage bindResponse(1) success
messageID: 1
protocolOp: bindResponse (1)
bindResponse
resultCode: success (0)
matchedDN:
errorMessage:
|
4.3 SearchRequest
ASN.1 syntax:
SearchRequest ::=
[APPLICATION 3] SEQUENCE {
baseObject BaseObject,
scope Scope,
derefAliases DerefAliases,
sizeLimit SizeLimit,
timeLimit TimeLimit,
typesOnly TypesOnly,
filter Filter,
attributes AttributeDescription}
The SearchRequest message is used to convert an external user identity to an IMS internal identity as supported by DUIS.
Example of a SearchRequest sent by the I-CSCF using SIP URI:
Lightweight Directory Access Protocol
LDAPMessage searchRequest(2) "duaExtId=sip:alice@partner.com,dc=duaExtId,ou=identities,o=DuaDb,
dc=o,dc=com" baseObject
messageID: 2
protocolOp: searchRequest (3)
searchRequest
baseObject: duaExtId=sip:alice@partner.com,dc=duaExtId,ou=identities,o=DuaDb,
dc=o,dc=com
scope: baseObject (0)
derefAliases: derefAlways (3)
sizeLimit: 0
timeLimit: 0
typesOnly: False
Filter: (objectClass=*)
filter: present (7)
present: objectClass
attributes: 3 items
AttributeDescription: duaAssocId
AttributeDescription: specificIMPU
AttributeDescription: listOfDuaS
|
Example of a SearchRequest sent by the I-CSCF using tel URI:
Lightweight Directory Access Protocol
LDAPMessage searchRequest(2) "duaExtId=tel:\2B16023332059,dc=duaExtId,ou=identities,o=DuaDb,⇒
dc=o,dc=com"
baseObject
messageID: 2
protocolOp: searchRequest (3)
searchRequest
baseObject: duaExtId=tel:\2B16023332059,dc=duaExtId,ou=identities,o=DuaDb,⇒
dc=o,dc=com
scope: baseObject (0)
derefAliases: derefAlways (3)
sizeLimit: 0
timeLimit: 0
typesOnly: False
Filter: (objectClass=*)
filter: present (7)
present: objectClass
attributes: 3 items
AttributeDescription: specificIMPU
AttributeDescription: listOfDuaS
AttributeDescription: duaAssocId
|
4.4 Search Result
The results of the search operation are returned as zero or more SearchResultEntry messages, followed by a single SearchResultDone message.
ASN.1 syntax:
SearchResultEntry ::= [APPLICATION 4] SEQUENCE {
objectName BaseObject,
attributes PartialAttributeList }
SearchResultDone ::= [APPLICATION 5] LDAPResult}
With the DUIS enabled, the SearchResultEntry message contains a specific IMPU of a Wildcarded IMPU and a list of DUA-S.
Example of a SearchResultEntry received by the I-CSCF using SIP URI:
Lightweight Directory Access Protocol
LDAPMessage searchResEntry(2) "duaExtId=sip:alice@partner.com,dc=duaExtId,ou=identities,⇒
o=DuaDb,dc=o,
dc=com" [1 result]
messageID: 2
protocolOp: searchResEntry (4)
searchResEntry
objectName: duaExtId=sip:alice@partner.com, dc=duaExtId,ou=identities,o=DuaDb,⇒
dc=o,dc=com
attributes: 6 items
PartialAttributeList item objectClass
type: objectClass
vals: 2 items
AttributeValue: duaExtId
AttributeValue: duaAssocId
PartialAttributeList item duaExtId
type: duaExtId
vals: 1 item
AttributeValue: sip:alice@partner.com
PartialAttributeList item duaAssocId
type: duaAssocId
vals: 1 item
AttributeValue: sip:alice@partner.com
PartialAttributeList item specificIMPU
type: specificIMPU
vals: 1 item
AttributeValue: sip:WP-A_WPServiceProfile-5@one.att.net
PartialAttributeList item listOfDuaS
type: listOfDuaS
vals: 1 item
AttributeValue: DUA-S-17;2012-12-24Z15:30:00;1
PartialAttributeList item wpUserAliasList
type: wpUserAliasList
vals: 1 item
AttributeValue: tel:+12141234789
|
Example of a SearchResultEntry received by I-CSCF using tel URI:
Lightweight Directory Access Protocol
LDAPMessage searchResEntry(2) " duaExtId= tel:\2B16023332059,dc=duaExtId,ou=identities,⇒
o=DuaDb,dc=o,
dc=com” [1 result]
messageID: 2
protocolOp: searchResEntry (4)
searchResEntry
objectName: duaExtId= tel:\2B16023332059,dc=duaExtId,ou=identities,o=DuaDb,dc=o,⇒
dc=com
attributes: 6 items
PartialAttributeList item objectClass
type: objectClass
vals: 2 items
AttributeValue: duaExtId
AttributeValue: duaAssocId
PartialAttributeList item duaExtId
type: duaExtId
vals: 1 item
AttributeValue: tel:+16023332059
PartialAttributeList item duaAssocId
type: duaAssocId
vals: 1 item
AttributeValue: sip:alice@partner.com
PartialAttributeList item specificIMPU
type: specificIMPU
vals: 1 item
AttributeValue: sip:WP-A_WPServiceProfile-5@one.att.net
PartialAttributeList item listOfDuaS
type: listOfDuaS
vals: 1 item
AttributeValue: DUA-S-11;2012-12-24Z15:30:00;1
PartialAttributeList item wpUserAliasList
type: wpUserAliasList
vals: 1 item
AttributeValue: tel:+16023332059
|
Example of a SearchResultDone received by the I-CSCF:
Lightweight Directory Access Protocol
LDAPMessage searchResDone(2) success [0 results]
messageID: 2
protocolOp: searchResDone (5)
searchResDone
resultCode: success (0)
matchedDN:
errorMessage:
[Response To: 21]
[Time: 0.000418000 seconds]
|
4.5 UnbindRequest
ASN.1 syntax:
UnbindRequest ::= [APPLICATION 2] NULL
The UnbindRequest message is to terminate a protocol session.
Example of an UnbindRequest sent by the I-CSCF:
Lightweight Directory Access Protocol
LDAPMessage unbindRequest(2)
messageID: 2
protocolOp: unbindRequest (2)
unbindRequest
|
5 Formal Syntax
The LDAP client is compliant to the information element descriptions in the RFC 1777 Lightweight Directory Access Protocol (March 1995) and RFC 4511 Lightweight Directory Access Protocol (June 2006) specifications.
The following sections list values of certain elements that are specific to the LDAP interface between the I-CSCF and the DUA-DB.
5.1 AuthenticationChoice
ASN.1 syntax:
AuthenticationChoice ::= CHOICE {
simple [0] OCTET STRING,
-- 1 and 2 reserved
sasl [3] SaslCredentials,
... }
I-CSCF sets authentication to the following:
[0] password
Simple authentication is the only authentication method supported by I-CSCF.
The password is configured in the I-CSCF for each DUA-DB.
5.2 DerefAliases
ASN.1 syntax:
derefAliases ENUMERATED {
neverDerefAliases (0),
derefInSearching (1),
derefFindingBaseObj (2),
derefAlways (3)}
The I-CSCF only uses derefAlways.
5.3 Entry
ASN.1 syntax:
Entry ::= SEQUENCE {
objectName LDAPString,
attributes SEQUENCE OF SEQUENCE {
AttributeType,
SET OF AttributeValue}}
5.3.1 objectName
This element contains the object name given in the search request. The objectName is set to the full path of the data element in the LDAP tree that identifies the external identity to be converted, for example, as follows:
objectName: duaAssocId=sip:alice@partner.com,duaDbWpId=1,ou=duaDbData,o=DuaDb,⇒ dc=o,dc=com
5.3.2 Attributes
Only the attributes that are important for the I-CSCF are described in the following subsections.
5.3.2.1 duaAssocId
Attribute duaAssocId contains the default external user identity stored in DUA-DB. An example value contained in duaAssocId is sip:alice@partner.com.
5.3.2.2 duaExtId
Attribute duaExtId contains the external user id to be converted. This attribute can be either SIP or TEL. An example value contains in duaExtId as SIP is sip:alice@partner.com, or as TEL is tel:+16023332059.
- Note:
- The I-CSCF escapes the + character, as shown in the example.
5.3.2.3 specificIMPU
Attribute specificIMPU contains the specific IMPU of a Wildcarded IMPU. An example value contained in specificIMPU is sip:WP-A_WPServiceProfile-1@one.att.net.
5.3.2.4 listOfDuaS
Attribute listOfDuaS contains a list of DUA-S Session Border Gateways (SBGs) that are added as feature tags to the terminating request by the S-CSCF. An example value contained in listOfDuaS is DUA-S-7;2011-12-24Z15:30:00;1.
5.3.2.5 wpUserAliasList
Attribute wpUserAliasList contains list of wholesale partner user alias.
5.4 Filter
ASN.1 syntax:
Filter ::=
CHOICE {
and [0] SET OF Filter,
or [1] SET OF Filter,
not [2] Filter,
equalityMatch [3] AttributeValueAssertion,
substrings [4] SubstringFilter,
greaterOrEqual [5] AttributeValueAssertion,
lessOrEqual [6] AttributeValueAssertion,
present [7] AttributeDescription,
approxMatch [8] AttributeValueAssertion
extensibleMatch[9] MatchingRuleAssertion,
... }
AttributeValueAssertion ::=
SEQUENCE {
attributeDescription AttributeDescription,
attributeValue AttributeValue}
AttributeValue ::= OCTET STRING
SubstringFilter ::=
SEQUENCE {
type AttributeDescription,
SEQUENCE OF CHOICE {
initial [0] AssertionValue,
any [1] AssertionValue,
final [2] AssertionValue}}
MatchingRuleAssertion ::= SEQUENCE {
matchingRule [1] MatchingRuleId OPTIONAL,
type [2] AttributeDescription OPTIONAL,
matchValue [3] AssertionValue,
dnAttributes [4] BOOLEAN DEFAULT FALSE }The I-CSCF only uses the present filter with the value (ObjectClass=*).
5.5 Name
ASN.1 syntax:
Name ::= LDAPString
The Name contains the AdminDN in the BindRequest.
5.6 LDAPResult
The I-CSCF interprets LDAPResult success(0) as a successful result, refer to the RFC 4511 Lightweight Directory Access Protocol (June 2006) specification.
All other results are interpreted as unsuccessful.
5.7 Version
ASN.1 syntax:
Version ::= INTEGER (1 .. 127)
The I-CSCF sets the value according to a configuration parameter. The default value is 3.
6 Security Considerations
Simple authentication is used between the I-CSCF and DUA-DB. The username and a password for the LDAP Servers are defined in the configuration data in clear text.
7 Related Standards
Not all LDAP messages are needed in the interface between the I-CSCF and the DUA-DB.
The LDAP messages used between the I-CSCF and the DUA-DB are compliant to the standard LDAP v2 protocol and the standard LDAP v3 protocol defined in the RFC 1777 Lightweight Directory Access Protocol (March 1995) and RFC 4511 Lightweight Directory Access Protocol (June 2006) specifications.