2010/7/1 Jan Janak jan@ryngle.com:
On Thu, Jul 1, 2010 at 3:31 PM, Iñaki Baz Castillo ibc@aliax.net wrote:
2010/7/1 Juha Heinanen jh@tutpro.com:
if (!proxy_authenticate("$fd.digest_realm", "credentials")) {
What is $fd.digest_realm ?
A variable containing the string to be used as realm in digest authentication. In most circumstances its value is retrieved from the database (domain_attrs table).
So, if for example the From domain is "example.org" then SER would search for the realm corresponding to the domain "example.org" (which could be the domain itself or any other token), am I right?
I like it, more than the "subscriber" table and the "auth_db" module of Kamailio. Let me explain why:
- Imagine a Kamailio in multidomain mode.
- A phone "sip:alice@example.org" sends an INVITE with "From: sip:anonymous@invalid-domain.org" (so the user requests privacy).
- The INVITE doesn't have a "P-Preferred-Identity: sip:alice@example.org" (it doesn't implement RFC 3325).
- So, how could Kamailio ask for authentication? Which realm to use? There is no string in the INVITE identifying the domain the originator belongs to, so...
The only solution for this issue would be using the same realm for every user and domain of the proxy, but in Kamailio this is not possible if "calculate_ha1" (in "auth_db") is 0 because Kamailio takes the realm of the request to look for the corresponding user using such realm as domain.
With SER the above problem would be solved by using the same realm for all the users and domains, but with a constraint: the "username" field of the credentials generated by the user should be a full URI "sip:alice@example.org" (or perhaps also "alice@example.org"), so the auth module would parse the username and domain from the credentials "username" field.
In the future I would like to talk about the credentials username field format (just SIP username, username@domain or sip:username@domain). IMHO in a multidomain system phones should authenticate themselves by using the whole AoR (including the "sip:" schema) in the "username" field of the credentials.
Regards.
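The scheme discussed above (one shared realm for all domains, with the subscriber's domain parsed out of the credentials "username" rather than taken from the From header), as an added illustration that is not part of this thread and not SER or Kamailio code. The realm "proxy.example", the subscriber store, the password and the nonce are constructed values; the digest math follows RFC 2617 without qop.

```python
import hashlib
import re

SHARED_REALM = "proxy.example"  # constructed: one realm for every served domain

def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def split_username(username: str):
    """'sip:alice@example.org' / 'alice@example.org' / 'alice' -> (user, domain or None)."""
    bare = username[4:] if username.lower().startswith("sip:") else username
    if "@" in bare:
        user, domain = bare.rsplit("@", 1)
        return user, domain.lower()
    return bare, None

# Constructed subscriber store keyed by (user, domain). HA1 is bound to the exact
# username string the phone sends, so a bare 'alice@example.org' would not match it.
SUBSCRIBERS = {
    ("alice", "example.org"): md5hex(f"sip:alice@example.org:{SHARED_REALM}:s3cret"),
}
_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')

def parse_digest(header: str) -> dict:
    """Parse 'Digest k="v", k2=v2, ...' into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM.finditer(header[len("Digest "):])}
def digest_response(ha1: str, method: str, uri: str, nonce: str) -> str:
    # RFC 2617 without qop: response = MD5(HA1:nonce:MD5(method:uri))
    return md5hex(f"{ha1}:{nonce}:{md5hex(method + ':' + uri)}")

def build_authorization(username, password, method, uri, nonce) -> str:
    """Phone side: the From header plays no part, only these credentials do."""
    ha1 = md5hex(f"{username}:{SHARED_REALM}:{password}")
    resp = digest_response(ha1, method, uri, nonce)
    return (f'Digest username="{username}", realm="{SHARED_REALM}", '
            f'nonce="{nonce}", uri="{uri}", response="{resp}"')

def authenticate(auth_header: str, method: str):
    """Proxy side: (user, domain) on success, None otherwise. Nonce replay checks omitted."""
    c = parse_digest(auth_header) if auth_header.startswith("Digest ") else {}
    if c.get("realm") != SHARED_REALM or not all(k in c for k in ("username", "uri", "nonce", "response")):
        return None
    user, domain = split_username(c["username"])
    if domain is None:  # bare username: no way to pick the domain in multidomain mode
        return None
    ha1 = SUBSCRIBERS.get((user, domain))
    if ha1 is None or digest_response(ha1, method, c["uri"], c["nonce"]) != c["response"]:
        return None
    return user, domain
```

Because HA1 covers the literal username string, a phone that sends "alice@example.org" fails against an entry provisioned for "sip:alice@example.org", which is why the username format has to be fixed across all phones before a single shared realm is deployed.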