Hi,
Not sure about the registration, but for allowing calls with a different CLI than the auth-user, you could maintain a list of allowed CLIs per user in usr_preferences. Let's assume you store them as integer-avp 345, then something like this could work for invites:

# authenticate, load usr_preferences, then:
if(!check_from() && !avp_check("$fU", "eq/$avp(i:345)/g")) {
    sl_send_reply("403", "Invalid CLI");
    exit;
}

The check could be modified for registers as well, of course. And note that From is not the only way to transport CLIs, also check for P-Preferred/Asserted-Identity and Remote-Party-ID.
Andreas
Andreas Sikkema wrote:
Hi,
I'm working on extending my OpenSER configuration to allow a user account to have one or more aliases.
User A is reachable by calling A, but also using alias B or C. I have this working for calls to the UA, but I'm having problems with registration attempts from A and calls from A to other UAs or PSTN where it wants to send B or C as outgoing CLI.
For some reason, all UAs I've seen so far need to register their aliases to be able to send an alias as outgoing CLI. My OpenSER config uses the following to authenticate the user (from an old SER example):

if (!www_authorize("domain", "subscriber")) {
    www_challenge("domain", "0");
    exit;
}
if (!check_to()) {
    log("LOG: To Cheating attempt\n");
    sl_send_reply("403", "That is ugly -- use To=id in REGISTERs");
    exit;
};

When a UA tries to register an alias the www_authorize() succeeds, because the UA sends the correct authentication data for A, but uses the alias B or C in the To and From headers so check_to() fails with the error that B or C is being spoofed.
I (OpenSER) know that B and C are aliases of A, but how do I make this registration logic accept that and send a 200 OK message back? (I also don't want to save the registered alias in the location table, but that part I know how to do, I think).
The calls using outgoing CLI of the alias have I think the same problem where the From header has an alias where check_from() expects the data for A. I think the solution for this would be something comparable to solving the registration problem, correct?
Thanks!
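
The allowed-CLI check suggested in the reply, modelled in Python as an added example (not code from the thread or from OpenSER): it collects the user part from From, P-Preferred-Identity, P-Asserted-Identity and Remote-Party-ID and reports every value the authenticated user may not present. The function names, the `ALLOWED` table and the sample INVITEs are constructed for illustration.

```python
import re

# Headers that can carry the caller identity: From (and its compact form "f")
# plus the three extra headers named in the reply.
IDENTITY_HEADERS = {"from", "f", "p-preferred-identity",
                    "p-asserted-identity", "remote-party-id"}

# User part of a sip:/sips: URI, or the number of a tel: URI.
_USER = re.compile(r"sips?:([^@;>\s,]+)@|tel:([^;>\s,]+)", re.IGNORECASE)

def identity_users(raw):
    """Return (header, user) pairs for every identity header in a SIP request."""
    head = raw.split("\r\n\r\n", 1)[0]
    head = re.sub(r"\r\n[ \t]+", " ", head)      # unfold continuation lines
    pairs = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        name = name.strip()
        if not sep or name.lower() not in IDENTITY_HEADERS:
            continue
        users = [a or b for a, b in _USER.findall(value)]
        # A header with no parsable user is reported as None so it fails closed.
        pairs.extend((name, u) for u in (users or [None]))
    return pairs

def cli_violations(raw, auth_user, allowed_clis):
    """List identity values the authenticated user is not allowed to present."""
    permitted = {auth_user} | set(allowed_clis.get(auth_user, ()))
    return [(h, u) for h, u in identity_users(raw) if u not in permitted]

# Constructed sample data: user "a" may also present aliases "b" and "c".
ALLOWED = {"a": {"b", "c"}}
OK_INVITE = "\r\n".join([
    "INVITE sip:d@example.com SIP/2.0",
    'From: "B" <sip:b@example.com>;tag=1',
    "To: <sip:d@example.com>",
    "P-Preferred-Identity: <sip:c@example.com>",
    "", ""])
BAD_INVITE = OK_INVITE.replace(
    "P-Preferred-Identity: <sip:c@example.com>",
    "Remote-Party-ID: <sip:x@example.com>;party=calling")

if __name__ == "__main__":
    print(cli_violations(OK_INVITE, "a", ALLOWED))
    print(cli_violations(BAD_INVITE, "a", ALLOWED))
```

A non-empty result corresponds to the 403 "Invalid CLI" branch; the comparison is exact, matching the `eq` operator without the case-insensitive flag.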