On Sep 27, 2010 at 16:37, Rouskol Andrey <anry-dev(a)yandex.ru> wrote:
> Hello,
> Could somebody check if default ser.cfg file is correct in the following section:
> route[AUTHENTICATION]
It looks ok to me, although a little ambiguous (some avps are fully specified
in some cases and in others they are not). See inline comments below.
> {
> ....
before this we have proxy_authenticate("$fd.digest_realm", "credentials"),
which, if the authentication is successful, will set $fu.uid (unless the default
load_credentials authdb modparam was changed).
So $fu.uid is set to the UID of the authenticated user.
>     # check if the UID from the authentication meets the From header
>     $authuid = $uid;
This is equivalent to:
$fr.authuid = $uid.
If nobody else did set $fr.uid before (in the default config nobody seems
to do this), then $fr.authuid = $fu.uid == UID of the authenticated user.
>     if (!lookup_user("$fu.uid", "@from.uri")) {
>         xlog("L_INFO", "fu.uid lookup failed\n");
>         del_attr("$uid");
>     }
=> $fu.uid set to the UID of the user in the from uri.
>     if ($fu.uid != $fr.authuid) {
>         sl_reply("403", "Fake Identity");
>         drop;
>     }
=> UID of the user in From is compared with the authenticated user's UID
=> it should be ok (although I admit I haven't actually tested it in a
very long while).
You could try adding debugging xlog statements, e.g.:
add xlog("L_ERR", "uids do not match: %$fu.uid != %$fr.authuid\n")
before sl_reply("403", "Fake Identity"); and
xlog("L_ERR", "debug: $uid= %$uid, $fr.uid= %$fr.uid and $fu.uid= %$fu.uid\n")
before $authuid = $uid;.
> ..
> Because it didn't work for me till I've replaced:
>     if (!lookup_user("$fu.uid", "@from.uri")) {
> with:
>     if (!lookup_user("$fr.uid", "@from.uri")) {
This change practically disables the check (it will always succeed). It
loads the UID from the from user inside $fr.uid instead of $fu.uid
(which from a logic point of view is not wrong), but
then you compare $fu.uid with $fr.authuid and nobody changed $fu.uid
in-between $authuid = $uid and the check, so it will always be true.
If you want to use $fr.uid instead of $fu.uid (like in ser-oob.cfg),
then you must also change it in the comparison: $fr.uid != $fr.authuid.
Most likely you are trying to send a message with a from user different
from the user in the authenticate headers.
Could you send me a copy of the config (if you did change anything
besides IPs and db urls) and the captured packet for which the
authentication fails?
Andrei
P.S.: that section from the config is ambiguous, I'll probably replace
it with the corresponding part from ser-oob.cfg.
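As an added illustration of the point made above (a constructed model written for this page, not SER code and not from either author), the following Python mimics the state changes in route[AUTHENTICATION]: authentication sets $fu.uid, it is copied into $fr.authuid, lookup_user() loads the From user's UID into the configured AVP, and the comparison decides between "ok" and a 403. The USERS table and the function names are assumptions of the model; the AVP names are the ones from the thread. Running the three variants shows that loading into $fr.uid while still comparing $fu.uid lets a mismatched From header through, whereas comparing the same AVP that was loaded restores the check.

```python
# Constructed model of ser.cfg route[AUTHENTICATION] (added example, not SER code).
# AVPs are kept in a plain dict keyed by their fully qualified SER names.

USERS = {  # constructed user table: From/auth username -> UID
    "alice": "uid-alice",
    "bob": "uid-bob",
}


def proxy_authenticate(state, credentials_user):
    """Model a successful proxy_authenticate(): with the default
    load_credentials setting the authenticated user's UID lands in $fu.uid."""
    state["$fu.uid"] = USERS[credentials_user]


def lookup_user(state, target_avp, from_user):
    """Model lookup_user(target, "@from.uri"): resolve the From user to a UID
    and store it in the requested AVP. Returns False when the user is unknown."""
    uid = USERS.get(from_user)
    if uid is None:
        return False
    state[target_avp] = uid
    return True


def route_authentication(credentials_user, from_user,
                         lookup_avp="$fu.uid", compare_avp="$fu.uid"):
    """Run the identity check for one request.

    lookup_avp  - AVP that lookup_user() writes into ($fu.uid in the default
                  ser.cfg, $fr.uid in the modified one from the thread)
    compare_avp - AVP compared against $fr.authuid
    Returns "ok" when the request passes, or the 403 reason when it is rejected.
    """
    state = {}
    proxy_authenticate(state, credentials_user)
    # $authuid = $uid; -- per the thread this resolves to $fr.authuid = $fu.uid
    state["$fr.authuid"] = state["$fu.uid"]
    if not lookup_user(state, lookup_avp, from_user):
        # del_attr("$uid"); -- assumed to resolve to $fu.uid, as in the thread
        state.pop("$fu.uid", None)
    if state.get(compare_avp) != state.get("$fr.authuid"):
        return "403 Fake Identity"
    return "ok"


if __name__ == "__main__":
    # From user differs from the authenticated user in every case below.
    print("default config:", route_authentication("alice", "bob"))
    print("lookup into $fr.uid only:",
          route_authentication("alice", "bob", lookup_avp="$fr.uid"))
    print("lookup and compare $fr.uid:",
          route_authentication("alice", "bob",
                               lookup_avp="$fr.uid", compare_avp="$fr.uid"))
```

The middle variant is the one from the thread: because nothing touches $fu.uid between the copy into $fr.authuid and the comparison, the two sides are always equal and the 403 branch is unreachable for any known From user.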