Hi,
I have been using SER since August 2005, so I am still new to it.
I'm using ser v0.9.3 and mysql v4.1.13.
I use SER with two domains: 192.168.20.55 and 192.168.20.155.
Some users are configured in the subscriber table of the SER database with domain 192.168.20.55, and
other users are configured in the same subscriber table with domain 192.168.20.155.
I understand that users in domain 192.168.20.55 cannot talk to users in domain 192.168.20.155. Is that right?
I have the following problem:
Users from domain 192.168.20.55 can make calls to the PBX/PSTN, but users from domain 192.168.20.155 cannot:
a 403 Forbidden reply is sent to them.
Here is the sequence:
<- INVITE
-> 407 Proxy Authentication Required
<-ACK
<-INVITE
->100 Trying
->403 Forbidden
<-ACK
->403 Forbidden
<-ACK
->403 Forbidden
<-ACK
I would like to know if there is a need to have two databases for the multi-domain support with one SER?
Micheline Lambert
I included a part of my ser.cfg file
#
# $Id: ser.cfg,v 1.25.2.1 2005/02/18 14:30:44 andrei Exp $
#
# simple quick-start config script
#
...
# Listen on both local addresses; in this setup each address is used as a SIP domain.
listen=192.168.20.55
listen=192.168.20.155 # support multi-domains
# ------------------ module loading ----------------------------------
# MySQL driver; every db_url below uses the mysql:// scheme, so it must be loaded
loadmodule "/usr/local/lib/ser/modules/mysql.so"
# sl: stateless replies, tm: stateful relay, rr: record/loose routing,
# maxfwd: Max-Forwards check, usrloc/registrar: location table,
# textops: append_hf()
loadmodule "/usr/local/lib/ser/modules/sl.so"
loadmodule "/usr/local/lib/ser/modules/tm.so"
loadmodule "/usr/local/lib/ser/modules/rr.so"
loadmodule "/usr/local/lib/ser/modules/maxfwd.so"
loadmodule "/usr/local/lib/ser/modules/usrloc.so"
loadmodule "/usr/local/lib/ser/modules/registrar.so"
loadmodule "/usr/local/lib/ser/modules/textops.so"
# Digest authentication against the database
# mysql.so must be loaded !
loadmodule "/usr/local/lib/ser/modules/auth.so"
loadmodule "/usr/local/lib/ser/modules/auth_db.so"
loadmodule "/usr/local/lib/ser/modules/uri_db.so"
# load the group module to use the is_user_in() function
loadmodule "/usr/local/lib/ser/modules/group.so"
# load the acc module for accounting
loadmodule "/usr/local/lib/ser/modules/acc.so"
# new module for multi-domain support
# NOTE(review): no domain-module parameter or function call appears in the
# part of the script shown here -- confirm it is actually configured and used.
loadmodule "/usr/local/lib/ser/modules/domain.so"
# ----------------- setting module-specific parameters ---------------
# -- database access --
# NOTE(review): the database password is stored in this script in clear text,
# and "heslo" appears to be the sample value shipped with SER -- confirm,
# replace it with a site-specific secret, and keep this file readable only by
# the account SER runs as. Redact it before posting the script publicly.
modparam("auth_db|uri_db|usrloc", "db_url", "mysql://ser:heslo@localhost/ser")
modparam("acc", "db_url", "mysql://ser:heslo@localhost/ser")
# Domain-aware lookups are enabled for usrloc and registrar only.
# NOTE(review): the modules that authenticate and authorize callers
# (auth_db, uri_db, group) get no domain-related setting here; check whether
# this SER version offers one for them, since the script serves two domains
# from one subscriber table -- TODO confirm.
modparam("usrloc|registrar", "use_domain", 1)
# -- auth params --
# Let auth_db compute HA1 itself from the value in password_column.
#
modparam("auth_db", "calculate_ha1", 1)
#
# With "calculate_ha1" enabled (as it is in this config) the column holding
# the password must be named. This implies the subscriber table stores
# clear-text passwords, so restrict access to the database accordingly.
#
modparam("auth_db", "password_column", "password")
#modparam("usrloc", "db_mode", 0)
# db_mode 2 is used instead of the commented-out db_mode 0 above,
# for persistent storage of the location table in the SQL database
modparam("usrloc", "db_mode", 2)
# -- rr params --
# add value to ;lr param to make some broken UAs happy
modparam("rr", "enable_full_lr", 1)
# -- acc params --
# set the reporting log level
modparam("acc", "log_level", 1)
# number of the flag which will be used for accounting; if a message
# is labeled with this flag, its completion status will be reported
# (the main route sets flag 1 on every request)
modparam("acc", "log_flag", 1)
modparam("acc", "db_flag", 1)
modparam("acc", "report_cancels", 1)
# ------------------------- request routing logic -------------------
# main routing logic
# Main route: sanity checks, accounting flag, record-route, loose-route
# handling, then dispatch by destination and method to route(1)/(2)/(3).
route{
# ------------------------------------------------------------------
# Sanity Check Section
# ------------------------------------------------------------------
# initial sanity checks -- messages with
# max_forwards==0, or excessively long requests
if (!mf_process_maxfwd_header("10")) {
sl_send_reply("483","Too Many Hops");
break;
};
# reject requests of 2048 bytes or more
if (msg:len >= 2048 ) {
sl_send_reply("513", "Message too big");
break;
};
# ------------------------------------------------------------------
# label all transactions for accounting
# ------------------------------------------------------------------
log(1, "++++ labeled all transactions for accounting\n");
# flag 1 is the flag the acc module is configured to report on
setflag(1);
# ------------------------------------------------------------------
# Record Route Section
# ------------------------------------------------------------------
# we record-route all messages except REGISTER -- to make sure that
# subsequent messages will go through our proxy; that's
# particularly good if upstream and downstream entities
# use different transport protocol
if (!method=="REGISTER") record_route();
# ------------------------------------------------------------------
# Loose Route Section
# ------------------------------------------------------------------
# subsequent messages within a dialog should take the
# path determined by record-routing
if (loose_route()) {
# mark routing logic in request
append_hf("P-hint: rr-enforced\r\n");
route(1);
break;
};
# ------------------------------------------------------------------
# Call Type Processing
# ------------------------------------------------------------------
# NOTE(review): a request whose Request-URI is not one of our own addresses
# is relayed here before any authentication check in this script. Confirm
# that this proxy is not reachable by parties who could use it as an open
# relay, or authenticate the sender before relaying.
if (!uri==myself) {
# mark routing logic in request
append_hf("P-hint: outbound uri!=myself\r\n");
route(1);
break;
};
# requests addressed to one of our own addresses:
# INVITE goes to route(3), REGISTER to route(2); every other method is
# relayed after an alias lookup
if (uri==myself) {
if (method=="INVITE") {
route(3);
break;
} else if (method=="REGISTER") {
route(2);
break;
};
lookup("aliases");
# the alias lookup may have rewritten the URI to a foreign destination
if (!uri==myself) { /* myself = my IP address */
append_hf("P-hint: outbound alias - uri!=myself\r\n");
route(1); /* relay the message */
break;
};
log(1, "++++ route other SIP messages???????????????\n");
route(1);
};
}
# route[1]: relay the request; used by every branch that forwards statefully.
route[1]
{
# t_relay() forwards the request through the tm module; if it fails,
# answer with a stateless reply describing the error
if (!t_relay()) {
sl_reply_error();
};
}
# route[2]: REGISTER handling -- authenticate the user against the
# subscriber table, then store the contact in the location table.
route[2]
{
# provisional reply, sent statelessly before authentication starts
sl_send_reply("100", "Trying");
log(1, "==== www_authorize\n");
# validate the authentication of the user
# NOTE(review): the realm argument is empty; presumably the realm is then
# derived from the request itself -- confirm for this SER version, because
# the script serves two domains.
if (!www_authorize("", "subscriber")) {
log(1, "==== send 401 Unauthorized\n");
www_challenge("", "0"); # send back 401 Unauthorized message
break; # ask for another registration with auth.
};
# reject registrations whose To header does not pass check_to()
# (presumably: To user must match the authenticated user -- confirm)
if (!check_to()) {
sl_send_reply("401", "Unauthorized 2");
break;
};
log(1, "==== remove Authorization line\n");
consume_credentials(); # remove Authorization digest info from message
# save the user in the location table
log(1, "==== save location and send Ok\n");
if (!save("location")) { # save the user in the location table, send Ok message
sl_reply_error();
};
}
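# route[3]: INVITE handling for requests addressed to this proxy.
#
# Order of checks:
#   1. the Request-URI must have a numeric user part
#   2. requests from the VoIP gateway address are delivered to registered
#      users without authentication
#   3. every other caller must pass digest authentication and check_from()
#   4. the dialled prefix selects a call class, and the caller must be a
#      member of the matching group, otherwise a 403 reply is sent
#
# All prefix patterns are anchored with "^" so that they are compared with
# the start of the Request-URI. Unanchored, a pattern such as "sip:9011..."
# can match text that appears later in the URI, which would let a request
# be classified -- and authorized -- by something other than the dialled
# number.
route[3]
{
    # Accept only a numeric user part with an optional leading "+".
    # The "+" is escaped so that it is a literal plus sign and not a
    # repetition operator applied to the colon.
    if (!uri=~"^sip:\+?[0-9]+@.*") {
        log(1, "---- call cannot be serverd here - not numeric uri\n");
        sl_send_reply("403", "Call cannot be served here");
        break;
    }

    #
    # Incoming call from the VoIP gateway
    #
    # NOTE(review): requests from this source address skip digest
    # authentication; the decision rests on the source IP alone. Confirm
    # that only the gateway can send packets from this address on the
    # network the proxy listens on.
    if (src_ip==192.168.20.105) { # address of VoIP Gateway
        log(1, "---- Incoming calls from VoIP Gateway\n");
        if (lookup("location")) {
            # destination user is registered: relay
            log(1, "---- dest user registered - relay the message\n");
            route(1);
            break;
        } else {
            # destination user is not in the location table
            log(1, "---- dest user NOT registered \n");
            sl_send_reply("403", "User not Found");
            break;
        };
    };

    #
    # Calls received from an ATA: authenticate the calling user
    #
    log(1, "---- call received from ATA\n");
    log(1, "---- proxy_authorize()\n");
    if (!proxy_authorize("", "subscriber")) {
        # no or wrong credentials: challenge with 407
        log(1, "---- src user NOT authenticated\n");
        proxy_challenge("", "0");
        break;
    } else if (!check_from()) {
        # The group checks below are keyed on the From header, so the From
        # header has to pass check_from() before it is trusted.
        sl_send_reply("403", "Use From=ID");
        break;
    };
    log(1, "---- src user authenticated\n");

    # remove the Proxy-Authorization credentials before forwarding
    log(1, "---- remove proxy-authorization line\n");
    consume_credentials();

    # An alias may point to a destination outside this proxy; relay those.
    lookup("aliases");
    if (uri!=myself) {
        log(1, "---- Relay message because uri != myself\n");
        append_hf("P-hint: outbound alias - uri!=myself\r\n");
        route(1);
        break;
    };

    #
    # Authorization by dialled prefix.
    #
    # NOTE(review): is_user_in("From", ...) looks the caller up in the group
    # table. With two domains on one proxy, confirm whether the group module
    # also matches on the domain part in this SER version; a caller that is
    # not found in the group for its domain ends in one of the 403 replies
    # below.
    #

    # Local IP calls: prefix "31" followed by digits.
    # Must be tested before the more general "3" prefix.
    if (uri=~"^sip:31[0-9]*@.*") {
        log(1, "---- local IP calls\n");
        if (is_user_in("From", "local")) {
            log(1, "---- src part of local group\n");
            if (lookup("location")) {
                # destination is a registered local ATA: relay
                log(1, "---- dest user registered\n");
                log(1, "---- dest = local ATA\n");
                route(1); /* relay the message */
                break;
            } else {
                log(1, "---- dest user NOT registered \n");
                sl_send_reply("403", "User not Found");
                break;
            };
        } else {
            log(1, "---- src NOT part of local group\n");
            sl_send_reply("403", "No Permission for local calls");
            break;
        };
    };

    # Local PBX calls: prefix "3" followed by digits, sent to the gateway.
    if (uri=~"^sip:3[0-9]*@.*") {
        log(1, "---- local PBX calls\n");
        if (is_user_in("From", "local")) {
            log(1, "---- src part of local group\n");
            log(1, "---- forward message to VoIP Gateway\n");
            rewritehostport("192.168.20.105:5060");
            forward(192.168.20.105, 5060);
            break;
        } else {
            log(1, "---- src NOT part of local group\n");
            sl_send_reply("403", "No Permission for local calls");
            break;
        };
    };

    # Free PSTN calls: "9" followed by a digit 2-9, then digits.
    if (uri=~"^sip:9[2-9][0-9]*@.*") {
        log(1, "---- free PSTN calls\n");
        if (is_user_in("From", "free-pstn")) {
            log(1, "---- forward message to VoIP Gateway\n");
            rewritehostport("192.168.20.105:5060");
            forward(192.168.20.105, 5060);
            break;
        } else {
            log(1, "---- src NOT part of free_pstn group\n");
            sl_send_reply("403", "No Permission for free PSTN calls");
            break;
        };
    };

    # Long distance PSTN calls: "91" followed by a digit 2-9, then digits.
    if (uri=~"^sip:91[2-9][0-9]*@.*") {
        log(1, "---- long distance calls\n");
        if (is_user_in("From", "ld")) {
            log(1, "---- forward message to VoIP Gateway\n");
            rewritehostport("192.168.20.105:5060");
            forward(192.168.20.105, 5060);
            break;
        } else {
            log(1, "---- src NOT part of long ddistance (ld) group\n");
            sl_send_reply("403", "No Permission for long distance calls");
            break;
        };
    };

    # International calls: "9011" followed by any digits.
    if (uri=~"^sip:9011[0-9]*@.*") {
        log(1, "---- international calls\n");
        if (is_user_in("From", "int")) {
            log(1, "---- forward message to VoIP Gateway\n");
            rewritehostport("192.168.20.105:5060");
            forward(192.168.20.105, 5060);
            break;
        } else {
            log(1, "---- src NOT part of international (int) group\n");
            sl_send_reply("403", "No Permission for international calls");
            break;
        };
    };

    # No call class matched: deny by default.
    log(1, "---- call NOT authorized\n");
    sl_send_reply("403", "Call not Authorized");
}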
Hi, I am new user too.
Have you added the two domains to the "domain" table?
Regards -- Alberto
----- Original Message ----- From: "Lambert, Micheline (Satnet)" Lambert.M@emssatnet.com To: serusers@lists.iptel.org Sent: Thursday, September 29, 2005 3:21 PM Subject: [Serusers] multi-domain support with one SER-2
Hi,
I'm new with SER since August 2005.
I'm using ser v0.9.3 and mysql v4.1.13.
I use SER with two domains: 192.168.20.55 and 192.168.20.155.
Some users are configured in subscribe table of SER database with domain 192.168.20.55 and
other users are configured in the same subscribe table of SER database with domain 192.168.20.155.
I understand that user from domain 192.168.20.55 can not talk to users in domain 192.168.20.155. Is it right?
I have the following problem:
Users from domain 192.168.20.55 can make calls to PBX/PSTN but users from domain 192.168.20.155 can not,
There is the message 403 Forbidden sent to the users.
Here is the sequence:
<- INVITE
-> 407 Proxy Authentication Required
<-ACK
<-INVITE
->100 Trying
->403 Forbidden
<-ACK
->403 Forbidden
<-ACK
->403 Forbidden
<-ACK
I would like to know if there is a need to have two databases for the multi-domain support with one SER?
Micheline Lambert
I included a part of my ser.cfg file
#
# $Id: ser.cfg,v 1.25.2.1 2005/02/18 14:30:44 andrei Exp $
#
# simple quick-start config script
#
...
# Listen on both local addresses; in this setup each address is used as a SIP domain.
listen=192.168.20.55
listen=192.168.20.155 # support multi-domains
# ------------------ module loading ----------------------------------
# MySQL driver; every db_url below uses the mysql:// scheme, so it must be loaded
loadmodule "/usr/local/lib/ser/modules/mysql.so"
# sl: stateless replies, tm: stateful relay, rr: record/loose routing,
# maxfwd: Max-Forwards check, usrloc/registrar: location table,
# textops: append_hf()
loadmodule "/usr/local/lib/ser/modules/sl.so"
loadmodule "/usr/local/lib/ser/modules/tm.so"
loadmodule "/usr/local/lib/ser/modules/rr.so"
loadmodule "/usr/local/lib/ser/modules/maxfwd.so"
loadmodule "/usr/local/lib/ser/modules/usrloc.so"
loadmodule "/usr/local/lib/ser/modules/registrar.so"
loadmodule "/usr/local/lib/ser/modules/textops.so"
# Digest authentication against the database
# mysql.so must be loaded !
loadmodule "/usr/local/lib/ser/modules/auth.so"
loadmodule "/usr/local/lib/ser/modules/auth_db.so"
loadmodule "/usr/local/lib/ser/modules/uri_db.so"
# load the group module to use the is_user_in() function
loadmodule "/usr/local/lib/ser/modules/group.so"
# load the acc module for accounting
loadmodule "/usr/local/lib/ser/modules/acc.so"
# new module for multi-domain support
# NOTE(review): no domain-module parameter or function call appears in the
# part of the script shown here -- confirm it is actually configured and used.
loadmodule "/usr/local/lib/ser/modules/domain.so"
# ----------------- setting module-specific parameters ---------------
# -- database access --
# NOTE(review): the database password is stored in this script in clear text,
# and "heslo" appears to be the sample value shipped with SER -- confirm,
# replace it with a site-specific secret, and keep this file readable only by
# the account SER runs as. Redact it before posting the script publicly.
modparam("auth_db|uri_db|usrloc", "db_url", "mysql://ser:heslo@localhost/ser")
modparam("acc", "db_url", "mysql://ser:heslo@localhost/ser")
# Domain-aware lookups are enabled for usrloc and registrar only.
# NOTE(review): the modules that authenticate and authorize callers
# (auth_db, uri_db, group) get no domain-related setting here; check whether
# this SER version offers one for them, since the script serves two domains
# from one subscriber table -- TODO confirm.
modparam("usrloc|registrar", "use_domain", 1)
# -- auth params --
# Let auth_db compute HA1 itself from the value in password_column.
#
modparam("auth_db", "calculate_ha1", 1)
#
# With "calculate_ha1" enabled (as it is in this config) the column holding
# the password must be named. This implies the subscriber table stores
# clear-text passwords, so restrict access to the database accordingly.
#
modparam("auth_db", "password_column", "password")
#modparam("usrloc", "db_mode", 0)
# db_mode 2 is used instead of the commented-out db_mode 0 above,
# for persistent storage of the location table in the SQL database
modparam("usrloc", "db_mode", 2)
# -- rr params --
# add value to ;lr param to make some broken UAs happy
modparam("rr", "enable_full_lr", 1)
# -- acc params --
# set the reporting log level
modparam("acc", "log_level", 1)
# number of the flag which will be used for accounting; if a message
# is labeled with this flag, its completion status will be reported
# (the main route sets flag 1 on every request)
modparam("acc", "log_flag", 1)
modparam("acc", "db_flag", 1)
modparam("acc", "report_cancels", 1)
# ------------------------- request routing logic -------------------
# main routing logic
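# Main route: sanity checks, accounting flag, record-route, loose-route
# handling, then dispatch by destination and method to route(1)/(2)/(3).
#
# Line structure restored: in the collapsed form, statements that follow a
# "#" on the same line are part of the comment, and two string literals were
# split across lines.
route{
    # ------------------------------------------------------------------
    # Sanity Check Section
    # ------------------------------------------------------------------
    # messages with max_forwards==0, or excessively long requests
    if (!mf_process_maxfwd_header("10")) {
        sl_send_reply("483","Too Many Hops");
        break;
    };
    # reject requests of 2048 bytes or more
    if (msg:len >= 2048 ) {
        sl_send_reply("513", "Message too big");
        break;
    };

    # ------------------------------------------------------------------
    # label all transactions for accounting
    # ------------------------------------------------------------------
    log(1, "++++ labeled all transactions for accounting\n");
    # flag 1 is the flag the acc module is configured to report on
    setflag(1);

    # ------------------------------------------------------------------
    # Record Route Section
    # ------------------------------------------------------------------
    # record-route everything except REGISTER so that subsequent messages
    # go through this proxy; particularly useful if upstream and downstream
    # entities use different transport protocols
    if (!method=="REGISTER") record_route();

    # ------------------------------------------------------------------
    # Loose Route Section
    # ------------------------------------------------------------------
    # subsequent messages within a dialog take the path determined by
    # record-routing
    if (loose_route()) {
        # mark routing logic in request
        append_hf("P-hint: rr-enforced\r\n");
        route(1);
        break;
    };

    # ------------------------------------------------------------------
    # Call Type Processing
    # ------------------------------------------------------------------
    # NOTE(review): a request whose Request-URI is not one of our own
    # addresses is relayed here before any authentication check in this
    # script. Confirm that this proxy is not reachable by parties who could
    # use it as an open relay, or authenticate the sender before relaying.
    if (!uri==myself) {
        # mark routing logic in request
        append_hf("P-hint: outbound uri!=myself\r\n");
        route(1);
        break;
    };

    # requests addressed to one of our own addresses:
    # INVITE goes to route(3), REGISTER to route(2); every other method is
    # relayed after an alias lookup
    if (uri==myself) {
        if (method=="INVITE") {
            route(3);
            break;
        } else if (method=="REGISTER") {
            route(2);
            break;
        };
        lookup("aliases");
        # the alias lookup may have rewritten the URI to a foreign destination
        if (!uri==myself) { /* myself = my IP address */
            append_hf("P-hint: outbound alias - uri!=myself\r\n");
            route(1); /* relay the message */
            break;
        };
        log(1, "++++ route other SIP messages???????????????\n");
        route(1);
    };
}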
# route[1]: relay the request; used by every branch that forwards statefully.
route[1]
{
# t_relay() forwards the request through the tm module; if it fails,
# answer with a stateless reply describing the error
if (!t_relay()) { sl_reply_error(); };
}
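# route[2]: REGISTER handling -- authenticate the user against the
# subscriber table, then store the contact in the location table.
#
# Line structure restored: in the collapsed form, statements that follow a
# "#" on the same line are part of the comment, and wrapped comment tails
# stand on lines of their own where they would be read as code.
route[2]
{
    # provisional reply, sent statelessly before authentication starts
    sl_send_reply("100", "Trying");
    log(1, "==== www_authorize\n");

    # validate the authentication of the user
    # NOTE(review): the realm argument is empty; presumably the realm is
    # then derived from the request itself -- confirm for this SER version,
    # because the script serves two domains.
    if (!www_authorize("", "subscriber")) {
        log(1, "==== send 401 Unauthorized\n");
        www_challenge("", "0"); # send back 401 Unauthorized message
        break;                  # ask for another registration with auth.
    };

    # reject registrations whose To header does not pass check_to()
    # (presumably: To user must match the authenticated user -- confirm)
    if (!check_to()) {
        sl_send_reply("401", "Unauthorized 2");
        break;
    };

    log(1, "==== remove Authorization line\n");
    consume_credentials(); # remove Authorization digest info from message

    # save the user in the location table
    log(1, "==== save location and send Ok\n");
    if (!save("location")) { # save the user in the location table, send Ok message
        sl_reply_error();
    };
}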
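# route[3]: INVITE handling for requests addressed to this proxy.
#
# Order of checks:
#   1. the Request-URI must have a numeric user part
#   2. requests from the VoIP gateway address are delivered to registered
#      users without authentication
#   3. every other caller must pass digest authentication and check_from()
#   4. the dialled prefix selects a call class, and the caller must be a
#      member of the matching group, otherwise a 403 reply is sent
#
# Line structure restored: in the collapsed form, statements that follow a
# "#" on the same line are part of the comment, and several string literals
# were split across lines.
#
# All prefix patterns are anchored with "^" so that they are compared with
# the start of the Request-URI. Unanchored, a pattern such as "sip:9011..."
# can match text that appears later in the URI, which would let a request
# be classified -- and authorized -- by something other than the dialled
# number.
route[3]
{
    # Accept only a numeric user part with an optional leading "+"
    # (escaped, so it is a literal plus sign).
    if (!uri=~"^sip:\+?[0-9]+@.*") {
        log(1, "---- call cannot be serverd here - not numeric uri\n");
        sl_send_reply("403", "Call cannot be served here");
        break;
    }

    #
    # Incoming call from the VoIP gateway
    #
    # NOTE(review): requests from this source address skip digest
    # authentication; the decision rests on the source IP alone. Confirm
    # that only the gateway can send packets from this address on the
    # network the proxy listens on.
    if (src_ip==192.168.20.105) { # address of VoIP Gateway
        log(1, "---- Incoming calls from VoIP Gateway\n");
        if (lookup("location")) {
            # destination user is registered: relay
            log(1, "---- dest user registered - relay the message\n");
            route(1);
            break;
        } else {
            # destination user is not in the location table
            log(1, "---- dest user NOT registered \n");
            sl_send_reply("403", "User not Found");
            break;
        };
    };

    #
    # Calls received from an ATA: authenticate the calling user
    #
    log(1, "---- call received from ATA\n");
    log(1, "---- proxy_authorize()\n");
    if (!proxy_authorize("", "subscriber")) {
        # no or wrong credentials: challenge with 407
        log(1, "---- src user NOT authenticated\n");
        proxy_challenge("", "0");
        break;
    } else if (!check_from()) {
        # The group checks below are keyed on the From header, so the From
        # header has to pass check_from() before it is trusted.
        sl_send_reply("403", "Use From=ID");
        break;
    };
    log(1, "---- src user authenticated\n");

    # remove the Proxy-Authorization credentials before forwarding
    log(1, "---- remove proxy-authorization line\n");
    consume_credentials();

    # An alias may point to a destination outside this proxy; relay those.
    lookup("aliases");
    if (uri!=myself) {
        log(1, "---- Relay message because uri != myself\n");
        append_hf("P-hint: outbound alias - uri!=myself\r\n");
        route(1);
        break;
    };

    #
    # Authorization by dialled prefix.
    #
    # NOTE(review): is_user_in("From", ...) looks the caller up in the group
    # table. With two domains on one proxy, confirm whether the group module
    # also matches on the domain part in this SER version; a caller that is
    # not found in the group for its domain ends in one of the 403 replies
    # below.
    #

    # Local IP calls: prefix "31" followed by digits.
    # Must be tested before the more general "3" prefix.
    if (uri=~"^sip:31[0-9]*@.*") {
        log(1, "---- local IP calls\n");
        if (is_user_in("From", "local")) {
            log(1, "---- src part of local group\n");
            if (lookup("location")) {
                # destination is a registered local ATA: relay
                log(1, "---- dest user registered\n");
                log(1, "---- dest = local ATA\n");
                route(1); /* relay the message */
                break;
            } else {
                log(1, "---- dest user NOT registered \n");
                sl_send_reply("403", "User not Found");
                break;
            };
        } else {
            log(1, "---- src NOT part of local group\n");
            sl_send_reply("403", "No Permission for local calls");
            break;
        };
    };

    # Local PBX calls: prefix "3" followed by digits, sent to the gateway.
    if (uri=~"^sip:3[0-9]*@.*") {
        log(1, "---- local PBX calls\n");
        if (is_user_in("From", "local")) {
            log(1, "---- src part of local group\n");
            log(1, "---- forward message to VoIP Gateway\n");
            rewritehostport("192.168.20.105:5060");
            forward(192.168.20.105, 5060);
            break;
        } else {
            log(1, "---- src NOT part of local group\n");
            sl_send_reply("403", "No Permission for local calls");
            break;
        };
    };

    # Free PSTN calls: "9" followed by a digit 2-9, then digits.
    if (uri=~"^sip:9[2-9][0-9]*@.*") {
        log(1, "---- free PSTN calls\n");
        if (is_user_in("From", "free-pstn")) {
            log(1, "---- forward message to VoIP Gateway\n");
            rewritehostport("192.168.20.105:5060");
            forward(192.168.20.105, 5060);
            break;
        } else {
            log(1, "---- src NOT part of free_pstn group\n");
            sl_send_reply("403", "No Permission for free PSTN calls");
            break;
        };
    };

    # Long distance PSTN calls: "91" followed by a digit 2-9, then digits.
    if (uri=~"^sip:91[2-9][0-9]*@.*") {
        log(1, "---- long distance calls\n");
        if (is_user_in("From", "ld")) {
            log(1, "---- forward message to VoIP Gateway\n");
            rewritehostport("192.168.20.105:5060");
            forward(192.168.20.105, 5060);
            break;
        } else {
            log(1, "---- src NOT part of long ddistance (ld) group\n");
            sl_send_reply("403", "No Permission for long distance calls");
            break;
        };
    };

    # International calls: "9011" followed by any digits.
    if (uri=~"^sip:9011[0-9]*@.*") {
        log(1, "---- international calls\n");
        if (is_user_in("From", "int")) {
            log(1, "---- forward message to VoIP Gateway\n");
            rewritehostport("192.168.20.105:5060");
            forward(192.168.20.105, 5060);
            break;
        } else {
            log(1, "---- src NOT part of international (int) group\n");
            sl_send_reply("403", "No Permission for international calls");
            break;
        };
    };

    # No call class matched: deny by default.
    log(1, "---- call NOT authorized\n");
    sl_send_reply("403", "Call not Authorized");
}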