29 Feb
2008
29 Feb
'08
6:07 p.m.
Hi all,
I'm trying to authenticate INVITE messages with OpenSER 1.3.0 (SIP Proxy +
RTPPROXY) and LDAP module. Although REGISTER authentication works well, I cannot
check user authorization for INVITE messages. I'm using an openser.cfg
configuration template from sipwise (see an extract below).
pv_proxy_authorize() routine always returns false, even if my user is registered
and authenticated through our OpenLDAP. Can you tell me what I'm doing wrong ?
Many thks,
---------------------------
openser.cfg
---------------------------
route {
...
if(is_method("REGISTER"))
{
route(2);
}
if(is_method("INVITE"))
{
route(4);
}
...
}
########################################################################
# Request route 'base-route-register'
########################################################################
route[2]
{
sl_send_reply("100", "Trying");
if(is_present_hf("Authorization")||is_present_hf("Proxy-Authorization"))
{
xlog("L_INFO", "is_present_hf Authorization
or
Proxy-Authorization\n");
if
(!ldap_search("ldap://blabla/blabla?uid,userPassword?sub?(uid=$fU)")) {
switch ($retcode) {
case -1:
# no LDAP entry found
xlog("L_INFO", "Ldap user
not
found\n");
sl_send_reply("404", "User
Not
Found");
exit;
case -2:
# internal error
xlog("L_INFO", "Internal
server
error during authentication\n");
sl_send_reply("500",
"Internal
server error");
exit;
default:
exit;
}
}
ldap_result("uid/$avp(s:username)");
ldap_result("userPassword/$avp(s:password)");
}
if(!pv_www_authorize(""))
{
xlog("L_INFO", "Register authentication failed - M=$rm
RURI=$ru
F=$fu T=$tu IP=$si ID=$ci\n");
www_challenge("mydomain", "1");
exit;
}
if(!check_to())
{
xlog("L_INFO", "Spoofed To-URI detected - M=$rm RURI=$ru
F=$fu
T=$tu IP=$si ID=$ci\n");
sl_send_reply("403", "Spoofed To-URI Detected");
exit;
}
consume_credentials();
if(!search("^Contact:[ ]*\*") && nat_uac_test("19"))
{
fix_nated_register();
setbflag(6);
}
if(!save("location"))
{
xlog("L_ERR", "Saving contact failed - M=$rm RURI=$ru
F=$fu
T=$tu IP=$si ID=$ci\n");
sl_reply_error();
exit;
}
xlog("L_INFO", "Registration successful - M=$rm RURI=$ru F=$fu
T=$tu
IP=$si ID=$ci\n");
exit;
}
########################################################################
# Request route 'base-route-invite'
########################################################################
route[4]
{
sl_send_reply("100", "Trying");
if(nat_uac_test("19"))
{
fix_nated_contact();
setbflag(6);
}
route(5);
}
########################################################################
# Request route 'invite-find-callee'
########################################################################
route[5]
{
if(!is_domain_local("$rd"))
{
setflag(20);
route(7);
}
if(does_uri_exist())
{
xlog("L_INFO", "Callee is local - M=$rm RURI=$ru F=$fu
T=$tu
IP=$si ID=$ci\n");
route(6);
}
else
{
xlog("L_INFO", "Callee is not local - M=$rm RURI=$ru F=$fu
T=$tu
IP=$si ID=$ci\n");
route(7);
}
exit;
}
########################################################################
# Request route 'invite-to-external'
########################################################################
route[7]
{
if(isflagset(20))
{
xlog("L_INFO", "Call to foreign domain - M=$rm RURI=$ru
F=$fu
T=$tu IP=$si ID=$ci\n");
if (!pv_proxy_authorize(""))
{
xlog("L_INFO", "TESTING : NOT AUTHENTICATED
!!!!\n");
}
else
{
xlog("L_INFO", "TESTING : AUTHENTICATED
!!!!\n");
}
route(3);
exit;
}
xlog("L_INFO", "Call to unknown user - M=$rm RURI=$ru F=$fu T=$tu
IP=$si
ID=$ci\n");
sl_send_reply("404", "User Not Found");
exit;
}
---------------------
DEBUG LOGS
---------------------
eb 29 15:33:14 proxy_sip /usr/sbin/openser[5444]: DBG:core:parse_headers:
flags=80
Feb 29 15:33:14 proxy_sip /usr/sbin/openser[5444]: DBG:core:parse_headers:
flags=80
Feb 29 15:33:14 proxy_sip /usr/sbin/openser[5444]: Call to foreign domain -
M=INVITE RURI=sip:beacon@columbia.edu F=sip:test@xxxxxxxx T=sip:beacon@co
lumbia.edu IP=xxxxxxx ID=282a363f-5be5-dc11-8272-0015c56ccfaa@xxxxxx
Feb 29 15:33:14 proxy_sip /usr/sbin/openser[5444]: DBG:core:parse_headers:
flags=10000
Feb 29 15:33:14 proxy_sip /usr/sbin/openser[5444]: DBG:auth:pre_auth:
credentials with given realm not found
Feb 29 15:33:14 proxy_sip /usr/sbin/openser[5444]: TESTING : NOT AUTHENTICATED
29 Feb
29 Feb
6:23 p.m.
Hello,
for INVITE you have to use pv_proxy_authorize("")
http://www.openser.org/docs/modules/1.3.x/auth.html#AEN281
The problem is that the domain part for the URI of the user you want to
authenticate does not match the value from the realm attribute of
authorization header. Pasting the SIP message will help to give clear
indications.
Cheers,
Daniel
On 02/29/08 18:07, antalsia(a)free.fr wrote:
Hi all,
I'm trying to authenticate INVITE messages with OpenSER 1.3.0 (SIP Proxy +
RTPPROXY) and LDAP module. Although REGISTER authentication works well, I cannot
check user authorization for INVITE messages. I'm using an openser.cfg
configuration template from sipwise (see an extract below).
pv_proxy_authorize() routine always returns false, even if my user is registered
and authenticated through our OpenLDAP. Can you tell me what I'm doing wrong ?
Many thks,
---------------------------
openser.cfg
---------------------------
route {
...
if(is_method("REGISTER"))
{
route(2);
}
if(is_method("INVITE"))
{
route(4);
}
...
}
########################################################################
# Request route 'base-route-register'
########################################################################
route[2]
{
sl_send_reply("100", "Trying");
if(is_present_hf("Authorization")||is_present_hf("Proxy-Authorization"))
{
xlog("L_INFO", "is_present_hf
Authorization or
Proxy-Authorization\n");
if
(!ldap_search("ldap://blabla/blabla?uid,userPassword?sub?(uid=$fU)")) {
switch ($retcode) {
case -1:
# no LDAP entry found
xlog("L_INFO", "Ldap user
not
found\n");
sl_send_reply("404", "User
Not
Found");
exit;
case -2:
# internal error
xlog("L_INFO", "Internal
server
error during authentication\n");
sl_send_reply("500",
"Internal
server error");
exit;
default:
exit;
}
}
ldap_result("uid/$avp(s:username)");
ldap_result("userPassword/$avp(s:password)");
}
if(!pv_www_authorize(""))
{
xlog("L_INFO", "Register authentication failed - M=$rm
RURI=$ru
F=$fu T=$tu IP=$si ID=$ci\n");
www_challenge("mydomain", "1");
exit;
}
if(!check_to())
{
xlog("L_INFO", "Spoofed To-URI detected - M=$rm RURI=$ru
F=$fu
T=$tu IP=$si ID=$ci\n");
sl_send_reply("403", "Spoofed To-URI Detected");
exit;
}
consume_credentials();
if(!search("^Contact:[ ]*\*") && nat_uac_test("19"))
{
fix_nated_register();
setbflag(6);
}
if(!save("location"))
{
xlog("L_ERR", "Saving contact failed - M=$rm RURI=$ru
F=$fu
T=$tu IP=$si ID=$ci\n");
sl_reply_error();
exit;
}
xlog("L_INFO", "Registration successful - M=$rm RURI=$ru F=$fu
T=$tu
IP=$si ID=$ci\n");
exit;
}
########################################################################
# Request route 'base-route-invite'
########################################################################
route[4]
{
sl_send_reply("100", "Trying");
if(nat_uac_test("19"))
{
fix_nated_contact();
setbflag(6);
}
route(5);
}
########################################################################
# Request route 'invite-find-callee'
########################################################################
route[5]
{
if(!is_domain_local("$rd"))
{
setflag(20);
route(7);
}
if(does_uri_exist())
{
xlog("L_INFO", "Callee is local - M=$rm RURI=$ru F=$fu
T=$tu
IP=$si ID=$ci\n");
route(6);
}
else
{
xlog("L_INFO", "Callee is not local - M=$rm RURI=$ru F=$fu
T=$tu
IP=$si ID=$ci\n");
route(7);
}
exit;
}
########################################################################
# Request route 'invite-to-external'
########################################################################
route[7]
{
if(isflagset(20))
{
xlog("L_INFO", "Call to foreign domain - M=$rm RURI=$ru
F=$fu
T=$tu IP=$si ID=$ci\n");
if (!pv_proxy_authorize(""))
{
xlog("L_INFO", "TESTING : NOT AUTHENTICATED
!!!!\n");
}
else
{
xlog("L_INFO", "TESTING : AUTHENTICATED
!!!!\n");
}
route(3);
exit;
}
xlog("L_INFO", "Call to unknown user - M=$rm RURI=$ru F=$fu T=$tu
IP=$si
ID=$ci\n");
sl_send_reply("404", "User Not Found");
exit;
}
---------------------
DEBUG LOGS
---------------------
eb 29 15:33:14 proxy_sip /usr/sbin/openser[5444]: DBG:core:parse_headers:
flags=80
Feb 29 15:33:14 proxy_sip /usr/sbin/openser[5444]: DBG:core:parse_headers:
flags=80
Feb 29 15:33:14 proxy_sip /usr/sbin/openser[5444]: Call to foreign domain -
M=INVITE RURI=sip:beacon@columbia.edu F=sip:test@xxxxxxxx T=sip:beacon@co
lumbia.edu IP=xxxxxxx ID=282a363f-5be5-dc11-8272-0015c56ccfaa@xxxxxx
Feb 29 15:33:14 proxy_sip /usr/sbin/openser[5444]: DBG:core:parse_headers:
flags=10000
Feb 29 15:33:14 proxy_sip /usr/sbin/openser[5444]: DBG:auth:pre_auth:
credentials with given realm not found
Feb 29 15:33:14 proxy_sip /usr/sbin/openser[5444]: TESTING : NOT AUTHENTICATED
_______________________________________________
Users mailing list
Users(a)lists.openser.org
http://lists.openser.org/cgi-bin/mailman/listinfo/users
3 Mar
3 Mar
10:26 a.m.
Hi daniel,
Same result when I call pv_proxy_authorize() function with our SIP domain. It
always returns false. When I dump SIP packet with tshark, the SIP user & domain
are not visible inside the INVITE request... Quite strange... the SIP URI is
composed of my local linux user and the domain is my local IP address. I'm using
Ekiga 2.0.11 and my user is registered ! I'll try with another UA.
Regards,
Selon Daniel-Constantin Mierla <miconda(a)gmail.com>om>:
Hello,
for INVITE you have to use pv_proxy_authorize("")
http://www.openser.org/docs/modules/1.3.x/auth.html#AEN281
The problem is that the domain part for the URI of the user you want to
authenticate does not match the value from the realm attribute of
authorization header. Pasting the SIP message will help to give clear
indications.
Cheers,
Daniel
On 02/29/08 18:07, antalsia(a)free.fr wrote:
Hi all,
I'm trying to authenticate INVITE messages with OpenSER 1.3.0 (SIP Proxy +
RTPPROXY) and LDAP module. Although REGISTER authentication works well, I
cannot
check user authorization for INVITE messages.
I'm using an openser.cfg
configuration template from sipwise (see an extract below).
pv_proxy_authorize() routine always returns false, even if my user is
registered
and authenticated through our OpenLDAP. Can you
tell me what I'm doing
wrong ?
Many thks,
---------------------------
openser.cfg
---------------------------
route {
...
if(is_method("REGISTER"))
{
route(2);
}
if(is_method("INVITE"))
{
route(4);
}
...
}
########################################################################
# Request route 'base-route-register'
########################################################################
route[2]
{
sl_send_reply("100", "Trying");
if(is_present_hf("Authorization")||is_present_hf("Proxy-Authorization"))
{
xlog("L_INFO", "is_present_hf
Authorization
or
Proxy-Authorization\n");
if
(!ldap_search("ldap://blabla/blabla?uid,userPassword?sub?(uid=$fU)")) {
switch ($retcode) {
case -1:
# no LDAP entry found
xlog("L_INFO", "Ldap user
not
found\n");
sl_send_reply("404", "User
Not
Found");
exit;
case -2:
# internal error
xlog("L_INFO", "Internal
server
error during authentication\n");
sl_send_reply("500",
"Internal
server error");
exit;
default:
exit;
}
}
ldap_result("uid/$avp(s:username)");
ldap_result("userPassword/$avp(s:password)");
}
if(!pv_www_authorize(""))
{
xlog("L_INFO", "Register authentication failed - M=$rm
RURI=$ru
F=$fu T=$tu IP=$si ID=$ci\n");
www_challenge("mydomain", "1");
exit;
}
if(!check_to())
{
xlog("L_INFO", "Spoofed To-URI detected - M=$rm RURI=$ru
F=$fu
T=$tu IP=$si ID=$ci\n");
sl_send_reply("403", "Spoofed To-URI Detected");
exit;
}
consume_credentials();
if(!search("^Contact:[ ]*\*") && nat_uac_test("19"))
{
fix_nated_register();
setbflag(6);
}
if(!save("location"))
{
xlog("L_ERR", "Saving contact failed - M=$rm RURI=$ru
F=$fu
T=$tu IP=$si ID=$ci\n");
sl_reply_error();
exit;
}
xlog("L_INFO", "Registration successful - M=$rm RURI=$ru F=$fu
T=$tu
IP=$si ID=$ci\n");
exit;
}
########################################################################
# Request route 'base-route-invite'
########################################################################
route[4]
{
sl_send_reply("100", "Trying");
if(nat_uac_test("19"))
{
fix_nated_contact();
setbflag(6);
}
route(5);
}
########################################################################
# Request route 'invite-find-callee'
########################################################################
route[5]
{
if(!is_domain_local("$rd"))
{
setflag(20);
route(7);
}
if(does_uri_exist())
{
xlog("L_INFO", "Callee is local - M=$rm RURI=$ru F=$fu
T=$tu
IP=$si ID=$ci\n");
route(6);
}
else
{
xlog("L_INFO", "Callee is not local - M=$rm RURI=$ru F=$fu
T=$tu
IP=$si ID=$ci\n");
route(7);
}
exit;
}
########################################################################
# Request route 'invite-to-external'
########################################################################
route[7]
{
if(isflagset(20))
{
xlog("L_INFO", "Call to foreign domain - M=$rm RURI=$ru
F=$fu
T=$tu IP=$si ID=$ci\n");
if (!pv_proxy_authorize(""))
{
xlog("L_INFO", "TESTING : NOT AUTHENTICATED
!!!!\n");
}
else
{
xlog("L_INFO", "TESTING : AUTHENTICATED
!!!!\n");
}
route(3);
exit;
}
xlog("L_INFO", "Call to unknown user - M=$rm RURI=$ru F=$fu T=$tu
IP=$si
ID=$ci\n");
sl_send_reply("404", "User Not Found");
exit;
}
---------------------
DEBUG LOGS
---------------------
eb 29 15:33:14 proxy_sip /usr/sbin/openser[5444]: DBG:core:parse_headers:
flags=80
Feb 29 15:33:14 proxy_sip /usr/sbin/openser[5444]: DBG:core:parse_headers:
flags=80
Feb 29 15:33:14 proxy_sip /usr/sbin/openser[5444]: Call to foreign domain -
M=INVITE RURI=sip:beacon@columbia.edu F=sip:test@xxxxxxxx T=sip:beacon@co
lumbia.edu IP=xxxxxxx ID=282a363f-5be5-dc11-8272-0015c56ccfaa@xxxxxx
Feb 29 15:33:14 proxy_sip /usr/sbin/openser[5444]: DBG:core:parse_headers:
flags=10000
Feb 29 15:33:14 proxy_sip /usr/sbin/openser[5444]: DBG:auth:pre_auth:
credentials with given realm not found
Feb 29 15:33:14 proxy_sip /usr/sbin/openser[5444]: TESTING : NOT
AUTHENTICATED
_______________________________________________
Users mailing list
Users(a)lists.openser.org
http://lists.openser.org/cgi-bin/mailman/listinfo/users
4 Mar
4 Mar
2:36 p.m.
Hi all,
Wengophone and ekiga under linux both send an INVITE request with a SIP FROM URI
user@myipaddress... With wengophone under windows, I get user@sipdomain !
Unfortunately, I still cannot authenticate the INVITE message even by inserting
pv_proxy_authorize("sipdomain"). Any idea ?
Selon antalsia(a)free.fr:
Hi daniel,
Same result when I call pv_proxy_authorize() function with our SIP domain. It
always returns false. When I dump SIP packet with tshark, the SIP user &
domain
are not visible inside the INVITE request... Quite strange... the SIP URI is
composed of my local linux user and the domain is my local IP address. I'm
using
Ekiga 2.0.11 and my user is registered ! I'll try with another UA.
Regards,
Selon Daniel-Constantin Mierla <miconda(a)gmail.com>om>:
Authorization
F=$fu
Hello,
for INVITE you have to use pv_proxy_authorize("")
http://www.openser.org/docs/modules/1.3.x/auth.html#AEN281
The problem is that the domain part for the URI of the user you want to
authenticate does not match the value from the realm attribute of
authorization header. Pasting the SIP message will help to give clear
indications.
Cheers,
Daniel
On 02/29/08 18:07, antalsia(a)free.fr wrote:
> Hi all,
>
> I'm trying to authenticate INVITE messages with OpenSER 1.3.0 (SIP Proxy
+
RTPPROXY)
and LDAP module. Although REGISTER authentication works well, I
cannot
check user authorization for INVITE messages.
I'm using an openser.cfg
configuration template from sipwise (see an extract below).
pv_proxy_authorize() routine always returns false, even if my user is
registered
and authenticated through our OpenLDAP. Can you
tell me what I'm doing
wrong ?
Many thks,
---------------------------
openser.cfg
---------------------------
route {
...
if(is_method("REGISTER"))
{
route(2);
}
if(is_method("INVITE"))
{
route(4);
}
...
}
########################################################################
# Request route 'base-route-register'
########################################################################
route[2]
{
sl_send_reply("100", "Trying");
if(is_present_hf("Authorization")||is_present_hf("Proxy-Authorization"))
> {
>
> xlog("L_INFO", "is_present_hf or
"User
Proxy-Authorization\n");
if
(!ldap_search("ldap://blabla/blabla?uid,userPassword?sub?(uid=$fU)")) {
switch ($retcode) {
case -1:
# no LDAP entry found
xlog("L_INFO", "Ldap user
not
> found\n");
> sl_send_reply("404",
Not
F=$fu
Found");
exit;
case -2:
# internal error
xlog("L_INFO", "Internal
server
error during authentication\n");
sl_send_reply("500",
"Internal
server error");
exit;
default:
exit;
}
}
ldap_result("uid/$avp(s:username)");
ldap_result("userPassword/$avp(s:password)");
}
if(!pv_www_authorize(""))
{
xlog("L_INFO", "Register authentication failed - M=$rm
RURI=$ru
F=$fu T=$tu IP=$si ID=$ci\n");
www_challenge("mydomain", "1");
exit;
}
if(!check_to())
{
xlog("L_INFO", "Spoofed To-URI detected - M=$rm RURI=$ru
F=$fu
> T=$tu IP=$si ID=$ci\n");
> sl_send_reply("403", "Spoofed To-URI
Detected");
> exit;
> }
> consume_credentials();
> if(!search("^Contact:[ ]*\*") &&
nat_uac_test("19"))
> {
> fix_nated_register();
> setbflag(6);
> }
> if(!save("location"))
> {
>
> xlog("L_ERR", "Saving contact failed - M=$rm RURI=$ru
T=$tu
IP=$si ID=$ci\n");
sl_reply_error();
exit;
}
xlog("L_INFO", "Registration successful - M=$rm RURI=$ru F=$fu
T=$tu
IP=$si ID=$ci\n");
exit;
}
########################################################################
# Request route 'base-route-invite'
########################################################################
route[4]
{
sl_send_reply("100", "Trying");
if(nat_uac_test("19"))
{
fix_nated_contact();
setbflag(6);
}
route(5);
}
########################################################################
# Request route 'invite-find-callee'
########################################################################
route[5]
{
if(!is_domain_local("$rd"))
{
setflag(20);
route(7);
}
if(does_uri_exist())
{
xlog("L_INFO", "Callee is local - M=$rm RURI=$ru F=$fu
T=$tu
> IP=$si ID=$ci\n");
> route(6);
> }
> else
> {
>
> xlog("L_INFO", "Callee is not local - M=$rm RURI=$ru
T=$tu
DBG:core:parse_headers:
IP=$si ID=$ci\n");
route(7);
}
exit;
}
########################################################################
# Request route 'invite-to-external'
########################################################################
route[7]
{
if(isflagset(20))
{
xlog("L_INFO", "Call to foreign domain - M=$rm RURI=$ru
F=$fu
T=$tu IP=$si ID=$ci\n");
if (!pv_proxy_authorize(""))
{
xlog("L_INFO", "TESTING : NOT AUTHENTICATED
!!!!\n");
}
else
{
xlog("L_INFO", "TESTING : AUTHENTICATED
!!!!\n");
}
route(3);
exit;
}
xlog("L_INFO", "Call to unknown user - M=$rm RURI=$ru F=$fu T=$tu
IP=$si
> ID=$ci\n");
> sl_send_reply("404", "User Not Found");
> exit;
>
> }
>
>
> ---------------------
> DEBUG LOGS
> ---------------------
> eb 29 15:33:14 proxy_sip /usr/sbin/openser[5444]: DBG:core:parse_headers:
> flags=80
> Feb 29 15:33:14 proxy_sip /usr/sbin/openser[5444]: > flags=80
> Feb 29 15:33:14 proxy_sip /usr/sbin/openser[5444]: Call to foreign domain
-
> M=INVITE RURI=sip:beacon@columbia.edu
F=sip:test@xxxxxxxx T=sip:beacon@co
> lumbia.edu IP=xxxxxxx ID=282a363f-5be5-dc11-8272-0015c56ccfaa@xxxxxx
> Feb 29 15:33:14 proxy_sip /usr/sbin/openser[5444]:
DBG:core:parse_headers:
flags=10000
Feb 29 15:33:14 proxy_sip /usr/sbin/openser[5444]: DBG:auth:pre_auth:
credentials with given realm not found
Feb 29 15:33:14 proxy_sip /usr/sbin/openser[5444]: TESTING : NOT
AUTHENTICATED
_______________________________________________
Users mailing list
Users(a)lists.openser.org
http://lists.openser.org/cgi-bin/mailman/listinfo/users
6110
days inactive
6114
days old
3 comments
2 participants
participants (2)
-
antalsia@free.fr -
Daniel-Constantin Mierla