[Serusers] Restrict registration to one user per login - sr-users - kamailio.org

List overview All Threads
Download

[Serusers] Restrict registration to one user per login

[Serusers] Do Call but Can't...

[Serusers] is ther any way to...

Jffdsaklj dsjk

16 Mar 2005 16 Mar '05

5:04 p.m.

How can we restrict the registration to only one user per login?. Currently, you can register with the same login/password in different machines at the same time. But what we require is that only the first registration is valid and the rest ones are invalidated by the SER. Thanks

Reply

Show replies by date

Klaus Darilion

16 Mar 16 Mar

5:11 p.m.

Hi Jffdsaklj! (must be a hard life living with such a name) And how will you distinguish between an invalid registration and a valid re-registration from a new IP address? regards, klaus Jffdsaklj dsjk wrote:

How can we restrict the registration to only one user per login?. Currently, you can register with the same login/password in different machines at the same time. But what we require is that only the first registration is valid and the rest ones are invalidated by the SER. Thanks _______________________________________________ Serusers mailing list serusers(a)lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers

Reply

Jffdsaklj dsjk

22 Mar 22 Mar

10:37 a.m.

Finally I found a solution. I've attached the block I included in the SER cfg file. The problem (big problem) is that after a day (more or less), there are defunct processes. I think it's a problem of the exec_msg sentence, but I'm not sure. With these defunct processes, SER crashed. :( ###################################################################### # This block of code controls the user registration if (method=="REGISTER") { # Enable authentication if (!www_authorize("galeno.hi.inet","subscriber")) { www_challenge("galeno.hi.inet","0"); break; }; #### # This block prevents a user from registering with a login previously registered from another machine # # Verify it's not a deregistration message if (!search("Expires: 0")) { # It's a registration message # Verify that there's no register in the table location with the same user but from a differente machine if ( !exec_msg(' USUARIO=`echo $SIP_HF_FROM | sed -n "s/<sip:\(.*\)@.*/\1/p"`; QUERY="select username from location where username=\"$USUARIO\" and contact not like \"sip:$SIP_SRCIP:%\""; RESULT=`mysql -uXXX -pXXX -e "$QUERY" ser`; if [ -z "$RESULT" ]; then exit 0; else echo "The user $USUARIO is already registered" >> /var/log/serprueba.log; exit 1; fi;') ) { # The user is already registered sl_send_reply("404", "Not Found"); break; }; } #### save("location"); break; }; ##################################################################### On Wed, 16 Mar 2005 17:11:01 +0100, Klaus Darilion <klaus.mailinglists(a)pernau.at> wrote:

Hi Jffdsaklj! (must be a hard life living with such a name) And how will you distinguish between an invalid registration and a valid re-registration from a new IP address? regards, klaus Jffdsaklj dsjk wrote:

How can we restrict the registration to only one user per login?. Currently, you can register with the same login/password in different machines at the same time. But what we require is that only the first registration is valid and the rest ones are invalidated by the SER. Thanks _______________________________________________ Serusers mailing list serusers(a)lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers

Reply

Java Rockx

12:49 p.m.

FYI, exec_msg is highly not recommended because it is "expensive" in terms of processing. Regards, Paul On Tue, 22 Mar 2005 10:37:58 +0100, Jffdsaklj dsjk <jjjaime(a)gmail.com> wrote:

Finally I found a solution. I've attached the block I included in the SER cfg file. The problem (big problem) is that after a day (more or less), there are defunct processes. I think it's a problem of the exec_msg sentence, but I'm not sure. With these defunct processes, SER crashed. :( ###################################################################### # This block of code controls the user registration if (method=="REGISTER") { # Enable authentication if (!www_authorize("galeno.hi.inet","subscriber")) { www_challenge("galeno.hi.inet","0"); break; }; #### # This block prevents a user from registering with a login previously registered from another machine # # Verify it's not a deregistration message if (!search("Expires: 0")) { # It's a registration message # Verify that there's no register in the table location with the same user but from a differente machine if ( !exec_msg(' USUARIO=`echo $SIP_HF_FROM | sed -n "s/<sip:\(.*\)@.*/\1/p"`; QUERY="select username from location where username=\"$USUARIO\" and contact not like \"sip:$SIP_SRCIP:%\""; RESULT=`mysql -uXXX -pXXX -e "$QUERY" ser`; if [ -z "$RESULT" ]; then exit 0; else echo "The user $USUARIO is already registered" >> /var/log/serprueba.log; exit 1; fi;') ) { # The user is already registered sl_send_reply("404", "Not Found"); break; }; } #### save("location"); break; }; ##################################################################### On Wed, 16 Mar 2005 17:11:01 +0100, Klaus Darilion <klaus.mailinglists(a)pernau.at> wrote:

Hi Jffdsaklj! (must be a hard life living with such a name) And how will you distinguish between an invalid registration and a valid re-registration from a new IP address? regards, klaus Jffdsaklj dsjk wrote:

How can we restrict the registration to only one user per login?. Currently, you can register with the same login/password in different machines at the same time. But what we require is that only the first registration is valid and the rest ones are invalidated by the SER. Thanks _______________________________________________ Serusers mailing list serusers(a)lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers

_______________________________________________ Serusers mailing list serusers(a)lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers

Reply

Dana Olson

3:16 p.m.

Right, but what alternative is there? On Tue, 22 Mar 2005 06:49:08 -0500, Java Rockx <javarockx(a)gmail.com> wrote:

FYI, exec_msg is highly not recommended because it is "expensive" in terms of processing. Regards, Paul

Reply

Jiri Kuthan

23 Mar 23 Mar

10:11 a.m.

Write a SER module if you wish the code to be fast. -jiri At 03:16 PM 3/22/2005, Dana Olson wrote:

Right, but what alternative is there? On Tue, 22 Mar 2005 06:49:08 -0500, Java Rockx <javarockx(a)gmail.com> wrote:

FYI, exec_msg is highly not recommended because it is "expensive" in terms of processing. Regards, Paul

_______________________________________________ Serusers mailing list serusers(a)lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers

-- Jiri Kuthan http://iptel.org/~jiri/

Reply

Jffdsaklj dsjk

9:03 a.m.

So, what do you recommend us to use instead of exec_msg?. What's the best alternative?. On Tue, 22 Mar 2005 06:49:08 -0500, Java Rockx <javarockx(a)gmail.com> wrote:

FYI, exec_msg is highly not recommended because it is "expensive" in terms of processing. Regards, Paul On Tue, 22 Mar 2005 10:37:58 +0100, Jffdsaklj dsjk <jjjaime(a)gmail.com> wrote:

Finally I found a solution. I've attached the block I included in the SER cfg file. The problem (big problem) is that after a day (more or less), there are defunct processes. I think it's a problem of the exec_msg sentence, but I'm not sure. With these defunct processes, SER crashed. :( ###################################################################### # This block of code controls the user registration if (method=="REGISTER") { # Enable authentication if (!www_authorize("galeno.hi.inet","subscriber")) { www_challenge("galeno.hi.inet","0"); break; }; #### # This block prevents a user from registering with a login previously registered from another machine # # Verify it's not a deregistration message if (!search("Expires: 0")) { # It's a registration message # Verify that there's no register in the table location with the same user but from a differente machine if ( !exec_msg(' USUARIO=`echo $SIP_HF_FROM | sed -n "s/<sip:\(.*\)@.*/\1/p"`; QUERY="select username from location where username=\"$USUARIO\" and contact not like \"sip:$SIP_SRCIP:%\""; RESULT=`mysql -uXXX -pXXX -e "$QUERY" ser`; if [ -z "$RESULT" ]; then exit 0; else echo "The user $USUARIO is already registered" >> /var/log/serprueba.log; exit 1; fi;') ) { # The user is already registered sl_send_reply("404", "Not Found"); break; }; } #### save("location"); break; }; ##################################################################### On Wed, 16 Mar 2005 17:11:01 +0100, Klaus Darilion <klaus.mailinglists(a)pernau.at> wrote:

Hi Jffdsaklj! (must be a hard life living with such a name) And how will you distinguish between an invalid registration and a valid re-registration from a new IP address? regards, klaus Jffdsaklj dsjk wrote:

How can we restrict the registration to only one user per login?. Currently, you can register with the same login/password in different machines at the same time. But what we require is that only the first registration is valid and the rest ones are invalidated by the SER. Thanks _______________________________________________ Serusers mailing list serusers(a)lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers

_______________________________________________ Serusers mailing list serusers(a)lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers

Reply

Marian Dumitru

2:09 p.m.

Hi Paul, You are right - maybe a better approach will be to use the registered() function - it returns true if the AOR in the Request-URI is registered. To do the trick for REGISTER requests, use avpops so copy the From or To uri into RURI before checking - then you can to revert_uri() to restore to original value, I haven't tried it , it's just an idea. Best regards, Marian Java Rockx wrote:

FYI, exec_msg is highly not recommended because it is "expensive" in terms of processing. Regards, Paul On Tue, 22 Mar 2005 10:37:58 +0100, Jffdsaklj dsjk <jjjaime(a)gmail.com> wrote: >Finally I found a solution. I've attached the block I included in the >SER cfg file. >The problem (big problem) is that after a day (more or less), there >are defunct processes. I think it's a problem of the exec_msg >sentence, but I'm not sure. With these defunct processes, SER crashed. >:( > > ###################################################################### > # This block of code controls the user registration > if (method=="REGISTER") { > > # Enable authentication > if (!www_authorize("galeno.hi.inet","subscriber")) { > www_challenge("galeno.hi.inet","0"); > break; > }; > > #### > # This block prevents a user from registering with a login >previously registered from another machine > # > # Verify it's not a deregistration message > if (!search("Expires: 0")) { > # It's a registration message > # Verify that there's no register in the table location with the >same user but from a differente machine > if ( > !exec_msg(' > USUARIO=`echo $SIP_HF_FROM | sed -n "s/<sip:\(.*\)@.*/\1/p"`; > QUERY="select username from location where >username=\"$USUARIO\" and contact not like \"sip:$SIP_SRCIP:%\""; > RESULT=`mysql -uXXX -pXXX -e "$QUERY" ser`; > if [ -z "$RESULT" ]; then exit 0; else echo "The user >$USUARIO is already registered" >> /var/log/serprueba.log; exit 1; >fi;') > ) { > # The user is already registered > sl_send_reply("404", "Not Found"); > break; > }; > } > #### > > save("location"); > break; > }; > ##################################################################### > >On Wed, 16 Mar 2005 17:11:01 +0100, Klaus Darilion ><klaus.mailinglists(a)pernau.at> wrote: > >>Hi Jffdsaklj! (must be a hard life living with such a name) >> >>And how will you distinguish between an invalid registration and a valid >>re-registration from a new IP address? >> >>regards, >>klaus >> >>Jffdsaklj dsjk wrote: >> >>>How can we restrict the registration to only one user per login?. >>>Currently, you can register with the same login/password in different >>>machines at the same time. But what we require is that only the first >>>registration is valid and the rest ones are invalidated by the SER. >>>Thanks

-- Voice System http://www.voice-system.ro

Reply

Dana Olson

2:58 p.m.

avpops is only in CVS, right? CVS also has max_contacts for the registrar module, which kinda does the same thing. Stable has no such option to my knowledge. -- Dana On Wed, 23 Mar 2005 14:09:22 +0100, Marian Dumitru <marian.dumitru(a)voice-sistem.ro> wrote:

Hi Paul, You are right - maybe a better approach will be to use the registered() function - it returns true if the AOR in the Request-URI is registered. To do the trick for REGISTER requests, use avpops so copy the From or To uri into RURI before checking - then you can to revert_uri() to restore to original value, I haven't tried it , it's just an idea. Best regards, Marian Java Rockx wrote:

FYI, exec_msg is highly not recommended because it is "expensive" in terms of processing. Regards, Paul On Tue, 22 Mar 2005 10:37:58 +0100, Jffdsaklj dsjk <jjjaime(a)gmail.com> wrote: >Finally I found a solution. I've attached the block I included in the >SER cfg file. >The problem (big problem) is that after a day (more or less), there >are defunct processes. I think it's a problem of the exec_msg >sentence, but I'm not sure. With these defunct processes, SER crashed. >:( > > ###################################################################### > # This block of code controls the user registration > if (method=="REGISTER") { > > # Enable authentication > if (!www_authorize("galeno.hi.inet","subscriber")) { > www_challenge("galeno.hi.inet","0"); > break; > }; > > #### > # This block prevents a user from registering with a login >previously registered from another machine > # > # Verify it's not a deregistration message > if (!search("Expires: 0")) { > # It's a registration message > # Verify that there's no register in the table location with the >same user but from a differente machine > if ( > !exec_msg(' > USUARIO=`echo $SIP_HF_FROM | sed -n "s/<sip:\(.*\)@.*/\1/p"`; > QUERY="select username from location where >username=\"$USUARIO\" and contact not like \"sip:$SIP_SRCIP:%\""; > RESULT=`mysql -uXXX -pXXX -e "$QUERY" ser`; > if [ -z "$RESULT" ]; then exit 0; else echo "The user >$USUARIO is already registered" >> /var/log/serprueba.log; exit 1; >fi;') > ) { > # The user is already registered > sl_send_reply("404", "Not Found"); > break; > }; > } > #### > > save("location"); > break; > }; > ##################################################################### > >On Wed, 16 Mar 2005 17:11:01 +0100, Klaus Darilion ><klaus.mailinglists(a)pernau.at> wrote: > >>Hi Jffdsaklj! (must be a hard life living with such a name) >> >>And how will you distinguish between an invalid registration and a valid >>re-registration from a new IP address? >> >>regards, >>klaus >> >>Jffdsaklj dsjk wrote: >> >>>How can we restrict the registration to only one user per login?. >>>Currently, you can register with the same login/password in different >>>machines at the same time. But what we require is that only the first >>>registration is valid and the rest ones are invalidated by the SER. >>>Thanks

-- Voice System http://www.voice-system.ro _______________________________________________ Serusers mailing list serusers(a)lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers

Reply

Java Rockx

3:14 p.m.

IMHO setting max_contacts is very dangerous because if you reboot your SIP UA and your NAT device gives you a new port assignment, the you will __fail__ to register if your previous contact AOR has not expired. I think this is the hardest part of implementing a "per-seat" configuration. You just don't know when a NAT will assign a new port to a SIP UA. I gave up on this for this very reason. Our solution is to lock down the SIP UAs and never let a customer get in to the settings (except for the LAN/WAN settings). Regards, Paul On Wed, 23 Mar 2005 08:58:09 -0500, Dana Olson <rickaster(a)gmail.com> wrote:

avpops is only in CVS, right? CVS also has max_contacts for the registrar module, which kinda does the same thing. Stable has no such option to my knowledge. -- Dana On Wed, 23 Mar 2005 14:09:22 +0100, Marian Dumitru <marian.dumitru(a)voice-sistem.ro> wrote:

Hi Paul, You are right - maybe a better approach will be to use the registered() function - it returns true if the AOR in the Request-URI is registered. To do the trick for REGISTER requests, use avpops so copy the From or To uri into RURI before checking - then you can to revert_uri() to restore to original value, I haven't tried it , it's just an idea. Best regards, Marian Java Rockx wrote:

FYI, exec_msg is highly not recommended because it is "expensive" in terms of processing. Regards, Paul On Tue, 22 Mar 2005 10:37:58 +0100, Jffdsaklj dsjk <jjjaime(a)gmail.com> wrote: >Finally I found a solution. I've attached the block I included in the >SER cfg file. >The problem (big problem) is that after a day (more or less), there >are defunct processes. I think it's a problem of the exec_msg >sentence, but I'm not sure. With these defunct processes, SER crashed. >:( > > ###################################################################### > # This block of code controls the user registration > if (method=="REGISTER") { > > # Enable authentication > if (!www_authorize("galeno.hi.inet","subscriber")) { > www_challenge("galeno.hi.inet","0"); > break; > }; > > #### > # This block prevents a user from registering with a login >previously registered from another machine > # > # Verify it's not a deregistration message > if (!search("Expires: 0")) { > # It's a registration message > # Verify that there's no register in the table location with the >same user but from a differente machine > if ( > !exec_msg(' > USUARIO=`echo $SIP_HF_FROM | sed -n "s/<sip:\(.*\)@.*/\1/p"`; > QUERY="select username from location where >username=\"$USUARIO\" and contact not like \"sip:$SIP_SRCIP:%\""; > RESULT=`mysql -uXXX -pXXX -e "$QUERY" ser`; > if [ -z "$RESULT" ]; then exit 0; else echo "The user >$USUARIO is already registered" >> /var/log/serprueba.log; exit 1; >fi;') > ) { > # The user is already registered > sl_send_reply("404", "Not Found"); > break; > }; > } > #### > > save("location"); > break; > }; > ##################################################################### > >On Wed, 16 Mar 2005 17:11:01 +0100, Klaus Darilion ><klaus.mailinglists(a)pernau.at> wrote: > >>Hi Jffdsaklj! (must be a hard life living with such a name) >> >>And how will you distinguish between an invalid registration and a valid >>re-registration from a new IP address? >> >>regards, >>klaus >> >>Jffdsaklj dsjk wrote: >> >>>How can we restrict the registration to only one user per login?. >>>Currently, you can register with the same login/password in different >>>machines at the same time. But what we require is that only the first >>>registration is valid and the rest ones are invalidated by the SER. >>>Thanks

-- Voice System http://www.voice-system.ro _______________________________________________ Serusers mailing list serusers(a)lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers

Reply

Dana Olson

4:05 p.m.

On Wed, 23 Mar 2005 09:14:42 -0500, Java Rockx <javarockx(a)gmail.com> wrote:

IMHO setting max_contacts is very dangerous because if you reboot your SIP UA and your NAT device gives you a new port assignment, the you will __fail__ to register if your previous contact AOR has not expired. I think this is the hardest part of implementing a "per-seat" configuration. You just don't know when a NAT will assign a new port to a SIP UA. I gave up on this for this very reason. Our solution is to lock down the SIP UAs and never let a customer get in to the settings (except for the LAN/WAN settings). Regards, Paul

Hey Paul, I hear you. I'm just saying that max_contacts is basically what we're attempting to accomplish, only in the stable banch of SER. And I've basically got it down to the point where the only time it locks me out is if A) someone is already logged in with that account, or B) my IP address changes. I also wrote a real quick CGI that will list all the users logged in, and if you click on any of them, it'll force them out of the location table, allowing someone else to login (or re-login, if the IP changed). However, if my superiors find this to not be an acceptable solution, I'd like to know what you are using, and how did you lock it down? We tried with SJphone and had some success, but the quality just doesn't compare to eyeBeam. We managed to lockdown eyeBeam a bit, but users can still get into the settings. I'd appreciate your insight. -- Dana

Reply

Java Rockx

4:16 p.m.

We're shipping UTstarcom iAN-02EX ATAs and these are fully remote configurable as they query our Apache farm for their configuration upon bootup (based on their MAC address). So we have full control of the customer IAD, and the customer doesn't. For softphones --- this is bad. Xten (eyebeam) AFAIK, do not have a way to remotely configure them and therefore you have to give the SIP proxy UID and PWD to the customer and we decided under no circumstances will this be done on our network. The solution for a softphone is to find one that will remotely configure like the UTstarcom IAD. We're not shipping softphones so I can't really help you there. Regards, Paul On Wed, 23 Mar 2005 10:05:26 -0500, Dana Olson <rickaster(a)gmail.com> wrote:

On Wed, 23 Mar 2005 09:14:42 -0500, Java Rockx <javarockx(a)gmail.com> wrote:

IMHO setting max_contacts is very dangerous because if you reboot your SIP UA and your NAT device gives you a new port assignment, the you will __fail__ to register if your previous contact AOR has not expired. I think this is the hardest part of implementing a "per-seat" configuration. You just don't know when a NAT will assign a new port to a SIP UA. I gave up on this for this very reason. Our solution is to lock down the SIP UAs and never let a customer get in to the settings (except for the LAN/WAN settings). Regards, Paul

Hey Paul, I hear you. I'm just saying that max_contacts is basically what we're attempting to accomplish, only in the stable banch of SER. And I've basically got it down to the point where the only time it locks me out is if A) someone is already logged in with that account, or B) my IP address changes. I also wrote a real quick CGI that will list all the users logged in, and if you click on any of them, it'll force them out of the location table, allowing someone else to login (or re-login, if the IP changed). However, if my superiors find this to not be an acceptable solution, I'd like to know what you are using, and how did you lock it down? We tried with SJphone and had some success, but the quality just doesn't compare to eyeBeam. We managed to lockdown eyeBeam a bit, but users can still get into the settings. I'd appreciate your insight. -- Dana

Reply

Iqbal

5:54 p.m.

Hi I never tried max_contacts, but would it not be possible to logoff the previous contact b4 the new one registers, that way you wont have a locking issue. This is the kind of thing I guess yahoo IM etc all do...kind of Iqbal PS is max contacts in CVS head, or in 0.9 also On 3/23/2005, "Java Rockx" <javarockx(a)gmail.com> wrote:

We're shipping UTstarcom iAN-02EX ATAs and these are fully remote configurable as they query our Apache farm for their configuration upon bootup (based on their MAC address). So we have full control of the customer IAD, and the customer doesn't. For softphones --- this is bad. Xten (eyebeam) AFAIK, do not have a way to remotely configure them and therefore you have to give the SIP proxy UID and PWD to the customer and we decided under no circumstances will this be done on our network. The solution for a softphone is to find one that will remotely configure like the UTstarcom IAD. We're not shipping softphones so I can't really help you there. Regards, Paul On Wed, 23 Mar 2005 10:05:26 -0500, Dana Olson <rickaster(a)gmail.com> wrote:

On Wed, 23 Mar 2005 09:14:42 -0500, Java Rockx <javarockx(a)gmail.com> wrote:

IMHO setting max_contacts is very dangerous because if you reboot your SIP UA and your NAT device gives you a new port assignment, the you will __fail__ to register if your previous contact AOR has not expired. I think this is the hardest part of implementing a "per-seat" configuration. You just don't know when a NAT will assign a new port to a SIP UA. I gave up on this for this very reason. Our solution is to lock down the SIP UAs and never let a customer get in to the settings (except for the LAN/WAN settings). Regards, Paul

Hey Paul, I hear you. I'm just saying that max_contacts is basically what we're attempting to accomplish, only in the stable banch of SER. And I've basically got it down to the point where the only time it locks me out is if A) someone is already logged in with that account, or B) my IP address changes. I also wrote a real quick CGI that will list all the users logged in, and if you click on any of them, it'll force them out of the location table, allowing someone else to login (or re-login, if the IP changed). However, if my superiors find this to not be an acceptable solution, I'd like to know what you are using, and how did you lock it down? We tried with SJphone and had some success, but the quality just doesn't compare to eyeBeam. We managed to lockdown eyeBeam a bit, but users can still get into the settings. I'd appreciate your insight. -- Dana

_______________________________________________ Serusers mailing list serusers(a)lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers

Reply

Dana Olson

8:29 p.m.

As far as I knew, 0.9.0 wasn't officially released as stable yet. Am I wrong? And yes, what you said to prevent the locking issue is exactly correct. But my scripting does this on 0.8.14 as well. The only time it will lock is if an IP address changes and then a reregister request is sent without unregistering first. I don't even know if that is a possibility, but I assume it is. Ideally, we would be able to know if it's the same phone re-registering, but you can't tell the difference if it's the same person with a new IP, or, for example, if you open up task manager, kill the softphone (which means its registration doesn't force expire/unregister), change IP addresses, and then log in again. My script does this in its current state. It will only reject if the registration hasn't expired and a new IP address is trying to register. I'm not sure, but I assume, this is also what happens with max_contacts. -- Dana On Wed, 23 Mar 2005 16:54:21 GMT, Iqbal <iqbal(a)gigo.co.uk> wrote:

Hi I never tried max_contacts, but would it not be possible to logoff the previous contact b4 the new one registers, that way you wont have a locking issue. This is the kind of thing I guess yahoo IM etc all do...kind of Iqbal PS is max contacts in CVS head, or in 0.9 also On 3/23/2005, "Java Rockx" <javarockx(a)gmail.com> wrote: >We're shipping UTstarcom iAN-02EX ATAs and these are fully remote >configurable as they query our Apache farm for their configuration >upon bootup (based on their MAC address). > >So we have full control of the customer IAD, and the customer doesn't. > >For softphones --- this is bad. Xten (eyebeam) AFAIK, do not have a >way to remotely configure them and therefore you have to give the SIP >proxy UID and PWD to the customer and we decided under no >circumstances will this be done on our network. > >The solution for a softphone is to find one that will remotely >configure like the UTstarcom IAD. We're not shipping softphones so I >can't really help you there. > >Regards, >Paul > > >On Wed, 23 Mar 2005 10:05:26 -0500, Dana Olson <rickaster(a)gmail.com> wrote: >> On Wed, 23 Mar 2005 09:14:42 -0500, Java Rockx <javarockx(a)gmail.com> wrote: >> > IMHO setting max_contacts is very dangerous because if you reboot your >> > SIP UA and your NAT device gives you a new port assignment, the you >> > will __fail__ to register if your previous contact AOR has not >> > expired. >> > >> > I think this is the hardest part of implementing a "per-seat" >> > configuration. You just don't know when a NAT will assign a new port >> > to a SIP UA. >> > >> > I gave up on this for this very reason. Our solution is to lock down >> > the SIP UAs and never let a customer get in to the settings (except >> > for the LAN/WAN settings). >> > >> > Regards, >> > Paul >> >> Hey Paul, I hear you. I'm just saying that max_contacts is basically >> what we're attempting to accomplish, only in the stable banch of SER. >> And I've basically got it down to the point where the only time it >> locks me out is if A) someone is already logged in with that account, >> or B) my IP address changes. I also wrote a real quick CGI that will >> list all the users logged in, and if you click on any of them, it'll >> force them out of the location table, allowing someone else to login >> (or re-login, if the IP changed). >> >> However, if my superiors find this to not be an acceptable solution, >> I'd like to know what you are using, and how did you lock it down? We >> tried with SJphone and had some success, but the quality just doesn't >> compare to eyeBeam. We managed to lockdown eyeBeam a bit, but users >> can still get into the settings. I'd appreciate your insight. >> -- >> Dana

Reply

Java Rockx

8:37 p.m.

It would be really nice if somehow the SIP UA's MAC address could be discovered. If that were possible you could really do per-seat connections. Regards, Paul On Wed, 23 Mar 2005 14:29:37 -0500, Dana Olson <rickaster(a)gmail.com> wrote:

As far as I knew, 0.9.0 wasn't officially released as stable yet. Am I wrong? And yes, what you said to prevent the locking issue is exactly correct. But my scripting does this on 0.8.14 as well. The only time it will lock is if an IP address changes and then a reregister request is sent without unregistering first. I don't even know if that is a possibility, but I assume it is. Ideally, we would be able to know if it's the same phone re-registering, but you can't tell the difference if it's the same person with a new IP, or, for example, if you open up task manager, kill the softphone (which means its registration doesn't force expire/unregister), change IP addresses, and then log in again. My script does this in its current state. It will only reject if the registration hasn't expired and a new IP address is trying to register. I'm not sure, but I assume, this is also what happens with max_contacts. -- Dana On Wed, 23 Mar 2005 16:54:21 GMT, Iqbal <iqbal(a)gigo.co.uk> wrote:

Hi I never tried max_contacts, but would it not be possible to logoff the previous contact b4 the new one registers, that way you wont have a locking issue. This is the kind of thing I guess yahoo IM etc all do...kind of Iqbal PS is max contacts in CVS head, or in 0.9 also On 3/23/2005, "Java Rockx" <javarockx(a)gmail.com> wrote: >We're shipping UTstarcom iAN-02EX ATAs and these are fully remote >configurable as they query our Apache farm for their configuration >upon bootup (based on their MAC address). > >So we have full control of the customer IAD, and the customer doesn't. > >For softphones --- this is bad. Xten (eyebeam) AFAIK, do not have a >way to remotely configure them and therefore you have to give the SIP >proxy UID and PWD to the customer and we decided under no >circumstances will this be done on our network. > >The solution for a softphone is to find one that will remotely >configure like the UTstarcom IAD. We're not shipping softphones so I >can't really help you there. > >Regards, >Paul > > >On Wed, 23 Mar 2005 10:05:26 -0500, Dana Olson <rickaster(a)gmail.com> wrote: >> On Wed, 23 Mar 2005 09:14:42 -0500, Java Rockx <javarockx(a)gmail.com> wrote: >> > IMHO setting max_contacts is very dangerous because if you reboot your >> > SIP UA and your NAT device gives you a new port assignment, the you >> > will __fail__ to register if your previous contact AOR has not >> > expired. >> > >> > I think this is the hardest part of implementing a "per-seat" >> > configuration. You just don't know when a NAT will assign a new port >> > to a SIP UA. >> > >> > I gave up on this for this very reason. Our solution is to lock down >> > the SIP UAs and never let a customer get in to the settings (except >> > for the LAN/WAN settings). >> > >> > Regards, >> > Paul >> >> Hey Paul, I hear you. I'm just saying that max_contacts is basically >> what we're attempting to accomplish, only in the stable banch of SER. >> And I've basically got it down to the point where the only time it >> locks me out is if A) someone is already logged in with that account, >> or B) my IP address changes. I also wrote a real quick CGI that will >> list all the users logged in, and if you click on any of them, it'll >> force them out of the location table, allowing someone else to login >> (or re-login, if the IP changed). >> >> However, if my superiors find this to not be an acceptable solution, >> I'd like to know what you are using, and how did you lock it down? We >> tried with SJphone and had some success, but the quality just doesn't >> compare to eyeBeam. We managed to lockdown eyeBeam a bit, but users >> can still get into the settings. I'd appreciate your insight. >> -- >> Dana

Reply

Dana Olson

9:28 p.m.

I thought of this too, and I think it really is the only way to do it. *sigh* I suppose that this could be done if we develop our own custom softphone, but I doubt we will do that (not entirely true, we're considering it, but it won't be immediately deployable either way). Ah well, I'm close enough I think. :) -- Dana On Wed, 23 Mar 2005 14:37:29 -0500, Java Rockx <javarockx(a)gmail.com> wrote:

It would be really nice if somehow the SIP UA's MAC address could be discovered. If that were possible you could really do per-seat connections. Regards, Paul On Wed, 23 Mar 2005 14:29:37 -0500, Dana Olson <rickaster(a)gmail.com> wrote: > As far as I knew, 0.9.0 wasn't officially released as stable yet. Am I wrong? > > And yes, what you said to prevent the locking issue is exactly > correct. But my scripting does this on 0.8.14 as well. The only time > it will lock is if an IP address changes and then a reregister request > is sent without unregistering first. I don't even know if that is a > possibility, but I assume it is. > > Ideally, we would be able to know if it's the same phone > re-registering, but you can't tell the difference if it's the same > person with a new IP, or, for example, if you open up task manager, > kill the softphone (which means its registration doesn't force > expire/unregister), change IP addresses, and then log in again. > > My script does this in its current state. It will only reject if the > registration hasn't expired and a new IP address is trying to > register. I'm not sure, but I assume, this is also what happens with > max_contacts. > -- > Dana > > On Wed, 23 Mar 2005 16:54:21 GMT, Iqbal <iqbal(a)gigo.co.uk> wrote: > > > > Hi > > > > I never tried max_contacts, but would it not be possible to logoff the > > previous contact b4 the new one registers, that way you wont have a > > locking issue. > > > > This is the kind of thing I guess yahoo IM etc all do...kind of > > > > Iqbal > > > > PS is max contacts in CVS head, or in 0.9 also > > > > On 3/23/2005, "Java Rockx" <javarockx(a)gmail.com> wrote: > > > > >We're shipping UTstarcom iAN-02EX ATAs and these are fully remote > > >configurable as they query our Apache farm for their configuration > > >upon bootup (based on their MAC address). > > > > > >So we have full control of the customer IAD, and the customer doesn't. > > > > > >For softphones --- this is bad. Xten (eyebeam) AFAIK, do not have a > > >way to remotely configure them and therefore you have to give the SIP > > >proxy UID and PWD to the customer and we decided under no > > >circumstances will this be done on our network. > > > > > >The solution for a softphone is to find one that will remotely > > >configure like the UTstarcom IAD. We're not shipping softphones so I > > >can't really help you there. > > > > > >Regards, > > >Paul > > > > > > > > >On Wed, 23 Mar 2005 10:05:26 -0500, Dana Olson <rickaster(a)gmail.com> wrote: > > >> On Wed, 23 Mar 2005 09:14:42 -0500, Java Rockx <javarockx(a)gmail.com> wrote: > > >> > IMHO setting max_contacts is very dangerous because if you reboot your > > >> > SIP UA and your NAT device gives you a new port assignment, the you > > >> > will __fail__ to register if your previous contact AOR has not > > >> > expired. > > >> > > > >> > I think this is the hardest part of implementing a "per-seat" > > >> > configuration. You just don't know when a NAT will assign a new port > > >> > to a SIP UA. > > >> > > > >> > I gave up on this for this very reason. Our solution is to lock down > > >> > the SIP UAs and never let a customer get in to the settings (except > > >> > for the LAN/WAN settings). > > >> > > > >> > Regards, > > >> > Paul > > >> > > >> Hey Paul, I hear you. I'm just saying that max_contacts is basically > > >> what we're attempting to accomplish, only in the stable banch of SER. > > >> And I've basically got it down to the point where the only time it > > >> locks me out is if A) someone is already logged in with that account, > > >> or B) my IP address changes. I also wrote a real quick CGI that will > > >> list all the users logged in, and if you click on any of them, it'll > > >> force them out of the location table, allowing someone else to login > > >> (or re-login, if the IP changed). > > >> > > >> However, if my superiors find this to not be an acceptable solution, > > >> I'd like to know what you are using, and how did you lock it down? We > > >> tried with SJphone and had some success, but the quality just doesn't > > >> compare to eyeBeam. We managed to lockdown eyeBeam a bit, but users > > >> can still get into the settings. I'd appreciate your insight. > > >> -- > > >> Dana

Reply

Iqbal

24 Mar 24 Mar

2:48 p.m.

that would make life alot easier and more billable :-) Iqbal Java Rockx wrote:

It would be really nice if somehow the SIP UA's MAC address could be discovered. If that were possible you could really do per-seat connections. Regards, Paul On Wed, 23 Mar 2005 14:29:37 -0500, Dana Olson <rickaster(a)gmail.com> wrote:

As far as I knew, 0.9.0 wasn't officially released as stable yet. Am I wrong? And yes, what you said to prevent the locking issue is exactly correct. But my scripting does this on 0.8.14 as well. The only time it will lock is if an IP address changes and then a reregister request is sent without unregistering first. I don't even know if that is a possibility, but I assume it is. Ideally, we would be able to know if it's the same phone re-registering, but you can't tell the difference if it's the same person with a new IP, or, for example, if you open up task manager, kill the softphone (which means its registration doesn't force expire/unregister), change IP addresses, and then log in again. My script does this in its current state. It will only reject if the registration hasn't expired and a new IP address is trying to register. I'm not sure, but I assume, this is also what happens with max_contacts. -- Dana On Wed, 23 Mar 2005 16:54:21 GMT, Iqbal <iqbal(a)gigo.co.uk> wrote: >Hi > >I never tried max_contacts, but would it not be possible to logoff the >previous contact b4 the new one registers, that way you wont have a >locking issue. > >This is the kind of thing I guess yahoo IM etc all do...kind of > >Iqbal > >PS is max contacts in CVS head, or in 0.9 also > >On 3/23/2005, "Java Rockx" <javarockx(a)gmail.com> wrote: > > > >>We're shipping UTstarcom iAN-02EX ATAs and these are fully remote >>configurable as they query our Apache farm for their configuration >>upon bootup (based on their MAC address). >> >>So we have full control of the customer IAD, and the customer doesn't. >> >>For softphones --- this is bad. Xten (eyebeam) AFAIK, do not have a >>way to remotely configure them and therefore you have to give the SIP >>proxy UID and PWD to the customer and we decided under no >>circumstances will this be done on our network. >> >>The solution for a softphone is to find one that will remotely >>configure like the UTstarcom IAD. We're not shipping softphones so I >>can't really help you there. >> >>Regards, >>Paul >> >> >>On Wed, 23 Mar 2005 10:05:26 -0500, Dana Olson <rickaster(a)gmail.com> wrote: >> >> >>>On Wed, 23 Mar 2005 09:14:42 -0500, Java Rockx <javarockx(a)gmail.com> wrote: >>> >>> >>>>IMHO setting max_contacts is very dangerous because if you reboot your >>>>SIP UA and your NAT device gives you a new port assignment, the you >>>>will __fail__ to register if your previous contact AOR has not >>>>expired. >>>> >>>>I think this is the hardest part of implementing a "per-seat" >>>>configuration. You just don't know when a NAT will assign a new port >>>>to a SIP UA. >>>> >>>>I gave up on this for this very reason. Our solution is to lock down >>>>the SIP UAs and never let a customer get in to the settings (except >>>>for the LAN/WAN settings). >>>> >>>>Regards, >>>>Paul >>>> >>>> >>>Hey Paul, I hear you. I'm just saying that max_contacts is basically >>>what we're attempting to accomplish, only in the stable banch of SER. >>>And I've basically got it down to the point where the only time it >>>locks me out is if A) someone is already logged in with that account, >>>or B) my IP address changes. I also wrote a real quick CGI that will >>>list all the users logged in, and if you click on any of them, it'll >>>force them out of the location table, allowing someone else to login >>>(or re-login, if the IP changed). >>> >>>However, if my superiors find this to not be an acceptable solution, >>>I'd like to know what you are using, and how did you lock it down? We >>>tried with SJphone and had some success, but the quality just doesn't >>>compare to eyeBeam. We managed to lockdown eyeBeam a bit, but users >>>can still get into the settings. I'd appreciate your insight. >>>-- >>>Dana >>> >>>

.

Reply

Bruno Lopes F. Cabral

22 Mar 22 Mar

2:40 p.m.

Hi there isn't there a way on which a new registration would override the previous one? this way, the cases of re-registering (changed IPs) would be solved and anyone that wish to force two simultaenous registerings would have some hard time? Cheers !3runo Jffdsaklj dsjk wrote:

Finally I found a solution. I've attached the block I included in the SER cfg file. The problem (big problem) is that after a day (more or less), there are defunct processes. I think it's a problem of the exec_msg sentence, but I'm not sure. With these defunct processes, SER crashed. :(

[...]

Reply

Dana Olson

3:20 p.m.

I'm pretty sure that the default is this, and if not, you can certainly do it with stateless forwarding, which I am using. However, this is kinda defeating the goal I'm trying to achieve. If I'm logged into my account, and someone else logs in with my account after me, I stop receiving calls, and they go to the other person until they log out or I re-register. That's not good. I need to give the priority to the person who logged in first, and reject further registrations. I'm sure that someone can use your methodology though. -- Dana On Tue, 22 Mar 2005 10:40:41 -0300, Bruno Lopes F. Cabral <bruno(a)openline.com.br> wrote:

Hi there isn't there a way on which a new registration would override the previous one? this way, the cases of re-registering (changed IPs) would be solved and anyone that wish to force two simultaenous registerings would have some hard time? Cheers !3runo

Reply

Bruno Lopes F. Cabral

3:34 p.m.

Hi if you are 1 person only and your telefone is registered, supposedely no one else will have your id/password to try to register a second time. if they do so, you will complain (as you described) and the admin will know your id/password was stolen (and perhaps provide you a new one) I suppose this is the desire of any admin wishing to limit SIP registrations to 1 user only, to avoid having two customers sharing a single account. please note that, in second case, if you change IP and re-register, as you are only one person/account, the old register should expire imediately my excuses if I didn't myself clearer early Cheers !3runo Dana Olson wrote:

I'm pretty sure that the default is this, and if not, you can certainly do it with stateless forwarding, which I am using. However, this is kinda defeating the goal I'm trying to achieve. If I'm logged into my account, and someone else logs in with my account after me, I stop receiving calls, and they go to the other person until they log out or I re-register. That's not good. I need to give the priority to the person who logged in first, and reject further registrations. I'm sure that someone can use your methodology though. -- Dana On Tue, 22 Mar 2005 10:40:41 -0300, Bruno Lopes F. Cabral wrote >isn't there a way on which a new registration would >override the previous one? this way, the cases of >re-registering (changed IPs) would be solved and >anyone that wish to force two simultaenous registerings >would have some hard time?

Reply

karim Oumalou

4:37 p.m.

hi everybody, I am using ser with dbtext database The code is working, the authentification users is ok but when i add news users, i have a pb, they are not loaded in the suscriber. My question is : can i add users in the suscriber table (dbtext) without restart ser Thank you. # # $Id: ser.cfg,v 1.21.4.1 2003/11/10 15:35:15 andrei Exp $ # # simple quick-start config script # # ----------- global configuration parameters ------------------------ debug=7 # debug level (cmd line: -dddddddddd) fork=yes log_stderror=yes check_via=no # (cmd. line: -v) dns=no # (cmd. line: -r) rev_dns=no # (cmd. line: -R) #port=5060 #children=4 fifo="/tmp/ser_fifo" # ------------------ module loading ---------------------------------- loadmodule "/usr/local/lib/ser/modules/dbtext.so" loadmodule "/usr/local/lib/ser/modules/sl.so" loadmodule "/usr/local/lib/ser/modules/tm.so" loadmodule "/usr/local/lib/ser/modules/rr.so" loadmodule "/usr/local/lib/ser/modules/maxfwd.so" loadmodule "/usr/local/lib/ser/modules/usrloc.so" loadmodule "/usr/local/lib/ser/modules/registrar.so" # Uncomment this if you want digest authentication loadmodule "/usr/local/lib/ser/modules/auth.so" loadmodule "/usr/local/lib/ser/modules/auth_db.so" # ----------------- setting module-specific parameters --------------- # -- usrloc params -- ################################################################# modparam("usrloc", "db_mode",2) modparam("usrloc", "db_url", "/usr/local/etc/ser/dbtext") # -- auth params -- # modparam("auth_db", "db_url", "/usr/local/etc/ser/dbtext") modparam("auth_db", "calculate_ha1", 1) modparam("auth_db", "password_column", "password") ################################################################ # -- registrar params -- ########################################################## #modparam("registrar", "nat_flag", 6) #modparam("registrar", "max_expires", 1200) #modparam("registrar", "min_expires", 300) #modparam("registrar", "default_expires", 1200) #modparam("registrar", "use_domain", 1) #modparam("registrar","desc_time_order",1) # -- rr params -- # add value to ;lr param to make some broken UAs happy modparam("rr", "enable_full_lr", 1) # ------------------------- request routing logic ------------------- # main routing logic route{ # initial sanity checks -- messages with # max_forwards==0, or excessively long requests if (!mf_process_maxfwd_header("10")) { sl_send_reply("483","Too Many Hops"); break; }; if ( msg:len > max_len ) { sl_send_reply("513", "Message too big"); break; }; # we record-route all messages -- to make sure that # subsequent messages will go through our proxy; that's # particularly good if upstream and downstream entities # use different transport protocol record_route(); # loose-route processing if (loose_route()) { t_relay(); break; }; # if the request is for other domain use UsrLoc # (in case, it does not work, use the following command # with proper names and addresses in it) if (uri==myself) { if (method=="REGISTER") { # Uncomment this if you want to use digest authentication # if (!www_authorize("softiphone.net", "subscriber")) { # www_challenge("softiphone.net", "0"); # break; # }; if (!proxy_authorize("", "subscriber")) { proxy_challenge("", "0"); break; } save("location"); break; }; # native SIP destinations are handled using our USRLOC DB if (!lookup("location")) { sl_send_reply("404", "Not Found"); break; }; }; # forward to current uri now; use stateful forwarding; that # works reliably even if we forward from TCP to UDP if (!t_relay()) { sl_reply_error(); }; } On Tue, 22 Mar 2005 11:34:30 -0300, Bruno Lopes F. Cabral <bruno(a)openline.com.br> wrote:

Hi if you are 1 person only and your telefone is registered, supposedely no one else will have your id/password to try to register a second time. if they do so, you will complain (as you described) and the admin will know your id/password was stolen (and perhaps provide you a new one) I suppose this is the desire of any admin wishing to limit SIP registrations to 1 user only, to avoid having two customers sharing a single account. please note that, in second case, if you change IP and re-register, as you are only one person/account, the old register should expire imediately my excuses if I didn't myself clearer early Cheers !3runo Dana Olson wrote:

I'm pretty sure that the default is this, and if not, you can certainly do it with stateless forwarding, which I am using. However, this is kinda defeating the goal I'm trying to achieve. If I'm logged into my account, and someone else logs in with my account after me, I stop receiving calls, and they go to the other person until they log out or I re-register. That's not good. I need to give the priority to the person who logged in first, and reject further registrations. I'm sure that someone can use your methodology though. -- Dana On Tue, 22 Mar 2005 10:40:41 -0300, Bruno Lopes F. Cabral wrote >isn't there a way on which a new registration would >override the previous one? this way, the cases of >re-registering (changed IPs) would be solved and >anyone that wish to force two simultaenous registerings >would have some hard time?

_______________________________________________ Serusers mailing list serusers(a)lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers

-- Karim Oumalou

Reply

Dana Olson

16 Mar 16 Mar

5:55 p.m.

I was asking this same sort of thing last week... I have set this up using the stable version of SER, but yes, I am running into the problem that Klaus has mentioned. I haven't had time to debug any further, but the basic concept works... Just not good enough for production use as of yet. -- Dana On Wed, 16 Mar 2005 17:04:30 +0100, Jffdsaklj dsjk <jjjaime(a)gmail.com> wrote:

How can we restrict the registration to only one user per login?. Currently, you can register with the same login/password in different machines at the same time. But what we require is that only the first registration is valid and the rest ones are invalidated by the SER. Thanks

Reply

7192

days inactive

7200

days old

sr-users@lists.kamailio.org

Manage subscription

21 comments

9 participants

tags (0)

participants (9)

Bruno Lopes F. Cabral
Dana Olson
Iqbal
Java Rockx
Jffdsaklj dsjk
Jiri Kuthan
karim Oumalou
Klaus Darilion
Marian Dumitru