2010/7/1 Jan Janak jan@ryngle.com:
With SER the above problem would be solved by using the same realm for all the users and domains, but with a constrain: the "username" field of the creedentials generated by the user should be a full URI "sip:alice@example.org" (or perhaps also "alice@example.org"), so the auth module would parse the username and domain from the credentials "username" field.
And this too can already be done, you can simply set the value of the digest_realm variable with something like:
$f.digest_realm = @authorization[...].username.domain
Could you please detail more this code? Let me set an example:
1) SR multidomain and two users:
- sip:alice@dom1.org - realm = "myserver.org" - sip:alice@dom2.org - realm = "myserver.org"
2) An INVITE arrives sent by alice@dom1.org:
INVITE sip:bob@dom3.org SIP/2.0 From: sip:anonymous@invalid-domain.org
3) SR asks for authentication using the shared realm "myserver.org".
4) Let's imagine the UAC sets credentials in these ways:
4.1) Digest realm="myserver.org", username="alice" 4.2) Digest realm="myserver.org", username="alice@dom1.org" 4.3) Digest realm="myserver.org", username="sip:alice@dom1.org"
So, option 4.1 wouldn't clarify if the authenticated user is "sip:alice@dom1.org" or "sip:alice@dom2.org". This is, if the UAC just sets its AoR username in the credentials 'username' field then the above case cannot work as it would require the proxy using a different realm = domain and the INVITE request to contain the domain somewhere (i.e. P-Preferred-Identity header which is not the case).
Option 4.2 would work as from the credentials the proxy can identity "sip:alice@dom1.org", but IMHO the credentials username format should be an AoR (with the schema).
Options 4.3 seems the best one for me, but not sure if it's feasible with the currently existing UA's.
before calling proxy_authenticate. Any part of the SIP message can be used to set digest realm.
The problem is that in the above INVITE there is no way to choose the realm based on the SIP headers.
Note that this would also work with calc_ha1 set to 0. The subscriber table contains a column called ha1b which is used when the UA supplies digest username of form "user@domain".
Yes, but would it work in case of "sip:user@domain"?
Thanks a lot.