The save function from the registrar module uses the To header to dissect and store the username for the location table, according to observations and documentation: http://www.kamailio.org/docs/modules/stable/modules/registrar.html#registrar...
After troubleshooting a ticket from an end user unable to receive calls, where all looked fine but the username used for authentication wasn't showing up in the location database, I finally found that the REGISTER was added to the location database, but not with the user's username; instead it was using the username (phone number) specified in the To header. Till now I always assumed that the username in the location table would be the username used during authentication(*).
This opens the door to hijacking incoming calls to other users on the same Kamailio registrar if one knows/guesses other usernames and uses those in the To header. This realisation is kind of shocking to me.
The solution is simple (if authentication is required): save("location", "0x00", "sip:$au@$rd");
*: which kind of answers my question in the subject, what else can be used if there is no authentication required?
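
An added example, not part of the original message: a registrar route that binds the stored address-of-record to the authenticated identity and logs any mismatch between the digest username and the To username. The route name, the "subscriber" table, the use of $fd as realm and the loaded modules (auth, auth_db, registrar, sl, textops, xlog) are assumptions.

```kamailio
# Assumed route name; call it from request_route for REGISTER traffic.
route[REGISTRAR] {
    if (!is_method("REGISTER")) return;

    # Challenge until the request carries valid digest credentials.
    # Flags "0": only verify the credentials, no identity checks here.
    if (!auth_check("$fd", "subscriber", "0")) {
        auth_challenge("$fd", "0");
        exit;
    }

    # $au = digest username, $tU = username in the To header URI.
    # A mismatch means the client asks to register a binding for an
    # AoR that is not the account it authenticated as.
    if ($au != $tU) {
        xlog("L_WARN", "REGISTER refused: auth user '$au' != To user '$tU' from $si\n");
        sl_send_reply("403", "Forbidden");
        exit;
    }

    # Do not forward the credentials any further.
    consume_credentials();

    # Weak form: the AoR is taken from the To header.
    #   save("location");
    # Hardened form from the message above: the AoR is built from the
    # authenticated username, so the To header cannot select the row.
    if (!save("location", "0x00", "sip:$au@$rd")) {
        sl_reply_error();
    }
    exit;
}
```

The explicit $au/$tU comparison is redundant once the third save() parameter is used, but the 403 and the log line make attempted registrations for another user's AoR visible instead of silently storing them under the authenticated name.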