Hello,
for INVITE you have to use pv_proxy_authorize("") http://www.openser.org/docs/modules/1.3.x/auth.html#AEN281
The problem is that the domain part for the URI of the user you want to authenticate does not match the value from the realm attribute of authorization header. Pasting the SIP message will help to give clear indications.
Cheers, Daniel
On 02/29/08 18:07, antalsia@free.fr wrote:
Hi all,
I'm trying to authenticate INVITE messages with OpenSER 1.3.0 (SIP Proxy + RTPPROXY) and LDAP module. Although REGISTER authentication works well, I cannot check user authorization for INVITE messages. I'm using an openser.cfg configuration template from sipwise (see an extract below).
pv_proxy_authorize() routine always returns false, even if my user is registered and authenticated through our OpenLDAP. Can you tell me what I'm doing wrong ?
Many thks,
openser.cfg
route {
... if(is_method("REGISTER")) { route(2); } if(is_method("INVITE")) { route(4); }
...
}
######################################################################## # Request route 'base-route-register' ######################################################################## route[2] { sl_send_reply("100", "Trying");
if(is_present_hf("Authorization")||is_present_hf("Proxy-Authorization")){
xlog("L_INFO", "is_present_hf Authorization orProxy-Authorization\n");
if(!ldap_search("ldap://blabla/blabla?uid,userPassword?sub?(uid=$fU)")) { switch ($retcode) { case -1: # no LDAP entry found xlog("L_INFO", "Ldap user not found\n"); sl_send_reply("404", "User Not Found"); exit; case -2: # internal error xlog("L_INFO", "Internal server error during authentication\n"); sl_send_reply("500", "Internal server error"); exit; default: exit; } }
ldap_result("uid/$avp(s:username)"); ldap_result("userPassword/$avp(s:password)"); } if(!pv_www_authorize("")) { xlog("L_INFO", "Register authentication failed - M=$rm RURI=$ruF=$fu T=$tu IP=$si ID=$ci\n"); www_challenge("mydomain", "1"); exit; }
if(!check_to()) { xlog("L_INFO", "Spoofed To-URI detected - M=$rm RURI=$ru F=$fuT=$tu IP=$si ID=$ci\n"); sl_send_reply("403", "Spoofed To-URI Detected"); exit; } consume_credentials(); if(!search("^Contact:[ ]**") && nat_uac_test("19")) { fix_nated_register(); setbflag(6); } if(!save("location")) {
xlog("L_ERR", "Saving contact failed - M=$rm RURI=$ru F=$fuT=$tu IP=$si ID=$ci\n"); sl_reply_error(); exit; }
xlog("L_INFO", "Registration successful - M=$rm RURI=$ru F=$fu T=$tuIP=$si ID=$ci\n"); exit;
}
######################################################################## # Request route 'base-route-invite' ######################################################################## route[4] { sl_send_reply("100", "Trying"); if(nat_uac_test("19")) { fix_nated_contact(); setbflag(6); }
route(5);}
######################################################################## # Request route 'invite-find-callee' ######################################################################## route[5] { if(!is_domain_local("$rd")) { setflag(20);
route(7); } if(does_uri_exist()) { xlog("L_INFO", "Callee is local - M=$rm RURI=$ru F=$fu T=$tuIP=$si ID=$ci\n"); route(6); } else {
xlog("L_INFO", "Callee is not local - M=$rm RURI=$ru F=$fu T=$tuIP=$si ID=$ci\n"); route(7); } exit;
}
######################################################################## # Request route 'invite-to-external' ######################################################################## route[7] { if(isflagset(20)) {
xlog("L_INFO", "Call to foreign domain - M=$rm RURI=$ru F=$fuT=$tu IP=$si ID=$ci\n"); if (!pv_proxy_authorize("")) { xlog("L_INFO", "TESTING : NOT AUTHENTICATED !!!!\n"); } else { xlog("L_INFO", "TESTING : AUTHENTICATED !!!!\n"); }
route(3); exit; } xlog("L_INFO", "Call to unknown user - M=$rm RURI=$ru F=$fu T=$tu IP=$siID=$ci\n"); sl_send_reply("404", "User Not Found"); exit;
}
DEBUG LOGS
eb 29 15:33:14 proxy_sip /usr/sbin/openser[5444]: DBG:core:parse_headers: flags=80 Feb 29 15:33:14 proxy_sip /usr/sbin/openser[5444]: DBG:core:parse_headers: flags=80 Feb 29 15:33:14 proxy_sip /usr/sbin/openser[5444]: Call to foreign domain - M=INVITE RURI=sip:beacon@columbia.edu F=sip:test@xxxxxxxx T=sip:beacon@co lumbia.edu IP=xxxxxxx ID=282a363f-5be5-dc11-8272-0015c56ccfaa@xxxxxx Feb 29 15:33:14 proxy_sip /usr/sbin/openser[5444]: DBG:core:parse_headers: flags=10000 Feb 29 15:33:14 proxy_sip /usr/sbin/openser[5444]: DBG:auth:pre_auth: credentials with given realm not found Feb 29 15:33:14 proxy_sip /usr/sbin/openser[5444]: TESTING : NOT AUTHENTICATED
Users mailing list Users@lists.openser.org http://lists.openser.org/cgi-bin/mailman/listinfo/users