Hi, I want to maintain independent domains in OpenSer. In my case I've an OpenSer with a single DNS A record and various CNAMEs (I still don't want to play with SRV and so).
so:
DNS A = openser.domain.org
CNAME = sip1.domain.org
CNAME = sip2.domain.org
And I want users of sip1.domain.org and sip2.domain.org, as independent groups.
I just want to avoid SIP interdomain messages, so 200@sip1.domain.org CAN'T invite 300@sip2.domain.org even if he does authentication.
I've loaded "domain" module and use "is_uri_host_local()" and "is_from_local()" functions, but for now I only used one domain.
My question is very general: to implement (or avoid) interdomain communication, do I need to use the "domainpolicy" [1] module? I've read its doc and know it's based on 3 drafts [2][3][4], but all of them seem to be based on the complex NAPTR record and so. Is it the way?
I think I could just compare the FROM domain with the TO domain in order to avoid interdomain communication, but of course I'd like in the future the possibility of allowing some domains to contact some other domains. Is then "domainpolicy" the solution I should learn?
Any other doc about it?
Thanks for any help.
[1] http://www.openser.org/docs/modules/1.2.x/domainpolicy.html
[2] http://tools.ietf.org/id/draft-lendl-domain-policy-ddds-02.txt
[3] http://tools.ietf.org/id/draft-lendl-speermint-federations-02.txt
[4] http://tools.ietf.org/html/draft-lendl-speermint-technical-policy-00
Iñaki Baz Castillo wrote:
> Hi, I want to maintain independent domains in OpenSer. In my case I've an OpenSer with a single DNS A record and various CNAMEs (I still don't want to play with SRV and so).
> so:
> DNS A = openser.domain.org
> CNAME = sip1.domain.org
> CNAME = sip2.domain.org
> And I want users of sip1.domain.org and sip2.domain.org, as independent groups.
> I just want to avoid SIP interdomain messages, so 200@sip1.domain.org CAN'T invite 300@sip2.domain.org even if he does authentication.
> I've loaded "domain" module and use "is_uri_host_local()" and "is_from_local()" functions, but for now I only used one domain.
> My question is very general: to implement (or avoid) interdomain communication, do I need to use the "domainpolicy" [1] module?

no

> I've read its doc and know it's based on 3 drafts [2][3][4], but all of them seem to be based on the complex NAPTR record and so. Is it the way?

if you only want to prevent calls from sip1 to sip2 just compare the from domain with the domain in the ruri

    if ($rd != $fd) {
        sl_send_reply("403","forbidden");
        exit;
    }

> I think I could just compare the FROM domain with the TO domain in order to avoid interdomain communication, but of course I'd like in the future the possibility of allowing some domains to contact some other domains. Is then "domainpolicy" the solution I should learn?

no. it would be easier to just put all the allowed domains into a table:

    A    | B
    -----+-----
    sip1 | sip2
    sip1 | sip3
    sip5 | sip6

the code would be somehow like this (from the logic. I do not know the exact syntax by heart):

    if ($rd != $fd) {
        # lookup table with raw_query from avp_ops module:
        ...
        SELECT count(*) from table WHERE ($rd=A and $fd=B) OR ($rd=B and $fd=A);

        if count == 0 {
            sl_send_reply("403","forbidden");
            exit;
        }
    }

regards
klaus
On Monday 23 July 2007 17:50:58 Klaus Darilion wrote:
> Iñaki Baz Castillo wrote:
> > Hi, I want to maintain independent domains in OpenSer. In my case I've an OpenSer with a single DNS A record and various CNAMEs (I still don't want to play with SRV and so).
> > so:
> > DNS A = openser.domain.org
> > CNAME = sip1.domain.org
> > CNAME = sip2.domain.org
> > And I want users of sip1.domain.org and sip2.domain.org, as independent groups.
> > I just want to avoid SIP interdomain messages, so 200@sip1.domain.org CAN'T invite 300@sip2.domain.org even if he does authentication.
> > I've loaded "domain" module and use "is_uri_host_local()" and "is_from_local()" functions, but for now I only used one domain.
> > My question is very general: to implement (or avoid) interdomain communication, do I need to use the "domainpolicy" [1] module?
>
> no
>
> > I've read its doc and know it's based on 3 drafts [2][3][4], but all of them seem to be based on the complex NAPTR record and so. Is it the way?
>
> if you only want to prevent calls from sip1 to sip2 just compare the from domain with the domain in the ruri
>
>     if ($rd != $fd) {
>         sl_send_reply("403","forbidden");
>         exit;
>     }
>
> > I think I could just compare the FROM domain with the TO domain in order to avoid interdomain communication, but of course I'd like in the future the possibility of allowing some domains to contact some other domains. Is then "domainpolicy" the solution I should learn?
>
> no. it would be easier to just put all the allowed domains into a table:
>
>     A    | B
>     -----+-----
>     sip1 | sip2
>     sip1 | sip3
>     sip5 | sip6
>
> the code would be somehow like this (from the logic. I do not know the exact syntax by heart):
>
>     if ($rd != $fd) {
>         # lookup table with raw_query from avp_ops module:
>         ...
>         SELECT count(*) from table WHERE ($rd=A and $fd=B) OR ($rd=B and $fd=A);
>
>         if count == 0 {
>             sl_send_reply("403","forbidden");
>             exit;
>         }
>     }

Ok, very clear. Thanks a lot.
Regards.
On Monday 23 July 2007 17:50:58 Klaus Darilion wrote:
> if you only want to prevent calls from sip1 to sip2 just compare the from domain with the domain in the ruri
>
>     if ($rd != $fd) {
>         sl_send_reply("403","forbidden");
>         exit;
>     }

Hi again, let me just improve that solution a little, because comparing $rd and $fd I had problems with presence.
I think it's better (and it's working perfectly for me) to compare $fd and $td.
Note that the parameter:
    modparam("presence","server_address","sip:openser.domain.org")
is the <Contact> header the clients will contact for future subscription, so in those cases the $rd will be "openser.domain.org" even if the From: is "user1@sip1.domain.org" who is subscribing to the presence of a To: "user2@sip1.domain.org". In that case $fd = sip1.domain.org and $rd = openser.domain.org, so it will fail. Because of that, IMHO it is better to compare $fd with $td.
That's it, regards. :)
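
Added example, not code from this thread or from OpenSER: a Python model of the check discussed above, combining the allowed-pairs table lookup from the first reply with the presence case from the last message. It keeps checking the R-URI domain and uses the To domain only when the R-URI is the server's own address; the table name `domain_pairs`, the function names and the sample rows are assumptions.

```python
import sqlite3

# Host of the presence "server_address" from the thread.
SERVER_ADDRESS = "openser.domain.org"

def open_policy_db(pairs):
    """In-memory stand-in for the allowed-pairs table (name is hypothetical)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE domain_pairs (a TEXT NOT NULL, b TEXT NOT NULL)")
    db.executemany("INSERT INTO domain_pairs VALUES (?, ?)",
                   [(a.lower(), b.lower()) for a, b in pairs])
    return db

def pair_allowed(db, d1, d2):
    """Symmetric lookup. Domains are bound as parameters, not pasted into
    the SQL text, because they are taken from the incoming request."""
    row = db.execute(
        "SELECT count(*) FROM domain_pairs "
        "WHERE (a = ? AND b = ?) OR (a = ? AND b = ?)",
        (d1, d2, d2, d1)).fetchone()
    return row[0] > 0

def target_domain(ruri_domain, to_domain):
    """Domain compared with From: the R-URI host, or the To host when the
    R-URI is the server's own address (the presence case in the thread)."""
    if ruri_domain.lower() == SERVER_ADDRESS:
        return to_domain.lower()
    return ruri_domain.lower()

def request_allowed(db, from_domain, ruri_domain, to_domain):
    """True if the request may pass; False where the script would send 403."""
    fd = from_domain.lower()
    td = target_domain(ruri_domain, to_domain)
    return fd == td or pair_allowed(db, fd, td)

# Constructed sample policy: two rows of the table from the thread.
POLICY = open_policy_db([("sip1.domain.org", "sip3.domain.org"),
                         ("sip5.domain.org", "sip6.domain.org")])

if __name__ == "__main__":
    s1, s2, s3 = "sip1.domain.org", "sip2.domain.org", "sip3.domain.org"
    print(request_allowed(POLICY, s1, s2, s2))              # cross-domain, no row
    print(request_allowed(POLICY, s3, s1, s1))              # row exists (reversed)
    print(request_allowed(POLICY, s1, SERVER_ADDRESS, s1))  # presence SUBSCRIBE
```

In an OpenSER script the same decision would sit in the routing block, with the From, R-URI and To domains taken from `$fd`, `$rd` and `$td`.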