[OpenSER-Devel] [Fwd: Re: [OpenSER-Users] Logging failed registration attempt]

Anatoly Pidruchny apidruchny at newxt.com
Wed Aug 15 03:10:03 CEST 2007


I am forwarding this thread from the OpenSER-Users list. Should 
information be added in the documentation about the return codes of the 
proxy_authorize, radius_proxy_authorize and diameter_proxy_authorize 
functions?

Regards,
Anatoly.

-------- Original Message --------
Subject: 	Re: [OpenSER-Users] Logging failed registration attempt
Date: 	Tue, 14 Aug 2007 10:38:58 -0400
From: 	Anatoly Pidruchny <apidruchny at newxt.com>
To: 	Edoardo Serra <edoardo.serra at webrainstorm.it>
CC: 	users at openser.org
References: 	<f9qdtq$ipi$1 at sea.gmane.org> 
<200708141019.35448.ibc at in.ilimit.es> <f9saul$o3q$1 at sea.gmane.org> 
<46C1B581.9040202 at newxt.com> <f9sd2p$vvo$1 at sea.gmane.org>



Edoardo,

I am looking at the documentation for the auth_db module for the 
development version: http://www.openser.org/docs/modules/devel/auth_db.html
Yes, the information about return codes is included in the description 
of the www_authorize function, but it is not included in the description 
of the proxy_authorize function. In fact, the proxy_authorize function 
returns the same error codes as the www_authorize function. There is a 
similar problem with the documentation for the radius_proxy_authorize 
(auth_radius module) and diameter_proxy_authorize (auth_diameter module) 
functions. The return codes are described for the ..._www_... functions, 
but not for the ..._proxy_... functions.

Regards,
Anatoly.
> GREAT
>
> that's exactly what I was thinking of
> (shame on me for not having searched the tracker nor the online doc 
> which IS updated for devel section)
>
> Thanks for the help
>
> Regards
>
>
> Anatoly Pidruchny wrote:
>> Please take a look at this patch: 
>> http://sourceforge.net/tracker/index.php?func=detail&aid=1693132&group_id=139143&atid=743022 
>>
>> This patch was uploaded into the trunk. This patch makes it possible 
>> to check the reason why the www/proxy_authorize function fails. It now 
>> returns the following negative codes:
>>
>>  -1 - non existent user;
>>  -2 - invalid passwd
>>  -3 - stale nonce
>>  -4 - no credentials
>>  -5 - error
>>
>> You can use "switch" and "$retval" to test the return code in your 
>> script.
>>
>> It does not look like the documentation was updated though to include 
>> this information.
>>
>> Anatoly.
>>> OK, that's how I did it
>>>
>>> if (!proxy_authorize("exorsa", "openser_view")) {
>>>         if(search("Proxy-Authorization")) {
>>>                 xlog("L_ERR", "REGISTER: Auth error from - $au");
>>>         }
>>>         proxy_challenge("exorsa", "0");
>>>         exit;
>>> }
>>>
>>> so, if the packet contains credentials but they're wrong the attempt 
>>> is logged
>>>
>>> Now I'm facing the following problem...
>>> When the nonce expires and the client re-REGISTERs, the packet will 
>>> contain wrong credentials and the UA is challenged again.
>>>
>>> This way that's logged as a bad authentication
>>>
>>> I also tried to do
>>>
>>> if(search("Proxy-Authorization")) {
>>>     if(!registered("location")) {
>>>         xlog("L_ERR", "REGISTER: Auth error from - $au");
>>>     }
>>> }
>>>
>>> ...but without good results....
>>>
>>> Any ideas?
>>>
>>> Thanks in advance
>>>
>>> Edoardo
>>>
>>> Iñaki Baz Castillo wrote:
>>>> On Monday 13 August 2007 22:11:34 Edoardo Serra wrote:
>>>>> Hi all,
>>>>>     I'd like to log failed SIP REGISTER attempts either with xlog or with
>>>>> sip_trace() but I cannot understand where to put the related code to catch
>>>>> the authentication error
>>>>
>>>>
>>>> With XLOG it is easy :)
>>>>
>>>>
>>>>> Here is the part of my openser.cfg dedicated to REGISTER handling
>>>>>
>>>>> if (method=="REGISTER") {
>>>>>          if (!proxy_authorize("exorsa", "openser_view")) {
>>>>                      xlog("L_INFO", "REGISTER: auth required\n");
>>>>>                  proxy_challenge("exorsa", "0");
>>>>>                  exit;
>>>>>          }
>>>>>          if (!check_to()) {
>>>>                      xlog("L_WARN", "REGISTER: !check_to()\n");
>>>>>                  sl_send_reply("403", "Digest username and URI username do NOT match! Stay away!");
>>>>>                  exit;
>>>>>          }
>>>>             xlog("L_INFO", "REGISTER: authorized\n");
>>>>>          save("location");
>>>>>
>>>>>          exit;
>>>>> };
>>>>
>>>>
>>>> Regards.
>>>>
>>>
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users at openser.org
>>> http://openser.org/cgi-bin/mailman/listinfo/users
>>>
>>
>>
>
>
>
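
An added example, not part of the original thread or the OpenSER documentation: one way to use the return codes listed above so that only unknown users and wrong passwords are logged as failed registrations, while stale-nonce re-REGISTERs and first requests without credentials are not. It assumes the return value of the last function is available as `$retcode` (the thread calls it `$retval`); the realm and table names are the ones used in the thread.

```cfg
# Added example, not from the thread. Realm "exorsa" and table
# "openser_view" are the values used in the thread's script.
# Assumption: $retcode holds the return code of the last function.
if (method=="REGISTER") {
    if (!proxy_authorize("exorsa", "openser_view")) {
        switch ($retcode) {
            case -1:
                # non-existent user: candidate for scan/brute-force alerting
                xlog("L_WARN", "REGISTER: unknown user $au from $si\n");
            break;
            case -2:
                # invalid password: candidate for scan/brute-force alerting
                xlog("L_WARN", "REGISTER: bad password for $au from $si\n");
            break;
            case -3:
                # stale nonce: normal re-REGISTER after the nonce expired
                xlog("L_DBG", "REGISTER: stale nonce for $au\n");
            break;
            case -4:
                # no credentials: first request of a normal digest exchange
                xlog("L_DBG", "REGISTER: no credentials, challenging\n");
            break;
            default:
                # -5 (error) and anything unexpected
                xlog("L_ERR", "REGISTER: auth error $retcode from $si\n");
        }
        proxy_challenge("exorsa", "0");
        exit;
    }
    if (!check_to()) {
        xlog("L_WARN", "REGISTER: digest user $au does not match To, from $si\n");
        sl_send_reply("403", "Digest username and URI username do NOT match! Stay away!");
        exit;
    }
    save("location");
    exit;
}
```

`$au` comes from the request, so anything that parses these log lines should treat the username field as untrusted input.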

