[OpenSER-Devel] conceptual problem: domain - realm

Iñaki Baz Castillo ibc at in.ilimit.es
Fri Jun 6 16:25:20 CEST 2008


On Thursday 05 June 2008 19:38:37 Daniel-Constantin Mierla wrote:
> Hello,
>
> there is a conceptual problem with the subscriber table, the domain
> column and realm for authentication. Practically, the realm used for
> authentication can be meaningless and one subscriber can have several
> pairs of realm-password to authenticate for different services.
>
> Furthermore, if the use_domain is 1, the realm is used to match the
> domain column to load the password in auth_db -- when the domain of
> username in authorization header is missing. This is obviously wrong.
>
> Now, the purpose of this thread is to find the best solution to fix it.
> One is to add a new column for realm in the subscriber table. This will
> duplicate all the rest of the columns (rpid, email_address) for each realm
> assigned to a user. An alternative will be to move out realm-password pairs
> to a new table - this will add more db operations.
>
> Any comments, opinions, alternatives?

Hi Daniel, so are you speaking about different realms for different 
authentications of the same user in OpenSer?

While this could be interesting (but sincerely I've never seen this scenario), 
a more common scenario is one in which OpenSer asks for authentication as 
proxy for "realm_1" and the UAS asks again for authentication for "realm_2" 
(where "realm_2" is completely unknown to OpenSer).
AFAIK this scenario is not possible in OpenSer due to a not very RFC3261 
compliant behaviour when handling various "*-Authorization" headers.

Is the issue you meant also related to this second scenario?

Thanks a lot and regards :)



-- 
Iñaki Baz Castillo
ibc at in.ilimit.es
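
The lookup problem described in the quoted message, as an added illustration (not code from OpenSER or from either poster): a simplified model of matching the digest realm against the `domain` column, next to the proposed separate realm-password table. The table name `subscriber_realm`, the function names, the sample rows, and the idea that the caller supplies the identity domain are all assumptions made for this example.

```python
import hashlib
import sqlite3

def ha1(user, realm, password):
    # RFC 2617 digest: HA1 = MD5(username ":" realm ":" password),
    # so a stored credential is bound to one realm.
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()

def build_db():
    db = sqlite3.connect(":memory:")
    # Simplified subscriber table (constructed; only columns named in the thread).
    db.execute("CREATE TABLE subscriber (username TEXT, domain TEXT, "
               "password TEXT, rpid TEXT, email_address TEXT)")
    # Hypothetical table for the second proposal: realm-password pairs moved out.
    db.execute("CREATE TABLE subscriber_realm (username TEXT, domain TEXT, "
               "realm TEXT, ha1 TEXT, PRIMARY KEY (username, domain, realm))")
    db.execute("INSERT INTO subscriber VALUES "
               "('alice','example.com','s3cret','alice-rpid','alice@example.com')")
    for realm, pw in (("example.com", "s3cret"), ("voicemail", "vm-pass")):
        db.execute("INSERT INTO subscriber_realm VALUES (?,?,?,?)",
                   ("alice", "example.com", realm, ha1("alice", realm, pw)))
    return db

def lookup_current(db, auth_user, realm):
    # Behaviour described in the thread: with use_domain=1 and no domain in the
    # Authorization username, the realm is matched against the domain column.
    user, _, dom = auth_user.partition("@")
    row = db.execute("SELECT password FROM subscriber WHERE username=? AND domain=?",
                     (user, dom or realm)).fetchone()
    return row[0] if row else None

def lookup_split(db, user, domain, realm):
    # Identity (username, domain) and credential scope (realm) are separate keys;
    # the identity domain is supplied by the caller (assumption of this model).
    row = db.execute("SELECT ha1 FROM subscriber_realm "
                     "WHERE username=? AND domain=? AND realm=?",
                     (user, domain, realm)).fetchone()
    return row[0] if row else None
```

In this model the realm-as-domain lookup only succeeds when the realm happens to equal the subscriber's domain, while the split table keeps one `subscriber` row per user at the cost of an extra query.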