[OpenSER-Devel] conceptual problem: domain - realm

Daniel-Constantin Mierla miconda at gmail.com
Fri Jun 6 16:31:12 CEST 2008


Hello Inaki,

On 06/06/08 17:25, Iñaki Baz Castillo wrote:
> On Thursday 05 June 2008 19:38:37 Daniel-Constantin Mierla wrote:
>   
>> Hello,
>>
>> there is a conceptual problem with the subscriber table, the domain
>> column and realm for authentication. Practically, the realm used for
>> authentication can be meaningless and one subscriber can have several
>> pairs of realm-password to authenticate for different services.
>>
>> Furthermore, if the use_domain is 1, the realm is used to match the
>> domain column to load the password in auth_db -- when the domain of
>> username in authorization header is missing. This is obviously wrong.
>>
>> Now, the purpose of this thread is to find the best solution to fix it.
>> One is to add new column for realm in subscriber table. This will
>> duplicate all the rest of columns (rpid, email_address) for each realm
>> assigned to a user. Alternative will be to move out realm-password pairs
>> to a new table - this will add more db operations.
>>
>> Any comments, opinions, alternatives?
>>     
>
> Hi Daniel, so are you speaking about different realms for different 
> authentications of the same user in OpenSer?
>   
Yes, same user. You can have different realms (very easy with openser) 
for different requests. Beware that I can have a client just for 
IM/Presence and another one for VoIP. If the provisioning of the clients 
is done automatically, from different servers, and the service has 
a couple of levels, this feature might be very helpful.

> While this could be interesting (but sincerely I've never seen this scenario) 
> a more common scenario is one in which OpenSer asks for authentication as 
> proxy for "realm_1" and the UAS asks again for authentication for "realm_2" 
> (where "realm_2" is completely unknown for OpenSer).
> AFAIK this scenario is not possible in OpenSer because of a not very RFC3261 
> compliant behaviour when handling various "*-Authorization" headers.
>   

In this case, the client shall send the message with two Authorization 
headers, openser is able to select the proper one based on realm. Do 
you mean here that openser cannot handle it because you are using it to 
authenticate on behalf of the client, via the uac module? Or are the 
messages just passing through openser?

Cheers,
Daniel
 
> Is the issue you meant also related to this second scenario?
>
> Thanks a lot and regards :)
>
>
>
>   

-- 
http://www.asipto.com
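
The thread's two ideas combined, as an added example that is not part of the original message and is not OpenSER code: credentials kept in a separate table keyed by (username, realm) rather than by the subscriber's domain, and the server picking the Authorization header that matches its own realm. The table layout, the names and all sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import re

def md5hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def ha1(username, realm, password):
    # RFC 2617: the stored secret is bound to the realm, not to the SIP domain.
    return md5hex(f"{username}:{realm}:{password}")

# Constructed table keyed by (username, realm); profile columns such as rpid
# or email_address would stay once per user in the subscriber table.
CREDENTIALS = {
    ("alice", "voip.example.com"): ha1("alice", "voip.example.com", "voip-secret"),
    ("alice", "im.example.com"): ha1("alice", "im.example.com", "im-secret"),
}

def parse_digest(value):
    """Turn 'Digest k="v", ...' into a dict, or None for other schemes."""
    scheme, _, params = value.partition(" ")
    if scheme.lower() != "digest":
        return None
    pairs = re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', params)
    return {k.lower(): v.strip('"') for k, v in pairs}

def digest_response(stored_ha1, method, uri, nonce):
    # RFC 2617 response without qop: MD5(HA1:nonce:MD5(method:uri))
    return md5hex(f"{stored_ha1}:{nonce}:{md5hex(f'{method}:{uri}')}")

def make_header(username, realm, password, method, uri, nonce):
    """Constructed client side, used only to produce sample input."""
    resp = digest_response(ha1(username, realm, password), method, uri, nonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}"')

def authenticate(auth_headers, realm, method):
    """Pick the header for our realm, then look up by (username, realm).
    Nonce freshness checks are omitted to keep the example short."""
    creds = [c for c in map(parse_digest, auth_headers) if c and c.get("realm") == realm]
    if not creds:
        return "challenge"          # nothing for this realm: send a challenge
    c = creds[0]
    stored = CREDENTIALS.get((c.get("username"), realm))
    if stored is None:
        return "reject"
    want = digest_response(stored, method, c.get("uri", ""), c.get("nonce", ""))
    return "ok" if hmac.compare_digest(want, c.get("response", "")) else "reject"
```

Because HA1 includes the realm, a secret provisioned for one realm never verifies under another, so looking credentials up by the subscriber's domain instead of the realm either fails or ties every service to one password.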



