[Kamailio-Devel] [ openser-Bugs-2740437 ] PUBLISH authentication is wrong

Iñaki Baz Castillo ibc at aliax.net
Fri Apr 17 19:28:13 CEST 2009


On Friday, 17 April 2009, Jan Janak wrote:
> > How looks auth_username?  "alice", "alice at domainA.org" or
> > "sip:alice at domainA.org"?
> > How do you handle a multidomain environment? For example: how to fill
> > the above table with these two users?:
>
> auth_username contains the value of the digest username parameter and it
> then depends on how you configure your phones, i.e. what they use as the
> value of the digest authentication username.
>
> >   sip:alice at domainA.org
> >   sip:bob at domainB.net
>
> It really depends on how you choose to configure the system. First off,
> the digest username does not have to be the same as the username in the SIP
> URI. If this is the case then the value of auth_username can be different
> from the username in the SIP URI.
>
> But it is often desirable to have the SIP username same as the digest
> username, because then you can just configure the user agent with a SIP URI
> and password. In this case you would store "alice" and "bob" in
> auth_username.
>
> The value of the realm column will be set to the digest realm configured
> for domainA.org and domainB.net. In the simplest case the digest realm will
> be equivalent to the domain name, so you will have:
>
> "alice", "domainA.org"
> "bob", "domainB.net"
>
> But, you can also decide that you want to share credentials across multiple
> domains, especially if those domains are hosted on one server, then you can
> have:
>
> "alice", "SIP Authentication"
> "bob", "SIP Authentication"
>
> > Also, Kamailio has an option to use domain or not (in various
> > modules), so domain is checked or not (this improves the DB access in
> > single-domain environments).
>
> We do not have that anymore. Originally, in the pre-fork (the first fork)
> era, I added the domain column pretty much everywhere where we had the
> username column. We needed to add multi-domain support back then and we
> needed to replace <username> with <username,domain> to ensure one username
> can be assigned to two different people in two domains.
>
> In SER, the pair <username,domain> has been replaced with <uid>. The uid is
> a unique identifier of the user. The identifier is unique across all
> domains in a multi-domain setup. The identifier can be anything, it can be
> a number, it can be an identifier generated by uuidgen, such as
> 9dad2756-db88-4993-bbbe-3523fdffdf30.
>
> What then happens is this:
>
>  1) A user authenticates with his/her digest username and digest realm, and
>     if the authentication was successful, the authentication module
>     retrieves the uid of the user from the credentials table and stores that
>     uid in an AVP.
>
>  2) For inbound calls (no authentication), there is a function which
>     translates the URI in the Request-URI to the UID of the user.
>
> > > This is the unique id of the user within the system. Authentication
> > > functions in SER store the value of the column in an AVP after
> > > successful authentication and this is the primary ID of the user we use
> > > in other functions (we no longer rely on comparing SIP URIs).
> >
> > Could you show an example of usage of uid column? which value does it
> > contain?
>
> My SIP URI at iptel.org is sip:jan at iptel.org. My UID in the system is
> "janakj", so in this case table credentials will contain:
>
>   auth_username | realm     | uid
>   --------------+-----------+-------
>   jan           | iptel.org | janakj
>
> And if somebody calls sip:jan at iptel.org, the server needs to look up my UID
> in the URI table, which contains:
>
>   scheme | username | did       | uid
>   -------+----------+-----------+-------
>   "sip"  | jan      | iptel.org | janakj
>
>
> All other tables that contain data that belong to me, such as the location
> table with my contacts, only contain "janakj", so the location table has:
>
>   uid    | contact                | ...
>   -------+------------------------+----
>   janakj | sip:janakj at 192.168.0.1 | ...
>
> The big advantage of this is that I can have a dozen SIP URIs registered
> in the system and they all will reach the same contact. I can change my
> digest authentication username any time I want and the system will still be
> able to identify me correctly. I can change my SIP username or the whole
> SIP URI if I get bothered by SPIT too much and the system will still be
> able to look up all my data, such as accounting records, because my uid
> never changes.


It seems more complex but seems to offer enough advantages.
Thanks for the extended explanation.


-- 
Iñaki Baz Castillo <ibc at aliax.net>
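The uid-based flow Jan describes (digest login resolves to a uid, an inbound Request-URI resolves to the same uid, and the location table is keyed by uid alone) modelled as a small Python program. This is an added example, not code from SER or Kamailio: it mirrors only the three table layouts quoted in the message; the dictionaries standing in for database tables, the function names, the RFC 2617 digest helpers, and all sample rows, passwords and the nonce are constructed here. It also goes one step beyond the message by showing that renaming the digest username forces HA1 to be recomputed (HA1 is bound to the username), while uid, URI aliases and contacts stay untouched.

```python
"""Toy model of uid-based user lookup with digest authentication.

Added example, not SER/Kamailio code. Table layouts follow the quoted
message; everything else (names, sample data, passwords, nonce) is constructed.
"""
import hashlib
import hmac


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password) as in RFC 2617 digest; a credentials
    table normally stores this rather than the clear-text password."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()


def digest_response(ha1_hex: str, nonce: str, method: str, uri: str) -> str:
    """Digest response without qop: MD5(HA1:nonce:HA2), HA2 = MD5(method:uri)."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1_hex}:{nonce}:{ha2}".encode()).hexdigest()


def make_tables() -> dict:
    """Constructed sample rows in the three layouts from the message."""
    return {
        # (auth_username, realm) -> uid and HA1. alice and bob share the realm
        # "SIP Authentication" across two hosted domains, as Jan describes.
        "credentials": {
            ("jan", "iptel.org"): {
                "uid": "janakj", "ha1": ha1("jan", "iptel.org", "jan-pw")},
            ("alice", "SIP Authentication"): {
                "uid": "9dad2756-db88-4993-bbbe-3523fdffdf30",
                "ha1": ha1("alice", "SIP Authentication", "alice-pw")},
            ("bob", "SIP Authentication"): {
                "uid": "uid-bob", "ha1": ha1("bob", "SIP Authentication", "bob-pw")},
        },
        # (scheme, username, did) -> uid
        "uri": {
            ("sip", "jan", "iptel.org"): "janakj",
            ("sip", "alice", "domainA.org"): "9dad2756-db88-4993-bbbe-3523fdffdf30",
            ("sip", "bob", "domainB.net"): "uid-bob",
        },
        # uid -> registered contacts
        "location": {
            "janakj": ["sip:janakj@192.168.0.1"],
            "9dad2756-db88-4993-bbbe-3523fdffdf30": ["sip:alice@10.0.0.5"],
            "uid-bob": ["sip:bob@10.0.0.6"],
        },
    }


def authenticate(tables, username, realm, nonce, method, uri, response):
    """Step 1 in the message: verify the digest and return the uid (what the
    auth module would store in an AVP), or None when it does not match."""
    row = tables["credentials"].get((username, realm))
    if row is None:
        return None
    expected = digest_response(row["ha1"], nonce, method, uri)
    if not hmac.compare_digest(expected, response):
        return None
    return row["uid"]


def uid_for_ruri(tables, ruri):
    """Step 2: map a Request-URI such as sip:jan@iptel.org to a uid through
    the uri table keyed by (scheme, username, did); None if not served here."""
    scheme, sep, rest = ruri.partition(":")
    if not sep:
        return None
    user, sep, did = rest.partition("@")
    if not sep:
        return None
    return tables["uri"].get((scheme, user, did))


def contacts_for_ruri(tables, ruri):
    """Inbound call: Request-URI -> uid -> contacts from the location table."""
    uid = uid_for_ruri(tables, ruri)
    return list(tables["location"].get(uid, []))


def add_alias(tables, ruri, uid):
    """Attach an extra SIP URI to a uid; all aliases reach the same contacts
    because location is keyed by uid, never by URI."""
    scheme, _, rest = ruri.partition(":")
    user, _, did = rest.partition("@")
    tables["uri"][(scheme, user, did)] = uid


def change_auth_username(tables, old, realm, new, password):
    """Rename the digest username without touching uid, uri or location.
    HA1 embeds the username, so it must be recomputed from the password."""
    row = tables["credentials"].pop((old, realm))
    row["ha1"] = ha1(new, realm, password)
    tables["credentials"][(new, realm)] = row
```

The `authenticate` lookup is keyed on the realm the client actually sent, so a valid response for `jan@iptel.org` presented with another realm is rejected even though the username exists; that is the check the multi-domain setup relies on when credentials are not shared across realms.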