[sr-dev] where is s proxy_challenge function?

Daniel-Constantin Mierla miconda at gmail.com
Thu Jul 1 22:04:28 CEST 2010



On 7/1/10 9:50 PM, Iñaki Baz Castillo wrote:
> 2010/7/1 Jan Janak<jan at ryngle.com>:
>    
>> On Thu, Jul 1, 2010 at 3:31 PM, Iñaki Baz Castillo<ibc at aliax.net>  wrote:
>>      
>>> 2010/7/1 Juha Heinanen<jh at tutpro.com>:
>>>        
>>>>> if (!proxy_authenticate("$fd.digest_realm", "credentials")) {
>>>>>            
>>> What is $fd.digest_realm ?
>>>        
>> A variable containing the string to be used as realm in digest
>> authentication. In most circumstances its value is retrieved from the
>> database (domain_attrs table).
>>      
> So, if for example the From domain is "example.org" then SER would
> search for the realm corresponding to the domain "example.org" (which
> could be the domain itself or any other token), am I right?
>
> I like it, more than the "subscriber" table and the "auth_db" module
> of Kamailio. Let me explain why:
>
> - Imagine a Kamailio in multidomain mode.
>
> - A phone "sip:alice@example.org" sends an INVITE with "From:
> sip:anonymous@invalid-domain.org" (so the user requests privacy).
>
> - The INVITE doesn't have a "P-Preferred-Identity:
> <sip:alice@example.org>" (it doesn't implement RFC 3325).
>
> - So, how could Kamailio ask for authentication? Which realm to use?
> There is no string in the INVITE identifying the domain the originator
> belongs to, so...
>    

just use pv_proxy/www_authorize() from k auth module and you can pass 
username/password fetched from where you want and how you want.

Cheers,
Daniel

>
> The only solution for this issue would be using the same realm for
> every user and domain of the proxy, but in Kamailio this is not
> possible if "calculate_ha1" (in "auth_db") is 0 because Kamailio takes
> the realm of the request to look for the corresponding user using such
> realm as domain.
>
> With SER the above problem would be solved by using the same realm for
> all the users and domains, but with a constraint: the "username" field
> of the credentials generated by the user should be a full URI
> "sip:alice@example.org" (or perhaps also "alice@example.org"), so the
> auth module would parse the username and domain from the credentials
> "username" field.
>
> In the future I would like to talk about the credentials username field
> format (just SIP username, username@domain or sip:username@domain).
> IMHO in a multidomain system phones should authenticate
> themselves by using the whole AoR (including the "sip:" schema) in the
> "username" field of the credentials.
>
>
> Regards.
>
>
>    

-- 
Daniel-Constantin Mierla
http://www.asipto.com/
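
Added example, not part of the original thread and not Kamailio or SER code: a Python sketch of RFC 2617 digest verification (no qop) showing why a precomputed HA1 is bound to the realm it was provisioned with, while a server that holds the password can verify against a shared realm and take user and domain from the credentials "username". The realm "sip-proxy", the password and the table names are constructed assumptions.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def ha1(username, realm, password):
    # RFC 2617: HA1 = MD5(username ":" realm ":" password)
    return md5_hex(f"{username}:{realm}:{password}")

def digest_response(ha1_hex, nonce, method, uri):
    # Response without qop: MD5(HA1 ":" nonce ":" HA2), HA2 = MD5(method ":" uri)
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{ha2}")

# Constructed sample data, keyed by (user, domain).
PASSWORDS = {("alice", "example.org"): "s3cret"}
# Precomputed HA1 rows: the realm was fixed to the domain at provisioning time.
STORED_HA1 = {k: ha1(k[0], k[1], pw) for k, pw in PASSWORDS.items()}

def phone_credentials(username, realm, password, nonce, method, uri):
    # What a phone would send back after being challenged with `realm`.
    resp = digest_response(ha1(username, realm, password), nonce, method, uri)
    return {"username": username, "realm": realm, "uri": uri, "response": resp}

def verify_stored_ha1(creds, nonce, method):
    # Lookup uses the realm of the request as the domain, so only the
    # realm baked into the stored hash can ever match.
    row = STORED_HA1.get((creds["username"], creds["realm"]))
    if row is None:
        return False
    expected = digest_response(row, nonce, method, creds["uri"])
    return hmac.compare_digest(expected, creds["response"])

def verify_with_password(creds, nonce, method):
    # Shared realm: user and domain are parsed from the credentials username,
    # and HA1 is computed on the fly with the exact username the phone sent.
    name = creds["username"]
    if name.startswith("sip:"):
        name = name[4:]
    user, _, domain = name.partition("@")
    password = PASSWORDS.get((user, domain))
    if password is None:
        return False
    h = ha1(creds["username"], creds["realm"], password)
    expected = digest_response(h, nonce, method, creds["uri"])
    return hmac.compare_digest(expected, creds["response"])
```
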



