[Serusers] Help with authorization
Steve Blair
blairs at isc.upenn.edu
Fri Apr 22 16:16:40 CEST 2005
Jan Janak wrote:
>On 21-04 21:08, Steve Blair wrote:
>
>
>> I have a working 0.9.1 config to which I would like add server side
>>features such as call forward all (cfwdall). I have a pretty good idea
>>how to handle cfwdall using avp_ops however I'm stuck on the
>>authentication.
>>
>> If a subscriber has local calling permissions (acl=local) and cfwdall
>>their phone to a long distance number I need to respond with an
>>informative response.
>>
>> In the INVITE processing in my config I have statements such as:
>>
>> if (is_user_in("credentials", "ld")) {
>> setflag(11);
>> };
>>
>> These checks fail with the following errors:
>>
>> Apr 21 18:31:53 ser[498]: [SER]: AVP: Checking From gateway caller
>> Apr 21 18:31:53 ser[498]: check_username(): No authorized credentials
>>found (error in scripts)
>> Apr 21 18:31:53 ser[498]: check_username(): Call {www,proxy}_authorize
>>before calling
>> check_* function !
>> Apr 21 18:31:53 ser[498]: [SER]: Flag for UMVM redirect successful.
>> Apr 21 18:31:53 ser[498]: [SER]: AVP: Checking credentials
>> Apr 21 18:31:53 ser[498]: is_user_in(): No authorized credentials
>>found (error in scripts)
>>
>>
>
> Checking the username without authentication does not make much sense
> because the user could fake the contents of the header field. That's
> why check_* functions require authorized credentials to be present.
>
>
>
>> I thought adding proxy_authorize("", "subscriber")), check_to and
>>check_from calls prior
>>to the is_user_in check would address these errors but that hasn't
>>worked either.
>>
>> If I want to set a flag if the caller is an authorized subscriber,
>>the callee is an
>>authorized subscriber and then use "is_user_in" to determine if the
>>called party has
>>a particular credential what am I missing?
>>
>>
>
> I am not sure I understand "the callee is an authorized subscriber".
> Digest authentication can only be performed for the caller, not the
> callee, because there is no way of challenging the callee.
>
>
>
Perhaps I am missing the obvious. That is why I posted this message.
When I wrote I was
thinking: Suppose someone calling in from the PSTN via a gateway calls
a subscriber that has
setup call forwarding all to a PSTN number.
I need to know that this subscriber can indeed place calls to the PSTN
(either local, long distance
or international) before rewriting the called address and allowing the
call to proceed. I was assuming
is_user_in was appropriate for this type of checking but that fails.
> Jan.
>
>
More information about the sr-users
mailing list