[Serusers] Help with authorization

Steve Blair blairs at isc.upenn.edu
Fri Apr 22 16:16:40 CEST 2005



Jan Janak wrote:

>On 21-04 21:08, Steve Blair wrote:
>  
>
>> I have a working 0.9.1 config to which I would like to add server-side
>>features such as call forward all (cfwdall). I have a pretty good idea
>>how to handle cfwdall using avp_ops; however, I'm stuck on the
>>authentication.
>>
>> If a subscriber has local calling permissions (acl=local) and cfwdall
>>their phone to a long distance number I need to respond with an
>>informative response.
>>
>> In the INVITE processing in my config I have statements such as:
>>
>>       if (is_user_in("credentials", "ld")) {
>>         setflag(11);
>>       };
>>
>> These checks fail with the following errors:
>>
>> Apr 21 18:31:53 ser[498]:  [SER]: AVP: Checking From gateway caller
>> Apr 21 18:31:53 ser[498]: check_username(): No authorized credentials found (error in scripts)
>> Apr 21 18:31:53 ser[498]: check_username(): Call {www,proxy}_authorize before calling check_* function !
>> Apr 21 18:31:53 ser[498]: [SER]: Flag for UMVM redirect successful.
>> Apr 21 18:31:53 ser[498]:  [SER]: AVP: Checking credentials
>> Apr 21 18:31:53 ser[498]: is_user_in(): No authorized credentials found (error in scripts)
>>    
>>
>
>  Checking the username without authentication does not make much sense
>  because the user could fake the contents of the header field. That's
>  why check_* functions require authorized credentials to be present.
>
>  
>
>>  I thought adding proxy_authorize("", "subscriber"), check_to and
>>check_from calls prior to the is_user_in check would address these
>>errors but that hasn't worked either.
>>
>>   If I want to set a flag if the caller is an authorized subscriber,
>>the callee is an authorized subscriber and then use "is_user_in" to
>>determine if the called party has a particular credential what am I
>>missing?
>>    
>>
>
>  I am not sure I understand "the callee is an authorized subscriber".
>  Digest authentication can only be performed for the caller, not the
>  callee, because there is no way of challenging the callee.
>
>  
>
  Perhaps I am missing the obvious. That is why I posted this message.
When I wrote I was thinking: Suppose someone calling in from the PSTN
via a gateway calls a subscriber that has set up call forwarding all to
a PSTN number.

  I need to know that this subscriber can indeed place calls to the PSTN
(either local, long distance or international) before rewriting the
called address and allowing the call to proceed. I was assuming
is_user_in was appropriate for this type of checking but that fails.



>    Jan.
>  
>
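
The distinction discussed in this message, as an added SER 0.9.x configuration fragment that is not part of the original thread: caller checks use digest credentials and so need a successful proxy_authorize first, while the forwarding subscriber's permission is a group-table lookup keyed on the Request-URI username before it is rewritten. Assumptions: the gateway address 192.0.2.10, flag 12 and the 403 reason text are placeholders, and the second check sits in the branch where the script has already found a long-distance cfwdall target (that lookup is not shown).

```cfg
# Constructed fragment for the INVITE branch of a SER 0.9.x route block.
# Assumes the auth, auth_db, group and sl modules are loaded.
if (method == "INVITE") {
    if (src_ip == 192.0.2.10) {
        # Placeholder gateway address. A call from the PSTN gateway has
        # no SIP caller to challenge, so no credentials-based check
        # (check_from, is_user_in("Credentials", ...)) may be used here.
        setflag(12);
    } else {
        # SIP caller: challenge first. Only after proxy_authorize
        # succeeds are authorized credentials present, which is what
        # the check_* functions and is_user_in("Credentials") require.
        if (!proxy_authorize("", "subscriber")) {
            proxy_challenge("", "0");
            break;
        };
        if (is_user_in("Credentials", "ld")) {
            setflag(11);
        };
    };

    # Forwarding subscriber = the user in the Request-URI before it is
    # rewritten. The group module reads membership from its table by
    # that username; this is a server-side lookup, not authentication
    # of the callee, so it works for gateway-originated calls too.
    # Place this where the cfwdall target is known to be long distance.
    if (!is_user_in("Request-URI", "ld")) {
        sl_send_reply("403", "Forwarding to this destination not permitted");
        break;
    };

    # ... rewrite the Request-URI to the cfwdall target and relay ...
};
```

Identifying the gateway by source address is itself a trust decision: it holds only if nothing else can send from that address to the proxy.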



