[Serusers] multi-domain support with one SER-2

Lambert, Micheline (Satnet) Lambert.M at emssatnet.com
Thu Sep 29 15:21:04 CEST 2005


Hi,
 

I'm new to SER; I have been using it since August 2005.
 

I'm using ser v0.9.3 and mysql v4.1.13.
 

I use SER with two domains: 192.168.20.55 and 192.168.20.155.

Some users are configured in the subscriber table of the SER database with domain
192.168.20.55, and

other users are configured in the same subscriber table of the SER database with
domain 192.168.20.155.

 

I understand that users from domain 192.168.20.55 cannot talk to users in
domain 192.168.20.155. Is that right?

 

I have the following problem: 

Users from domain 192.168.20.55 can make calls to PBX/PSTN, but users from
domain 192.168.20.155 cannot.

A 403 Forbidden response is sent to those users.

 

Here is the sequence:

<- INVITE

-> 407 Proxy Authentication Required

<-ACK

<-INVITE

->100 Trying

->403 Forbidden

<-ACK

->403 Forbidden

<-ACK

->403 Forbidden

<-ACK

 

I would like to know if there is a need to have two databases for the
multi-domain support with one SER?


Micheline Lambert

I included a part of my ser.cfg file

 

#

# $Id: ser.cfg,v 1.25.2.1 2005/02/18 14:30:44 andrei Exp $

#

# simple quick-start config script

#

 

...

 

# Two listen addresses; the poster uses each address as a separate SIP domain.
listen=192.168.20.55

listen=192.168.20.155 # support multi-domains

 

 

# ------------------ module loading ----------------------------------

 

# Uncomment this if you want to use SQL database

loadmodule "/usr/local/lib/ser/modules/mysql.so"

 

loadmodule "/usr/local/lib/ser/modules/sl.so"

loadmodule "/usr/local/lib/ser/modules/tm.so"

loadmodule "/usr/local/lib/ser/modules/rr.so"

loadmodule "/usr/local/lib/ser/modules/maxfwd.so"

loadmodule "/usr/local/lib/ser/modules/usrloc.so"

loadmodule "/usr/local/lib/ser/modules/registrar.so"

loadmodule "/usr/local/lib/ser/modules/textops.so"

 

# Uncomment this if you want digest authentication

# mysql.so must be loaded !

loadmodule "/usr/local/lib/ser/modules/auth.so"

loadmodule "/usr/local/lib/ser/modules/auth_db.so"

loadmodule "/usr/local/lib/ser/modules/uri_db.so"

 

# load the group module to use the is_user_in() function

loadmodule "/usr/local/lib/ser/modules/group.so"

 

# load the acc module for accounting

loadmodule "/usr/local/lib/ser/modules/acc.so"

 

# new module for multi-domain support
# NOTE(review): none of the routes shown in this excerpt call a function
# from this module, and no modparam for it appears here, so loading it
# alone presumably changes nothing -- confirm against the domain module docs.

loadmodule "/usr/local/lib/ser/modules/domain.so"

 

# ----------------- setting module-specific parameters ---------------

 

# -- usrloc params --

 

 

# NOTE(review): the database account and password are embedded in these
# URLs, and "heslo" looks like the stock password from SER's setup
# scripts -- confirm, change it, and keep ser.cfg readable only by the
# account SER runs as.
modparam("auth_db|uri_db|usrloc", "db_url",
"mysql://ser:heslo@localhost/ser")

 

modparam("acc", "db_url", "mysql://ser:heslo@localhost/ser")

 

# NOTE(review): use_domain is set for usrloc and registrar only. The group
# and uri_db modules have their own use_domain parameter; with two domains
# sharing one table, check whether they should match on user and domain
# as well. No db_url is set in this excerpt for the group or domain modules.
modparam("usrloc|registrar", "use_domain", 1)

 

# -- auth params --

# Uncomment if you are using auth module

#
# NOTE(review): with calculate_ha1 = 1 the module computes HA1 from the
# plaintext value in password_column, so the subscriber table holds
# cleartext passwords. Storing precomputed HA1 values instead limits what
# a database leak exposes -- verify the column setup in the auth_db docs.

modparam("auth_db", "calculate_ha1", 1)

#

# If you set the "calculate_ha1" parameter to yes (which is true in this config),

# uncomment also the following parameter

#

modparam("auth_db", "password_column", "password")

 

 

#modparam("usrloc", "db_mode",   0)

# Uncomment this if you want to use SQL database

# for persistent storage and comment the previous line

modparam("usrloc", "db_mode", 2)

 

 

# -- rr params --

# add value to ;lr param to make some broken UAs happy

modparam("rr", "enable_full_lr", 1)

 

 

# -- acc params --

# set the reporting log level

modparam("acc", "log_level", 1)

# number of the flag which will be used for accounting; if a message

# is labeled with this flag, its completion status will be reported

modparam("acc", "log_flag", 1)

 

modparam("acc", "db_flag", 1)

modparam("acc", "report_cancels", 1)

 

# -------------------------  request routing logic -------------------

 

# main routing logic

 

# Main request route. The order of the sections matters: sanity checks,
# accounting flag, record-route, loose-route, then dispatch on the
# request URI and method.
route{

 

            # ------------------------------------------------------------------
            # Sanity Check Section
            # ------------------------------------------------------------------
            # Initial sanity checks: reject messages whose Max-Forwards is
            # exhausted and messages of 2048 bytes or more.

            if (!mf_process_maxfwd_header("10")) {

                        sl_send_reply("483","Too Many Hops");

                        break;

            };

            if (msg:len >=  2048 ) {

                        sl_send_reply("513", "Message too big");

                        break;

            };

 

            

            # ------------------------------------------------------------------
            # Label all transactions for accounting (flag 1 is the value
            # given to the acc log_flag and db_flag module parameters).
            # ------------------------------------------------------------------

            log(1, "++++    labeled all transactions for accounting\n");

            setflag(1);

 

            # ------------------------------------------------------------------
            # Record Route Section
            # ------------------------------------------------------------------
            # we record-route all messages except REGISTER -- to make sure
            # that subsequent messages will go through our proxy; that's
            # particularly good if upstream and downstream entities
            # use different transport protocols

            if (!method=="REGISTER") record_route();           

 

            # ------------------------------------------------------------------
            # Loose Route Section
            # ------------------------------------------------------------------
            # subsequent messages within a dialog should take the
            # path determined by record-routing

            if (loose_route()) {

                        # mark routing logic in request

                        append_hf("P-hint: rr-enforced\r\n"); 

                        route(1);

                        break;

            };

 

            # ------------------------------------------------------------------
            # Call Type Processing
            # ------------------------------------------------------------------
            # NOTE(review): a request whose URI host is not one of our own
            # addresses is relayed here before any authentication or group
            # check runs. As far as this excerpt shows, that includes
            # requests addressed to the VoIP gateway's own address, so the
            # class-of-service rules in route[3] never see them. Consider
            # authenticating (or restricting by source) before relaying to
            # foreign hosts.

            if (!uri==myself) {

                        # mark routing logic in request

                        append_hf("P-hint: outbound uri!=myself\r\n"); 

                        route(1);

                        break;

            };

 

            # Requests addressed to one of our own addresses: INVITE goes to
            # route[3], REGISTER to route[2]; every other method falls
            # through to the alias lookup below and is relayed.

            if (uri==myself) {

 

                        if (method=="INVITE") {

                                    route(3);

                                    break;

                        } else if (method=="REGISTER") {

                                    route(2);

                                    break;

                        };

                        

                        lookup("aliases");

                        if (!uri==myself) { /* myself = my IP address */

                                    append_hf("P-hint: outbound alias -
uri!=myself\r\n"); 

                                    route(1); /* relay the message */

                                    break;

                        };

                        

                        log(1, "++++    route other SIP
messages???????????????\n");

                        route(1);

            };

}

 

# Relay helper used by the other routes: hand the request to t_relay();
# if the relay fails, answer with sl_reply_error().
route[1] {
            if (!t_relay()) {
                        sl_reply_error();
            };
}

 

 

# REGISTER handling: digest-authenticate the registrant against the
# "subscriber" table, check the To header with check_to(), then store the
# contact in the "location" table.
route[2] 

{

            sl_send_reply("100", "Trying");

            

            log(1, "====    www_authorize\n");

            # validate the authentication of the user
            # NOTE(review): the empty realm argument presumably lets the
            # module take the realm from the request, which a per-domain
            # setup depends on -- confirm against the auth_db docs.

            if (!www_authorize("", "subscriber")) {

                        log(1, "====    send 401 Unauthorized\n");

                        www_challenge("", "0");  # send back 401 Unauthorized message

                        break;                   # ask for another registration with auth.

            };

            

            # Reject a REGISTER whose To user does not match the
            # authenticated credentials, so that one subscriber cannot
            # register contacts on behalf of another.

            if (!check_to()) {

                        sl_send_reply("401", "Unauthorized 2");

                        break;

            };

            

            log(1, "====    remove Authorization line\n");

            consume_credentials(); # remove Authorization digest info from message

            

            # save the user in the location table

            log(1, "====    save location and send Ok\n");

            if (!save("location")) { # save the user in the location table, send Ok message

                        sl_reply_error();

            };

 

}

 

 

# INVITE handling for requests addressed to this proxy: numeric-URI check,
# an unauthenticated path for the VoIP gateway (selected by source IP),
# digest authentication for every other sender, then class-of-service
# checks by dialled prefix and group membership.
# NOTE(review): this route answers 403 from many different places; only
# the reason phrase tells them apart, so capture it when debugging.
route[3] 

{

            # NOTE(review): " at " in this pattern is most likely the list
            # archive's address obfuscation of "@"; the other patterns in
            # this route use "@". The patterns in this route are also
            # unanchored (no leading "^"); anchoring them keeps each prefix
            # check tied to the start of the request URI.
            if (!uri=~"sip:\+?[0-9]+ at .*") {

                        log(1, "----    call cannot be serverd here - not
numeric uri\n");

                        sl_send_reply("403", "Call cannot be served here");

                        break;

            }

 

            #
            # Check whether this is an incoming call from the gateway
            #
            # NOTE(review): the gateway is trusted purely on source IP and
            # skips digest authentication. If SIP runs over UDP here, a
            # source address is not proof of origin; make sure traffic
            # claiming that address cannot reach the proxy from elsewhere
            # (network filtering), or authenticate the gateway as well.

            if (src_ip==192.168.20.105) { # address of VoIP Gateway

                        #
                        # INCOMING call from VoIP Gateway
                        #

                        log(1, "----    Incoming calls from VoIP
Gateway\n");

                        if (lookup("location")) {

                                    #
                                    # dest user registered !
                                    #

                                    log(1, "----    dest user registered -
relay the message\n");

                                    route(1);

                                    break;

                        } else {

                                    #
                                    # dest user not registered (not part of location table)
                                    #

                                    log(1, "----    dest user NOT registered
\n");

                                    sl_send_reply("403", "User not Found");

                                    break;

                        };

            };

            

            #
            # Calls received from ATA
            #

            log(1, "----    call received from ATA\n");

            

            #
            # Authenticate the calling user (digest, "subscriber" table).
            # check_from() then ties the From user to those credentials;
            # the is_user_in("From", ...) checks below rely on that.
            #

            log(1, "----    proxy_authorize()\n");

            if (!proxy_authorize("", "subscriber")) {

                        log(1, "----    src user NOT authenticated\n");

                        proxy_challenge("", "0");

                        break;

            } else if (!check_from()) {

                        sl_send_reply("403", "Use From=ID");

                        break;

            };

            log(1, "----    src user authenticated\n");

            #
            # remove Authorization line if necessary
            #

            log(1, "----    remove proxy-authorization line\n");

            consume_credentials();

            

 

            #
            # is it necessary ????
            #

            lookup("aliases");

            if (uri!=myself) {

                        log(1, "----    Relay message because uri !=
myself\n");

                        append_hf("P-hint: outbound alias -
uri!=myself\r\n"); 

                        route(1);

                        break;

            };

            

            #
            # Validate destination calls. Rule order matters: the "31"
            # rule must stay ahead of the broader "3" rule.
            #
            # NOTE(review): whether is_user_in() matches on the username
            # alone or on username plus domain depends on the group
            # module's use_domain setting, which this excerpt does not
            # set. With two domains in one table, verify that a user in
            # one domain cannot inherit the groups of a same-named user in
            # the other.

            if (uri=~"sip:31[0-9]*@.*") { # user part starts with "31", followed by digits 0-9

                        #
                        # Local IP calls
                        #

                        log(1, "----    local IP calls\n");

                        if (is_user_in("From", "local")) { # source user part of local group?

                                    #
                                    # src part of local group, relay the message
                                    #

                                    log(1, "----    src part of local
group\n");

                                    if (lookup("location")) { # dest user registered ?

                                                #
                                                # User registered in location table
                                                #

                                                log(1, "----    dest user
registered\n");

                                                log(1, "----    dest = local
ATA\n");

                                                route(1); /* relay the message */

                                                break;

                                    } else {

                                                log(1, "----    dest user
NOT registered \n");

                                                sl_send_reply("403", "User
not Found");

                                                break;

                                    };

                        } else {  

                                    log(1, "----    src NOT part of local
group\n");

                                    sl_send_reply("403", "No Permission for
local calls");

                                    break;

                        };

            };

            

            #
            # Local PBX calls
            #

            if (uri=~"sip:3[0-9]*@.*") { # user part starts with "3", followed by digits 0-9

                        #
                        # Local PBX calls
                        #

                        log(1, "----    local PBX calls\n");

                        if (is_user_in("From", "local")) { # source user part of local group?

                                    #
                                    # src part of local group, forward the message to the gateway
                                    #

                                    log(1, "----    src part of local
group\n");

                                    log(1, "----    forward message to VoIP
Gateway\n");

                                    rewritehostport("192.168.20.105:5060");

                                    forward(192.168.20.105, 5060);

                                    break;

                        } else {  

                                    log(1, "----    src NOT part of local
group\n");

                                    sl_send_reply("403", "No Permission for
local calls");

                                    break;

                        };

            };

            

            if (uri=~"sip:9[2-9][0-9]*@.*") { /* "9", then one digit 2-9, then digits 0-9 */

                        #
                        # Free PSTN calls
                        #

                        log(1, "----    free PSTN calls\n");

                        if (is_user_in("From", "free-pstn")) { # source user part of free-pstn group?

                                    #
                                    # src part of free-pstn group, forward the message
                                    #

                                    log(1, "----    forward message to VoIP
Gateway\n");

                                    rewritehostport("192.168.20.105:5060");

                                    forward(192.168.20.105, 5060);

                                    break;

                        } else {

                                    log(1, "----    src NOT part of
free_pstn group\n");

                                    sl_send_reply("403", "No Permission for
free PSTN calls");

                                    break;

                        };

            };

 

            if (uri=~"sip:91[2-9][0-9]*@.*") { /* "91", then one digit 2-9, then digits 0-9 */

                        #
                        # Long distance PSTN calls
                        #

                        log(1, "----    long distance calls\n");

                        if (is_user_in("From", "ld")) { # source user part of ld group?

                                    #
                                    # src part of ld group, forward the message
                                    #

                                    log(1, "----    forward message to VoIP
Gateway\n");

                                    rewritehostport("192.168.20.105:5060");

                                    forward(192.168.20.105, 5060);

                                    break;

                        } else {

                                    log(1, "----    src NOT part of long
ddistance (ld) group\n");

                                    sl_send_reply("403", "No Permission for
long distance calls");

                                    break;

                        };

            };

            

            if (uri=~"sip:9011[0-9]*@.*") { /* "9011", then digits 0-9 */

                        #
                        # International calls
                        #

                        log(1, "----    international calls\n");

                        if (is_user_in("From", "int")) { # source user part of int group?

                                    #
                                    # src part of international group, forward the message
                                    #

                                    log(1, "----    forward message to VoIP
Gateway\n");

                                    rewritehostport("192.168.20.105:5060");

                                    forward(192.168.20.105, 5060);

                                    break;

                        } else {

                                    log(1, "----    src NOT part of
international (int) group\n");

                                    sl_send_reply("403", "No Permission for
international calls");

                                    break;

                        };

            };

            

            #
            # Invalid calls: no prefix rule matched, so refuse by default
            #

            log(1, "----    call NOT authorized\n");

            sl_send_reply("403", "Call not Authorized");

 

}



