[SR-Users] auth_db authorize realm

Alex Balashov abalashov at evaristesys.com
Thu May 6 23:31:06 CEST 2010


There is a peculiar and confusing aspect to the documented 
significance of the "realm" argument to www_authorize(), and 
presumably proxy_authorize() as well.

The documentation says that if this value is empty, the digest realm 
will be generated from the domain part of the To or From URI, 
whichever is applicable to the given situation (REGISTER vs. any other 
request).  This is the way *_authorize() is invoked in most cases, and 
works fine.

However, we recently ran into a situation where www_authorize() would 
always fail and claim that it could not find the user in 'subscriber' 
despite being provided correct username and domain, with the 
appropriate options -- return value -1.  We were sending the public 
host IP as the domain of the To URI, using it as the realm, and 
setting it in the domain column of the 'subscriber' table.  The 
problem was, the public IP of the host was not in /etc/hosts -- 
/etc/hosts consisted solely of:

    127.0.0.1  localhost.localdomain localhost

For some reason, it wasn't until I added the public IP into it that 
www_authorize() started working properly:

    127.0.0.1          localhost.localdomain
    xxx.xxx.xxx.xxx    public_host.domain.tld public_host

I don't see anything different in the anatomy of the 401 Unauthorized 
challenges;  the realm is still xxx.xxx.xxx.xxx in both cases.  It 
just seems that unless Kamailio detects a DNS reverse alias for the 
domain, it won't properly authenticate requests.

This aspect of the behaviour is not documented, and I am also confused 
as to why it happens this way.  Any clarification would be appreciated.

-- 
Alex Balashov - Principal
Evariste Systems LLC
1170 Peachtree Street
12th Floor, Suite 1200
Atlanta, GA 30309
Tel: +1-678-954-0670
Fax: +1-404-961-1892
Web: http://www.evaristesys.com/



More information about the sr-users mailing list