[SR-Users] auth_db authorize realm
Alex Balashov
abalashov at evaristesys.com
Thu May 6 23:31:06 CEST 2010
There is a peculiar and confusing aspect to the documented
significance of the "realm" argument to www_authorize(), and
presumably proxy_authorize() as well.
The documentation says that if this value is empty, the digest realm
will be generated from the domain part of the To or From URI,
whichever is applicable to the given situation (REGISTER vs. any other
request). This is the way *_authorize() is invoked in most cases, and
works fine.
However, we recently ran into a situation where www_authorize() would
always fail and claim that it could not find the user in 'subscriber'
despite being provided correct username and domain, with the
appropriate options -- return value -1. We were sending the public
host IP as the domain of the To URI, using it as the realm, and
setting it in the domain column of the 'subscriber' table. The
problem was, the public IP of the host was not in /etc/hosts --
/etc/hosts consisted solely of:
127.0.0.1 localhost.localdomain localhost
For some reason, it wasn't until I added the public IP into it that
www_authorize() started working properly:
127.0.0.1 localhost.localdomain
xxx.xxx.xxx.xxx public_host.domain.tld public_host
I don't see anything different in the anatomy of the 401 Unauthorized
challenges; the realm is still xxx.xxx.xxx.xxx in both cases. It
just seems that unless Kamailio detects a DNS reverse alias for the
domain, it won't properly authenticate requests.
This aspect of the behaviour is not documented, and I am also confused
as to why it happens this way. Any clarification would be appreciated.
--
Alex Balashov - Principal
Evariste Systems LLC
1170 Peachtree Street
12th Floor, Suite 1200
Atlanta, GA 30309
Tel: +1-678-954-0670
Fax: +1-404-961-1892
Web: http://www.evaristesys.com/
More information about the sr-users
mailing list