[SR-Users] auth_db authorize realm

[Daniel-Constantin Mierla]

On 5/6/10 11:31 PM, Alex Balashov wrote:
> There is a peculiar and confusing aspect to the documented 
> significance of the "realm" argument to www_authorize(), and 
> presumably proxy_authorize() as well.
>
> The documentation says that if this value is empty, the digest realm 
> will be generated from the domain part of the To or From URI, 
> whichever is applicable to the given situation (REGISTER vs. any other 
> request).  This is the way *_authorize() is invoked in most cases, and 
> works fine.
>
> However, we recently ran into a situation where www_authorize() would 
> always fail and claim that it could not find the user in 'subscriber' 
> despite being provided correct username and domain, with the 
> appropriate options -- return value -1.  We were sending the public 
> host IP as the domain of the To URI, using it as the realm, and 
> setting it in the domain column of the 'subscriber' table.  The 
> problem was, the public IP of the host was not in /etc/hosts -- 
> /etc/hosts consisted solely of:
>
>    127.0.0.1  localhost.localdomain localhost
>
> For some reason, it wasn't until I added the public IP into it that 
> www_authorize() started working properly:
>
>    127.0.0.1          localhost.localdomain
>    xxx.xxx.xxx.xxx    public_host.domain.tld public_host
>
> I don't see anything different in the anatomy of the 401 Unauthorized 
> challenges;  the realm is still xxx.xxx.xxx.xxx in both cases.  It 
> just seems that unless Kamailio detects a DNS reverse alias for the 
> domain, it won't properly authenticate requests.
>
> This aspect of the behaviour is not documented, and I am also confused 
> as to why it happens this way.  Any clarification would be appreciated.
>
should be no relation between dns and realm, realm is practically just a 
token.

Can you ngrep the sql traffic to see the query and if the record is 
returned to auth db module?

Cheers,
Daniel

-- 
Daniel-Constantin Mierla
* http://www.asipto.com/