[SR-Users] Dialogs not removed from memory, and occasionally persistent in DB as well

Øyvind Kolbu oyvind.kolbu at usit.uio.no
Wed Jan 18 13:46:15 CET 2012 

On 2012-01-17 at 23:47, Timo Reimann wrote:
> Hey Øyvind,
> Am 17.01.2012 um 13:41 schrieb Øyvind Kolbu:
> >
> > Then in the main route:
> >
> >        if !allow_trusted() {
> >                route(AUTH);
> >        }
> >
> >        if (is_method("INVITE")) {
> >            setflag(3);
> >            dlg_manage();
> >
> >            if ($avp(s:f_uid) != $null) {
> >                set_dlg_profile("busy","$avp(s:f_uid)");
> >                get_profile_size("busy", "$avp(s:f_uid)",
"$var(dlg_busy)");
> >                xlog("L_INFO", "BUSY: f_uid: $avp(s:f_uid), dlg_busy:
$var(dlg_busy)\n");
> >            }
> >        }
> >
> > $avp(s:f_uid) is set in route(AUTH), so it will catch calls
originating from one of
> > our users.
>
> Do you possibly start to track dialogs before they are authenticated and
> reply to unauthenticated INVITEs with 407 statelessly? IIRC, that causes
> dialogs to dangle in state 1 ("unconfirmed") because the module requires
> statefulness to operate and conclude dialog tracking properly.

No, we only do dlg_manage() after route(AUTH), as seen above.

Our route[AUTH] is below, slightly redacted, if you can spot any errors.
Worth mentioning is that both trusted calls, from our Nortel pbx, and calls
initiated from voip phones get stuck in the dialog memory.

# Route AUTH - LDAP authentication for hardphones REGISTER and INVITE
route[AUTH] {
        # if (isflagset(1)) {
                # xlog("L_INFO", "ROUTE AUTH: Au length $(aU{s.len}) \n");
        # }

        $var(digauth) = $aU + "x";
        if ($var(digauth) == "x") {
                if (is_method("REGISTER")) {
                        www_challenge("uio.no","1");
                } else {
                        proxy_challenge("uio.no","1");
                }
                exit;
        }

        # ldap search to authenticate the request
        $var(res) =
ldap_search("ldap://ldapprod/cn=clients,cn=voip,dc=uio,dc=no?sipMacAddress,sipSecret,sipVoipAddressDN,uid?one?(&(objectclass=sipClient)(|(sipMacAddress=$aU)(uid=$aU)))");
        if (!$var(res)) {
                switch ($retcode) {
                        case -1:
                                # no LDAP entry found
                                xlog("L_INFO", "LDAPAUTH: no ldap entry
found for $aU\n");
                                sl_send_reply("404", "User Not Found");
                                exit;
                        case -2:
                                # internal error
                                xlog("L_INFO", "LDAPAUTH: (ldap) internal
server error\n");
                                sl_send_reply("500", "Internal server
error");
                                exit;
                        default:
                                xlog("L_INFO", "LDAPAUTH: (ldap) found
$var(res) entries\n");
                }
        }

        # Pick from the first entry
        # First try hardphone
        if (!ldap_result("sipMacAddress/$avp(s:username)")) {
                ldap_result("uid/$avp(s:username)");
        }
        ldap_result("sipSecret/$avp(s:password)");
        ldap_result("sipVoipAddressDN/$avp(s:voipdn)");

        if (is_method("INVITE")) {
                $avp(s:f_uid) = $(avp(s:voipdn){param.value,uid});
        }

        if (is_method("REGISTER")) {
                if(!pv_www_authenticate("uio.no", "$avp(s:password)","0")) {
                        xlog("L_WARN", "ROUTE AUTH: FAILED authentication
on REGISTER for username: $avp(s:username)\n");
                        www_challenge("uio.no","1");
                        exit;
                }
                if (isflagset(1)) {
                        xlog("L_INFO", "LDAPAUTH: Successful
authentication. Username $avp(s:username)\n");
                }
                return(1);
        }
        if(!pv_proxy_authenticate("uio.no", "$avp(s:password)", "0")) {
                proxy_challenge("uio.no","1");
                exit;
        }
        append_hf("UIO-edge-auth-uid: $avp(s:username)\r\n");
        /* Now, remove credentials before passing the message on */
        consume_credentials();

        if (is_method("INVITE")) {
                ldap_search("ldap://ldapprod/cn=uris,cn=voip,dc=uio,dc=no?voipExtensionUri,cn,voipE164Uri?one?(&(objectClass=voipAddress)(uid=$avp(s:f_uid)))");
                ldap_result("voipExtensionUri/$avp(s:f_exten)");
                ldap_result("cn/$avp(s:f_name)");
                ldap_result("voipE164Uri/$avp(s:f_e164)");
                $avp(s:f_num) = "sip:" +
$(avp(s:f_e164){uri.user}{s.strip,3}) + "@uio.no";
                append_hf("P-Asserted-Identity: $avp(s:f_name)
<$avp(s:f_e164)>\r\n");
                # append_hf("Remote-Party-ID: \"$avp(s:f_name)\"
<$avp(s:f_exten)>;privacy=off;screen=no\r\n");
        }
}


> If that's the case, you have two options: Either return 407's statefully,
> or defer dialog tracking until dialogs are authenticated. The former may
> impose a security risk, the latter may (depending on your situation)
> limit your dialog tracking needs.

We don't need dialog tracking until either a call is authenticated or it
trusted, so that is fine our situation.

Our Kamailio has a tendency to send double replies for a request, e.g. two
200 OK for a single REGISTER. Most likely this is relevant to the
dialog-module
being confused.

-- 
Øyvind Kolbu

More information about the sr-users mailing list