[OpenSER-Users] fail to authenticate INVITE messages

antalsia at free.fr antalsia at free.fr
Tue Mar 4 13:36:50 CET 2008


Hi all,

Wengophone and Ekiga under Linux both send an INVITE request with a SIP FROM URI
user at myipaddress... With Wengophone under Windows, I get user at sipdomain!
Unfortunately, I still cannot authenticate the INVITE message even by inserting
pv_proxy_authorize("sipdomain"). Any idea?


Quoting antalsia at free.fr:

> Hi daniel,
>
> Same result when I call pv_proxy_authorize() function with our SIP domain. It
> always returns false. When I dump SIP packet with tshark, the SIP user & domain
> are not visible inside the INVITE request... Quite strange... the SIP URI is
> composed of my local Linux user and the domain is my local IP address. I'm using
> Ekiga 2.0.11 and my user is registered! I'll try with another UA.
>
> Regards,
>
>
> Quoting Daniel-Constantin Mierla <miconda at gmail.com>:
>
> > Hello,
> >
> > for INVITE you have to use pv_proxy_authorize("")
> > http://www.openser.org/docs/modules/1.3.x/auth.html#AEN281
> >
> >
> > The problem is that the domain part for the URI of the user you want to
> > authenticate does not match the value from the realm attribute of
> > authorization header. Pasting the SIP message will help to give clear
> > indications.
> >
> > Cheers,
> > Daniel
> >
> >
> > On 02/29/08 18:07, antalsia at free.fr wrote:
> > > Hi all,
> > >
> > > I'm trying to authenticate INVITE messages with OpenSER 1.3.0 (SIP Proxy +
> > > RTPPROXY) and LDAP module. Although REGISTER authentication works well, I cannot
> > > check user authorization for INVITE messages. I'm using an openser.cfg
> > > configuration template from sipwise (see an extract below).
> > >
> > > pv_proxy_authorize() routine always returns false, even if my user is registered
> > > and authenticated through our OpenLDAP. Can you tell me what I'm doing wrong?
> > >
> > > Many thanks,
> > >
> > >
> > > ---------------------------
> > > openser.cfg
> > > ---------------------------
> > >
> > >
> > > route {
> > >
> > >    ...
> > >    if(is_method("REGISTER"))
> > >         {
> > >                 route(2);
> > >         }
> > >    if(is_method("INVITE"))
> > >         {
> > >                 route(4);
> > >         }
> > >
> > >    ...
> > >
> > > }
> > >
> > > ########################################################################
> > > # Request route 'base-route-register'
> > > ########################################################################
> > > route[2]
> > > {
> > >         sl_send_reply("100", "Trying");
> > >
> > >
> > > >                         if(is_present_hf("Authorization")||is_present_hf("Proxy-Authorization"))
> > > >                         {
> > > >
> > > >                                 xlog("L_INFO", "is_present_hf Authorization or Proxy-Authorization\n");
> > > >
> > > >                                 if (!ldap_search("ldap://blabla/blabla?uid,userPassword?sub?(uid=$fU)")) {
> > > >                                         switch ($retcode) {
> > > >                                                 case -1:
> > > >                                                 # no LDAP entry found
> > > >                                                 xlog("L_INFO", "Ldap user not found\n");
> > > >                                                 sl_send_reply("404", "User Not Found");
> > > >                                                 exit;
> > > >                                                 case -2:
> > > >                                                 # internal error
> > > >                                                 xlog("L_INFO", "Internal server error during authentication\n");
> > > >                                                 sl_send_reply("500", "Internal server error");
> > > >                                                 exit;
> > > >                                                 default:
> > > >                                                 exit;
> > > >                                         }
> > > >                                 }
> > > >
> > > >                                 ldap_result("uid/$avp(s:username)");
> > > >                                 ldap_result("userPassword/$avp(s:password)");
> > >                         }
> > >
> > >
> > >         if(!pv_www_authorize(""))
> > >         {
> > >
> > > >                 xlog("L_INFO", "Register authentication failed - M=$rm RURI=$ru F=$fu T=$tu IP=$si ID=$ci\n");
> > >                 www_challenge("mydomain", "1");
> > >                 exit;
> > >         }
> > >
> > >
> > >         if(!check_to())
> > >         {
> > >
> > > >                 xlog("L_INFO", "Spoofed To-URI detected - M=$rm RURI=$ru F=$fu T=$tu IP=$si ID=$ci\n");
> > >                 sl_send_reply("403", "Spoofed To-URI Detected");
> > >                 exit;
> > >         }
> > >         consume_credentials();
> > >         if(!search("^Contact:[ ]*\*") && nat_uac_test("19"))
> > >         {
> > >                 fix_nated_register();
> > >                 setbflag(6);
> > >         }
> > >         if(!save("location"))
> > >         {
> > >
> > > >                 xlog("L_ERR", "Saving contact failed - M=$rm RURI=$ru F=$fu T=$tu IP=$si ID=$ci\n");
> > >                 sl_reply_error();
> > >                 exit;
> > >         }
> > >
> > > >         xlog("L_INFO", "Registration successful - M=$rm RURI=$ru F=$fu T=$tu IP=$si ID=$ci\n");
> > >         exit;
> > >
> > > }
> > >
> > >
> > > ########################################################################
> > > # Request route 'base-route-invite'
> > > ########################################################################
> > > route[4]
> > > {
> > >         sl_send_reply("100", "Trying");
> > >         if(nat_uac_test("19"))
> > >         {
> > >                 fix_nated_contact();
> > >                 setbflag(6);
> > >         }
> > >
> > >         route(5);
> > > }
> > >
> > >
> > > ########################################################################
> > > # Request route 'invite-find-callee'
> > > ########################################################################
> > > route[5]
> > > {
> > >         if(!is_domain_local("$rd"))
> > >         {
> > >                 setflag(20);
> > >
> > >                 route(7);
> > >         }
> > >         if(does_uri_exist())
> > >         {
> > >
> > > >                 xlog("L_INFO", "Callee is local - M=$rm RURI=$ru F=$fu T=$tu IP=$si ID=$ci\n");
> > >                 route(6);
> > >         }
> > >         else
> > >         {
> > >
> > > >                 xlog("L_INFO", "Callee is not local - M=$rm RURI=$ru F=$fu T=$tu IP=$si ID=$ci\n");
> > >                 route(7);
> > >         }
> > >         exit;
> > >
> > > }
> > >
> > > ########################################################################
> > > # Request route 'invite-to-external'
> > > ########################################################################
> > > route[7]
> > > {
> > >         if(isflagset(20))
> > >         {
> > >
> > > >                 xlog("L_INFO", "Call to foreign domain - M=$rm RURI=$ru F=$fu T=$tu IP=$si ID=$ci\n");
> > > >                 if (!pv_proxy_authorize(""))
> > > >                 {
> > > >                         xlog("L_INFO", "TESTING : NOT AUTHENTICATED !!!!\n");
> > >                 }
> > >                 else
> > >                 {
> > >                         xlog("L_INFO", "TESTING : AUTHENTICATED !!!!\n");
> > >                 }
> > >
> > >                 route(3);
> > >                 exit;
> > >         }
> > >
> > > >         xlog("L_INFO", "Call to unknown user - M=$rm RURI=$ru F=$fu T=$tu IP=$si ID=$ci\n");
> > >         sl_send_reply("404", "User Not Found");
> > >         exit;
> > >
> > > }
> > >
> > >
> > > ---------------------
> > > DEBUG LOGS
> > > ---------------------
> > > > Feb 29 15:33:14 proxy_sip /usr/sbin/openser[5444]: DBG:core:parse_headers: flags=80
> > > > Feb 29 15:33:14 proxy_sip /usr/sbin/openser[5444]: DBG:core:parse_headers: flags=80
> > > > Feb 29 15:33:14 proxy_sip /usr/sbin/openser[5444]: Call to foreign domain - M=INVITE RURI=sip:beacon at columbia.edu F=sip:test at xxxxxxxx T=sip:beacon at columbia.edu IP=xxxxxxx ID=282a363f-5be5-dc11-8272-0015c56ccfaa at xxxxxx
> > > > Feb 29 15:33:14 proxy_sip /usr/sbin/openser[5444]: DBG:core:parse_headers: flags=10000
> > > > Feb 29 15:33:14 proxy_sip /usr/sbin/openser[5444]: DBG:auth:pre_auth: credentials with given realm not found
> > > > Feb 29 15:33:14 proxy_sip /usr/sbin/openser[5444]: TESTING : NOT AUTHENTICATED
> > >
> > >
> > >
> > >
> > > _______________________________________________
> > > Users mailing list
> > > Users at lists.openser.org
> > > http://lists.openser.org/cgi-bin/mailman/listinfo/users
> > >
> >
>
>
>
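
The realm mismatch Daniel describes can be checked offline against a captured request. This is an added example, not part of the original thread or of OpenSER: it derives the realm that an empty-string argument selects (From domain, or To domain for REGISTER, as the auth module documentation states) and compares it with the realm in the credentials header. The sample message, the `check_realm` helper and the case-insensitive comparison are assumptions.

```python
import re

# Constructed sample: the UA puts its own IP in From, while the credentials
# carry the realm it was challenged with.
INVITE = """INVITE sip:bob@example.net SIP/2.0
From: <sip:test@192.0.2.10>;tag=1
To: <sip:bob@example.net>
Proxy-Authorization: Digest username="test", realm="sip.example.org", nonce="abc", uri="sip:bob@example.net", response="0"
"""

def parse_headers(raw):
    """Return (method, {lowercase header name: [values]}) for a SIP request."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header section
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0].split()[0], headers

def uri_domain(header_value):
    """Host part of the sip:/sips: URI in a From or To header value."""
    m = re.search(r"sips?:(?:[^@>;\s]+@)?([^:;>\s]+)", header_value)
    return m.group(1).lower() if m else None

def credential_realms(headers, hf):
    """Realms of all Digest credentials found in header `hf`."""
    realms = []
    for value in headers.get(hf, []):
        m = re.search(r'realm\s*=\s*"([^"]*)"', value, re.I)
        if m:
            realms.append(m.group(1).lower())
    return realms

def check_realm(raw, realm="", hf="proxy-authorization"):
    """Report whether credentials exist for the realm the proxy will look up."""
    method, headers = parse_headers(raw)
    if realm == "":
        # Empty realm: To domain for REGISTER, From domain for everything else.
        src = "to" if method == "REGISTER" else "from"
        realm = uri_domain(headers.get(src, [""])[0]) or ""
    found = credential_realms(headers, hf)
    return {"realm": realm, "credentials": found, "match": realm.lower() in found}

if __name__ == "__main__":
    print(check_realm(INVITE))                     # realm taken from From
    print(check_realm(INVITE, "sip.example.org"))  # explicit realm
```

A `match` of False with a non-empty `credentials` list corresponds to the "credentials with given realm not found" debug line; an empty list means the request carried no credentials at all.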





