[OpenSER-Users] authorization problems with multiple servers

[Ben Smithurst]

I wrote:

> We have a problem with clients authorizing (whether for INVITE or
> REGISTER) against a pair of openser servers, served via either round
> robin A records, or multiple equal preference SRV records.
> 
> The problem in a nutshell is
> 
> client sends INVITE to server 1
> server 1 replies with authorization challenge
> client sends INVITE with auth to server 2
> server 2 doesn't like the 'nonce' value
> 
> Now, this only happens via our nat proxy, as far as we can tell, so I
> think the problem lies there (and I have contacted the vendor of that
> system).  However I wonder if there is any way to make openser work in
> such a setup, in case other client do the same thing (which IMO is quite
> a stupid thing to do) ... would the valid 'nonce' values need to be
> stored in the DB?
> 
> Incidentally we are using mysql authentication and we are using usrloc
> in db_mode 3, with both openser machines pointed at the same mysql
> server.  We're using a pretty recent openser SVN revision (dev15).

For the record, and the benefit of anyone searching the archives for a
similar problem, I was being stupid.  Sorry to bother you all....

I read the code and found a bit more.  So, nonce values are not stored
at all as far as I can tell, this was actually my initial thought about
nonce values, I just couldn't work out why it wouldn't work across
multiple servers.

Turns out the default setup in openser (quite reasonably) is for the
secret string used in generating the nonce to be generated at run time.
If you use multiple servers it seems necessary to explicitly set the
secret the same on all servers

modparam("auth", "secret", "blah")

I wonder if it is worth putting a note about this multiple server issue
in the documentation for the 'secret' parameter - might just help people
googling/reading docs to solve the problem. :-)

cheers
-ben

-- 
Ben Smithurst
http://www.bensmithurst.com/