[OpenSER-Users] fail to authenticate INVITE messages

antalsia at free.fr antalsia at free.fr
Fri Feb 29 17:07:25 CET 2008


Hi all,

I'm trying to authenticate INVITE messages with OpenSER 1.3.0 (SIP Proxy +
RTPPROXY) and LDAP module. Although REGISTER authentication works well, I cannot
check user authorization for INVITE messages. I'm using an openser.cfg
configuration template from sipwise (see an extract below).

The pv_proxy_authorize() routine always returns false, even if my user is registered
and authenticated through our OpenLDAP. Can you tell me what I'm doing wrong?

Many thanks,


---------------------------
openser.cfg
---------------------------


# Main request route (excerpt: the "..." lines are parts the poster left out).
# REGISTER requests go to route(2) and INVITE requests to route(4).
# Every path through route[2] ends in exit, so a REGISTER never reaches
# the INVITE test below.
# NOTE(review): no authentication is done here; it is left entirely to the
# sub-routes.
route {

   ...
   if(is_method("REGISTER"))
        {
                route(2);
        }
   if(is_method("INVITE"))
        {
                route(4);
        }

   ...

}

########################################################################
# Request route 'base-route-register'
########################################################################
# REGISTER handling: fetch the sender's credentials from LDAP, run digest
# authentication against them, check the To URI, then store the contact in
# the "location" table. Every path ends in exit.
route[2]
{
        sl_send_reply("100", "Trying");

        # The LDAP lookup only runs when the request already carries
        # credentials; a first REGISTER without them falls straight through
        # to the challenge below.
        if(is_present_hf("Authorization")||is_present_hf("Proxy-Authorization"))
{

                                xlog("L_INFO", "is_present_hf Authorization or
Proxy-Authorization\n");

                                # Search by the From-URI user part ($fU).
                                # NOTE(review): $fU comes from the request and is
                                # placed in the LDAP filter unescaped; filter
                                # metacharacters in it would change the query.
                                # The LDAP module documents
                                # ldap_filter_url_encode() for escaping such
                                # values first - confirm for this version.
                                # NOTE(review): answering 404 here, but a
                                # challenge on a bad password, lets a client
                                # tell existing users from unknown ones.
                                if
(!ldap_search("ldap://blabla/blabla?uid,userPassword?sub?(uid=$fU)")) {
                                        switch ($retcode) {
                                                case -1:
                                                # no LDAP entry found
                                                xlog("L_INFO", "Ldap user not
found\n");
                                                sl_send_reply("404", "User Not
Found");
                                                exit;
                                                case -2:
                                                # internal error
                                                xlog("L_INFO", "Internal server
error during authentication\n");
                                                sl_send_reply("500", "Internal
server error");
                                                exit;
                                                default:
                                                exit;
                                        }
                                }

                                # Copy the LDAP attributes into AVPs.
                                # Presumably the auth module's username/password
                                # pseudo-variable parameters point at these AVPs;
                                # those modparam lines are not shown.
                                # NOTE(review): this needs userPassword to be
                                # readable by the proxy in a form usable for
                                # digest (plaintext or HA1) - confirm how it is
                                # stored and who else can read it.
                                ldap_result("uid/$avp(s:username)");
                                ldap_result("userPassword/$avp(s:password)");
                        }


        # Digest check with an empty realm; on failure the client is
        # challenged with realm "mydomain" and qop enabled.
        # NOTE(review): per the auth module docs an empty realm is derived
        # from the request, so it must come out equal to "mydomain" for the
        # credentials sent after the challenge to be found - confirm.
        if(!pv_www_authorize(""))
        {

                xlog("L_INFO", "Register authentication failed - M=$rm RURI=$ru
F=$fu T=$tu IP=$si ID=$ci\n");
                www_challenge("mydomain", "1");
                exit;
        }


        # Reject a REGISTER whose To URI fails check_to(), so an
        # authenticated user cannot register a contact under another identity.
        if(!check_to())
        {

                xlog("L_INFO", "Spoofed To-URI detected - M=$rm RURI=$ru F=$fu
T=$tu IP=$si ID=$ci\n");
                sl_send_reply("403", "Spoofed To-URI Detected");
                exit;
        }
        # Strip the verified credentials from the request.
        consume_credentials();
        # Unless the Contact is "*", apply the NAT fix-up when nat_uac_test
        # matches, and set branch flag 6.
        if(!search("^Contact:[ ]*\*") && nat_uac_test("19"))
        {
                fix_nated_register();
                setbflag(6);
        }
        # Store the binding; reply with the error if saving fails.
        if(!save("location"))
        {

                xlog("L_ERR", "Saving contact failed - M=$rm RURI=$ru F=$fu
T=$tu IP=$si ID=$ci\n");
                sl_reply_error();
                exit;
        }

        xlog("L_INFO", "Registration successful - M=$rm RURI=$ru F=$fu T=$tu
IP=$si ID=$ci\n");
        exit;

}


########################################################################
# Request route 'base-route-invite'
########################################################################
# INVITE entry point: send 100 Trying, apply the NAT contact fix-up when
# nat_uac_test matches (and set branch flag 6), then continue in route(5).
# NOTE(review): nothing in this route authenticates the caller, and no LDAP
# lookup runs here, so the s:username / s:password AVPs that route[2] fills
# for REGISTER are not populated for an INVITE.
route[4]
{
        sl_send_reply("100", "Trying");
        if(nat_uac_test("19"))
        {
                fix_nated_contact();
                setbflag(6);
        }

        route(5);
}


########################################################################
# Request route 'invite-find-callee'
########################################################################
# Callee lookup: decide whether the INVITE targets a local user.
route[5]
{
        # Request-URI domain ($rd) is not served here: mark the call with
        # flag 20 and hand it to route(7). With flag 20 set, route[7] always
        # exits, so the checks below do not run for such calls.
        if(!is_domain_local("$rd"))
        {
                setflag(20);

                route(7);
        }
        # Local domain: route(6) for a known callee, route(7) otherwise
        # (which answers 404 because flag 20 is not set).
        # NOTE(review): route(6) is not shown, so whether calls to local
        # users are authenticated cannot be told from this excerpt.
        if(does_uri_exist())
        {

                xlog("L_INFO", "Callee is local - M=$rm RURI=$ru F=$fu T=$tu
IP=$si ID=$ci\n");
                route(6);
        }
        else
        {

                xlog("L_INFO", "Callee is not local - M=$rm RURI=$ru F=$fu T=$tu
IP=$si ID=$ci\n");
                route(7);
        }
        exit;

}

########################################################################
# Request route 'invite-to-external'
########################################################################
# Calls that are not for a local user. With flag 20 set (foreign domain) the
# request is passed to route(3); otherwise the caller gets 404.
route[7]
{
        if(isflagset(20))
        {

                xlog("L_INFO", "Call to foreign domain - M=$rm RURI=$ru F=$fu
T=$tu IP=$si ID=$ci\n");
                # The result of pv_proxy_authorize() is only logged: both
                # branches fall through to route(3) below.
                # NOTE(review): as written, a caller who fails authentication
                # is still handed to route(3) (not shown, presumably the
                # relay), so anyone who can reach the proxy can place calls to
                # foreign domains. The failure branch should challenge and
                # exit before route(3).
                # NOTE(review): the "credentials with given realm not found"
                # debug line is consistent with an INVITE that carries no
                # Proxy-Authorization for the realm. Nothing in this script
                # sends proxy_challenge(), so the client is never asked for
                # credentials. The LDAP lookup that fills the credential AVPs
                # also runs only in route[2], so it would have to be repeated
                # before this check - confirm against the auth module docs.
                if (!pv_proxy_authorize(""))
                {
                        xlog("L_INFO", "TESTING : NOT AUTHENTICATED !!!!\n");
                }
                else
                {
                        xlog("L_INFO", "TESTING : AUTHENTICATED !!!!\n");
                }

                route(3);
                exit;
        }

        # Local domain but unknown user.
        xlog("L_INFO", "Call to unknown user - M=$rm RURI=$ru F=$fu T=$tu IP=$si
ID=$ci\n");
        sl_send_reply("404", "User Not Found");
        exit;

}


---------------------
DEBUG LOGS
---------------------
Feb 29 15:33:14 proxy_sip /usr/sbin/openser[5444]: DBG:core:parse_headers:
flags=80
Feb 29 15:33:14 proxy_sip /usr/sbin/openser[5444]: DBG:core:parse_headers:
flags=80
Feb 29 15:33:14 proxy_sip /usr/sbin/openser[5444]: Call to foreign domain -
M=INVITE RURI=sip:beacon at columbia.edu F=sip:test at xxxxxxxx T=sip:beacon at co
lumbia.edu IP=xxxxxxx ID=282a363f-5be5-dc11-8272-0015c56ccfaa at xxxxxx
Feb 29 15:33:14 proxy_sip /usr/sbin/openser[5444]: DBG:core:parse_headers:
flags=10000
Feb 29 15:33:14 proxy_sip /usr/sbin/openser[5444]: DBG:auth:pre_auth:
credentials with given realm not found
Feb 29 15:33:14 proxy_sip /usr/sbin/openser[5444]: TESTING : NOT AUTHENTICATED






