[OpenSER-Users] fail to authenticate INVITE messages

antalsia at free.fr antalsia at free.fr
Mon Mar 3 09:26:44 CET 2008


Hi Daniel,

Same result when I call pv_proxy_authorize() function with our SIP domain. It
always returns false. When I dump the SIP packet with tshark, the SIP user & domain
are not visible inside the INVITE request... Quite strange... the SIP URI is
composed of my local linux user and the domain is my local IP address. I'm using
Ekiga 2.0.11 and my user is registered! I'll try with another UA.

Regards,


Quoting Daniel-Constantin Mierla <miconda at gmail.com>:

> Hello,
>
> for INVITE you have to use pv_proxy_authorize("")
> http://www.openser.org/docs/modules/1.3.x/auth.html#AEN281
>
>
> The problem is that the domain part for the URI of the user you want to
> authenticate does not match the value from the realm attribute of
> authorization header. Pasting the SIP message will help to give clear
> indications.
>
> Cheers,
> Daniel
>
>
> On 02/29/08 18:07, antalsia at free.fr wrote:
> > Hi all,
> >
> > I'm trying to authenticate INVITE messages with OpenSER 1.3.0 (SIP Proxy +
> > RTPPROXY) and LDAP module. Although REGISTER authentication works well, I
> > cannot check user authorization for INVITE messages. I'm using an openser.cfg
> > configuration template from sipwise (see an extract below).
> >
> > pv_proxy_authorize() routine always returns false, even if my user is
> > registered and authenticated through our OpenLDAP. Can you tell me what I'm
> > doing wrong?
> >
> > Many thks,
> >
> >
> > ---------------------------
> > openser.cfg
> > ---------------------------
> >
> >
> > route {
> >
> >    ...
> >    if(is_method("REGISTER"))
> >         {
> >                 route(2);
> >         }
> >    if(is_method("INVITE"))
> >         {
> >                 route(4);
> >         }
> >
> >    ...
> >
> > }
> >
> > ########################################################################
> > # Request route 'base-route-register'
> > ########################################################################
> > route[2]
> > {
> >         sl_send_reply("100", "Trying");
> >
> >
> >         if(is_present_hf("Authorization")||is_present_hf("Proxy-Authorization"))
> >         {
> >
> >                 xlog("L_INFO", "is_present_hf Authorization or Proxy-Authorization\n");
> >
> >                 if (!ldap_search("ldap://blabla/blabla?uid,userPassword?sub?(uid=$fU)")) {
> >                         switch ($retcode) {
> >                                 case -1:
> >                                 # no LDAP entry found
> >                                 xlog("L_INFO", "Ldap user not found\n");
> >                                 sl_send_reply("404", "User Not Found");
> >                                 exit;
> >                                 case -2:
> >                                 # internal error
> >                                 xlog("L_INFO", "Internal server error during authentication\n");
> >                                 sl_send_reply("500", "Internal server error");
> >                                 exit;
> >                                 default:
> >                                 exit;
> >                         }
> >                 }
> >
> >                 ldap_result("uid/$avp(s:username)");
> >                 ldap_result("userPassword/$avp(s:password)");
> >         }
> >
> >
> >         if(!pv_www_authorize(""))
> >         {
> >
> >                 xlog("L_INFO", "Register authentication failed - M=$rm RURI=$ru F=$fu T=$tu IP=$si ID=$ci\n");
> >                 www_challenge("mydomain", "1");
> >                 exit;
> >         }
> >
> >
> >         if(!check_to())
> >         {
> >
> >                 xlog("L_INFO", "Spoofed To-URI detected - M=$rm RURI=$ru F=$fu T=$tu IP=$si ID=$ci\n");
> >                 sl_send_reply("403", "Spoofed To-URI Detected");
> >                 exit;
> >         }
> >         consume_credentials();
> >         if(!search("^Contact:[ ]*\*") && nat_uac_test("19"))
> >         {
> >                 fix_nated_register();
> >                 setbflag(6);
> >         }
> >         if(!save("location"))
> >         {
> >
> >                 xlog("L_ERR", "Saving contact failed - M=$rm RURI=$ru F=$fu T=$tu IP=$si ID=$ci\n");
> >                 sl_reply_error();
> >                 exit;
> >         }
> >
> >         xlog("L_INFO", "Registration successful - M=$rm RURI=$ru F=$fu T=$tu IP=$si ID=$ci\n");
> >         exit;
> >
> > }
> >
> >
> > ########################################################################
> > # Request route 'base-route-invite'
> > ########################################################################
> > route[4]
> > {
> >         sl_send_reply("100", "Trying");
> >         if(nat_uac_test("19"))
> >         {
> >                 fix_nated_contact();
> >                 setbflag(6);
> >         }
> >
> >         route(5);
> > }
> >
> >
> > ########################################################################
> > # Request route 'invite-find-callee'
> > ########################################################################
> > route[5]
> > {
> >         if(!is_domain_local("$rd"))
> >         {
> >                 setflag(20);
> >
> >                 route(7);
> >         }
> >         if(does_uri_exist())
> >         {
> >
> >                 xlog("L_INFO", "Callee is local - M=$rm RURI=$ru F=$fu T=$tu IP=$si ID=$ci\n");
> >                 route(6);
> >         }
> >         else
> >         {
> >
> >                 xlog("L_INFO", "Callee is not local - M=$rm RURI=$ru F=$fu T=$tu IP=$si ID=$ci\n");
> >                 route(7);
> >         }
> >         exit;
> >
> > }
> >
> > ########################################################################
> > # Request route 'invite-to-external'
> > ########################################################################
> > route[7]
> > {
> >         if(isflagset(20))
> >         {
> >
> >                 xlog("L_INFO", "Call to foreign domain - M=$rm RURI=$ru F=$fu T=$tu IP=$si ID=$ci\n");
> >                 if (!pv_proxy_authorize(""))
> >                 {
> >                         xlog("L_INFO", "TESTING : NOT AUTHENTICATED !!!!\n");
> >                 }
> >                 else
> >                 {
> >                         xlog("L_INFO", "TESTING : AUTHENTICATED !!!!\n");
> >                 }
> >
> >                 route(3);
> >                 exit;
> >         }
> >
> >         xlog("L_INFO", "Call to unknown user - M=$rm RURI=$ru F=$fu T=$tu IP=$si ID=$ci\n");
> >         sl_send_reply("404", "User Not Found");
> >         exit;
> >
> > }
> >
> >
> > ---------------------
> > DEBUG LOGS
> > ---------------------
> > Feb 29 15:33:14 proxy_sip /usr/sbin/openser[5444]: DBG:core:parse_headers: flags=80
> > Feb 29 15:33:14 proxy_sip /usr/sbin/openser[5444]: DBG:core:parse_headers: flags=80
> > Feb 29 15:33:14 proxy_sip /usr/sbin/openser[5444]: Call to foreign domain - M=INVITE RURI=sip:beacon at columbia.edu F=sip:test at xxxxxxxx T=sip:beacon at columbia.edu IP=xxxxxxx ID=282a363f-5be5-dc11-8272-0015c56ccfaa at xxxxxx
> > Feb 29 15:33:14 proxy_sip /usr/sbin/openser[5444]: DBG:core:parse_headers: flags=10000
> > Feb 29 15:33:14 proxy_sip /usr/sbin/openser[5444]: DBG:auth:pre_auth: credentials with given realm not found
> > Feb 29 15:33:14 proxy_sip /usr/sbin/openser[5444]: TESTING : NOT AUTHENTICATED
> >
> >
> >
> >
>
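
The realm lookup discussed in this thread, as an added example that is not part of the original messages: a small Python check that reports whether a captured request carries credentials for the realm the proxy will look for. The sample INVITE is constructed, and the rule that an empty realm argument is resolved from the To URI for REGISTER and the From URI for other requests is an assumption of this sketch.

```python
import re

# Constructed sample: the From host is an IP address, while the credentials
# carry the realm used in the challenge ("mydomain").
SAMPLE_INVITE = (
    "INVITE sip:bob@example.org SIP/2.0\r\n"
    "From: <sip:test@192.0.2.10>;tag=1\r\n"
    "To: <sip:bob@example.org>\r\n"
    'Proxy-Authorization: Digest username="test", realm="mydomain", '
    'nonce="abc", uri="sip:bob@example.org", response="00"\r\n'
    "\r\n"
)

def headers(msg, name):
    """Return the values of every header called `name` (case-insensitive)."""
    out = []
    for line in msg.split("\r\n")[1:]:
        if not line:
            break  # blank line ends the header section
        key, _, value = line.partition(":")
        if key.strip().lower() == name.lower():
            out.append(value.strip())
    return out

def uri_host(header_value):
    """Extract the host part of the first sip:/sips: URI in a header value."""
    m = re.search(r"sips?:(?:[^@>;\s]*@)?([^:;>\s]+)", header_value)
    return m.group(1).lower() if m else None

def diagnose(msg, realm=""):
    """Explain why a realm lookup on this request would or would not succeed."""
    method = msg.split(" ", 1)[0]
    # Assumption: REGISTER uses Authorization + To URI, everything else
    # uses Proxy-Authorization + From URI when no realm is passed.
    hdr, uri_hdr = (("Authorization", "To") if method == "REGISTER"
                    else ("Proxy-Authorization", "From"))
    src = headers(msg, uri_hdr)
    expected = realm.lower() or (uri_host(src[0]) if src else None)
    creds = headers(msg, hdr)
    if not creds:
        return f"no {hdr} header in the request"
    realms = [r.lower() for c in creds for r in re.findall(r'realm="([^"]*)"', c)]
    if expected in realms:
        return f"credentials found for realm {expected}"
    return f"realm mismatch: expected {expected}, got {realms}"
```

Feeding it the text of a request captured with tshark shows which of the two cases applies: no credentials header at all, or credentials for a different realm than the one being looked up.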