[OpenSIPS-Users] Help proxy authentication/www_authorize

Bogdan-Andrei Iancu bogdan at voice-system.ro
Fri Feb 20 18:44:18 CET 2009


Hi Khan,

Here is the problem:

   Feb 19 23:28:09 [12798] DBG:auth:pre_auth: credentials with given realm not found

The auth module looks for the credentials based on realm - so the Auth 
hdr must have the realm value equal to the TO URI domain.

Check the request you received.

Regards,
Bogdan

Khan wrote:
> Bogdan,
>
> I made the changes you suggested, and then I made a call within the network
> but I get a 407 error. The UAC bounce error "Call rejected: 407 Proxy
> authentication Required...
>
> I have the following data in domain table:
> +--------+----+----------------+---------------------+
> | domain | id | domain         | last_modified       |
> +--------+----+----------------+---------------------+
> | domain |  1 | 192.168.1.2    | 2009-02-04 22:35:22 |
> | domain |  2 | xxxxxxxxxx.com | 2009-02-04 22:35:54 |
> | domain |  3 | 127.0.0.1      | 2009-02-18 23:29:28 |
> | domain |  4 | localhost      | 2009-02-18 23:29:56 |
> +--------+----+----------------+---------------------+
>
> On Thu, Feb 19, 2009 at 4:14 AM, Bogdan-Andrei Iancu
> <bogdan at voice-system.ro> wrote:
>   
>> Hi Khan,
>>
>> If it doesn't work, enable full logging (debug=6) and post the opensips's
>> logs while trying to authenticate.
>>
>> Regards,
>> Bogdan
>>
>>
>> Khan wrote:
>>     
>>> Hi Bogdan,
>>>
>>> Thanks for your prompt reply, I have generated users as follows:
>>>
>>> OPENSIPSCTL add 11111110000 1234
>>> database engine 'MYSQL' loaded
>>> Control engine 'FIFO' loaded
>>> is_user: user counter=0
>>> check_db_alias: alias counter=0
>>> new user '11111110000' added
>>>
>>>
>>> my contents of table in MySQL looks like this:
>>>
>>> +-------------+----------------+----------+----------------------------------+
>>> | username    | domain         | password | ha1                              |
>>> +-------------+----------------+----------+----------------------------------+
>>> | 11111110000 | xxxxxxxxxx.com | 1234     | 5ff58df2ebbad1408412dd01c2b285e0 |
>>> | 11111110001 | xxxxxxxxxx.com | 1234     | 2640b80036659c6b34354f8026ef3067 |
>>> | 11111110002 | xxxxxxxxxx.com | 1234     | 6cdf8849b8b75d657bb217b5ab820a44 |
>>>
>>>
>>> There are no values in the email column, rpid is null, but ha1b does have
>>> values:
>>>
>>>
>>> OPENSIPS.CFG
>>> #############
>>> modparam("auth_db", "user_column", "username")
>>> modparam("auth_db", "domain_column", "domain")
>>> modparam("auth_db", "password_column", "password")
>>> modparam("auth_db", "password_column_2", "ha1b")
>>> modparam("auth_db", "calculate_ha1", 1)
>>> modparam("auth_db", "use_domain", 0)
>>> modparam("auth_db", "load_credentials", "rpid")
>>>
>>> ... ...
>>> ... ...
>>>
>>> sl_send_reply("100", "Trying");
>>> if(!www_authorize("", "subscriber"))    {
>>>        xlog("L_INFO", "Register auth failed (subscribe) - M=$rm RURI=$ru F=$fu T=$tu IP=$si ID=$ci\n");
>>>        www_challenge("", "0");
>>>        exit;
>>>    } else {
>>>        xlog("L_INFO", "@@@ Register auth success @@@ - M=$rm RURI=$ru F=$fu T=$tu IP=$si ID=$ci\n");
>>>    }
>>>
>>>    # --->
>>>    if(!check_to())    {
>>>        xlog("L_INFO", "Spoofed To-URI detected - M=$rm RURI=$ru F=$fu T=$tu IP=$si ID=$ci\n");
>>>        sl_send_reply("403", "Spoofed To-URI Detected");
>>>        exit;
>>>    }
>>>
>>>    #
>>>    xlog("L_INFO", "consume_credentials!!! - M=$rm RURI=$ru F=$fu T=$tu IP=$si ID=$ci\n");
>>>    consume_credentials();
>>>
>>> ... ...
>>> ... ...
>>>
>>>    if(proxy_authorize("", "subscriber"))    xlog("L_INFO", "@@@ Proxy authentication success @@@ - M=$rm RURI=$ru F=$fu T=$tu IP=$si ID=$ci\n");
>>>
>>>            if(!proxy_authorize("", "subscriber"))            {
>>>                xlog("L_INFO", "Proxy authentication failed R8- M=$rm RURI=$ru F=$fu T=$tu IP=$si ID=$ci\n");
>>>                proxy_challenge("", "0");
>>>                exit;
>>>            }
>>>            if(!check_from())            {
>>>                xlog("L_INFO", "Spoofed From-URI detected - M=$rm RURI=$ru F=$fu T=$tu IP=$si ID=$ci\n");
>>>                sl_send_reply("403", "Spoofed From-URI Detected");
>>>                exit;
>>>            }
>>>
>>>
>>> The config file was generated from sipwize for ver 1.2, and I made the
>>> necessary changes according to my needs and the newer version of OpenSIPS.
>>>
>>> The way my box is laid out is as follows:
>>>
>>> ubuntu --> MySQL --> OpenSIPS 1.4.4 --> RTPProxy
>>>
>>>
>>> Is there anything I missed in the process, because according to what you
>>> said I do have them exactly the same way except some additional stuff...
>>>
>>> Thanks for help in advance.
>>>
>>>
>>> Khan
>>>
>>>
>>> On Wed, Feb 18, 2009 at 12:59 PM, Bogdan-Andrei Iancu
>>> <bogdan at voice-system.ro> wrote:
>>>
>>>    Hi Khan,
>>>
>>>    do you set the "calculate_ha1" parameter in auth_db? because the
>>>    default value indicates that you have in DB a HA1 and not a plain
>>>    text password. (see:
>>>    http://www.opensips.org/html/docs/modules/1.4.x/auth_db.html#id228159).
>>>
>>>    So, if you have the plain-text passwords in the "password" field add:
>>>         modparam("auth_db", "calculate_ha1", 1)
>>>         modparam("auth_db", "password_column", "password")
>>>
>>>    Regards,
>>>    Bogdan
>>>
>>>    Khan wrote:
>>>
>>>        Hello everyone,
>>>
>>>        Can someone help me or point me in the right direction to resolve some
>>>        authentication errors.
>>>        Currently I'm having problems with a UAC outside the network; it
>>>        gives me an authentication problem. I need to understand the following:
>>>
>>>        1. www_authorize("", "subscriber") checks in subscriber table but what
>>>        fields, what should exist in table, what parameters function passes
>>>        for matching existence
>>>        2. proxy_authorize("", "subscriber") checks what in subscriber? what
>>>        column should exist in table and match to what
>>>
>>>        I'm getting 407, I checked subscriber table, it has records with
>>>        mydomain, user, pwd but I keep getting the error since authentication
>>>        keeps failing.
>>>
>>>        ##########
>>>        My xlog outputs:
>>>
>>>        New request and force_rport - M=REGISTER RURI=sip:mydomain.com F=sip:10009@mydomain.com T=sip:10009@mydomain.com
>>>        My request... M=REGISTER sip:mydomain.com
>>>        method REGISTER from R0 ... R6 - M=REGISTER RURI=sip:mydomain.com F=sip:10009@mydomain.com T=sip:10009@mydomain.com IP=
>>>        Register auth failed (subscribe) - M=REGISTER RURI=sip:mydomain.com F=sip:10009@mydomain.com T=sip:10009@mydomain.com IP=
>>>        New request and force_rport - M=REGISTER RURI=sip:mydomain.com F=sip:10009@mydomain.com T=sip:10009@mydomain.com IP=
>>>        My request... M=REGISTER sip:mydomain.com
>>>
>>>        method REGISTER from R0 ... R6 - M=REGISTER RURI=sip:mydomain.com F=sip:10009@mydomain.com T=sip:10009@mydomain.com IP=
>>>        consume_credentials!!! - M=REGISTER RURI=sip:mydomain.com F=sip:10009@mydomain.com T=sip:10009@mydomain.com IP=
>>>
>>>        Request Username in RURI - rU=<null>
>>>
>>>        Registration successful 6 - M=REGISTER RURI=sip:mydomain.com F=sip:10009@mydomain.com T=sip:10009@mydomain.com IP=
>>>        New request and force_rport - M=SUBSCRIBE RURI=sip:10009@mydomain.com F=sip:10009@mydomain.com T=sip:10009@mydomain.com IP=
>>>
>>>        method is NOT REGISTER from R0 ... NAT test - M=SUBSCRIBE RURI=sip:10009@mydomain.com F=sip:10009@mydomain.com T=sip:10009@mydomain.com IP=
>>>        My request... M=SUBSCRIBE sip:10009@mydomain.com
>>>
>>>        Requested Service Unavailable PUBLISH/SUBSCRIBE/NOTIFY - M=SUBSCRIBE
>>>
>>>        New request and force_rport - M=INVITE RURI=sip:10000@mydomain.com F=sip:10009@mydomain.com T=sip:10000@mydomain.com IP=
>>>        method is NOT REGISTER from R0 ... NAT test - M=INVITE RURI=sip:10000@mydomain.com F=sip:10009@mydomain.com T=sip:10000@mydomain.com IP=
>>>        My request... M=INVITE sip:10000@mydomain.com
>>>
>>>        method INVITE from R0 ...R8 pre-set 24, 25 - M=INVITE RURI=sip:10000@mydomain.com F=sip:10009@mydomain.com T=sip:10000@mydomain.com IP=
>>>        Proxy authentication failed R8- M=INVITE RURI=sip:10000@mydomain.com F=sip:10009@mydomain.com T=sip:10000@mydomain.com IP=
>>>        New request and force_rport - M=INVITE RURI=sip:10000@mydomain.com F=sip:10009@mydomain.com T=sip:10000@mydomain.com IP=
>>>        method is NOT REGISTER from R0 ... NAT test - M=INVITE RURI=sip:10000@mydomain.com F=sip:10009@mydomain.com T=sip:10000@mydomain.com IP=
>>>
>>>        My request... M=INVITE sip:10000@mydomain.com
>>>        method INVITE from R0 ...R8 pre-set 24, 25 - M=INVITE RURI=sip:10000@mydomain.com F=sip:10009@mydomain.com T=sip:10000@mydomain.com IP=
>>>        Proxy authentication failed R8- M=INVITE RURI=sip:10000@mydomain.com F=sip:10009@mydomain.com T=sip:10000@mydomain.com IP=
>>>        New request and force_rport - M=INVITE RURI=sip:10000@mydomain.com F=sip:10009@mydomain.com T=sip:10000@mydomain.com IP=
>>>        method is NOT REGISTER from R0 ... NAT test - M=INVITE RURI=sip:10000@mydomain.com F=sip:10009@mydomain.com T=sip:10000@mydomain.com IP=
>>>        My request... M=INVITE sip:10000@mydomain.com
>>>
>>>        method INVITE from R0 ...R8 pre-set 24, 25 - M=INVITE RURI=sip:10000@mydomain.com F=sip:10009@mydomain.com T=sip:10000@mydomain.com IP=
>>>        Proxy authentication failed R8- M=INVITE RURI=sip:10000@mydomain.com F=sip:10009@mydomain.com T=sip:10000@mydomain.com IP=
>>>        New request and force_rport - M=SUBSCRIBE RURI=sip:10009@mydomain.com F=sip:10009@mydomain.com T=sip:10009@mydomain.com IP=
>>>        method is NOT REGISTER from R0 ... NAT test - M=SUBSCRIBE RURI=sip:10009@mydomain.com F=sip:10009@mydomain.com T=sip:10009@mydomain.com IP=
>>>        My request... M=SUBSCRIBE sip:10009@mydomain.com
>>>        Requested Service Unavailable PUBLISH/SUBSCRIBE/NOTIFY - M=SUBSCRIBE
>>>
>>>        Khan
>>>
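Added example (not part of the original thread, and not OpenSIPS code): a Python illustration of the realm lookup behind the `pre_auth` log line in the reply at the top. It assumes that with `""` as realm the proxy uses the To URI domain for REGISTER, as the reply states, and the From URI domain for other methods, per the auth_db module documentation; the sample messages, `example.test` and all function names are constructed.

```python
import hashlib
import re

# Constructed sample requests (not taken from the thread's traffic).
REGISTER_OK = (
    "REGISTER sip:example.test SIP/2.0\r\n"
    "From: <sip:10009@example.test>;tag=a1\r\n"
    "To: <sip:10009@example.test>\r\n"
    'Authorization: Digest username="10009", realm="example.test", '
    'nonce="abc", uri="sip:example.test", response="0"\r\n\r\n'
)
INVITE_BAD = (
    "INVITE sip:10000@example.test SIP/2.0\r\n"
    "From: <sip:10009@example.test>;tag=a2\r\n"
    "To: <sip:10000@example.test>\r\n"
    'Proxy-Authorization: Digest username="10009", realm="192.0.2.10", '
    'nonce="abc", uri="sip:10000@example.test", response="0"\r\n\r\n'
)

def headers(msg):
    """Map lower-cased header name -> list of values."""
    out = {}
    for line in msg.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            out.setdefault(name.strip().lower(), []).append(value.strip())
    return out

def uri_domain(value):
    """Host part of the first SIP URI in a From/To header value."""
    m = re.search(r"sips?:(?:[^@>;\s]*@)?([^:;>\s]+)", value)
    return m.group(1).lower() if m else None

def expected_realm(msg):
    """Realm used when the script passes "" (assumed rule, see lead-in)."""
    method = msg.split(" ", 1)[0]
    return uri_domain(headers(msg)["to" if method == "REGISTER" else "from"][0])

def find_credentials(msg, hdr):
    """Digest params whose realm matches, or None (the pre_auth miss)."""
    want = expected_realm(msg)
    for value in headers(msg).get(hdr.lower(), []):
        params = dict(re.findall(r'(\w+)="([^"]*)"', value))
        # Case-insensitive realm comparison is an assumption of this example.
        if params.get("realm", "").lower() == want:
            return params
    return None

def ha1(user, realm, password):
    """HA1 as defined by RFC 2617: MD5(username:realm:password)."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()
```

Because HA1 folds the realm in, a stored `ha1` computed for one domain does not verify against a challenge issued for another realm.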