[OpenSIPS-Users] Issues using memcache auth

Bogdan-Andrei Iancu bogdan at opensips.org
Tue Jun 9 17:47:47 CEST 2015


Hi Tito,

OK, so you have a plain text pwd in DB. You also load it to the script 
during DB auth and push it into the cache. What I was asking is to do 
some xlog from script to double check that whatever is stored and later 
fetched from script is correct - have you checked that?

Regards,

Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
http://www.opensips-solutions.com

On 03.06.2015 20:01, Tito Cumpen wrote:
> Bogdan,
>
>
> The password is provided in plaintext by the db. The working scenario 
> looks like this:
>
> loadmodule "auth.so"
>
> loadmodule "auth_db.so"
>
> modparam("auth_db", "calculate_ha1", yes)
>
>
> modparam("auth_db", "password_column", "password")
>
> #modparam("auth_db", "db_url",
>
> modparam("auth_db", "db_url",
>
>          "http://myauthdb")
>
>
> modparam("auth_db", "load_credentials", "")
>
>
> On Wed, Jun 3, 2015 at 11:59 AM, Bogdan-Andrei Iancu
> <bogdan at opensips.org> wrote:
>
>     Tito,
>
>     In DB, what do you have - the plain text passwd or the HA1 ?
>
>     Regards,
>
>     Bogdan-Andrei Iancu
>     OpenSIPS Founder and Developer
>     http://www.opensips-solutions.com
>
>     On 03.06.2015 18:56, Tito Cumpen wrote:
>>     Bogdan,
>>
>>     The password is hashed into a numeric value it would seem. Though
>>     my http db provides the password in raw unhashed string when
>>     queried for the subscriber password. The debug shows that the md5
>>     hashing is not being matched but I am not sure why since
>>     the save function is only called if  (!www_authorize("",
>>     "subscriber")) has succeeded. Maybe something is being left out?
>>
>>     Thanks,
>>      Tito
>>
>>
>>     On Wed, Jun 3, 2015 at 11:12 AM, Bogdan-Andrei Iancu
>>     <bogdan at opensips.org> wrote:
>>
>>         Hi Tito,
>>
>>         Have you double checked if the passwd you push to
>>         pv_www_authorize() (from cache) is the correct one?
>>
>>         Best Regards,
>>
>>         Bogdan-Andrei Iancu
>>         OpenSIPS Founder and Developer
>>         http://www.opensips-solutions.com
>>
>>         On 02.06.2015 01:58, Tito Cumpen wrote:
>>>         my db http returns the password in plain string by the way.
>>>
>>>         On Mon, Jun 1, 2015 at 6:57 PM, Tito Cumpen <tito at xsvoce.com> wrote:
>>>
>>>             Hello group,
>>>
>>>
>>>             I am attempting to add memcache auth validation in
>>>             opensips 2.1. I was using http db which returns a string
>>>             of the user password. This was working prior to
>>>             utilizing pv_www_authorize. I used this document as a
>>>             guideline
>>>             http://www.opensips.org/Documentation/Tutorials-MemoryCaching
>>>
>>>             Here is my auth mod param config
>>>             loadmodule "cachedb_local.so"
>>>             loadmodule "auth.so"
>>>             loadmodule "auth_db.so"
>>>             modparam("auth","username_spec","$avp(i:54)")
>>>             modparam("auth","password_spec","$avp(i:55)")
>>>             modparam("auth","calculate_ha1",1)
>>>
>>>             modparam("auth_db", "calculate_ha1", yes)
>>>
>>>             modparam("auth_db", "password_column", "password")
>>>             #modparam("auth_db", "db_url",
>>>             modparam("auth_db", "db_url",
>>>                      "http://mysubscriberdatabase.com")
>>>
>>>             modparam("auth_db", "load_credentials",
>>>             "$avp(i:55)=password")
>>>
>>>
>>>             if (is_method("REGISTER")) {
>>>
>>>                 # indicate that the client supports DTLS
>>>                 # so we know when he is called
>>>                 if (isflagset(SRC_WS))
>>>                     setbflag(DST_WS);
>>>
>>>                 if ( isflagset(uac_ws) ) {
>>>                     xlog("setting avp attribute in register for websocket \n");
>>>                     $avp(attr)="websocket";
>>>                 }
>>>
>>>                 if(cache_fetch("local","passwd_$tu",$avp(i:55))) {
>>>                     xlog("$tU 's credentials are stored in local cache using it for this register request \n");
>>>                     $avp(i:54) = $tU;
>>>                     xlog("SCRIPT: stored password is $avp(i:55)\n");
>>>                     # perform auth from variables
>>>                     # $avp(i:54) contains the username
>>>                     # $avp(i:55) contains the password
>>>                     if (!pv_www_authorize("")) {
>>>                         $var(rc2) = pv_www_authorize("");
>>>                         #  $var(rc2) = www_authorize("", "subscriber");
>>>                         xlog("Return code is $var(rc2) \n");
>>>                         switch ( $var(rc2) ) {
>>>                             case 1 :
>>>                                 # if ( proto==TCP ||  0 ) {
>>>                                 # setflag(TCP_PERSISTENT);
>>>                                 #        setflag(6);
>>>                                 #   }
>>>                                 if (!save("location","f"))
>>>                                     sl_reply_error();
>>>                                 exit;
>>>                                 # success
>>>                                 break;
>>>                             case -1:
>>>                                 sl_send_reply("404","User not found");
>>>                                 exit;
>>>                                 break;
>>>                             case -2:
>>>                                 sl_send_reply("403","Forbidden (Bad auth)");
>>>                                 exit;
>>>                                 break;
>>>                             case -3:
>>>                                 www_challenge("", "0");
>>>                                 exit;
>>>                                 #sl_send_reply("403","Forbidden auth ID");
>>>                                 #break;
>>>                             default:
>>>                                 www_challenge("", "0");
>>>                                 exit;
>>>                         }
>>>                     };
>>>
>>>                     if (!save("location","f"))
>>>                         sl_reply_error();
>>>                     exit;
>>>                 }else{
>>>                     xlog("could not find the auth info in local cache for $tU\n");
>>>                     xlog("accessing the external db for auth info");
>>>                     # authenticate the REGISTER requests
>>>                     if (!www_authorize("", "subscriber"))
>>>                     {
>>>                         xlog("new challenger  $tU\n");
>>>                         # www_challenge("", "0");
>>>                         $var(rc) = www_authorize("", "subscriber");
>>>                         xlog("Return code is $var(rc) \n");
>>>                         switch ( $var(rc) ) {
>>>                             case 1 :
>>>                                 # if ( proto==TCP ||  0 ) {
>>>                                 # setflag(TCP_PERSISTENT);
>>>                                 #        setflag(6);
>>>                                 #   }
>>>                                 #  $avp(me) = $(tU{s.tolower});
>>>                                 cache_store("local","passwd_$tu","$avp(i:55)",1200);
>>>                                 if (!save("location","f"))
>>>                                     sl_reply_error();
>>>                                 exit;
>>>                                 # success
>>>                                 break;
>>>                             case -1:
>>>                                 sl_send_reply("404","User not found");
>>>                                 exit;
>>>                                 break;
>>>                             case -2:
>>>                                 sl_send_reply("403","Forbidden (Bad auth)");
>>>                                 exit;
>>>                                 break;
>>>                             case -3:
>>>                                 www_challenge("", "0");
>>>                                 exit;
>>>                                 #sl_send_reply("403","Forbidden auth ID");
>>>                                 #break;
>>>                             default:
>>>                                 www_challenge("", "0");
>>>                                 exit;
>>>                         }
>>>                     }
>>>
>>>                     xlog("should be storing local now that it has been authorized\n");
>>>                     cache_store("local","passwd_$tu","$avp(i:55)",1200);
>>>                 }
>>>
>>>                 if (!save("location","f"))
>>>                     sl_reply_error();
>>>                 exit;
>>>             }
>>>
>>>
>>>
>>>             The issue is the pv_www_authorize method after the
>>>             verification whether the password is stored locally
>>>             always returns -2 which means the password is incorrect.
>>>             Can anyone provide any guidance as to why this is?
>>>
>>>
>>>             Thanks,
>>>             Tito
>>>
>>>
>>>
>>>
>>
>>
>
>
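
Added example (not part of the original thread, and not OpenSIPS code): an offline version of the check Bogdan asks for. It recomputes the RFC 2617 digest response from the value the script logs with xlog and reports whether that value behaves as the plaintext password, as an HA1, or as neither. The function names and the alice/example.com sample header are constructed for illustration.

```python
import hashlib
import re

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def parse_authorization(header):
    """Parse the k="v" / k=v parameters of a Digest Authorization header."""
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', header)
    return {key: quoted or bare for key, quoted, bare in pairs}

def digest_response(ha1, method, auth):
    """RFC 2617 response for a given HA1 (with or without qop)."""
    ha2 = md5_hex(f"{method}:{auth['uri']}")
    if auth.get("qop"):  # qop=auth mixes nc, cnonce and qop into the hash
        return md5_hex(f"{ha1}:{auth['nonce']}:{auth['nc']}:"
                       f"{auth['cnonce']}:{auth['qop']}:{ha2}")
    return md5_hex(f"{ha1}:{auth['nonce']}:{ha2}")

def classify_cached_value(cached, header, method="REGISTER"):
    """Return how the cached value relates to the client's digest response."""
    auth = parse_authorization(header)
    ha1_from_plain = md5_hex(f"{auth['username']}:{auth['realm']}:{cached}")
    if digest_response(ha1_from_plain, method, auth) == auth["response"]:
        return "plaintext"  # what calculate_ha1=1 expects in password_spec
    if digest_response(cached, method, auth) == auth["response"]:
        return "ha1"        # already hashed; hashing it again cannot match
    return "mismatch"       # value altered, empty, or wrong user/realm

def constructed_header(password="s3cret"):
    """Constructed client header for alice@example.com (not from the thread)."""
    auth = {"uri": "sip:example.com", "nonce": "constructed-nonce"}
    ha1 = md5_hex(f"alice:example.com:{password}")
    response = digest_response(ha1, "REGISTER", auth)
    return ('Digest username="alice", realm="example.com", '
            'nonce="constructed-nonce", uri="sip:example.com", '
            f'response="{response}", algorithm=MD5')

if __name__ == "__main__":
    header = constructed_header()
    for value in ("s3cret", md5_hex("alice:example.com:s3cret"), "<null>"):
        print(repr(value), "->", classify_cached_value(value, header))
```

To use it on a real trace, pass the value printed by the "SCRIPT: stored password is ..." xlog line together with the Authorization header of the same REGISTER.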
