[OpenSIPS-Users] Registered trunks

Bogdan-Andrei Iancu bogdan at opensips.org
Tue Jul 25 08:59:32 EDT 2017


Hi Pat,

I see 2 scenarios here (in both cases, the calledID and the auth user 
are completely different, they cannot be calculated one from the other):

* if the caller sends in FROM the auth username and in PAI/RPID the CLI, 
you should be fine.

* if the caller sends in FROM the CLI, then it should send in the auth 
answer (as the "username" attribute) the right auth username. The 
authentication should be successful, but you should check if the 
advertised CLI (in FROM) is allowed to use the authentication username.

So, bottom line (I think you are on the second scenario), you have to 
keep the db_check_from() and re-configure the URI module to perform the 
check against a predefined set of mappings (auth username as per 
subscriber and SIP username as per FROM hdr) via DB table "uri" - see the 
"db_table" and "use_uri_table" parameters:
http://www.opensips.org/html/docs/modules/2.3.x/uri.html#use-uri-table

Or, using avp_db_query(), you can make your own SQL query for checking 
(via a custom table) if the auth username is allowed with a certain CLI 
(FROM username).

Best regards,

Bogdan-Andrei Iancu
   OpenSIPS Founder and Developer
   http://www.opensips-solutions.com

OpenSIPS Bootcamp 2017, Houston, US
   http://opensips.org/training/OpenSIPS_Bootcamp_2017.html

On 07/25/2017 03:32 AM, Pat Burke wrote:
> Hello,
>
> As a SIP Provider, we are implementing the ability to provide SIP
> trunks to customers with a PBX or Dialer that require Registration.
> With this in mind, the customer wants to be able to set the CallerID
> at least on the basis of the devices connected to them, but
> potentially on a per call basis.
>
> For the challenge-response to the non-Register methods, we have
> implemented the script as follows (seems to be a very standard way).
> My question is for the case of the CallerID not being the same as the
> username/authorization name, how do we do this?  Because the "FROM"
> user is different from the authorized user, the db_check_from fails.
> I don't believe all phone systems support P-Asserted-ID, so we can't
> really go that route.  So can we just remove the "db_check_from"?
> What risk does that expose us to?
>
> if ( !(is_method("REGISTER")) ) {
>    if (is_from_local("$var(reg_domain_attr)")) { # from Registered device
>        $avp(callee_number_type) := "Registered";
>
>        # authenticate if from local subscriber
>        # authenticate all initial non-REGISTER request that pretend to be
>        # generated by local subscriber (domain from FROM URI is local)
>        if (!proxy_authorize("", "subscriber")) {
>           proxy_challenge("", "0");
>           exit;
>        }
>
>        if (!db_check_from()) {
>           sl_send_reply("403","Forbidden auth ID");
>           exit;
>        }
>
>        consume_credentials();
>        # caller authenticated
>    }
> }
>
> Regards,
> *Pat Burke*
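The mapping check suggested in the reply above (auth username allowed with a certain FROM username), as an added example that is not part of the original thread or of OpenSIPS itself. It uses an in-memory SQLite database in place of the proxy's database; the table name trunk_cli, its columns, and all sample values are hypothetical and constructed for illustration.

```python
import sqlite3

# Hypothetical custom mapping table: one row per (auth username, domain,
# From username) combination that a registered trunk may present.
SCHEMA = """
CREATE TABLE trunk_cli (
    auth_user TEXT NOT NULL,
    domain    TEXT NOT NULL,
    from_user TEXT NOT NULL,
    PRIMARY KEY (auth_user, domain, from_user)
);
"""

# Constructed sample data: trunk "acme-pbx" owns two numbers, "dialer7" one.
SAMPLE_ROWS = [
    ("acme-pbx", "sip.example.net", "12025550100"),
    ("acme-pbx", "sip.example.net", "12025550101"),
    ("dialer7", "sip.example.net", "12025550199"),
]


def open_db():
    """Build the in-memory database with the constructed mappings."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO trunk_cli VALUES (?, ?, ?)", SAMPLE_ROWS)
    return db


def cli_allowed(db, auth_user, domain, from_user):
    """True only if the authenticated user may present from_user in From.

    auth_user comes from the verified digest credentials; from_user is
    caller-controlled, so it is bound as a parameter, never concatenated
    into the SQL text. No matching row means deny.
    """
    row = db.execute(
        "SELECT 1 FROM trunk_cli"
        " WHERE auth_user = ? AND domain = ? AND from_user = ?",
        (auth_user, domain, from_user),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = open_db()
    for au, fu in [("acme-pbx", "12025550101"), ("acme-pbx", "12025550199"),
                   ("dialer7", "12025550199' OR '1'='1")]:
        verdict = "allow" if cli_allowed(db, au, "sip.example.net", fu) else "403"
        print(f"auth={au} from={fu!r}: {verdict}")
```

The second case is the one the From check exists for: "acme-pbx" authenticates correctly but presents a number mapped to another trunk, so the call is refused even though the digest check passed.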