[OpenSIPS-Users] Help proxy authentication/www_authorize
Bogdan-Andrei Iancu
bogdan at voice-system.ro
Fri Feb 20 18:44:18 CET 2009
Hi Khan,
Here is the problem:
Feb 19 23:28:09 [12798] DBG:auth:pre_auth: credentials with given realm not found
The auth module looks for the credentials based on realm - so the Auth
hdr must have the realm value equal to the TO URI domain.
Check the request you received.
Regards,
Bogdan
Khan wrote:
> Bogdan,
>
> I made the changes you suggested, and then I made a call within the network
> but I get a 407 error. The UAC bounces the error "Call rejected: 407 Proxy
> authenticaion Required...
>
> I have the following data in domain table:
> +--------+----+----------------+---------------------+
> | domain | id | domain         | last_modified       |
> +--------+----+----------------+---------------------+
> | domain | 1  | 192.168.1.2    | 2009-02-04 22:35:22 |
> | domain | 2  | xxxxxxxxxx.com | 2009-02-04 22:35:54 |
> | domain | 3  | 127.0.0.1      | 2009-02-18 23:29:28 |
> | domain | 4  | localhost      | 2009-02-18 23:29:56 |
> +--------+----+----------------+---------------------+
>
> On Thu, Feb 19, 2009 at 4:14 AM, Bogdan-Andrei Iancu
> <bogdan at voice-system.ro> wrote:
>
>> Hi Khan,
>>
>> If it doesn't work, enable full logging (debug=6) and post the opensips's
>> logs while trying to authenticate.
>>
>> Regards,
>> Bogdan
>>
>>
>> Khan wrote:
>>
>>> Hi Bogdan,
>>>
>>> Thanks for your prompt reply, I have generated users as follows:
>>>
>>> OPENSIPSCTL add 11111110000 1234
>>> database engine 'MYSQL' loaded
>>> Control engine 'FIFO' loaded
>>> is_user: user counter=0
>>> check_db_alias: alias counter=0
>>> new user '11111110000' added
>>>
>>>
>>> my contents of table in MySQL looks like this:
>>>
>>> +-------------+----------------+----------+----------------------------------+
>>> | username    | domain         | password | ha1                              |
>>> +-------------+----------------+----------+----------------------------------+
>>> | 11111110000 | xxxxxxxxxx.com | 1234     | 5ff58df2ebbad1408412dd01c2b285e0 |
>>> | 11111110001 | xxxxxxxxxx.com | 1234     | 2640b80036659c6b34354f8026ef3067 |
>>> | 11111110002 | xxxxxxxxxx.com | 1234     | 6cdf8849b8b75d657bb217b5ab820a44 |
>>>
>>>
>>> There are no values in the email column, rpid has null, but ha1b does have
>>> values:
>>>
>>>
>>> OPENSIPS.CFG
>>> #############
>>> modparam("auth_db", "user_column", "username")
>>> modparam("auth_db", "domain_column", "domain")
>>> modparam("auth_db", "password_column", "password")
>>> modparam("auth_db", "password_column_2", "ha1b")
>>> modparam("auth_db", "calculate_ha1", 1)
>>> modparam("auth_db", "use_domain", 0)
>>> modparam("auth_db", "load_credentials", "rpid")
>>>
>>> ... ...
>>> ... ...
>>>
>>> sl_send_reply("100", "Trying");
>>> if(!www_authorize("", "subscriber")) {
>>>     xlog("L_INFO", "Register auth failed (subscribe) - M=$rm RURI=$ru F=$fu T=$tu IP=$si ID=$ci\n");
>>>     www_challenge("", "0");
>>>     exit;
>>> } else {
>>>     xlog("L_INFO", "@@@ Register auth success @@@ - M=$rm RURI=$ru F=$fu T=$tu IP=$si ID=$ci\n");
>>> }
>>>
>>> # --->
>>> if(!check_to()) {
>>>     xlog("L_INFO", "Spoofed To-URI detected - M=$rm RURI=$ru F=$fu T=$tu IP=$si ID=$ci\n");
>>>     sl_send_reply("403", "Spoofed To-URI Detected");
>>>     exit;
>>> }
>>>
>>> #
>>> xlog("L_INFO", "consume_credentials!!! - M=$rm RURI=$ru F=$fu T=$tu IP=$si ID=$ci\n");
>>> consume_credentials();
>>>
>>> ... ...
>>> ... ...
>>>
>>> if(proxy_authorize("", "subscriber")) xlog("L_INFO", "@@@ Proxy authentication success @@@ - M=$rm RURI=$ru F=$fu T=$tu IP=$si ID=$ci\n");
>>>
>>> if(!proxy_authorize("", "subscriber")) {
>>>     xlog("L_INFO", "Proxy authentication failed R8- M=$rm RURI=$ru F=$fu T=$tu IP=$si ID=$ci\n");
>>>     proxy_challenge("", "0");
>>>     exit;
>>> }
>>> if(!check_from()) {
>>>     xlog("L_INFO", "Spoofed From-URI detected - M=$rm RURI=$ru F=$fu T=$tu IP=$si ID=$ci\n");
>>>     sl_send_reply("403", "Spoofed From-URI Detected");
>>>     exit;
>>> }
>>>
>>>
>>> The config file was generated from sipwize for 1.2 ver and I made the
>>> necessary changes according to my needs and the newer version of OpenSIPS.
>>>
>>> The way my box is laid out is as follows:
>>>
>>> ubuntu --> MySQL --> OpenSIPS 1.4.4 --> RTPProxy
>>>
>>>
>>> Is there anything I missed in the process, because according to what you
>>> said I do have them exactly the same way except some additional stuff...
>>>
>>> Thanks for help in advance.
>>>
>>>
>>> Khan
>>>
>>>
>>> On Wed, Feb 18, 2009 at 12:59 PM, Bogdan-Andrei Iancu
>>> <bogdan at voice-system.ro> wrote:
>>>
>>> Hi Khan,
>>>
>>> do you set the "calculate_ha1" parameter in auth_db? because the
>>> default value indicates that you have in DB a HA1 and not a plain
>>> text password. (see:
>>> http://www.opensips.org/html/docs/modules/1.4.x/auth_db.html#id228159).
>>>
>>> So, if you have the plain-text passwords in the "password" field add:
>>> modparam("auth_db", "calculate_ha1", 1)
>>> modparam("auth_db", "password_column", "password")
>>>
>>> Regards,
>>> Bogdan
>>>
>>> Khan wrote:
>>>
>>> Hello everyone,
>>>
>>> Can someone help me or point me in a direction to resolve some
>>> authentication errors.
>>> Currently I'm having problems with a UAC outside the network, it gives me
>>> an authentication problem. I need to understand the following:
>>>
>>> 1. www_authorize("", "subscriber") checks in subscriber table but what
>>> fields, what should exist in table, what parameters function passes
>>> for matching existence
>>> 2. proxy_authorize("", "subscriber") checks what in subscriber? what
>>> column should exist in table and match to what
>>>
>>> I'm getting 407, I checked subscriber table, it has records with
>>> mydomain, user, pwd but I keep getting error since authentication keeps
>>> failing.
>>>
>>> ##########
>>> My xlog outputs:
>>>
>>> New request and force_rport - M=REGISTER RURI=sip:mydomain.com F=sip:10009 at mydomain.com T=sip:10009 at mydomain.com
>>> My request... M=REGISTER sip:mydomain.com
>>> method REGISTER from R0 ... R6 - M=REGISTER RURI=sip:mydomain.com F=sip:10009 at mydomain.com T=sip:10009 at mydomain.com IP=
>>> Register auth failed (subscribe) - M=REGISTER RURI=sip:mydomain.com F=sip:10009 at mydomain.com T=sip:10009 at mydomain.com IP=
>>> New request and force_rport - M=REGISTER RURI=sip:mydomain.com F=sip:10009 at mydomain.com T=sip:10009 at mydomain.com IP=
>>> My request... M=REGISTER sip:mydomain.com
>>> method REGISTER from R0 ... R6 - M=REGISTER RURI=sip:mydomain.com F=sip:10009 at mydomain.com T=sip:10009 at mydomain.com IP=
>>> consume_credentials!!! - M=REGISTER RURI=sip:mydomain.com F=sip:10009 at mydomain.com T=sip:10009 at mydomain.com IP=
>>> Request Username in RURI - rU=<null>
>>> Registration successful 6 - M=REGISTER RURI=sip:mydomain.com F=sip:10009 at mydomain.com T=sip:10009 at mydomain.com IP=
>>> New request and force_rport - M=SUBSCRIBE RURI=sip:10009 at mydomain.com F=sip:10009 at mydomain.com T=sip:10009 at mydomain.com IP=
>>> method is NOT REGISTER from R0 ... NAT test - M=SUBSCRIBE RURI=sip:10009 at mydomain.com F=sip:10009 at mydomain.com T=sip:10009 at mydomain.com IP=
>>> My request... M=SUBSCRIBE sip:10009 at mydomain.com
>>> Requested Service Unavailable PUBLISH/SUBSCRIBE/NOTIFY - M=SUBSCRIBE
>>> New request and force_rport - M=INVITE RURI=sip:10000 at mydomain.com F=sip:10009 at mydomain.com T=sip:10000 at mydomain.com IP=
>>> method is NOT REGISTER from R0 ... NAT test - M=INVITE RURI=sip:10000 at mydomain.com F=sip:10009 at mydomain.com T=sip:10000 at mydomain.com IP=
>>> My request... M=INVITE sip:10000 at mydomain.com
>>> method INVITE from R0 ...R8 pre-set 24, 25 - M=INVITE RURI=sip:10000 at mydomain.com F=sip:10009 at mydomain.com T=sip:10000 at mydomain.com IP=
>>> Proxy authentication failed R8- M=INVITE RURI=sip:10000 at mydomain.com F=sip:10009 at mydomain.com T=sip:10000 at mydomain.com IP=
>>> New request and force_rport - M=INVITE RURI=sip:10000 at mydomain.com F=sip:10009 at mydomain.com T=sip:10000 at mydomain.com IP=
>>> method is NOT REGISTER from R0 ... NAT test - M=INVITE RURI=sip:10000 at mydomain.com F=sip:10009 at mydomain.com T=sip:10000 at mydomain.com IP=
>>> My request... M=INVITE sip:10000 at mydomain.com
>>> method INVITE from R0 ...R8 pre-set 24, 25 - M=INVITE RURI=sip:10000 at mydomain.com F=sip:10009 at mydomain.com T=sip:10000 at mydomain.com IP=
>>> Proxy authentication failed R8- M=INVITE RURI=sip:10000 at mydomain.com F=sip:10009 at mydomain.com T=sip:10000 at mydomain.com IP=
>>> New request and force_rport - M=INVITE RURI=sip:10000 at mydomain.com F=sip:10009 at mydomain.com T=sip:10000 at mydomain.com IP=
>>> method is NOT REGISTER from R0 ... NAT test - M=INVITE RURI=sip:10000 at mydomain.com F=sip:10009 at mydomain.com T=sip:10000 at mydomain.com IP=
>>> My request... M=INVITE sip:10000 at mydomain.com
>>> method INVITE from R0 ...R8 pre-set 24, 25 - M=INVITE RURI=sip:10000 at mydomain.com F=sip:10009 at mydomain.com T=sip:10000 at mydomain.com IP=
>>> Proxy authentication failed R8- M=INVITE RURI=sip:10000 at mydomain.com F=sip:10009 at mydomain.com T=sip:10000 at mydomain.com IP=
>>> New request and force_rport - M=SUBSCRIBE RURI=sip:10009 at mydomain.com F=sip:10009 at mydomain.com T=sip:10009 at mydomain.com IP=
>>> method is NOT REGISTER from R0 ... NAT test - M=SUBSCRIBE RURI=sip:10009 at mydomain.com F=sip:10009 at mydomain.com T=sip:10009 at mydomain.com IP=
>>> My request... M=SUBSCRIBE sip:10009 at mydomain.com
>>> Requested Service Unavailable PUBLISH/SUBSCRIBE/NOTIFY - M=SUBSCRIBE
>>> Khan
>>>
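Added example, not part of the original thread and not OpenSIPS code: a small Python model of the check Bogdan describes at the top, where credentials are first selected by realm (the To URI domain when the realm argument is empty) and only then verified. It assumes RFC 2617 digest without qop, username-only lookup as with use_domain=0, and HA1 computed from the plain-text password as with calculate_ha1=1; the domain sip.example.test, the nonce and the helper names are constructed.

```python
import hashlib
import hmac
import re

def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def parse_digest(value):
    """Parse 'Digest k="v", k2=v2' into a dict of lower-cased keys."""
    scheme, _, rest = value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    pairs = re.findall(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))', rest)
    return {k.lower(): quoted or bare for k, quoted, bare in pairs}

def uri_domain(uri):
    """Host of a SIP URI like sip:user@host:5060;transport=udp (no IPv6)."""
    hostport = re.sub(r"^sips?:", "", uri.strip("<>")).split("@")[-1]
    return re.split(r"[:;?]", hostport)[0].lower()

def authorize(method, to_uri, auth_headers, subscribers):
    """Model of the realm-based credential lookup followed by the digest check."""
    realm = uri_domain(to_uri)  # empty realm argument: realm comes from the To URI
    creds = [c for c in map(parse_digest, auth_headers)
             if c.get("realm", "").lower() == realm]
    if not creds:
        return "challenge: credentials with given realm not found"
    c = creds[0]
    password = subscribers.get(c.get("username"))  # lookup by username only
    if password is None:
        return "challenge: user not found"
    ha1 = md5hex(f"{c['username']}:{c['realm']}:{password}")  # HA1 from plain text
    ha2 = md5hex(f"{method}:{c.get('uri', '')}")
    expected = md5hex(f"{ha1}:{c.get('nonce', '')}:{ha2}")    # RFC 2617, no qop
    return "ok" if hmac.compare_digest(expected, c.get("response", "")) else "challenge: bad response"

def client_header(user, realm, password, method, uri, nonce):
    ha1 = md5hex(f"{user}:{realm}:{password}")
    resp = md5hex(f"{ha1}:{nonce}:{md5hex(f'{method}:{uri}')}")
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}"')

# Constructed sample: user and password as in the thread, domain and nonce invented.
SUBSCRIBERS = {"11111110000": "1234"}
TO, URI, NONCE = "sip:11111110000@sip.example.test", "sip:sip.example.test", "49a0f1b2c3d4"

if __name__ == "__main__":
    for realm in ("sip.example.test", "192.168.1.2"):
        hdr = client_header("11111110000", realm, "1234", "REGISTER", URI, NONCE)
        print(realm, "->", authorize("REGISTER", TO, [hdr], SUBSCRIBERS))
```

A client that answers with a realm other than the To URI domain is challenged again even though its password is correct, which is the situation the pre_auth debug line reports.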