[OpenSIPS-Users] uac_auth to uac_registrant module

Bogdan-Andrei Iancu bogdan at opensips.org
Tue Jul 29 11:44:23 CEST 2014


Hi,

If you try it from a failure route, you need to do :
     $(<reply>hdr(Proxy-Authenticate))

(see http://www.opensips.org/Documentation/Script-CoreVar-1-11)

In failure route, the context is of the request message, so if you want 
to access the reply, you need to switch to its context.

Regards,

Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
http://www.opensips-solutions.com

On 29.07.2014 12:41, Igor Olhovskiy wrote:
> Hi again.
> Seems to be,  $hdr(Proxy-Authenticate) is NULL at 401 response.
>
> failure_route[1] {
>     ...
>     if ( t_check_status("40[17]") ) {
>     ...
>     xlog("L_INFO", "Asterisk flavour $hdr(WWW-Authenticate), Proxy 
> flavour $hdr(Proxy-Authenticate)");
>     }
> }
>
> becomes
>
> /usr/sbin/opensips[18983]: Asterisk flavour <null>, Proxy flavour <null>
>
> It's logic, cause in failure_route we work with initial INVITE, but 
> not 401 reply. Cause, if we working with reply directly, we can't 
> apply uac_auth function to it.
>
> 28.07.14 21:10, Игорь Ольховский написав(ла):
>> Hi,
>>
>> Many thanks on your answer, will wait for a new feature and look at $hdr var more close.
>> Anyway, I have a little trouble with CSeq change (means it is need to do accurate), but for now it’s a solution.
>> Many thanks again.
>> 28 июля 2014, в 20:46, Bogdan-Andrei Iancu<bogdan at opensips.org>  написал(а):
>>
>>> Hi,
>>>
>>> 1) on changing cseq as a simple text - this is not wise as you break the sequence of cseq number in the dialog; we are working on a feature to allow you do that in sip-wise way.
>>>
>>> 2) about realm, the proxy/www -Authenticate header (in the 401/407 reply) has the realm parameter; you can grab it by transformations; on $hdr(Proxy-Authenticate) apply a regexp transformation (seehttp://www.opensips.org/Documentation/Script-Tran-1-11#toc72) to get the realm param from there.
>>>
>>> Regards,
>>>
>>> Bogdan-Andrei Iancu
>>> OpenSIPS Founder and Developer
>>> http://www.opensips-solutions.com
>>>
>>> On 21.07.2014 20:15, Igor Olkhovskii wrote:
>>>> Made it work via modification of CSeq (remove_hf -> append_hf) and now is a question, how to get correct realm from response. OpenSIPs is very limitated to text processing....
>>>>
>>>> 21.07.2014 18:39, Igor Olhovskiy пишет:
>>>>> Found this tread, but seems to be no luck in to work with INVITE on
>>>>> Asterisk.
>>>>> Is there any luck to get Asterisk auth (without touching Asterisk)
>>>>>
>>>>> https://www.mail-archive.com/users@lists.opensips.org/msg25236.html
>>>>> On 21.07.2014 16:14, Igor Olhovskiy wrote:
>>>>>> Hi!
>>>>>> I'm trying to get OpenSIPS 1.11 act as registrar proxy. Means it's not
>>>>>> only register on external servers, but take care of INVITE's and so.
>>>>>> I've configured modules as:
>>>>>>
>>>>>> loadmodule "uac_auth.so"
>>>>>> loadmodule "uac.so"
>>>>>> loadmodule "uac_registrant.so"
>>>>>> modparam("uac","restore_mode","auto")
>>>>>> modparam("uac_auth","auth_realm_avp","$avp(uac_realm)")
>>>>>> modparam("uac_auth","auth_username_avp","$avp(uac_username)")
>>>>>> modparam("uac_auth","auth_password_avp","$avp(uac_password)")
>>>>>> modparam("uac_registrant", "timer_interval", 120)
>>>>>> modparam("uac_registrant", "hash_size", 2)
>>>>>> modparam("uac_registrant", "db_url",
>>>>>> "mysql://opensips:opensips@localhost/opensips")
>>>>>>
>>>>>> ....
>>>>>> failure_route[1] {
>>>>>>                  ......
>>>>>>                  # have we already tried to authenticate?
>>>>>>                  if (isflagset(8)) {
>>>>>>                          xlog("L_INFO", "FAILUREROUTE_STATUS40X_SETFLAG8:
>>>>>> [F=$fu R=$ru D=$du M=$rm IP=($si:$sp $Ri:$Rp) ID=$ci]");
>>>>>>                          t_reply("503","Authentication failed");
>>>>>>                          exit;
>>>>>>                  }
>>>>>>                  if (is_method("INVITE")) {
>>>>>>                          # mark that auth was performed
>>>>>>                          setflag(8);
>>>>>>                          # trigger again the failure route
>>>>>>                          t_on_failure("1");
>>>>>>                          # repeat the request with auth response this time
>>>>>>                          $avp(uac_realm) = $td;
>>>>>>                          $avp(uac_username) = $fU;
>>>>>>                          avp_db_query("SELECT password FROM registrant
>>>>>> WHERE (registrar = 'sip:$avp(uac_realm)') AND ( username =
>>>>>> '$avp(uac_username)')","$avp(uac_password)");
>>>>>>                          xlog("L_INFO",
>>>>>> "FAILUREROUTE_STATUS40X_UACAUTHINVITE_DEBUG_VARIABLES: AVP_UAC_REALM:
>>>>>> $avp(uac_realm) AVP_UAC_USERNAME: $avp(uac_username) AVP_UAC_PASSWORD
>>>>>> :$avp(uac_password)");
>>>>>>                          uac_auth();
>>>>>>                          t_relay();
>>>>>>                  }
>>>>>>          }
>>>>>> .....
>>>>>> }
>>>>>>
>>>>>>
>>>>>> I see correct vars in debug message, but uac_auth() not to append branch
>>>>>> to reply INVITE.
>>>>>>
>>>>>> For example, I have  such string
>>>>>> AVP_UAC_REALM: some-dns.example.net.ua AVP_UAC_USERNAME: 2225678
>>>>>> AVP_UAC_PASSWORD :SuperStrongPassword
>>>>>>
>>>>>> What is wrong in this config/AVP's?
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users at lists.opensips.org
>>>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensips.org/pipermail/users/attachments/20140729/18d37b0e/attachment-0001.htm>


More information about the Users mailing list