[OpenSIPS-Users] Issues using memcache auth
Bogdan-Andrei Iancu
bogdan at opensips.org
Tue Jun 9 17:47:47 CEST 2015
Hi Tito,

OK, so you have a plain text pwd in DB. You also load it to the script
during DB auth and push it into the cache. What I was asking is to do
some xlog from script to double check that whatever is stored and later
fetched from script is correct - have you checked that?

Regards,
Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
http://www.opensips-solutions.com
On 03.06.2015 20:01, Tito Cumpen wrote:
> Bogdan,
>
>
> The password is provided in plaintext by the db. The working scenario
> looks like this:
>
> loadmodule "auth.so"
> loadmodule "auth_db.so"
> modparam("auth_db", "calculate_ha1", yes)
> modparam("auth_db", "password_column", "password")
> #modparam("auth_db", "db_url",
> modparam("auth_db", "db_url", "http://myauthdb")
> modparam("auth_db", "load_credentials", "")
>
>
> On Wed, Jun 3, 2015 at 11:59 AM, Bogdan-Andrei Iancu
> <bogdan at opensips.org> wrote:
>
> Tito,
>
> In DB, what do you have - the plain text passwd or the HA1 ?
>
> Regards,
>
> Bogdan-Andrei Iancu
> OpenSIPS Founder and Developer
> http://www.opensips-solutions.com
>
> On 03.06.2015 18:56, Tito Cumpen wrote:
>> Bogdan,
>>
>> The password is hashed into a numeric value it would seem. Though
>> my http db provides the password in raw unhashed string when
>> queried for the subscriber password. The debug shows that the md5
>> hashing is not being matched but I am not sure why since
>> the save function is only called if (!www_authorize("",
>> "subscriber")) has succeeded. Maybe something is being left out?
>>
>> Thanks,
>> Tito
>>
>>
>> On Wed, Jun 3, 2015 at 11:12 AM, Bogdan-Andrei Iancu
>> <bogdan at opensips.org> wrote:
>>
>> Hi Tito,
>>
>> Have you double checked if the passwd you push to
>> pv_www_authorize() (from cache) is the correct one ?
>>
>> Best Regards,
>>
>> Bogdan-Andrei Iancu
>> OpenSIPS Founder and Developer
>> http://www.opensips-solutions.com
>>
>> On 02.06.2015 01:58, Tito Cumpen wrote:
>>> my db http returns the password in plain string by the way.
>>>
>>> On Mon, Jun 1, 2015 at 6:57 PM, Tito Cumpen <tito at xsvoce.com> wrote:
>>>
>>> Hello group,
>>>
>>>
>>> I am attempting to add memcache auth validation in
>>> opensips 2.1. I was using http db which returns a string
>>> of the user password. This was working prior to
>>> utilizing pv_www_authorize. I used this document as a
>>> guideline
>>> http://www.opensips.org/Documentation/Tutorials-MemoryCaching
>>>
>>> Here is my auth mod param config
>>> loadmodule "cachedb_local.so"
>>> loadmodule "auth.so"
>>> loadmodule "auth_db.so"
>>> modparam("auth","username_spec","$avp(i:54)")
>>> modparam("auth","password_spec","$avp(i:55)")
>>> modparam("auth","calculate_ha1",1)
>>>
>>> modparam("auth_db", "calculate_ha1", yes)
>>> modparam("auth_db", "password_column", "password")
>>> #modparam("auth_db", "db_url",
>>> modparam("auth_db", "db_url", "http://mysubscriberdatabase.com")
>>> modparam("auth_db", "load_credentials", "$avp(i:55)=password")
>>>
>>>
>>> if (is_method("REGISTER")) {
>>>
>>>     # indicate that the client supports DTLS
>>>     # so we know when he is called
>>>     if (isflagset(SRC_WS))
>>>         setbflag(DST_WS);
>>>
>>>     if ( isflagset(uac_ws) ) {
>>>         xlog("setting avp attribute in register for websocket \n");
>>>
>>>         $avp(attr)="websocket";
>>>     }
>>>     if(cache_fetch("local","passwd_$tu",$avp(i:55))) {
>>>         xlog("$tU 's credentials are stored in local cache using it for this register request \n");
>>>         $avp(i:54) = $tU;
>>>         xlog("SCRIPT: stored password is $avp(i:55)\n");
>>>         # perform auth from variables
>>>         # $avp(i:54) contains the username
>>>         # $avp(i:55) contains the password
>>>         if (!pv_www_authorize("")) {
>>>             $var(rc2) = pv_www_authorize("");
>>>             # $var(rc2) = www_authorize("", "subscriber");
>>>             xlog("Return code is $var(rc2) \n");
>>>             switch ( $var(rc2) ) {
>>>             case 1 :
>>>                 # if ( proto==TCP || 0 ) {
>>>                 # setflag(TCP_PERSISTENT);
>>>                 # setflag(6);
>>>                 # }
>>>
>>>                 if (!save("location","f"))
>>>                     sl_reply_error();
>>>
>>>                 exit;
>>>
>>>                 # success
>>>                 break;
>>>             case -1:
>>>                 sl_send_reply("404","User not found");
>>>                 exit;
>>>                 break;
>>>             case -2:
>>>                 sl_send_reply("403","Forbidden (Bad auth)");
>>>                 exit;
>>>                 break;
>>>             case -3:
>>>                 www_challenge("", "0");
>>>                 exit;
>>>                 #sl_send_reply("403","Forbidden auth ID");
>>>                 #break;
>>>             default:
>>>                 www_challenge("", "0");
>>>                 exit;
>>>
>>>             }
>>>
>>>         };
>>>
>>>         if (!save("location","f"))
>>>             sl_reply_error();
>>>
>>>         exit;
>>>     }else{
>>>         xlog("could not find the auth info in local cache for $tU\n");
>>>         xlog("accessing the external db for auth info");
>>>         # authenticate the REGISTER requests
>>>         if (!www_authorize("", "subscriber"))
>>>         {
>>>             xlog("new challenger $tU\n");
>>>
>>>             # www_challenge("", "0");
>>>
>>>             $var(rc) = www_authorize("", "subscriber");
>>>             xlog("Return code is $var(rc) \n");
>>>
>>>             switch ( $var(rc) ) {
>>>             case 1 :
>>>                 # if ( proto==TCP || 0 ) {
>>>                 # setflag(TCP_PERSISTENT);
>>>                 # setflag(6);
>>>                 # }
>>>                 # $avp(me) = $(tU{s.tolower});
>>>
>>>                 cache_store("local","passwd_$tu","$avp(i:55)",1200);
>>>
>>>                 if (!save("location","f"))
>>>                     sl_reply_error();
>>>
>>>                 exit;
>>>
>>>                 # success
>>>                 break;
>>>             case -1:
>>>                 sl_send_reply("404","User not found");
>>>                 exit;
>>>                 break;
>>>             case -2:
>>>                 sl_send_reply("403","Forbidden (Bad auth)");
>>>                 exit;
>>>                 break;
>>>             case -3:
>>>                 www_challenge("", "0");
>>>                 exit;
>>>                 #sl_send_reply("403","Forbidden auth ID");
>>>                 #break;
>>>             default:
>>>                 www_challenge("", "0");
>>>                 exit;
>>>
>>>             }
>>>         }
>>>
>>>         xlog("should be storing local now that it has been authorized\n");
>>>         cache_store("local","passwd_$tu","$avp(i:55)",1200);
>>>     }
>>>
>>>     if (!save("location","f"))
>>>         sl_reply_error();
>>>
>>>     exit;
>>> }
>>>
>>>
>>>
>>> The issue is the pv_www_authorize method after the
>>> verification whether the password is stored locally
>>> always returns -2 which means the password is incorrect.
>>> Can anyone provide any guidance as to why this is ?
>>>
>>>
>>> Thanks,
>>> Tito
>>>
>>>
>>>
>>>
>>
>>
>
>