Re: [SR-Users] auth_db authorize realm

Thu, 06 May 2010 14:36:55 -0700 


On 5/6/10 11:31 PM, Alex Balashov wrote:

There is a peculiar and confusing aspect to the documented 
significance of the "realm" argument to www_authorize(), and 
presumably proxy_authorize() as well.



The documentation says that if this value is empty, the digest realm 
will be generated from the domain part of the To or From URI, 
whichever is applicable to the given situation (REGISTER vs. any other 
request).  This is the way *_authorize() is invoked in most cases, and 
works fine.



However, we recently ran into a situation where www_authorize() would 
always fail and claim that it could not find the user in 'subscriber' 
despite being provided correct username and domain, with the 
appropriate options -- return value -1.  We were sending the public 
host IP as the domain of the To URI, using it as the realm, and 
setting it in the domain column of the 'subscriber' table.  The 
problem was, the public IP of the host was not in /etc/hosts -- 
/etc/hosts consisted solely of:


   127.0.0.1  localhost.localdomain localhost


For some reason, it wasn't until I added the public IP into it that 
www_authorize() started working properly:


   127.0.0.1          localhost.localdomain
   xxx.xxx.xxx.xxx    public_host.domain.tld public_host


I don't see anything different in the anatomy of the 401 Unauthorized 
challenges;  the realm is still xxx.xxx.xxx.xxx in both cases.  It 
just seems that unless Kamailio detects a DNS reverse alias for the 
domain, it won't properly authenticate requests.



This aspect of the behaviour is not documented, and I am also confused 
as to why it happens this way.  Any clarification would be appreciated.



should be no relation between dns and realm, realm is practically just a 
token.



Can you ngrep the sql traffic to see the query and if the record is 
returned to auth db module?


Cheers,
Daniel

--
Daniel-Constantin Mierla
* http://www.asipto.com/



_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users






















					Reply via email to