I am forwarding this thread from the OpenSER-Users list. Should
information be added in the documentation about the return codes of the
proxy_authorize, radius_proxy_authorize and diameter_proxy_authorize
functions?
Regards,
Anatoly.
-------- Original Message --------
Subject: Re: [OpenSER-Users] Logging failed registration attempt
Date: Tue, 14 Aug 2007 10:38:58 -0400
From: Anatoly Pidruchny <[EMAIL PROTECTED]>
To: Edoardo Serra <[EMAIL PROTECTED]>
CC: [EMAIL PROTECTED]
References: <[EMAIL PROTECTED]>
<[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
<[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
Edoardo,
I am looking at the documentation for the auth_db module for the
development version: http://www.openser.org/docs/modules/devel/auth_db.html
Yes, the information about return codes is included in the description
of the www_authorize function, but it is not included in the description
of the proxy_authorize function. In fact, the proxy_authorize function
returns the same error codes as the www_authorize function. There is a
similar problem with the documentation for the radius_proxy_authorize
(auth_radius module) and diameter_proxy_authorize (auth_diameter module)
functions. The return codes are described for the ..._www_... functions,
but not for the ..._proxy_... functions.
Regards,
Anatoly.
GREAT
that's exactly what I was thinking of
(shame on me for not having searched the tracker nor the online doc
which IS updated for devel section)
Tnx for help
Regards
Anatoly Pidruchny wrote:
Please take a look at this patch:
http://sourceforge.net/tracker/index.php?func=detail&aid=1693132&group_id=139143&atid=743022
This patch was uploaded into the trunk. This patch allows you to check
the reason why the www/proxy_authorize function fails. It now returns
the following negative codes:
-1 - non existent user;
-2 - invalid passwd
-3 - stale nonce
-4 - no credentials
-5 - error
You can use "switch" and "$retval" to test the return code in your
script.
It does not look like the documentation was updated though to include
this information.
Anatoly.
Ok, that's how I did
    if (!proxy_authorize("exorsa", "openser_view")) {
        if(search("Proxy-Authorization")) {
            xlog("L_ERR", "REGISTER: Auth error from - $au");
        }
        proxy_challenge("exorsa", "0");
        exit;
    }
so, if the packet contains credentials but they're wrong the attempt
is logged
Now I'm facing the following problem...
When the nonce expires and the client re-REGISTERs, the packet will
contain wrong credentials and the UA is challenged again.
This way that's logged as a bad authentication
I also tried to do
    if(search("Proxy-Authorization")) {
        if(!registered("location")) {
            xlog("L_ERR", "REGISTER: Auth error from - $au");
        }
    }
...but without good results....
Any idea ?
Tnx in advance
Edoardo
Iñaki Baz Castillo wrote:
On Monday 13 August 2007 22:11:34 Edoardo Serra wrote:
Hi all,
I'd like to log failed SIP REGISTER attempts either with xlog or with
sip_trace() but I cannot understand where to put related code to catch
the authentication error
With XLOG is easy :)
Here is the part of my openser.cfg dedicated to REGISTER handling

    if (method=="REGISTER") {
        if (!proxy_authorize("exorsa", "openser_view")) {
            xlog("L_INFO", "REGISTER: auth required\n");
            proxy_challenge("exorsa", "0");
            exit;
        }
        if (!check_to()) {
            xlog("L_WARN", "REGISTER: !check_to()\n");
            sl_send_reply("403", "Digest username and URI username do NOT match! Stay away!");
            exit;
        }
        xlog("L_INFO", "REGISTER: authorized\n");
        save("location");
        exit;
    };
Regards.
_______________________________________________
Users mailing list
[EMAIL PROTECTED]
http://openser.org/cgi-bin/mailman/listinfo/users
_______________________________________________
Devel mailing list
Devel@openser.org
http://openser.org/cgi-bin/mailman/listinfo/devel
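
The return codes listed in the thread, applied to the REGISTER block Edoardo posted so that a stale nonce is not logged as a failed authentication. This is an added example, not code from the thread or from the OpenSER project. It assumes the last return code is readable as $retcode (the thread refers to it as "$retval") and uses $si for the source address; the realm and table names are the ones from the thread.

```cfg
# Added example: OpenSER routing-script fragment, not from the thread.
# Assumption: $retcode holds the return value of the last function called
# (the thread calls it "$retval"); use the name your version documents.
if (method=="REGISTER") {
    if (!proxy_authorize("exorsa", "openser_view")) {
        switch ($retcode) {
            case -1:
                # non-existent user: a failed attempt worth recording
                xlog("L_WARN", "REGISTER: unknown user $au from $si\n");
                break;
            case -2:
                # invalid password: the case the thread wants logged
                xlog("L_WARN", "REGISTER: bad password for $au from $si\n");
                break;
            case -3:
                # stale nonce: normal re-REGISTER after nonce expiry,
                # so keep it out of the failed-authentication log
                xlog("L_DBG", "REGISTER: stale nonce for $au\n");
                break;
            case -4:
                # no credentials: first request of a normal exchange
                break;
            default:
                # -5 (error) or any unexpected value
                xlog("L_ERR", "REGISTER: authorization error for $au\n");
        }
        # every failure path still ends in a fresh challenge
        proxy_challenge("exorsa", "0");
        exit;
    }
    xlog("L_INFO", "REGISTER: authorized\n");
    save("location");
    exit;
}
```

Counting only the -1 and -2 lines per source address gives a usable signal for password guessing, since re-registrations after nonce expiry fall under -3.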