Hi Pat,

I see 2 scenarios here (in both cases, the calledID and the auth user are completely different, they cannot be calculated one from the other):

* if the caller sends in FROM the auth username and in PAI/RPID the CLI, you should be fine.

* if the caller sends in FROM the CLI, then it should send in the auth answer (as "username" attribute) the right auth username. The authentication should be successful, but you should check if the advertised CLI (in FROM) is allowed to use the authentication username.

So, bottom line (I think you are on the second scenario), you have to keep the db_check_from(), re-configure the URI module to perform the check against a predefined set of mappings (auth username as per subscriber and SIP username as per FROM hdr) via DB table "uri" - see the "db_table" and "use_uri_table" parameters:
http://www.opensips.org/html/docs/modules/2.3.x/uri.html#use-uri-table

Or using avp_db_query() you can make your own SQL query for checking (via custom table) if the auth username is allowed with a certain CLI (FROM username).

Best regards,

Bogdan-Andrei Iancu
  OpenSIPS Founder and Developer
  http://www.opensips-solutions.com

OpenSIPS Bootcamp 2017, Houston, US
  http://opensips.org/training/OpenSIPS_Bootcamp_2017.html

On 07/25/2017 03:32 AM, Pat Burke wrote:
Hello,

As a SIP Provider, we are implementing the ability to provide SIP trunks to customers with a PBX or Dialer that require Registration. With this in mind, the customer wants to be able to set the CallerID at least on the basis of the devices connected to them, but potentially on a per call basis.

For the challenge-response to the non-Register methods, we have implemented the script as follows (seems to be a very standard way). My question is for the case of the CallerID not being the same as the username/authorization name, how do we do this? Because the "FROM" user is different from the authorized user, the db_check_from fails. I don't believe all phone systems support P-Asserted-ID, so we can't really go that route. So can we just remove the "db_check_from"?   What risk does that expose us to?

if ( !(is_method("REGISTER")) ) {
   if (is_from_local("$var(reg_domain_attr)")) { # from Registered device
       $avp(callee_number_type) := "Registered";

       # authenticate if from local subscriber
       # authenticate all initial non-REGISTER request that pretend to be
       # generated by local subscriber (domain from FROM URI is local)
       if (!proxy_authorize("", "subscriber")) {
          proxy_challenge("", "0");
          exit;
       }

       if (!db_check_from()) {
          sl_send_reply("403","Forbidden auth ID");
          exit;
       }

       consume_credentials();
       # caller authenticated
    }
}
Regards,
*Pat Burke*



_______________________________________________
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
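
An added example, not part of the original thread and not OpenSIPS code: a Python model of the check described in the reply's second scenario, where the auth username and the FROM username (CLI) differ and a table of allowed pairs decides the outcome. The `uri` table column names, the sample INVITE, the account name and the numbers are constructed assumptions; in OpenSIPS the lookup itself is done by db_check_from() with the uri table enabled, or by a custom avp_db_query().

```python
import re
import sqlite3

# Constructed sample: the From user is the advertised CLI, the digest
# username is the trunk account. All values are made up for illustration.
SAMPLE_INVITE = (
    "INVITE sip:15551230000@sip.example.net SIP/2.0\r\n"
    'From: "Sales" <sip:15557654321@sip.example.net>;tag=a1b2\r\n'
    'Proxy-Authorization: Digest username="trunk-acme", '
    'realm="sip.example.net", nonce="abc", response="00"\r\n\r\n'
)

def from_user(msg):
    """User part of the From URI (long or compact header form)."""
    m = re.search(r"^(?:From|f)\s*:.*?sips?:([^@>;\s]+)@", msg, re.I | re.M)
    return m.group(1) if m else None

def auth_user(msg):
    """Digest 'username' attribute from Proxy-Authorization."""
    m = re.search(r'^Proxy-Authorization\s*:\s*Digest\b.*?\busername="([^"]*)"',
                  msg, re.I | re.M)
    return m.group(1) if m else None

def build_db(rows):
    """In-memory stand-in for the mapping table (assumed column names)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE uri (username TEXT, domain TEXT, uri_user TEXT)")
    db.executemany("INSERT INTO uri VALUES (?, ?, ?)", rows)
    return db

def same_user_check(msg):
    """The check that fails in the question: auth username must equal From username."""
    au = auth_user(msg)
    return au is not None and au == from_user(msg)

def cli_allowed(db, msg, domain):
    """Mapping check: is this auth username allowed to present this CLI?"""
    au, fu = auth_user(msg), from_user(msg)
    if au is None or fu is None:
        return False  # fail closed on missing credentials or From user
    row = db.execute(
        "SELECT 1 FROM uri WHERE username = ? AND domain = ? AND uri_user = ?",
        (au, domain, fu),  # bound parameters: header values never reach SQL text
    ).fetchone()
    return row is not None
```

With the pair ("trunk-acme", "sip.example.net", "15557654321") in the table, the sample request passes the mapping check even though the equality check rejects it, while the same account presenting an unmapped CLI is refused.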
