Hello Daniel, 
Thank you for the answer.

Regarding my last message, where Alex answered me:
can you please verify that this LDAP authentication routing section should
work? Calls between two registered extensions are not working at all. I don't
see any attempts at negotiation and always get 404. I am trying not to use MySQL
for user management.

Error from debug. 

7(2668) DEBUG: tm [t_lookup.c:1373]: t_newtran(): DEBUG: t_newtran: msg id=1 , global msg id=1 , T on entrance=(nil)
7(2668) DEBUG: tm [t_lookup.c:527]: t_lookup_request(): t_lookup_request: start searching: hash=24684, isACK=0
7(2668) DEBUG: tm [t_lookup.c:485]: matching_3261(): DEBUG: RFC3261 transaction matching failed
7(2668) DEBUG: tm [t_lookup.c:709]: t_lookup_request(): DEBUG: t_lookup_request: no transaction found
7(2668) DEBUG: tm [t_hooks.c:374]: run_reqin_callbacks_internal(): DBG: trans=0x7f272e75acc0, callback type 1, id 0 entered
7(2668) DEBUG: <core> [md5utils.c:67]: MD5StringArray(): DEBUG: MD5 calculated: 56120e176eec0cd31c62bcba6270de35
7(2668) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio-ldap.cfg] l=697 a=21 n=switch
7(2668) ERROR: *** cfgtrace: c=[/etc/kamailio/kamailio-ldap.cfg] l=692 a=26 n=send_reply
7(2668) DEBUG: tm [t_lookup.c:1072]: t_check_msg(): DEBUG: t_check_msg: msg id=1 global id=1 T start=0x7f272e75acc0
7(2668) DEBUG: tm [t_lookup.c:1144]: t_check_msg(): DEBUG: t_check_msg: T already found!
7(2668) DEBUG: <core> [msg_translator.c:204]: check_via_address(): check_via_address(10.237.236.150, 10.237.236.150, 0)
7(2668) DEBUG: <core> [mem/shm_mem.c:111]: _shm_resize(): WARNING:vqm_resize: resize(0) called
7(2668) DEBUG: tm [t_reply.c:1663]: cleanup_uac_timers(): DEBUG: cleanup_uac_timers: RETR/FR timers reset
7(2668) DEBUG: tm [t_hooks.c:288]: run_trans_callbacks_internal(): DBG: trans=0x7f272e75acc0, callback type 512, id 0 entered
7(2668) DEBUG: acc [acc_logic.c:557]: tmcb_func(): acc callback called for t(0x7f272e75acc0) event type 512, reply code 404
7(2668) DEBUG: tm [t_reply.c:728]: _reply_light(): DEBUG: reply sent out. buf=0x7f2738acb530: SIP/2.0 404 Not Foun..., shmem=0x7f272e753128: SIP/2.0 404 Not Foun
7(2668) DEBUG: tm [t_reply.c:738]: _reply_light(): DEBUG: _reply_light: finished
7(2668) DEBUG: sl [sl.c:280]: send_reply(): reply in stateful mode (tm)


#!ifdef WITH_LDAP
route[LDAP] {
    if (is_method("REGISTER")) {

        if (!(is_present_hf("Authorization") || is_present_hf("Proxy-Authorization"))) {
            # no credentials header - send back challenge
            auth_challenge("$fd", "1");
            exit;
        }

        # ldap search
        ldap_search("ldap://sipaccounts/ou=People,dc=networklab,dc=loc?sipDomain,sipMobileExtension,sipPassword?one?(&(objectClass=phonesipuser)(sipMobileExtension=$fU))");

        # keep the ldap_search() return code before other calls overwrite $rc
        $var(rc) = $rc;
        if ($var(rc) < 0) {
            switch ($var(rc)) {
                case -1:
                    # no LDAP entry found
                    sl_send_reply("404", "User Not Found");
                    exit;
                case -2:
                    # internal error
                    sl_send_reply("500", "Internal server error");
                    exit;
                default:
                    sl_send_reply("403", "Not allowed");
                    exit;
            }
        }

        ldap_result("sipDomain/$avp(domain)");
        ldap_result("sipMobileExtension/$avp(s:username)");

        if (!ldap_result("sipPassword/$avp(s:password)")) {
            sl_send_reply("404", "User Not Found");
            exit;
        }

        if ($fd != $avp(domain)) {
            xlog("L_INFO", "Got ldap result $avp(domain). For user $avp(s:username) Not allowed $fd");
            sl_send_reply("403", "Not allowed $fd");
            exit;
        }

        # For test get ha1 from ldap
        xlog("L_INFO", "[Extension=$au] have $avp(s:password)\n");

        if (!pv_auth_check("$fd", "$avp(s:password)", "1", "0")) {

            #if (!pv_www_authenticate("$fd", "$avp(s:password)", "1")) {

            if ($rc == -1) {
                xlog("L_WARN", "Authentication: RetVal -1 Invalid Auth User [Extension=$au]\n");
            } else if ($rc == -2) {
                xlog("L_WARN", "Authentication: RetVal -2 Invalid Password [Extension=$au]\n");
            } else if ($rc == -3) {
                xlog("L_INFO", "Authentication: RetVal -3 Stale nonce [Extension=$au]\n");
            } else if ($rc == -5) {
                xlog("L_WARN", "Authentication: RetVal -5 Generic Error [Extension=$au]\n");
            }

            # www_challenge("$td", "0");
            # exit;
            # sl_send_reply("200", "ok");
            # exit;
            #} else {
            # www_challenge("$td", "1");
            # exit;
            #}

            auth_challenge("$fd", "1");
            exit;
            # not reached: the exit above ends processing
            sl_send_reply("403", "Not allowed");
            exit;
        } else {
            sl_send_reply("200", "ok");
            exit;
        }

        if (!is_method("REGISTER|PUBLISH")) {
            consume_credentials();
        }
    }
    return;
}
#!endif


Thank you, 
Slava. 

----- Original Message -----

From: "Daniel-Constantin Mierla" <mico...@gmail.com> 
To: "Kamailio (SER) - Users Mailing List" <sr-users@lists.sip-router.org> 
Sent: Monday, March 24, 2014 4:47:36 AM 
Subject: Re: [SR-Users] Ldap auth 

Hello, 

remove the double quotes in the IF expressions: 

if ("$avp(s:domain)" =~ "$fd") { 

Values in between double quotes are strings. 

Cheers, 
Daniel 

On 21/03/14 21:41, Slava Bendersky wrote: 



Hello Everyone, 

I am trying to compare the domain part of the URI with the LDAP query result,
and I am getting a syntax warning:

arn_at(): warning in config file /etc/kamailio/kamailio-ldap.cfg, line 992, column 17-39: constant value in if(...)


ldap_result("sipExtension/$avp(extension)");
ldap_result("sipDomain/$avp(domain)");
ldap_result("password/$avp(password)");

}

if ("$avp(s:domain)" =~ "$fd") {
    xlog("L_INFO", "Not alllowed $fd");
    sl_send_reply("403","Not allowed $fd");
    exit;
}

Any help, thank you.



_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list 
sr-users@lists.sip-router.org 
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users 



-- 
Daniel-Constantin Mierla - http://www.asipto.com http://twitter.com/#!/miconda 
- http://www.linkedin.com/in/miconda Kamailio World Conference - April 2-4, 
2014, Berlin, Germany http://www.kamailioworld.com 
