[Freeswitch-users] Directory and ACL authentication
Victor Chukalovskiy
victor.chukalovskiy at gmail.com
Tue May 6 00:38:14 MSD 2014
Alright, thank you! Domains ACL works BUT requires "users" to be in
"groups". If "users" are directly in the "domain" section, ACL remains
empty.
This is contradictory to the WiKi saying that: "Using groups is optional
-- you can put your users straight into the domain section if you
desire". Should I file Jira or should I edit WiKi instead? :)
With regards to directory, I intend to keep it minimalistic:
<user id="foo" cidr="1.2.3.4/32">
<variables>
<variable name="accountcode" value="customer_1"/>
</variables>
</user>
Will someone from a different CIDR be able to place calls as user "foo"
bypassing any authentication? Note that I don't set any password in params.
If so, how to secure this on the SIP profile level and keep user entries
as concise as possible?
Thanks again!
-Victor
On 14-05-05 12:24 PM, Steven Ayre wrote:
> You need this:
> <param name="apply-inbound-acl" value="domains"/>
>
>
>
> On 5 May 2014 17:13, Victor Chukalovskiy
> <victor.chukalovskiy at gmail.com <mailto:victor.chukalovskiy at gmail.com>>
> wrote:
>
> Hello,
>
> Coming from wholesale background, my FS's run without any
> registrations.
> So far everything was ACL-based using "apply-inbound-acl" and I
> did not
> use any directory entries.
>
> The only problem with this is that once I have all IPs together in one
> big ALC, I can't identify which customer the call came from. E.g. need
> to set my_channel_variable=customer1 if a call came from
> particular IPs
> and my_channel_variable=customer2 if a call came from other IPs.
>
> So I'm trying to move ACL logic into directory by means of defining a
> user with cidr attribute. So far, no matter what I do FS challenges
> INVITE with "407" even-though the INVITE comes from the IP that is
> included in CIDR attribute for a user. I suppose for whatever reason
> switch does not match INVITEs against CIDR's in the directory. Please
> help me with that. WiKi is written from a somewhat different logic /
> perspective, so it's hard to apply.
>
> My SIP profile is:
>
> <profile name="test">
> <gateways>
> </gateways>
> <domains>
> </domains>
> <settings>
> <param name="parse-invite-tel-params" value="true"/>
> <param name="user-agent-string" value="test"/>
> <param name="debug" value="0"/>
> <param name="sip-trace" value="no"/>
> <param name="log-auth-failures" value="true"/>
> <param name="rfc2833-pt" value="101"/>
> <param name="sip-port" value="5060"/>
> <param name="dialplan" value="XML"/>
> <param name="context" value="test"/>
> <param name="country" value="e164"/>
> <param name="dtmf-duration" value="2000"/>
> <param name="inbound-codec-prefs"
> value="$${default_codec_prefs}"/>
> <param name="outbound-codec-prefs"
> value="$${default_codec_prefs}"/>
> <param name="caller-id-type" value="none"/>
> <param name="rtp-timer-name" value="soft"/>
> <param name="rtp-ip" value="192.168.1.2"/>
> <param name="sip-ip" value="192.168.1.2"/>
> <param name="manage-presence" value="false"/>
> <param name="manage-shared-appearance" value="false"/>
> <param name="inbound-codec-negotiation" value="greedy"/>
> <param name="disable-transcoding" value="true"/>
> <param name="manual-redirect" value="false"/>
> <param name="disable-transfer" value="true"/>
> <param name="disable-register" value="false"/>
> <param name="auth-calls" value="true"/>
> <param name="rtp-timeout-sec" value="300"/>
> <param name="rtp-hold-timeout-sec" value="1800"/>
> <param name="pass-callee-id" value="false"/>
> </settings>
> </profile>
>
>
> Thanks!
> -Victor
>
>
>
>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org <mailto:consulting at freeswitch.org>
> http://www.freeswitchsolutions.com
>
>
>
>
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://wiki.freeswitch.org
> http://www.cluecon.com
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> <mailto:FreeSWITCH-users at lists.freeswitch.org>
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
>
>
>
>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
>
>
>
>
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://wiki.freeswitch.org
> http://www.cluecon.com
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20140505/48fdc7ff/attachment.html
Join us at ClueCon 2013 Aug 6-8, 2013
More information about the FreeSWITCH-users
mailing list