[Freeswitch-users] Directory and ACL authentication
Victor Chukalovskiy
victor.chukalovskiy at gmail.com
Tue May 6 22:47:18 MSD 2014
Ok, done: https://jira.freeswitch.org/browse/FS-6506
Also, added comment to the WiKi until this is fixed:
https://wiki.freeswitch.org/wiki/XML_User_Directory_Guide#Groups
On 14-05-06 12:32 PM, Steven Ayre wrote:
> I'd go with a Jira. Either it's an oversight, or there's a reason for
> it that can be tracked in Jira and then the wiki updated referencing
> the ticket.
>
>
> On 5 May 2014 21:38, Victor Chukalovskiy <victor.chukalovskiy at gmail.com> wrote:
>
> Alright, thank you! Domains ACL works BUT requires "users" to be
> in "groups". If "users" are directly in the "domain" section, ACL
> remains empty.
>
> This is contradictory to the WiKi saying that: "Using groups is
> optional -- you can put your users straight into the domain
> section if you desire". Should I file Jira or should I edit WiKi
> instead? :)
>
> With regards to directory, I intend to keep it minimalistic:
>
> <user id="foo" cidr="1.2.3.4/32">
>   <variables>
>     <variable name="accountcode" value="customer_1"/>
>   </variables>
> </user>
>
> Will someone from a different CIDR be able to place calls as user
> "foo" bypassing any authentication? Note that I don't set any
> password in params.
> If so, how to secure this on the SIP profile level and keep user
> entries as concise as possible?
>
> Thanks again!
> -Victor
>
>
> On 14-05-05 12:24 PM, Steven Ayre wrote:
>> You need this:
>> <param name="apply-inbound-acl" value="domains"/>
>>
>>
>>
>> On 5 May 2014 17:13, Victor Chukalovskiy <victor.chukalovskiy at gmail.com> wrote:
>>
>> Hello,
>>
>> Coming from wholesale background, my FS's run without any registrations.
>> So far everything was ACL-based using "apply-inbound-acl" and I did not
>> use any directory entries.
>>
>> The only problem with this is that once I have all IPs together in one
>> big ACL, I can't identify which customer the call came from. E.g. need
>> to set my_channel_variable=customer1 if a call came from particular IPs
>> and my_channel_variable=customer2 if a call came from other IPs.
>>
>> So I'm trying to move ACL logic into directory by means of defining a
>> user with cidr attribute. So far, no matter what I do FS challenges
>> INVITE with "407" even though the INVITE comes from the IP that is
>> included in CIDR attribute for a user. I suppose for whatever reason
>> switch does not match INVITEs against CIDRs in the directory. Please
>> help me with that. WiKi is written from a somewhat different logic /
>> perspective, so it's hard to apply.
>>
>> My SIP profile is:
>>
>> <profile name="test">
>>   <gateways>
>>   </gateways>
>>   <domains>
>>   </domains>
>>   <settings>
>>     <param name="parse-invite-tel-params" value="true"/>
>>     <param name="user-agent-string" value="test"/>
>>     <param name="debug" value="0"/>
>>     <param name="sip-trace" value="no"/>
>>     <param name="log-auth-failures" value="true"/>
>>     <param name="rfc2833-pt" value="101"/>
>>     <param name="sip-port" value="5060"/>
>>     <param name="dialplan" value="XML"/>
>>     <param name="context" value="test"/>
>>     <param name="country" value="e164"/>
>>     <param name="dtmf-duration" value="2000"/>
>>     <param name="inbound-codec-prefs" value="$${default_codec_prefs}"/>
>>     <param name="outbound-codec-prefs" value="$${default_codec_prefs}"/>
>>     <param name="caller-id-type" value="none"/>
>>     <param name="rtp-timer-name" value="soft"/>
>>     <param name="rtp-ip" value="192.168.1.2"/>
>>     <param name="sip-ip" value="192.168.1.2"/>
>>     <param name="manage-presence" value="false"/>
>>     <param name="manage-shared-appearance" value="false"/>
>>     <param name="inbound-codec-negotiation" value="greedy"/>
>>     <param name="disable-transcoding" value="true"/>
>>     <param name="manual-redirect" value="false"/>
>>     <param name="disable-transfer" value="true"/>
>>     <param name="disable-register" value="false"/>
>>     <param name="auth-calls" value="true"/>
>>     <param name="rtp-timeout-sec" value="300"/>
>>     <param name="rtp-hold-timeout-sec" value="1800"/>
>>     <param name="pass-callee-id" value="false"/>
>>   </settings>
>> </profile>
>>
>>
>> Thanks!
>> -Victor
>>
>>
>>
>>
>> _________________________________________________________________________
>> Professional FreeSWITCH Consulting Services:
>> consulting at freeswitch.org <mailto:consulting at freeswitch.org>
>> http://www.freeswitchsolutions.com
>>
>>
>>
>>
>> Official FreeSWITCH Sites
>> http://www.freeswitch.org
>> http://wiki.freeswitch.org
>> http://www.cluecon.com
>>
>> FreeSWITCH-users mailing list
>> FreeSWITCH-users at lists.freeswitch.org
>> <mailto:FreeSWITCH-users at lists.freeswitch.org>
>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>> http://www.freeswitch.org
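
A small audit for the grouping issue reported in this thread, as an added example that is not part of the original messages or of FreeSWITCH's own code: it lists users whose cidr attribute sits outside a groups section and maps a source IP to the accountcode of a grouped user. The sample directory, the function names, the comma-separated cidr handling and the most-specific-match rule are assumptions of this example.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample (not from the thread): "foo" is grouped, "bar" is not.
SAMPLE_DIRECTORY = """
<domain name="example.invalid">
  <groups><group name="customers"><users>
    <user id="foo" cidr="192.0.2.10/32">
      <variables><variable name="accountcode" value="customer_1"/></variables>
    </user>
  </users></group></groups>
  <user id="bar" cidr="198.51.100.0/28">
    <variables><variable name="accountcode" value="customer_2"/></variables>
  </user>
</domain>
"""

def audit_directory(xml_text):
    """Return (acl_entries, ungrouped_ids) for users that carry a cidr attribute."""
    domain = ET.fromstring(xml_text)
    grouped = {id(u) for u in domain.findall("./groups/group/users/user")}
    acl_entries, ungrouped = [], []
    for user in domain.iter("user"):
        cidr = user.get("cidr")
        if not cidr:
            continue
        if id(user) not in grouped:
            # Per the thread, such users do not populate the "domains" ACL.
            ungrouped.append(user.get("id"))
            continue
        var = user.find("./variables/variable[@name='accountcode']")
        code = var.get("value") if var is not None else None
        for net in cidr.split(","):  # assumption: comma-separated networks
            acl_entries.append((ipaddress.ip_network(net.strip()), user.get("id"), code))
    return acl_entries, ungrouped

def identify(acl_entries, source_ip):
    """Return (user_id, accountcode) for the most specific matching network, else None."""
    addr = ipaddress.ip_address(source_ip)
    hits = [e for e in acl_entries if e[0].version == addr.version and addr in e[0]]
    if not hits:
        return None
    _, user_id, code = max(hits, key=lambda e: e[0].prefixlen)
    return user_id, code

if __name__ == "__main__":
    entries, ungrouped = audit_directory(SAMPLE_DIRECTORY)
    print("ungrouped users with cidr:", ungrouped, identify(entries, "192.0.2.10"))
```
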