[Freeswitch-users] Directory and ACL authentication

Victor Chukalovskiy victor.chukalovskiy at gmail.com
Tue May 6 22:47:18 MSD 2014


Ok, done: https://jira.freeswitch.org/browse/FS-6506

Also, added comment to the WiKi until this is fixed:
https://wiki.freeswitch.org/wiki/XML_User_Directory_Guide#Groups

On 14-05-06 12:32 PM, Steven Ayre wrote:
> I'd go with a Jira. Either it's an oversight, or there's a reason for 
> it that can be tracked in Jira and then the wiki updated referencing 
> the ticket.
>
>
> On 5 May 2014 21:38, Victor Chukalovskiy 
> <victor.chukalovskiy at gmail.com <mailto:victor.chukalovskiy at gmail.com>> 
> wrote:
>
>     Alright, thank you! Domains ACL works BUT requires "users" to be
>     in "groups". If "users" are directly in the "domain" section, ACL
>     remains empty.
>
>     This is contradictory to the WiKi saying that: "Using groups is
>     optional -- you can put your users straight into the domain
>     section if you desire". Should I file Jira or should I edit WiKi
>     instead? :)
>
>     With regards to directory, I intend to keep it minimalistic:
>
>     <user id="foo" cidr="1.2.3.4/32 <http://1.2.3.4/32>">
>       <variables>
>         <variable name="accountcode" value="customer_1"/>
>       </variables>
>     </user>
>
>     Will someone from a different CIDR be able to place calls as user
>     "foo" bypassing any authentication? Note that I don't set any
>     password in params.
>     If so, how to secure this on the SIP profile level and keep user
>     entries as concise as possible?
>
>     Thanks again!
>     -Victor
>
>
>     On 14-05-05 12:24 PM, Steven Ayre wrote:
>>     You need this:
>>         <param name="apply-inbound-acl" value="domains"/>
>>
>>
>>
>>     On 5 May 2014 17:13, Victor Chukalovskiy
>>     <victor.chukalovskiy at gmail.com
>>     <mailto:victor.chukalovskiy at gmail.com>> wrote:
>>
>>         Hello,
>>
>>         Coming from wholesale background, my FS's run without any
>>         registrations.
>>         So far everything was ACL-based using "apply-inbound-acl" and
>>         I did not
>>         use any directory entries.
>>
>>         The only problem with this is that once I have all IPs
>>         together in one
>>         big ALC, I can't identify which customer the call came from.
>>         E.g. need
>>         to set my_channel_variable=customer1 if a call came from
>>         particular IPs
>>         and my_channel_variable=customer2 if a call came from other IPs.
>>
>>         So I'm trying to move ACL logic into directory by means of
>>         defining a
>>         user with cidr attribute. So far, no matter what I do FS
>>         challenges
>>         INVITE with "407" even-though the INVITE comes from the IP
>>         that is
>>         included in CIDR attribute for a user. I suppose for whatever
>>         reason
>>         switch does not match INVITEs against CIDR's in the
>>         directory. Please
>>         help me with that. WiKi is written from a somewhat different
>>         logic /
>>         perspective, so it's hard to apply.
>>
>>         My SIP profile is:
>>
>>         <profile name="test">
>>            <gateways>
>>            </gateways>
>>            <domains>
>>            </domains>
>>            <settings>
>>              <param name="parse-invite-tel-params" value="true"/>
>>              <param name="user-agent-string" value="test"/>
>>              <param name="debug" value="0"/>
>>              <param name="sip-trace" value="no"/>
>>              <param name="log-auth-failures" value="true"/>
>>              <param name="rfc2833-pt" value="101"/>
>>              <param name="sip-port" value="5060"/>
>>              <param name="dialplan" value="XML"/>
>>              <param name="context" value="test"/>
>>              <param name="country" value="e164"/>
>>              <param name="dtmf-duration" value="2000"/>
>>              <param name="inbound-codec-prefs"
>>         value="$${default_codec_prefs}"/>
>>              <param name="outbound-codec-prefs"
>>         value="$${default_codec_prefs}"/>
>>              <param name="caller-id-type" value="none"/>
>>              <param name="rtp-timer-name" value="soft"/>
>>              <param name="rtp-ip" value="192.168.1.2"/>
>>              <param name="sip-ip" value="192.168.1.2"/>
>>              <param name="manage-presence" value="false"/>
>>              <param name="manage-shared-appearance" value="false"/>
>>              <param name="inbound-codec-negotiation" value="greedy"/>
>>              <param name="disable-transcoding" value="true"/>
>>              <param name="manual-redirect" value="false"/>
>>              <param name="disable-transfer" value="true"/>
>>              <param name="disable-register" value="false"/>
>>              <param name="auth-calls" value="true"/>
>>              <param name="rtp-timeout-sec" value="300"/>
>>              <param name="rtp-hold-timeout-sec" value="1800"/>
>>              <param name="pass-callee-id" value="false"/>
>>            </settings>
>>         </profile>
>>
>>
>>         Thanks!
>>         -Victor
>>
>>
>>
>>
>>         _________________________________________________________________________
>>         Professional FreeSWITCH Consulting Services:
>>         consulting at freeswitch.org <mailto:consulting at freeswitch.org>
>>         http://www.freeswitchsolutions.com
>>
>>         
>>         
>>
>>         Official FreeSWITCH Sites
>>         http://www.freeswitch.org
>>         http://wiki.freeswitch.org
>>         http://www.cluecon.com
>>
>>         FreeSWITCH-users mailing list
>>         FreeSWITCH-users at lists.freeswitch.org
>>         <mailto:FreeSWITCH-users at lists.freeswitch.org>
>>         http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>         UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>         http://www.freeswitch.org
>>
>>
>>
>>
>>     _________________________________________________________________________
>>     Professional FreeSWITCH Consulting Services:
>>     consulting at freeswitch.org  <mailto:consulting at freeswitch.org>
>>     http://www.freeswitchsolutions.com
>>
>>     
>>     
>>
>>     Official FreeSWITCH Sites
>>     http://www.freeswitch.org
>>     http://wiki.freeswitch.org
>>     http://www.cluecon.com
>>
>>     FreeSWITCH-users mailing list
>>     FreeSWITCH-users at lists.freeswitch.org  <mailto:FreeSWITCH-users at lists.freeswitch.org>
>>     http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>     UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>     http://www.freeswitch.org
>
>
>     _________________________________________________________________________
>     Professional FreeSWITCH Consulting Services:
>     consulting at freeswitch.org <mailto:consulting at freeswitch.org>
>     http://www.freeswitchsolutions.com
>
>     
>     
>
>     Official FreeSWITCH Sites
>     http://www.freeswitch.org
>     http://wiki.freeswitch.org
>     http://www.cluecon.com
>
>     FreeSWITCH-users mailing list
>     FreeSWITCH-users at lists.freeswitch.org
>     <mailto:FreeSWITCH-users at lists.freeswitch.org>
>     http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>     UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>     http://www.freeswitch.org
>
>
>
>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
>
> 
> 
>
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://wiki.freeswitch.org
> http://www.cluecon.com
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20140506/9193db28/attachment-0001.html 


Join us at ClueCon 2013 Aug 6-8, 2013
More information about the FreeSWITCH-users mailing list