[Freeswitch-users] Directory and ACL authentication
Victor Chukalovskiy
victor.chukalovskiy at gmail.com
Tue May 6 23:31:35 MSD 2014
Great, thank you Antony. I confirm it works either way now....it was a
super quick one.
On a similar topic, do I have to set this in the domain params?
<param name="allow-empty-password" value="false"/>
This is to keep things failproof, given I only set CIDR and no password
for my users.
On 14-05-06 03:07 PM, Anthony Minessale wrote:
> Patch added to make it work either way but previously you don't need:
>
> <domain>
> <users>
> <user>...</user>
> <user>...</user>
> </users>
> </domain>
>
> Just:
>
> <domain>
> <user>...</user>
> <user>...</user>
> </domain>
>
>
>
>
>
>
>
> On Tue, May 6, 2014 at 1:47 PM, Victor Chukalovskiy
> <victor.chukalovskiy at gmail.com <mailto:victor.chukalovskiy at gmail.com>>
> wrote:
>
> Ok, done: https://jira.freeswitch.org/browse/FS-6506
>
> Also, added comment to the WiKi until this is fixed:
> https://wiki.freeswitch.org/wiki/XML_User_Directory_Guide#Groups
>
>
> On 14-05-06 12:32 PM, Steven Ayre wrote:
>> I'd go with a Jira. Either it's an oversight, or there's a reason
>> for it that can be tracked in Jira and then the wiki updated
>> referencing the ticket.
>>
>>
>> On 5 May 2014 21:38, Victor Chukalovskiy
>> <victor.chukalovskiy at gmail.com
>> <mailto:victor.chukalovskiy at gmail.com>> wrote:
>>
>> Alright, thank you! Domains ACL works BUT requires "users" to
>> be in "groups". If "users" are directly in the "domain"
>> section, ACL remains empty.
>>
>> This is contradictory to the WiKi saying that: "Using groups
>> is optional -- you can put your users straight into the
>> domain section if you desire". Should I file Jira or should I
>> edit WiKi instead? :)
>>
>> With regards to directory, I intend to keep it minimalistic:
>>
>> <user id="foo" cidr="1.2.3.4/32 <http://1.2.3.4/32>">
>> <variables>
>> <variable name="accountcode" value="customer_1"/>
>> </variables>
>> </user>
>>
>> Will someone from a different CIDR be able to place calls as
>> user "foo" bypassing any authentication? Note that I don't
>> set any password in params.
>> If so, how to secure this on the SIP profile level and keep
>> user entries as concise as possible?
>>
>> Thanks again!
>> -Victor
>>
>>
>> On 14-05-05 12:24 PM, Steven Ayre wrote:
>>> You need this:
>>> <param name="apply-inbound-acl" value="domains"/>
>>>
>>>
>>>
>>> On 5 May 2014 17:13, Victor Chukalovskiy
>>> <victor.chukalovskiy at gmail.com
>>> <mailto:victor.chukalovskiy at gmail.com>> wrote:
>>>
>>> Hello,
>>>
>>> Coming from wholesale background, my FS's run without
>>> any registrations.
>>> So far everything was ACL-based using
>>> "apply-inbound-acl" and I did not
>>> use any directory entries.
>>>
>>> The only problem with this is that once I have all IPs
>>> together in one
>>> big ALC, I can't identify which customer the call came
>>> from. E.g. need
>>> to set my_channel_variable=customer1 if a call came from
>>> particular IPs
>>> and my_channel_variable=customer2 if a call came from
>>> other IPs.
>>>
>>> So I'm trying to move ACL logic into directory by means
>>> of defining a
>>> user with cidr attribute. So far, no matter what I do FS
>>> challenges
>>> INVITE with "407" even-though the INVITE comes from the
>>> IP that is
>>> included in CIDR attribute for a user. I suppose for
>>> whatever reason
>>> switch does not match INVITEs against CIDR's in the
>>> directory. Please
>>> help me with that. WiKi is written from a somewhat
>>> different logic /
>>> perspective, so it's hard to apply.
>>>
>>> My SIP profile is:
>>>
>>> <profile name="test">
>>> <gateways>
>>> </gateways>
>>> <domains>
>>> </domains>
>>> <settings>
>>> <param name="parse-invite-tel-params" value="true"/>
>>> <param name="user-agent-string" value="test"/>
>>> <param name="debug" value="0"/>
>>> <param name="sip-trace" value="no"/>
>>> <param name="log-auth-failures" value="true"/>
>>> <param name="rfc2833-pt" value="101"/>
>>> <param name="sip-port" value="5060"/>
>>> <param name="dialplan" value="XML"/>
>>> <param name="context" value="test"/>
>>> <param name="country" value="e164"/>
>>> <param name="dtmf-duration" value="2000"/>
>>> <param name="inbound-codec-prefs"
>>> value="$${default_codec_prefs}"/>
>>> <param name="outbound-codec-prefs"
>>> value="$${default_codec_prefs}"/>
>>> <param name="caller-id-type" value="none"/>
>>> <param name="rtp-timer-name" value="soft"/>
>>> <param name="rtp-ip" value="192.168.1.2"/>
>>> <param name="sip-ip" value="192.168.1.2"/>
>>> <param name="manage-presence" value="false"/>
>>> <param name="manage-shared-appearance" value="false"/>
>>> <param name="inbound-codec-negotiation"
>>> value="greedy"/>
>>> <param name="disable-transcoding" value="true"/>
>>> <param name="manual-redirect" value="false"/>
>>> <param name="disable-transfer" value="true"/>
>>> <param name="disable-register" value="false"/>
>>> <param name="auth-calls" value="true"/>
>>> <param name="rtp-timeout-sec" value="300"/>
>>> <param name="rtp-hold-timeout-sec" value="1800"/>
>>> <param name="pass-callee-id" value="false"/>
>>> </settings>
>>> </profile>
>>>
>>>
>>> Thanks!
>>> -Victor
>>>
>>>
>>>
>>>
>>> _________________________________________________________________________
>>> Professional FreeSWITCH Consulting Services:
>>> consulting at freeswitch.org <mailto:consulting at freeswitch.org>
>>> http://www.freeswitchsolutions.com
>>>
>>>
>>>
>>>
>>> Official FreeSWITCH Sites
>>> http://www.freeswitch.org
>>> http://wiki.freeswitch.org
>>> http://www.cluecon.com
>>>
>>> FreeSWITCH-users mailing list
>>> FreeSWITCH-users at lists.freeswitch.org
>>> <mailto:FreeSWITCH-users at lists.freeswitch.org>
>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>> http://www.freeswitch.org
>>>
>>>
>>>
>>>
>>> _________________________________________________________________________
>>> Professional FreeSWITCH Consulting Services:
>>> consulting at freeswitch.org <mailto:consulting at freeswitch.org>
>>> http://www.freeswitchsolutions.com
>>>
>>>
>>>
>>>
>>> Official FreeSWITCH Sites
>>> http://www.freeswitch.org
>>> http://wiki.freeswitch.org
>>> http://www.cluecon.com
>>>
>>> FreeSWITCH-users mailing list
>>> FreeSWITCH-users at lists.freeswitch.org <mailto:FreeSWITCH-users at lists.freeswitch.org>
>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>> http://www.freeswitch.org
>>
>>
>> _________________________________________________________________________
>> Professional FreeSWITCH Consulting Services:
>> consulting at freeswitch.org <mailto:consulting at freeswitch.org>
>> http://www.freeswitchsolutions.com
>>
>>
>>
>>
>> Official FreeSWITCH Sites
>> http://www.freeswitch.org
>> http://wiki.freeswitch.org
>> http://www.cluecon.com
>>
>> FreeSWITCH-users mailing list
>> FreeSWITCH-users at lists.freeswitch.org
>> <mailto:FreeSWITCH-users at lists.freeswitch.org>
>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>> http://www.freeswitch.org
>>
>>
>>
>>
>> _________________________________________________________________________
>> Professional FreeSWITCH Consulting Services:
>> consulting at freeswitch.org <mailto:consulting at freeswitch.org>
>> http://www.freeswitchsolutions.com
>>
>>
>>
>>
>> Official FreeSWITCH Sites
>> http://www.freeswitch.org
>> http://wiki.freeswitch.org
>> http://www.cluecon.com
>>
>> FreeSWITCH-users mailing list
>> FreeSWITCH-users at lists.freeswitch.org <mailto:FreeSWITCH-users at lists.freeswitch.org>
>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>> http://www.freeswitch.org
>
>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org <mailto:consulting at freeswitch.org>
> http://www.freeswitchsolutions.com
>
>
>
>
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://wiki.freeswitch.org
> http://www.cluecon.com
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> <mailto:FreeSWITCH-users at lists.freeswitch.org>
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
>
>
>
>
> --
> Anthony Minessale II ? @anthmfs ? @FreeSWITCH ?
>
> ? http://freeswitch.org/ ? http://cluecon.com/ ?
> http://twitter.com/FreeSWITCH
> ? irc.freenode.net <http://irc.freenode.net> #freeswitch ?
> _http://freeswitch.org/g+_
>
> ClueCon Weekly Development Call
> ? sip:888 at conference.freeswitch.org
> <mailto:sip%3A888 at conference.freeswitch.org> ? +19193869900
>
>
>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
>
>
>
>
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://wiki.freeswitch.org
> http://www.cluecon.com
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20140506/fdf70586/attachment-0001.html
Join us at ClueCon 2013 Aug 6-8, 2013
More information about the FreeSWITCH-users
mailing list