[Freeswitch-users] Directory and ACL authentication

Victor Chukalovskiy victor.chukalovskiy at gmail.com
Tue May 6 23:31:35 MSD 2014


Great, thank you Anthony. I confirm it works either way now... it was a 
super quick one.

On a similar topic, do I have to set this in the domain params?
<param name="allow-empty-password" value="false"/>

This is to keep things failproof, given I only set CIDR and no password 
for my users.


On 14-05-06 03:07 PM, Anthony Minessale wrote:
> Patch added to make it work either way but previously you don't need:
>
> <domain>
>  <users>
>    <user>...</user>
>    <user>...</user>
>  </users>
> </domain>
>
> Just:
>
> <domain>
>   <user>...</user>
>   <user>...</user>
> </domain>
>
>
> On Tue, May 6, 2014 at 1:47 PM, Victor Chukalovskiy 
> <victor.chukalovskiy at gmail.com> wrote:
>
>     Ok, done: https://jira.freeswitch.org/browse/FS-6506
>
>     Also, added comment to the WiKi until this is fixed:
>     https://wiki.freeswitch.org/wiki/XML_User_Directory_Guide#Groups
>
>
>     On 14-05-06 12:32 PM, Steven Ayre wrote:
>>     I'd go with a Jira. Either it's an oversight, or there's a reason
>>     for it that can be tracked in Jira and then the wiki updated
>>     referencing the ticket.
>>
>>
>>     On 5 May 2014 21:38, Victor Chukalovskiy
>>     <victor.chukalovskiy at gmail.com> wrote:
>>
>>         Alright, thank you! Domains ACL works BUT requires "users" to
>>         be in "groups". If "users" are directly in the "domain"
>>         section, ACL remains empty.
>>
>>         This is contradictory to the WiKi saying that: "Using groups
>>         is optional -- you can put your users straight into the
>>         domain section if you desire". Should I file Jira or should I
>>         edit WiKi instead? :)
>>
>>         With regards to directory, I intend to keep it minimalistic:
>>
>>         <user id="foo" cidr="1.2.3.4/32">
>>           <variables>
>>             <variable name="accountcode" value="customer_1"/>
>>           </variables>
>>         </user>
>>
>>         Will someone from a different CIDR be able to place calls as
>>         user "foo" bypassing any authentication? Note that I don't
>>         set any password in params.
>>         If so, how to secure this on the SIP profile level and keep
>>         user entries as concise as possible?
>>
>>         Thanks again!
>>         -Victor
>>
>>
>>         On 14-05-05 12:24 PM, Steven Ayre wrote:
>>>         You need this:
>>>             <param name="apply-inbound-acl" value="domains"/>
>>>
>>>
>>>
>>>         On 5 May 2014 17:13, Victor Chukalovskiy
>>>         <victor.chukalovskiy at gmail.com> wrote:
>>>
>>>             Hello,
>>>
>>>             Coming from wholesale background, my FS's run without
>>>             any registrations.
>>>             So far everything was ACL-based using
>>>             "apply-inbound-acl" and I did not
>>>             use any directory entries.
>>>
>>>             The only problem with this is that once I have all IPs
>>>             together in one
>>>             big ACL, I can't identify which customer the call came
>>>             from. E.g. need
>>>             to set my_channel_variable=customer1 if a call came from
>>>             particular IPs
>>>             and my_channel_variable=customer2 if a call came from
>>>             other IPs.
>>>
>>>             So I'm trying to move ACL logic into directory by means
>>>             of defining a
>>>             user with cidr attribute. So far, no matter what I do FS
>>>             challenges
>>>             INVITE with "407" even though the INVITE comes from the
>>>             IP that is
>>>             included in CIDR attribute for a user. I suppose for
>>>             whatever reason
>>>             switch does not match INVITEs against CIDR's in the
>>>             directory. Please
>>>             help me with that. WiKi is written from a somewhat
>>>             different logic /
>>>             perspective, so it's hard to apply.
>>>
>>>             My SIP profile is:
>>>
>>>             <profile name="test">
>>>                <gateways>
>>>                </gateways>
>>>                <domains>
>>>                </domains>
>>>                <settings>
>>>                  <param name="parse-invite-tel-params" value="true"/>
>>>                  <param name="user-agent-string" value="test"/>
>>>                  <param name="debug" value="0"/>
>>>                  <param name="sip-trace" value="no"/>
>>>                  <param name="log-auth-failures" value="true"/>
>>>                  <param name="rfc2833-pt" value="101"/>
>>>                  <param name="sip-port" value="5060"/>
>>>                  <param name="dialplan" value="XML"/>
>>>                  <param name="context" value="test"/>
>>>                  <param name="country" value="e164"/>
>>>                  <param name="dtmf-duration" value="2000"/>
>>>                  <param name="inbound-codec-prefs" value="$${default_codec_prefs}"/>
>>>                  <param name="outbound-codec-prefs" value="$${default_codec_prefs}"/>
>>>                  <param name="caller-id-type" value="none"/>
>>>                  <param name="rtp-timer-name" value="soft"/>
>>>                  <param name="rtp-ip" value="192.168.1.2"/>
>>>                  <param name="sip-ip" value="192.168.1.2"/>
>>>                  <param name="manage-presence" value="false"/>
>>>                  <param name="manage-shared-appearance" value="false"/>
>>>                  <param name="inbound-codec-negotiation" value="greedy"/>
>>>                  <param name="disable-transcoding" value="true"/>
>>>                  <param name="manual-redirect" value="false"/>
>>>                  <param name="disable-transfer" value="true"/>
>>>                  <param name="disable-register" value="false"/>
>>>                  <param name="auth-calls" value="true"/>
>>>                  <param name="rtp-timeout-sec" value="300"/>
>>>                  <param name="rtp-hold-timeout-sec" value="1800"/>
>>>                  <param name="pass-callee-id" value="false"/>
>>>                </settings>
>>>             </profile>
>>>
>>>
>>>             Thanks!
>>>             -Victor
>>>
>>>
>>>
>>>
>>>             _________________________________________________________________________
>>>             Professional FreeSWITCH Consulting Services:
>>>             consulting at freeswitch.org <mailto:consulting at freeswitch.org>
>>>             http://www.freeswitchsolutions.com
>>>
>>>             
>>>             
>>>
>>>             Official FreeSWITCH Sites
>>>             http://www.freeswitch.org
>>>             http://wiki.freeswitch.org
>>>             http://www.cluecon.com
>>>
>>>             FreeSWITCH-users mailing list
>>>             FreeSWITCH-users at lists.freeswitch.org
>>>             <mailto:FreeSWITCH-users at lists.freeswitch.org>
>>>             http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>             UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>             http://www.freeswitch.org
>>>
>>>
>>
>>
>
>
>
> -- 
> Anthony Minessale II, @anthmfs, @FreeSWITCH

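An audit for the situation asked about at the top of this message, as an added example that is not part of the original thread or of FreeSWITCH: it walks a directory `<domain>` in either layout discussed above (users directly under the domain, or nested in groups) and lists users that have a `cidr` attribute but no `password` or `a1-hash` param and no `allow-empty-password` set to `false` at user, group or domain level. The sample directory, its domain name, addresses and secret are constructed, and the rule that a param set nearer the user overrides an outer one is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the thread): one user directly under <domain>,
# two nested under <groups>, the two layouts the thread discusses.
SAMPLE = """
<domain name="example.invalid">
  <params><param name="allow-empty-password" value="true"/></params>
  <user id="foo" cidr="192.0.2.10/32">
    <variables><variable name="accountcode" value="customer_1"/></variables>
  </user>
  <groups><group name="wholesale"><users>
    <user id="bar" cidr="198.51.100.0/24">
      <params><param name="allow-empty-password" value="false"/></params>
    </user>
    <user id="baz" cidr="203.0.113.7/32">
      <params><param name="password" value="constructed-secret"/></params>
    </user>
  </users></group></groups>
</domain>
"""

def params(elem):
    """Return {name: value} from the <params> block directly under elem."""
    return {p.get("name"): p.get("value", "")
            for p in elem.findall("./params/param")}

def audit(domain_xml):
    """Return (id, cidr) for users with no credential and no inherited
    allow-empty-password=false."""
    findings = []

    def walk(elem, inherited):
        # Assumption: params set nearer the user override outer ones.
        scope = {**inherited, **params(elem)}
        if elem.tag == "user":
            has_secret = bool(scope.get("password") or scope.get("a1-hash"))
            # Only the literal "false" from the thread counts as a refusal.
            refused = scope.get("allow-empty-password", "").lower() == "false"
            if not has_secret and not refused:
                findings.append((elem.get("id"), elem.get("cidr")))
            return
        for child in elem:
            walk(child, scope)

    walk(ET.fromstring(domain_xml), {})
    return findings

if __name__ == "__main__":
    for uid, cidr in audit(SAMPLE):
        print(f"{uid} ({cidr}): no password, empty passwords not refused")
```
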