[Freeswitch-users] Directory and ACL authentication

Steven Ayre steveayre at gmail.com
Wed May 7 14:15:22 MSD 2014


I would assume that's the default.


On 6 May 2014 20:31, Victor Chukalovskiy <victor.chukalovskiy at gmail.com> wrote:

>  Great, thank you Anthony. I confirm it works either way now....it was a
> super quick one.
>
> On a similar topic, do I have to set this in the domain params?
> <param name="allow-empty-password" value="false"/>
>
> This is to keep things failproof, given I only set CIDR and no password
> for my users.
>
>
>
> On 14-05-06 03:07 PM, Anthony Minessale wrote:
>
> Patch added to make it work either way but previously you don't need:
>
>  <domain>
>  <users>
>    <user>...</user>
>     <user>...</user>
>   </users>
> </domain>
>
>  Just:
>
>  <domain>
>   <user>...</user>
>   <user>...</user>
>  </domain>
>
>
>
>
>
>
>
> On Tue, May 6, 2014 at 1:47 PM, Victor Chukalovskiy <
> victor.chukalovskiy at gmail.com> wrote:
>
>>  Ok, done: https://jira.freeswitch.org/browse/FS-6506
>>
>> Also, added comment to the WiKi until this is fixed:
>> https://wiki.freeswitch.org/wiki/XML_User_Directory_Guide#Groups
>>
>>
>> On 14-05-06 12:32 PM, Steven Ayre wrote:
>>
>> I'd go with a Jira. Either it's an oversight, or there's a reason for it
>> that can be tracked in Jira and then the wiki updated referencing the
>> ticket.
>>
>>
>>  On 5 May 2014 21:38, Victor Chukalovskiy <victor.chukalovskiy at gmail.com> wrote:
>>
>>>  Alright, thank you! Domains ACL works BUT requires "users" to be in
>>> "groups". If "users" are directly in the "domain" section, ACL remains
>>> empty.
>>>
>>> This is contradictory to the WiKi saying that: "Using groups is optional
>>> -- you can put your users straight into the domain section if you desire".
>>> Should I file Jira or should I edit WiKi instead? :)
>>>
>>> With regards to directory, I intend to keep it minimalistic:
>>>
>>> <user id="foo" cidr="1.2.3.4/32">
>>>   <variables>
>>>     <variable name="accountcode" value="customer_1"/>
>>>   </variables>
>>> </user>
>>>
>>> Will someone from a different CIDR be able to place calls as user "foo"
>>> bypassing any authentication? Note that I don't set any password in params.
>>> If so, how to secure this on the SIP profile level and keep user entries
>>> as concise as possible?
>>>
>>> Thanks again!
>>> -Victor
>>>
>>>
>>> On 14-05-05 12:24 PM, Steven Ayre wrote:
>>>
>>> You need this:
>>>     <param name="apply-inbound-acl" value="domains"/>
>>>
>>>
>>>
>>> On 5 May 2014 17:13, Victor Chukalovskiy <victor.chukalovskiy at gmail.com> wrote:
>>>
>>>> Hello,
>>>>
>>>> Coming from wholesale background, my FS's run without any registrations.
>>>> So far everything was ACL-based using "apply-inbound-acl" and I did not
>>>> use any directory entries.
>>>>
>>>> The only problem with this is that once I have all IPs together in one
>>>> big ACL, I can't identify which customer the call came from. E.g. need
>>>> to set my_channel_variable=customer1 if a call came from particular IPs
>>>> and my_channel_variable=customer2 if a call came from other IPs.
>>>>
>>>> So I'm trying to move ACL logic into directory by means of defining a
>>>> user with cidr attribute. So far, no matter what I do FS challenges
>>>> INVITE with "407" even though the INVITE comes from the IP that is
>>>> included in CIDR attribute for a user. I suppose for whatever reason
>>>> switch does not match INVITEs against CIDR's in the directory. Please
>>>> help me with that. WiKi is written from a somewhat different logic /
>>>> perspective, so it's hard to apply.
>>>>
>>>> My SIP profile is:
>>>>
>>>> <profile name="test">
>>>>    <gateways>
>>>>    </gateways>
>>>>    <domains>
>>>>    </domains>
>>>>    <settings>
>>>>      <param name="parse-invite-tel-params" value="true"/>
>>>>      <param name="user-agent-string" value="test"/>
>>>>      <param name="debug" value="0"/>
>>>>      <param name="sip-trace" value="no"/>
>>>>      <param name="log-auth-failures" value="true"/>
>>>>      <param name="rfc2833-pt" value="101"/>
>>>>      <param name="sip-port" value="5060"/>
>>>>      <param name="dialplan" value="XML"/>
>>>>      <param name="context" value="test"/>
>>>>      <param name="country" value="e164"/>
>>>>      <param name="dtmf-duration" value="2000"/>
>>>>      <param name="inbound-codec-prefs" value="$${default_codec_prefs}"/>
>>>>      <param name="outbound-codec-prefs" value="$${default_codec_prefs}"/>
>>>>      <param name="caller-id-type" value="none"/>
>>>>      <param name="rtp-timer-name" value="soft"/>
>>>>      <param name="rtp-ip" value="192.168.1.2"/>
>>>>      <param name="sip-ip" value="192.168.1.2"/>
>>>>      <param name="manage-presence" value="false"/>
>>>>      <param name="manage-shared-appearance" value="false"/>
>>>>      <param name="inbound-codec-negotiation" value="greedy"/>
>>>>      <param name="disable-transcoding" value="true"/>
>>>>      <param name="manual-redirect" value="false"/>
>>>>      <param name="disable-transfer" value="true"/>
>>>>      <param name="disable-register" value="false"/>
>>>>      <param name="auth-calls" value="true"/>
>>>>      <param name="rtp-timeout-sec" value="300"/>
>>>>      <param name="rtp-hold-timeout-sec" value="1800"/>
>>>>      <param name="pass-callee-id" value="false"/>
>>>>    </settings>
>>>> </profile>
>>>>
>>>>
>>>> Thanks!
>>>> -Victor
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> _________________________________________________________________________
>>>> Professional FreeSWITCH Consulting Services:
>>>> consulting at freeswitch.org
>>>> http://www.freeswitchsolutions.com
>>>>
>>>> 
>>>> 
>>>>
>>>> Official FreeSWITCH Sites
>>>> http://www.freeswitch.org
>>>> http://wiki.freeswitch.org
>>>> http://www.cluecon.com
>>>>
>>>> FreeSWITCH-users mailing list
>>>> FreeSWITCH-users at lists.freeswitch.org
>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>> UNSUBSCRIBE:
>>>> http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>> http://www.freeswitch.org
>>>>
>>
>>
>
>
>  --
> Anthony Minessale II       ♬ @anthmfs  ♬ @FreeSWITCH  ♬
>
> http://freeswitch.org/  http://cluecon.com/  http://twitter.com/FreeSWITCH
>  ☞ irc.freenode.net #freeswitch ☞ http://freeswitch.org/g+
>
>  ClueCon Weekly Development Call
>  ☎ sip:888 at conference.freeswitch.org  ☎ +19193869900
>
>
>
>
>
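
An added example, not part of the thread and not FreeSWITCH project code: a small audit that lists directory users with no `password` or `a1-hash`, reporting each one's `cidr` and whether `allow-empty-password` is set explicitly at user, group or domain level. It covers both directory layouts discussed above and does not assume a default for `allow-empty-password`; `SAMPLE`, `TRUTHY`, `scoped_users` and `audit` are hypothetical names, and the sample directory is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample directory, not taken from the thread's real configuration.
SAMPLE = """
<section name="directory">
  <domain name="wholesale.example">
    <user id="foo" cidr="1.2.3.4/32"/>
    <user id="bar"><params><param name="password" value="constructed"/></params></user>
  </domain>
  <domain name="strict.example">
    <params><param name="allow-empty-password" value="false"/></params>
    <groups><group name="customers"><users>
      <user id="baz" cidr="192.0.2.0/24"/>
      <user id="qux"/>
    </users></group></groups>
  </domain>
</section>
"""

TRUTHY = {"true", "yes", "on", "1"}  # assumption: spellings this script reads as "true"

def params(elem):
    """{name: value} for the <params><param/></params> directly under elem."""
    return {p.get("name"): p.get("value", "") for p in elem.findall("./params/param")}

def scoped_users(domain):
    """Yield (inherited_params, user) for both directory layouts in the thread."""
    dom = params(domain)
    for user in domain.findall("./user") + domain.findall("./users/user"):
        yield dom, user
    for group in domain.findall("./groups/group"):
        inherited = {**dom, **params(group)}  # group params override domain params
        for user in group.findall("./users/user"):
            yield inherited, user

def audit(xml_text):
    """Return (domain, user, cidr, empty_password) for users with no secret set."""
    rows = []
    for domain in ET.fromstring(xml_text).iter("domain"):
        for inherited, user in scoped_users(domain):
            merged = {**inherited, **params(user)}  # user-level params win
            if merged.get("password") or merged.get("a1-hash"):
                continue
            flag = merged.get("allow-empty-password")
            state = "unset" if flag is None else "allowed" if flag.strip().lower() in TRUTHY else "refused"
            rows.append((domain.get("name"), user.get("id"), user.get("cidr"), state))
    return rows

if __name__ == "__main__": print(*audit(SAMPLE), sep="\n")
```

Rows with `unset` or `allowed` are the entries to review first, and a row whose `cidr` is `None` has neither a source restriction nor a secret.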