[Freeswitch-users] Directory and ACL authentication

Steven Ayre steveayre at gmail.com
Wed May 7 14:27:45 MSD 2014


However, since you're actually asking about CIDR, that parameter is ignored
for those users. The authentication by ACL occurs before checking the
password given (if any); if the users match the CIDR then they'll never
reach the allow-empty-passwords check.


On 6 May 2014 20:31, Victor Chukalovskiy <victor.chukalovskiy at gmail.com> wrote:

>  Great, thank you Antony. I confirm it works either way now....it was a
> super quick one.
>
> On a similar topic, do I have to set this in the domain params?
> <param name="allow-empty-password" value="false"/>
>
> This is to keep things failproof, given I only set CIDR and no password
> for my users.
>
>
>
> On 14-05-06 03:07 PM, Anthony Minessale wrote:
>
> Patch added to make it work either way but previously you don't need:
>
>  <domain>
>    <users>
>      <user>...</user>
>      <user>...</user>
>    </users>
>  </domain>
>
>  Just:
>
>  <domain>
>   <user>...</user>
>   <user>...</user>
>  </domain>
>
>
> On Tue, May 6, 2014 at 1:47 PM, Victor Chukalovskiy <
> victor.chukalovskiy at gmail.com> wrote:
>
>>  Ok, done: https://jira.freeswitch.org/browse/FS-6506
>>
>> Also, added comment to the WiKi until this is fixed:
>> https://wiki.freeswitch.org/wiki/XML_User_Directory_Guide#Groups
>>
>>
>> On 14-05-06 12:32 PM, Steven Ayre wrote:
>>
>> I'd go with a Jira. Either it's an oversight, or there's a reason for it
>> that can be tracked in Jira and then the wiki updated referencing the
>> ticket.
>>
>>
>>  On 5 May 2014 21:38, Victor Chukalovskiy <victor.chukalovskiy at gmail.com> wrote:
>>
>>>  Alright, thank you! Domains ACL works BUT requires "users" to be in
>>> "groups". If "users" are directly in the "domain" section, ACL remains
>>> empty.
>>>
>>> This is contradictory to the WiKi saying that: "Using groups is optional
>>> -- you can put your users straight into the domain section if you desire".
>>> Should I file Jira or should I edit WiKi instead? :)
>>>
>>> With regards to directory, I intend to keep it minimalistic:
>>>
>>> <user id="foo" cidr="1.2.3.4/32">
>>>   <variables>
>>>     <variable name="accountcode" value="customer_1"/>
>>>   </variables>
>>> </user>
>>>
>>> Will someone from a different CIDR be able to place calls as user "foo"
>>> bypassing any authentication? Note that I don't set any password in params.
>>> If so, how to secure this on the SIP profile level and keep user entries
>>> as concise as possible?
>>>
>>> Thanks again!
>>> -Victor
>>>
>>>
>>> On 14-05-05 12:24 PM, Steven Ayre wrote:
>>>
>>> You need this:
>>>     <param name="apply-inbound-acl" value="domains"/>
>>>
>>>
>>>
>>> On 5 May 2014 17:13, Victor Chukalovskiy <victor.chukalovskiy at gmail.com> wrote:
>>>
>>>> Hello,
>>>>
>>>> Coming from wholesale background, my FS's run without any registrations.
>>>> So far everything was ACL-based using "apply-inbound-acl" and I did not
>>>> use any directory entries.
>>>>
>>>> The only problem with this is that once I have all IPs together in one
>>>> big ACL, I can't identify which customer the call came from. E.g. need
>>>> to set my_channel_variable=customer1 if a call came from particular IPs
>>>> and my_channel_variable=customer2 if a call came from other IPs.
>>>>
>>>> So I'm trying to move ACL logic into directory by means of defining a
>>>> user with cidr attribute. So far, no matter what I do FS challenges
>>>> INVITE with "407" even though the INVITE comes from the IP that is
>>>> included in CIDR attribute for a user. I suppose for whatever reason
>>>> switch does not match INVITEs against CIDR's in the directory. Please
>>>> help me with that. WiKi is written from a somewhat different logic /
>>>> perspective, so it's hard to apply.
>>>>
>>>> My SIP profile is:
>>>>
>>>> <profile name="test">
>>>>    <gateways>
>>>>    </gateways>
>>>>    <domains>
>>>>    </domains>
>>>>    <settings>
>>>>      <param name="parse-invite-tel-params" value="true"/>
>>>>      <param name="user-agent-string" value="test"/>
>>>>      <param name="debug" value="0"/>
>>>>      <param name="sip-trace" value="no"/>
>>>>      <param name="log-auth-failures" value="true"/>
>>>>      <param name="rfc2833-pt" value="101"/>
>>>>      <param name="sip-port" value="5060"/>
>>>>      <param name="dialplan" value="XML"/>
>>>>      <param name="context" value="test"/>
>>>>      <param name="country" value="e164"/>
>>>>      <param name="dtmf-duration" value="2000"/>
>>>>      <param name="inbound-codec-prefs" value="$${default_codec_prefs}"/>
>>>>      <param name="outbound-codec-prefs" value="$${default_codec_prefs}"/>
>>>>      <param name="caller-id-type" value="none"/>
>>>>      <param name="rtp-timer-name" value="soft"/>
>>>>      <param name="rtp-ip" value="192.168.1.2"/>
>>>>      <param name="sip-ip" value="192.168.1.2"/>
>>>>      <param name="manage-presence" value="false"/>
>>>>      <param name="manage-shared-appearance" value="false"/>
>>>>      <param name="inbound-codec-negotiation" value="greedy"/>
>>>>      <param name="disable-transcoding" value="true"/>
>>>>      <param name="manual-redirect" value="false"/>
>>>>      <param name="disable-transfer" value="true"/>
>>>>      <param name="disable-register" value="false"/>
>>>>      <param name="auth-calls" value="true"/>
>>>>      <param name="rtp-timeout-sec" value="300"/>
>>>>      <param name="rtp-hold-timeout-sec" value="1800"/>
>>>>      <param name="pass-callee-id" value="false"/>
>>>>    </settings>
>>>> </profile>
>>>>
>>>>
>>>> Thanks!
>>>> -Victor
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> _________________________________________________________________________
>>>> Professional FreeSWITCH Consulting Services:
>>>> consulting at freeswitch.org
>>>> http://www.freeswitchsolutions.com
>>>>
>>>> 
>>>> 
>>>>
>>>> Official FreeSWITCH Sites
>>>> http://www.freeswitch.org
>>>> http://wiki.freeswitch.org
>>>> http://www.cluecon.com
>>>>
>>>> FreeSWITCH-users mailing list
>>>> FreeSWITCH-users at lists.freeswitch.org
>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>> UNSUBSCRIBE:
>>>> http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>> http://www.freeswitch.org
>>>>
>
>
>  --
> Anthony Minessale II       ♬ @anthmfs  ♬ @FreeSWITCH  ♬
>
> http://freeswitch.org/ http://cluecon.com/ http://twitter.com/FreeSWITCH
>  ☞ irc.freenode.net #freeswitch ☞ http://freeswitch.org/g+
>
>  ClueCon Weekly Development Call
>  ☎ sip:888 at conference.freeswitch.org  ☎ +19193869900
>
>
>
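
An added example, not part of the thread and not FreeSWITCH code: a small Python audit of a directory domain that reflects the two points discussed above, namely that a cidr match is accepted before any password check, and that on builds without the FS-6506 patch cidr users outside `<groups>` do not reach the `domains` ACL. The sample directory, its addresses and the function names are constructed for illustration; treating `a1-hash` as a password and accepting comma-separated cidr lists are assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample directory (not from the thread); documentation address ranges.
SAMPLE = """<domain name="example.invalid">
  <params><param name="allow-empty-password" value="false"/></params>
  <groups><group name="wholesale"><users>
    <user id="foo" cidr="192.0.2.10/32">
      <variables><variable name="accountcode" value="customer_1"/></variables>
    </user>
  </users></group></groups>
  <user id="bar" cidr="203.0.113.0/28"/>
</domain>"""

def load(xml_text):
    """Return (domain params, user records) from a directory domain document."""
    domain = next(ET.fromstring(xml_text).iter("domain"))
    params = {p.get("name"): p.get("value") for p in domain.findall("./params/param")}
    grouped = domain.findall("./groups/group/users/user")
    users = []
    for u in domain.iter("user"):
        names = {p.get("name") for p in u.findall("./params/param")}
        acct = u.find("./variables/variable[@name='accountcode']")
        users.append({
            "id": u.get("id"),
            # Assumption: a cidr attribute may hold a comma-separated list.
            "nets": [ipaddress.ip_network(c.strip())
                     for c in (u.get("cidr") or "").split(",") if c.strip()],
            "grouped": any(u is g for g in grouped),
            "has_password": bool(names & {"password", "a1-hash"}),
            "accountcode": acct.get("value") if acct is not None else None,
        })
    return params, users

def match_acl(source_ip, users):
    """User whose cidr covers source_ip; per the thread, no password check follows."""
    ip = ipaddress.ip_address(source_ip)
    return next((u for u in users if any(ip in n for n in u["nets"])), None)

def audit(params, users):
    """Flag users whose protection rests on more than the cidr match itself."""
    empty_denied = params.get("allow-empty-password") == "false"
    findings = []
    for u in users:
        if u["nets"] and not u["grouped"]:
            findings.append((u["id"], "cidr user outside <groups>: "
                             "domains ACL stays empty without the FS-6506 patch"))
        if not u["has_password"] and not empty_denied:
            findings.append((u["id"], "no password and allow-empty-password is not false"))
    return findings
```

A source address that `match_acl` does not resolve to a user is one that would be challenged rather than accepted by ACL, which is the case the `allow-empty-password` finding is about.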