Saturday, May 19, 2012

OpenSIPS DB-Authentication with Multi-Domain Support


Starting from the basics, I'm going to show how to take the factory-default opensips.cfg file and make it use a MySQL database to authenticate every incoming SIP REGISTER attempt. Without any changes, the default file will successfully register any user with any password, which in most cases is obviously not what you want.

Open up the opensips.cfg file:

root@Osips-SBC:~# vim /etc/opensips/opensips.cfg


Start by enabling the modules that need to be loaded.

Uncomment (remove the #) this line to load the MySQL DB connector module:
#loadmodule "db_mysql.so"

Uncomment these modules to load the authentication mechanism
#loadmodule "auth.so"
#loadmodule "auth_db.so"
#loadmodule "alias_db.so"

Uncomment the domain module to enable multi-domain support
#loadmodule "domain.so"

Enable the presence modules

#loadmodule "presence.so"
#loadmodule "presence_xml.so"

Set "usrloc" module parameters to save the SIP user-locations into MySQL DB persistently.

#modparam("usrloc", "db_mode",   2)
#modparam("usrloc", "db_url",
#     "mysql://opensips:opensipsrw@localhost/opensips")

Set the auth_db module's parameters to point to the desired database.

#modparam("auth_db", "calculate_ha1", yes)
#modparam("auth_db", "password_column", "password")
#modparam("auth_db", "db_url",
#     "mysql://opensips:opensipsrw@localhost/opensips")
#modparam("auth_db", "load_credentials", "")


Uncomment the DB parameters of the alias_db module

#modparam("alias_db", "db_url",
#     "mysql://opensips:opensipsrw@localhost/opensips")

Uncomment DB parameters of Domain module

#modparam("domain", "db_url",
#     "mysql://opensips:opensipsrw@localhost/opensips")
#modparam("domain", "db_mode", 1)   # Use caching


Enable modules to differentiate between different domains.
#modparam("auth_db|usrloc|uri", "use_domain", 1)

Set presence modules parameters.


#modparam("presence|presence_xml", "db_url",
#     "mysql://opensips:opensipsrw@localhost/opensips")
#modparam("presence_xml", "force_active", 1)
#modparam("presence", "server_address", "sip:192.168.30.3:5060")


Now, in the main route, uncomment the following code blocks so that whenever a REGISTER request is received, its credentials are verified against the DB. If you leave these blocks commented out, any SIP REGISTER request will succeed without any verification.

This block is required to authenticate incoming requests for every method except REGISTER; it is useful in case an undefined user (hacker) tries to make calls through your SIP proxy.

       ##if (!(method=="REGISTER") && is_from_local())  /*multidomain version*/
       ##{
       ##      if (!proxy_authorize("", "subscriber")) {
       ##              proxy_challenge("", "0");
       ##              exit;
       ##      }
       ##      if (!db_check_from()) {
       ##              sl_send_reply("403","Forbidden auth ID");
       ##              exit;
       ##      }
       ##
       ##      consume_credentials();
       ##      # caller authenticated
       ##}

NOTE: Don't uncomment the "# caller authenticated" line.

And this block needs to be uncommented to authenticate REGISTER requests.

               ##if (!www_authorize("", "subscriber"))
               ##{
               ##      www_challenge("", "0");
               ##      exit;
               ##}
               ##
               ##if (!db_check_to())
               ##{
               ##      sl_send_reply("403","Forbidden auth ID");
               ##      exit;
               ##}
  

Once done, save and exit. Optionally, it's always good to add a few extra log lines to see what's going on inside your OpenSIPS; log lines are important for debugging and troubleshooting the configuration file.

xlog("L_NOTICE","[$pr:$fU@$si:$sp]: Processing '$rm' \n");

Put this line just before the if conditions we uncommented above, then save the file.
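
To confirm that the edits above actually took effect, the following added example (not part of the original post or of OpenSIPS) audits a config text for the modules, script calls and `use_domain` setting this tutorial depends on. The sample config is constructed, and the `audit` helper and its finding strings are hypothetical names.

```python
import re

# Modules and script calls this tutorial relies on for DB-backed authentication.
REQUIRED_MODULES = ["db_mysql.so", "auth.so", "auth_db.so", "domain.so"]
REQUIRED_CALLS = ["www_authorize", "db_check_to", "proxy_authorize"]
USE_DOMAIN_RE = r'modparam\(\s*"[^"]*\bauth_db\b[^"]*"\s*,\s*"use_domain"\s*,\s*1\s*\)'

def active_config(cfg_text):
    """Return only the text OpenSIPS parses: no '#' lines, no /* */ blocks."""
    kept = [ln for ln in cfg_text.splitlines() if not ln.lstrip().startswith("#")]
    return re.sub(r"/\*.*?\*/", "", "\n".join(kept), flags=re.S)

def audit(cfg_text):
    """List authentication pieces that are missing or still commented out."""
    active = active_config(cfg_text)
    findings = []
    for mod in REQUIRED_MODULES:
        if not re.search(r'loadmodule\s+"' + re.escape(mod) + r'"', active):
            findings.append("module not loaded: " + mod)
    for call in REQUIRED_CALLS:
        if not re.search(r"\b" + call + r"\s*\(", active):
            findings.append("call not active: " + call + "()")
    if not re.search(USE_DOMAIN_RE, active):
        findings.append("use_domain not enabled for auth_db")
    return findings

# Constructed sample: a partly edited config where REGISTER is still unauthenticated.
SAMPLE = '''
loadmodule "db_mysql.so"
loadmodule "auth.so"
loadmodule "auth_db.so"
#loadmodule "domain.so"
#modparam("auth_db|usrloc|uri", "use_domain", 1)
route {
    ##if (!(method=="REGISTER") && is_from_local())  /*multidomain version*/
    ##{
    ##      if (!proxy_authorize("", "subscriber")) { proxy_challenge("", "0"); exit; }
    ##}
    if (is_method("REGISTER")) {
        ##if (!www_authorize("", "subscriber")) { www_challenge("", "0"); exit; }
        ##if (!db_check_to()) { sl_send_reply("403","Forbidden auth ID"); exit; }
        save("location");
    }
}
'''

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
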

The next thing is to define SIP users in the OpenSIPS DB.
For this, first edit the following file.


root@Osips-SBC:~# vim /etc/opensips/opensipsctlrc


Set the SIP DOMAIN and OpenSIPS Database Username/Password.
## your SIP domain
SIP_DOMAIN=192.168.30.3
This will be the default domain used if no domain is given when a user is defined.

## database read/write user
DBRWUSER=opensips

## password for database read/write user
DBRWPW="opensipsrw"

Save and Exit

Add the domains to be used by OpenSIPS


root@Osips-SBC:~# mysql -uopensips -popensipsrw opensips


mysql> insert into domain(domain,last_modified) VALUES ("192.168.30.3", now());
mysql> insert into domain(domain,last_modified) VALUES ("saevolgo.com", now());


Restart OpenSIPS

root@Osips-SBC:~# /etc/init.d/opensips restart

Now add SIP users.

root@Osips-SBC:~# opensipsctl add 10022 pass10022word
new user '10022' added

root@Osips-SBC:~# opensipsctl add 10022@saevolgo.com passw0rd
new user '10022@saevolgo.com' added

Now try registering both users, changing the realm and password for each, and make sure that the 10022 user defined for realm "saevolgo.com" works only with its defined password "passw0rd" and not with "pass10022word".
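
The registration test above can be reproduced offline. This added example (not from the original post, and not auth_db's own code) models RFC 2617 digest verification without qop, as selected by `www_challenge("", "0")`, and shows why the per-domain lookup enabled by `use_domain` matters. The subscriber rows mirror the two `opensipsctl add` commands, the nonce is a constructed placeholder, and the username-only lookup ("first row wins") is a simplifying assumption.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

# Constructed copy of the two subscriber rows created with opensipsctl above:
# (username, domain) -> plaintext password column.
SUBSCRIBER = {
    ("10022", "192.168.30.3"): "pass10022word",
    ("10022", "saevolgo.com"): "passw0rd",
}

def digest_response(username, realm, password, nonce, method, uri):
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")  # derived when calculate_ha1 is on
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def lookup_password(username, realm, use_domain):
    """Simplified model of the credential lookup (assumption, not auth_db code)."""
    if use_domain:
        return SUBSCRIBER.get((username, realm))
    # Without use_domain the match is on username alone: first row wins here.
    for (user, _domain), password in SUBSCRIBER.items():
        if user == username:
            return password
    return None

def server_accepts(username, realm, nonce, method, uri, response, use_domain=True):
    password = lookup_password(username, realm, use_domain)
    if password is None:
        return False
    expected = digest_response(username, realm, password, nonce, method, uri)
    return hmac.compare_digest(expected, response)

def try_register(username, realm, password, use_domain=True):
    """Play both sides: the client computes a response, the server checks it."""
    nonce = "constructed-nonce-0001"  # placeholder; real nonces come from the server
    uri = f"sip:{realm}"
    response = digest_response(username, realm, password, nonce, "REGISTER", uri)
    return server_accepts(username, realm, nonce, "REGISTER", uri, response, use_domain)

if __name__ == "__main__":
    print(try_register("10022", "saevolgo.com", "passw0rd"))
    print(try_register("10022", "saevolgo.com", "pass10022word"))
    print(try_register("10022", "saevolgo.com", "pass10022word", use_domain=False))
```

In this model the last call succeeds: with the domain ignored, the password of 10022 in the default domain is accepted for 10022@saevolgo.com, which is the outcome the test above is meant to rule out.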

30 comments:

  1. Hi Gohar Ahmed.
    Help me, please!
    When I use X-lite to make a call, it doesn't work. And Wireshark captures this:
    192.168.1.33 192.168.1.36 SIP/SDP 998 Request: INVITE sip:123456@192.168.1.36, with session description

    192.168.1.36 192.168.1.33 SIP 453 Status: 404 Not Found

    192.168.1.33 192.168.1.36 SIP 394 Request: ACK sip:123456@192.168.1.36

    Replies
    1. It has something to do with the "123456", the To-User part. When you dial it and it's not an online/REGISTERED user, then you get this 404 Not Found.

  2. When I use X-lite to connect to opensips:
    registration error 401 Unauthorized

    Replies
    1. Verify your Domain/Realm in your X-lite. Also make sure you are entering the right password for the right username. It has to be just these three things, or your opensips' DB containing the "location" table is not online.

    2. I am facing the same error, can you help me please...
      I am using the X-lite phone and it's giving 401 Unauthorized...

    3. Hi Husnain,
      Good to see that you've reached the very end step of this tutorial. Please verify these things quickly.

      1- You've defined the user in your DB.
      2- You've configurations to use the DB for SIP REGISTERs.
      3- The Domain is defined in your DB table domain.
      4- The username/password + realm(Domain) is the same as step 1.

      Print out any log files where you've the function save("location").

      AFAIK the functions for www_authorize() have been changed in newer opensips 1.9 version, please confirm.

      Let me know what you get.

      --
      Gohar

  3. Thank you very much!
    Now my opensips is running.

    thanks!

  4. Can you install call forwarding on opensips? Thanks very much!!

    Replies
    1. Please explain your scenario - I'll see if I can get time for this.

  5. I have 3 users: 1000, 2000, 3000.
    My scenario is implementing call forward on busy or
    unanswered.
    Example: when user 1000 calls user 2000, user 2000 is busy or unanswered

    Replies
    1. Sorry it isn't a complete description on what you need to do next on busy or unanswered.

      Your specific solution would be something like this:

      Use Reply-route and Failure Route :

      for capturing Busy SIP responses and once you detect that just simply consult a DB table on what destination to t_relay the call to !!

      Unanswered call can also be captured from these two routes. All you need to do is flag a Ringing call in reply route. And in failure route when you see a 408 AND ringing flag is On you can consult DB again and do w.e you like to do with it.

  6. Hi Gohar Ahmed

    I completed setting up opensips; now I want to use call forwarding. In the file opensips.cfg, what do I need to load and what commands do I add?

    Thanks very much @@

    Replies
    1. What exactly do you mean by call forwarding!?
      Explain in simple easy steps what call forwarding is to you!

  7. Hello everyone, I am working with opensips, and I want to configure it to do call forwarding. For example, forwarding from 192.168.1.88 to 192.168.1.99 in the case.

    Replies
    1. LOL @ Tin : This is not a Users list. I'm not sure what is so hard in reading the Chapter:8 of the book "Building Telephony Systems with OpenSIPS"

      Read the chapter 8 and you'll see that they suggest using some DB table to store the destination number's preferences of call forwarding.
      Then use the failure-route to detect the "BUSY" and "NO-ANSWER" from destination to route the call to the desired destination number.

      I'm very busy to do a new writeup.

      See in the opensips.cfg file:


      if(!lookup("location"))
      {
      ...
      }

      Just before the above condition consult the DB table for any preferences for $tU.

      If any type of forwarding is found, i.e. "always", "on_busy", "on_no_answer", then pick up the desired string from DB. And either send the call directly, OR use Failure_route to detect the "BUSY"/"NO-ANSWER" SIP code and relay the call to the desired new destination.


    2. Sorry for bothering you. But my idea of making the call forwarding has the following steps. Can you consider whether it is correct?
      Step 1: load module avpops.so in /usr/local/bin/opensips/modules
      Step 2: create usr_precenses table in mysql
      Step 3: write a script call forwarding, add it to opensips.cfg

    3. I think it will be a long discussion here,
      Email your specific logic/flow suggestions on OpenSIPS users list
      OR
      Send a Private message to me.
      Anyway like I told you I'm busy to make any blog/tutorial these days so all I can do is give you rough quick idea to make this work.

    4. well, hope that you will complete his work.I look forward to hear from you. thank you.

  8. Hi all!
    This is my usr_preferences table:
    +----+------+----------+--------------+-----------+------+-----------------------+---------------------+
    | id | uuid | username | domain | attribute | type | value | last_modified |
    +----+------+----------+--------------+-----------+------+-----------------------+---------------------+
    | 10 | | 1001 | 192.168.1.55 | callfwd | 0 | sip:1004@192.168.1.55 | 1900-01-01 00:00:01 |
    | 11 | | 1001 | 192.168.1.55 | fwdbusy | 0 | sip:1004@192.168.1.55 | 1900-01-01 00:00:01 |
    | 12 | | 1001 | 192.168.1.55 | fwdnoansw | 0 | sip:1004@192.168.1.55 | 1900-01-01 00:00:01 |
    +----+------+----------+--------------+-----------+------+-----------------------+---------------------+
    And file opensips.cfg
    http://www.mediafire.com/view/?ut5yqwyeun9yu7w

    I call from 1000 to 1001, and test case:
    case fwdbusy and fwdnoansw, but it 's not forward. Help me!
    Thanks very much!

  9. Well, it was forwarded! LOL

    Replies
    1. Let me know if you still need my code which is just in progress by one of my fellows.

  10. Yes, thank you. Now I'm studying more about the Open IMS Core. Do you know more about this field?

    Replies
    1. Ok right - I'm writing a new how to which includes media-proxy as well as your call forwarding scenario together. Hopefully by start of next week you'll read about it here.

      Yes I do know few things about OpenIMS, but nothing very cool. I suggest you look at integrating OpenIMS core with kamailio IMS modules.

  11. Oh, great. Thank you. I will read your article. And I will find out more about what you say.

    Replies
    1. http://pastebin.pk/30

      This configuration worked. Please see.

  12. Very cool, you are very great!

  13. Hi all, I have a problem, after Opensips authen user, how it forward REGISTER message to FreeSwitch(a media server in dispatcher list) and FS send back 200OK, ignore authen user that FS know user registed or not?

  14. I want to use open-sips to register my soft phone . For example I have two media server A and B and open-sips has IP like 192.168.0.1 . I want that when I register my soft with opensip IP as domain then request should be sent to either media server A or B where the phone is created .Is that possible ? Give me some light in right way , thanks in advance...Baum
