List: sr-dev
Subject: Re: [Serdev] auth_radius alias patch
From: Jan Janak <jan () iptel ! org>
Date: 2003-08-13 10:22:26
Message-ID: 20030813102226.GG390 () localhost ! localdomain
Hello,
Thanks a lot for the contribution! We will review it and include it in
the main tree if it is OK. I'll let you know then.
Jan.
On 12-08 12:37, Alexander Mayrhofer wrote:
>
> Hi,
>
> I've just finished a working version of my auth_radius alias patch.
>
> * What is it?
>
> It allows provisioning entries in the aliases table via attributes in
> the RADIUS authentication replies.
>
> * How to use it?
>
> ser.cfg:
>
> # switch radius_alias functionality on
> modparam("auth_radius", "radius_alias", 1)
> # set radius alias expiry to one day
> modparam("auth_radius", "alias_expiry", 86400)
>
> RADIUS:
>
> Add the following attribute to your RADIUS dictionary:
> ATTRIBUTE SER-AT43-SIP-Alias 215 string
>
> Add aliases to your RADIUS authentication responses:
> SER-AT43-SIP-Alias = 'joe.user@mydomain.tld'
> SER-AT43-SIP-Alias = 'juser@mydomain.tld'
>
> * What are the requirements?
>
> The usrloc module must be loaded, the aliases table must exist, and RADIUS
> authentication must be used.
>
> * Bugs
>
> I'm sure there are some. Help me to find them.
>
> Please find the patch below; any comments appreciated. iptel:
> integration into mainstream sources (as always & if it qualifies) welcome.
>
> axelm
> diff -P -N -U 4 -r --exclude *.d --exclude *CVS* auth_radius.orig/authrad_mod.c \
> auth_radius/authrad_mod.c
> --- auth_radius.orig/authrad_mod.c Fri May 2 23:36:29 2003
> +++ auth_radius/authrad_mod.c Tue Aug 12 11:18:48 2003
> @@ -41,8 +41,9 @@
> #include "../../sr_module.h"
> #include "../../error.h"
> #include "../../dprint.h"
> #include "../../mem/mem.h"
> +#include "../usrloc/usrloc.h"
> #include "authrad_mod.h"
> #include "authorize.h"
> #include <radiusclient.h>
> #include "ser_radius.h"
> @@ -60,9 +61,10 @@
> * Module parameter variables
> */
> char* radius_config = "/usr/local/etc/radiusclient/radiusclient.conf";
> int service_type = PW_SIP;
> -
> +int radius_alias = 0; /* if to honour aliases received via radius */
> +int alias_expiry = 86400; /* one day */
>
> /*
> * Exported functions
> */
> @@ -78,8 +80,10 @@
> */
> static param_export_t params[] = {
> {"radius_config", STR_PARAM, &radius_config},
> {"service_type", INT_PARAM, &service_type },
> + {"radius_alias", INT_PARAM, &radius_alias },
> + {"alias_expiry", INT_PARAM, &alias_expiry },
> {0, 0, 0}
> };
>
>
> @@ -121,8 +125,14 @@
> if (!(pre_auth_func && post_auth_func)) {
> LOG(L_ERR, "auth_radius: This module requires auth module\n");
> return -3;
> }
> +
> + /* if radius aliases enabled: bind usrloc functions */
> + if ((radius_alias) && (bind_usrloc() < 0)) {
> + LOG(L_ERR, "auth_radius: This module requires usrloc module\n");
> + return -1;
> + }
>
> return 0;
> }
>
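Review bot: the new usrloc check in mod_init returns -1 while the auth-module check just above it returns -3; give it its own distinct code for consistency. Since alias_expiry is now a module parameter, this is also the place to reject `alias_expiry <= 0`: with a zero or negative value the contacts later inserted with `time(NULL)+alias_expiry` are already expired when they are created.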
> diff -P -N -U 4 -r --exclude *.d --exclude *CVS* auth_radius.orig/authrad_mod.h \
> auth_radius/authrad_mod.h
> --- auth_radius.orig/authrad_mod.h Fri May 2 14:21:54 2003
> +++ auth_radius/authrad_mod.h Tue Aug 12 11:06:06 2003
> @@ -45,6 +45,8 @@
> * Module parameter variables
> */
> extern char* radius_config; /* radiusclient configuration file */
> extern int service_type; /* radius service type used for access request */
> +extern int radius_alias; /* if to honour aliases received via radius */
> +extern int alias_expiry; /* expiration of radius aliases */
>
> #endif /* AUTHRAD_MOD_H */
> diff -P -N -U 4 -r --exclude *.d --exclude *CVS* \
> auth_radius.orig/doc/auth_radius.sgml \
> auth_radius/doc/auth_radius.sgml
> --- auth_radius.orig/doc/auth_radius.sgml Mon Jul 14 23:19:21 2003
> +++ auth_radius/doc/auth_radius.sgml Tue Aug 12 11:32:57 2003
> @@ -26,8 +26,14 @@
> <author>
> <firstname>Stelios</firstname>
> <surname>Sidiroglou-Douskos</surname>
> </author>
> + <author>
> + <firstname>Alexander</firstname>
> + <surname>Mayrhofer</surname>
> + <affiliation><orgname>nic.at</orgname></affiliation>
> + <email>axelm@nic.at</email>
> + </author>
> <editor>
> <firstname>Jan</firstname>
> <surname>Janak</surname>
> <email>jan@iptel.org</email>
> diff -P -N -U 4 -r --exclude *.d --exclude *CVS* \
> auth_radius.orig/doc/auth_radius_user.sgml \
> auth_radius/doc/auth_radius_user.sgml
> --- auth_radius.orig/doc/auth_radius_user.sgml Mon Jul 14 23:03:05 2003
> +++ auth_radius/doc/auth_radius_user.sgml Tue Aug 12 12:16:01 2003
> @@ -21,8 +21,9 @@
> radius server we perform some sanity checks over the credentials to make sure \
> that only
> well formed credentials will get to the server. We have implemented radius
> authentication according to draft-sterman-aaa-sip-00
> </para>
> + <para>Additionally, this module contains functionality to provision aliases \
> received via RADIUS replies into the aliases table. This functionality is optional \
> and requires the usrloc module.</para> <para>How to configure radius server -- \
> more detailed description -- TBD.</para> <warning>
> <para>The detailed description of radius authentication setup is important \
> since many people will use it and we want to make the setup painless.</para>
> @@ -36,8 +37,11 @@
> <itemizedlist>
> <listitem>
> <para><emphasis>auth</emphasis> -- Generic authentication functions</para>
> </listitem>
> + <listitem>
> + <para><emphasis>usrloc</emphasis> (only if <varname>radius_alias</varname> \
> enabled) + </listitem>
> </itemizedlist>
> </para>
> </section>
> <section>
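Review bot: the added `<listitem>` for usrloc opens a `<para>` that is never closed before `</listitem>`, so the SGML will not validate; close it, e.g. `<para><emphasis>usrloc</emphasis> (only if <varname>radius_alias</varname> enabled)</para>`.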
> @@ -70,8 +74,38 @@
> <example>
> <title><varname>radius_config</varname> usage</title>
> <programlisting format="linespecific">
> modparam("auth_radius", "service_type", 15)
> +</programlisting>
> + </example>
> + </section>
> + <section>
> + <title><varname>radius_alias</varname> (integer)</title>
> + <para>
> + If this switch is set to 1, SIP URI's delivered in radius attribute 215 (e.g. \
> set to 'SER-AT43-SIP-Alias' in yur dictionary file) are being provisioned into the \
> aliases table (which must exist). + </para>
> + <para>
> + Default value is <quote>0</quote>.
> + </para>
> + <example>
> + <title><varname>radius_alias</varname> parameter usage</title>
> + <programlisting format="linespecific">
> +modparam("auth_radius", "radius_alias", 1)
> +</programlisting>
> + </example>
> + </section>
> + <section>
> + <title><varname>alias_expiry</varname> (integer)</title>
> + <para>
> + This is the expiry time (in seconds) of aliases provisioned via RADIUS replies.
> + </para>
> + <para>
> + Default value is <quote>86400</quote>.
> + </para>
> + <example>
> + <title><varname>alias_expiry</varname> parameter usage</title>
> + <programlisting format="linespecific">
> +modparam("auth_radius", "alias_expiry", 43200)
> </programlisting>
> </example>
> </section>
> </section>
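Review bot: typos in the new radius_alias description: "yur" should be "your", "URI's" should be "URIs", and "are being provisioned" reads better as "are provisioned". It is also worth stating in this section that aliases are trusted exactly as far as the RADIUS server is: whatever the server returns in attribute 215 becomes a routable alias for the authenticated user, so the aliases table is only as trustworthy as the server and the shared secret protecting its replies.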
> diff -P -N -U 4 -r --exclude *.d --exclude *CVS* auth_radius.orig/ser_radius.h \
> auth_radius/ser_radius.h
> --- auth_radius.orig/ser_radius.h Fri May 2 14:21:54 2003
> +++ auth_radius/ser_radius.h Wed Aug 6 13:52:19 2003
> @@ -60,6 +60,11 @@
> #define PW_DIGEST_CNONCE 1070 /* string */
> #define PW_DIGEST_NONCE_COUNT 1071 /* string */
> #define PW_DIGEST_USER_NAME 1072 /* string */
>
> +/* AT43 specific attributes */
> +#define AT43_SIP_ALIAS 215 /* string */
> +
> +/* AT43 specific defines */
> +#define AT43_MAX_ALIAS_LEN 255
>
> #endif /* SER_RADIUS_H */
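Review bot: attribute type 215 sits in the range RFC 2865 reserves for experimental use (192-223), so a clash with another experimental dictionary entry is possible; a Vendor-Specific attribute (type 26) under a registered vendor ID would be the interoperable choice. Note also that a single RADIUS attribute value can never exceed 253 bytes (one-byte Length field minus the Type and Length octets), so AT43_MAX_ALIAS_LEN 255 is only ever reached by the concatenation done in sterman.c, not by a received value.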
> diff -P -N -U 4 -r --exclude *.d --exclude *CVS* auth_radius.orig/sterman.c \
> auth_radius/sterman.c
> --- auth_radius.orig/sterman.c Thu May 8 15:20:14 2003
> +++ auth_radius/sterman.c Tue Aug 12 11:31:37 2003
> @@ -28,20 +28,25 @@
> *
> * History:
> * -------
> * 2003-03-09: Based on digest.c from radius_auth module (janakj)
> + * 2003-08-12: Added radius alias support (Alexander Mayrhofer, axelm@nic.at)
> */
>
>
> #include <string.h>
> +#include "../../ut.h"
> #include "../../mem/mem.h"
> #include "../../dprint.h"
> +#include "../usrloc/usrloc.h"
> #include "../auth/api.h"
> #include "ser_radius.h"
> #include "sterman.h"
> #include "authrad_mod.h"
> #include <radiusclient.h>
> +#include <time.h>
>
> +str alias_dom = {"aliases", 7};
>
> /*
> * This function creates and submits radius authentication request as per
> * draft-sterman-aaa-sip-00.txt. In addition, _user parameter is included
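Review bot: `str alias_dom = {"aliases", 7};` is added as a non-static global but never used; the domain name is passed as the literal `"aliases"` to ul_register_udomain() later in this file. Either use it there or drop it, and make it `static` if it stays.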
> @@ -221,8 +226,88 @@
> return -20;
> }
> memcpy(_rpid->s, vp->strvalue, vp->lvalue);
> _rpid->len = vp->lvalue;
> + }
> +
> + /* AT43: Aliases received from RADIUS server */
> + /* switch that features on with radius_alias -> 1 */
> + if ((radius_alias) && (vp = rc_avpair_get(received, AT43_SIP_ALIAS))) {
> + VALUE_PAIR *cur, *first;
> + char *alias_tmp;
> + udomain_t *d;
> + urecord_t *r;
> + ucontact_t *c;
> + str alias_aor;
> + str alias_dest;
> + str alias_cid = {"auth-radius-alias", 17};
> +
> + cur = vp;
> + first = vp;
> + alias_tmp = pkg_malloc(AT43_MAX_ALIAS_LEN);
> + while(cur) {
> + if (cur->lvalue >= AT43_MAX_ALIAS_LEN) {
> + LOG(L_ERR, "radius_authorize_sterman(): alias buffer too small\n");
> + break;
> + }
> +
> + alias_aor.s = (char*)pkg_malloc(cur->lvalue);
> + memcpy(alias_aor.s, cur->strvalue, cur->lvalue);
> + alias_aor.len = cur->lvalue;
> +
> + strncpy(alias_tmp, cur->strvalue, cur->lvalue);
> + alias_tmp[cur->lvalue] = 0;
> + strcat(alias_tmp, " -> ");
> + strncat(alias_tmp, _cred->username.whole.s,
> + _cred->username.whole.len);
> + strcat(alias_tmp, "@");
> + strncat(alias_tmp, _cred->realm.s,
> + _cred->realm.len);
> +
> + alias_dest.len = _cred->username.whole.len + _cred->realm.len + 5;
> + alias_dest.s = (char*)pkg_malloc(alias_dest.len);
> + strncpy(alias_dest.s, "sip:", 4);
> + memcpy(alias_dest.s+4, alias_tmp+cur->lvalue+4, _cred->username.whole.len + \
> _cred->realm.len +1); +
> + LOG(L_INFO, "Alias (%.*s -> %.*s) in radius reply\n", alias_aor.len, \
> ZSW(alias_aor.s), alias_dest.len, ZSW(alias_dest.s)); +
> + if (ul_register_udomain("aliases", &d) > 0) {
> + LOG(L_ERR, "radius_authorize_sterman(): Alias domain not found\n");
> + break;
> + }
> +
> +
> + ul_lock_udomain(d);
> +
> + if (ul_get_urecord(d, &alias_aor, &r) > 0) {
> + /* not found, insert new record */
> + LOG(L_INFO, "Adding new record for %.*s\n", alias_aor.len, ZSW(alias_aor.s));
> + ul_insert_urecord(d, &alias_aor, &r);
> + }
> + if (r) {
> + if(!(r->contacts)) {
> + LOG(L_INFO, "Adding new contact to %.*s: %.*s\n", alias_aor.len, \
> ZSW(alias_aor.s), alias_dest.len, ZSW(alias_dest.s)); + ul_insert_ucontact(r, \
> &alias_dest, time(NULL)+alias_expiry, 0.0, &alias_cid, 42, &c); + }
> + /* warning if it has changed */
> + if(!((r->contacts) && (r->contacts->c.len == alias_dest.len) && \
> (!strncmp(r->contacts->c.s, alias_dest.s, alias_dest.len)))) { + LOG(L_INFO, \
> "Warning: Aliase destination has changed (originally %.*s).\n", r->contacts->c.len, \
> ZSW(r->contacts->c.s)); + /* TODO: change to newly received contact \
> information? */ + }
> + if((r->contacts) && (r->contacts->expires < (time(NULL)+(alias_expiry/2)))) {
> + /* half of expiration time */
> + LOG(L_INFO, "updateing expiration of %.*s.\n", alias_aor.len, \
> ZSW(alias_aor.s)); + ul_update_ucontact(r->contacts, time(NULL)+alias_expiry, \
> 0.0, &alias_cid, 42); + }
> + }
> +
> + ul_unlock_udomain(d);
> + cur = cur->next;
> + if (cur == first) {
> + break;
> + }
> + }
> + pkg_free(alias_tmp);
> }
>
> rc_avpair_free(received);
> return 1;
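Review bot: the alias loop walks `cur = cur->next` from the first attribute-215 pair to the end of the reply without re-checking `cur->attribute`, so any attribute that follows the first alias in the Access-Accept (a Reply-Message, a Digest attribute, anything) is provisioned as an alias; test `cur->attribute == AT43_SIP_ALIAS` on every iteration (the `cur == first` comparison adds nothing, `while(cur)` already ends the walk). Second, the length check only bounds `cur->lvalue`, but `alias_tmp` (AT43_MAX_ALIAS_LEN bytes) then receives alias + " -> " + username + "@" + realm via strcat/strncat, so a long alias combined with a long username and realm overruns the buffer; build `alias_dest` directly from `_cred->username.whole` and `_cred->realm` with a size check and the temporary buffer disappears. Third, none of the three pkg_malloc() calls is checked, and `alias_aor.s` and `alias_dest.s` are never pkg_free()d, so every authenticated request carrying aliases leaks; usrloc copies what it stores, so free both at the end of each iteration. Fourth, ul_register_udomain() is called on every request and its failure is tested with `> 0`, whereas usrloc signals failure with a negative return (only ul_get_urecord() uses a positive value, for "not found"); register the aliases domain once in mod_init and keep the handle. Finally, the alias value is stored without parsing it as a SIP URI, and the log messages have typos ("Aliase", "updateing").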
> diff -P -N -U 4 -r --exclude *.d --exclude *CVS* auth_radius.orig/usrloc.c \
> auth_radius/usrloc.c
> --- auth_radius.orig/usrloc.c Thu Jan 1 01:00:00 1970
> +++ auth_radius/usrloc.c Wed Aug 6 15:49:09 2003
> @@ -0,0 +1,76 @@
> +/*
> + * $Id: usrloc.c,v 1.4 2003/03/19 22:39:37 janakj Exp $
> + *
> + * Usrloc interface
> + *
> + * Copyright (C) 2001-2003 Fhg Fokus
> + *
> + * This file is part of ser, a free SIP server.
> + *
> + * ser is free software; you can redistribute it and/or modify
> + * it under the terms of the GNU General Public License as published by
> + * the Free Software Foundation; either version 2 of the License, or
> + * (at your option) any later version
> + *
> + * For a license to use the ser software under conditions
> + * other than those described here, or to purchase support for this
> + * software, please contact iptel.org by e-mail at the following addresses:
> + * info@iptel.org
> + *
> + * ser is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> + * GNU General Public License for more details.
> + *
> + * You should have received a copy of the GNU General Public License
> + * along with this program; if not, write to the Free Software
> + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
> + */
> +
> +
> +#include "../usrloc/usrloc.h"
> +#include "../../sr_module.h"
> +
> +
> +struct usrloc_func ul_func;
> +
> +
> +int bind_usrloc(void)
> +{
> + ul_register_udomain = (register_udomain_t)find_export("~ul_register_udomain", 1, \
> 0); + if (ul_register_udomain == 0) return -1;
> +
> + ul_insert_urecord = (insert_urecord_t)find_export("~ul_insert_urecord", 1, 0);
> + if (ul_insert_urecord == 0) return -1;
> +
> + ul_delete_urecord = (delete_urecord_t)find_export("~ul_delete_urecord", 1, 0);
> + if (ul_delete_urecord == 0) return -1;
> +
> + ul_get_urecord = (get_urecord_t)find_export("~ul_get_urecord", 1, 0);
> + if (ul_get_urecord == 0) return -1;
> +
> + ul_lock_udomain = (lock_udomain_t)find_export("~ul_lock_udomain", 1, 0);
> + if (ul_lock_udomain == 0) return -1;
> +
> + ul_unlock_udomain = (unlock_udomain_t)find_export("~ul_unlock_udomain", 1, 0);
> + if (ul_unlock_udomain == 0) return -1;
> +
> +
> + ul_release_urecord = (release_urecord_t)find_export("~ul_release_urecord", 1, 0);
> + if (ul_release_urecord == 0) return -1;
> +
> + ul_insert_ucontact = (insert_ucontact_t)find_export("~ul_insert_ucontact", 1, 0);
> + if (ul_insert_ucontact == 0) return -1;
> +
> + ul_delete_ucontact = (delete_ucontact_t)find_export("~ul_delete_ucontact", 1, 0);
> + if (ul_delete_ucontact == 0) return -1;
> +
> + ul_get_ucontact = (get_ucontact_t)find_export("~ul_get_ucontact", 1, 0);
> + if (ul_get_ucontact == 0) return -1;
> +
> +
> + ul_update_ucontact = (update_ucontact_t)find_export("~ul_update_ucontact", 1, 0);
> + if (ul_update_ucontact == 0) return -1;
> +
> + return 0;
> +}
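Review bot: the file header still carries the expanded `$Id: usrloc.c,v 1.4 2003/03/19 22:39:37 janakj Exp $` keyword and the generic "Usrloc interface" comment of the file it was copied from; replace it with a bare `$Id$` so CVS assigns this file its own revision, and name the module it belongs to. Only ul_register_udomain, ul_get_urecord, ul_insert_urecord, ul_insert_ucontact, ul_update_ucontact and the lock/unlock pair are used by the patch, yet mod_init now fails if any of the other exports (delete, release, get_ucontact) is missing; binding only what is used keeps the dependency minimal, and if the full binding is kept, the eleven find_export/return pairs are better expressed as a loop over a name table.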
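As an added example (not part of the posted patch or of SER), a defensive version of the alias walk the patch performs over the RADIUS reply: only attribute 215 values are taken, and each is bounds-checked and sanity-checked as a user@host alias before use. The VALUE_PAIR struct is a constructed stand-in for radiusclient's list node with only the fields needed, and collect_sip_aliases and alias_is_plausible are names chosen here.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for radiusclient's VALUE_PAIR (assumption: only the
 * fields the alias walk needs are modelled). */
#define AT43_SIP_ALIAS     215
#define AT43_MAX_ALIAS_LEN 255

typedef struct value_pair {
    int attribute;                      /* RADIUS attribute type */
    char strvalue[AT43_MAX_ALIAS_LEN];  /* value as received */
    size_t lvalue;                      /* length of strvalue */
    struct value_pair *next;
} VALUE_PAIR;

/* Accept only values that look like a bare SIP user@host alias: non-empty,
 * fits the buffer with room for a NUL, exactly one '@' with text on both
 * sides, and no whitespace or control characters. */
static int alias_is_plausible(const char *s, size_t n)
{
    size_t i, at = 0;
    if (n == 0 || n >= AT43_MAX_ALIAS_LEN) return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c <= ' ' || c == 0x7f) return 0;
        if (c == '@' && (at++ || i == 0 || i == n - 1)) return 0;
    }
    return at == 1;
}

/* Copy each plausible alias (attribute 215 only) into out[], NUL-terminated.
 * Returns the number of aliases stored. Other attributes in the reply are
 * skipped instead of being treated as aliases, which is the defect in the
 * patch's cur = cur->next walk. */
size_t collect_sip_aliases(const VALUE_PAIR *reply,
                           char out[][AT43_MAX_ALIAS_LEN], size_t max_out)
{
    size_t n = 0;
    const VALUE_PAIR *vp;
    for (vp = reply; vp && n < max_out; vp = vp->next) {
        if (vp->attribute != AT43_SIP_ALIAS) continue;
        if (!alias_is_plausible(vp->strvalue, vp->lvalue)) continue;
        memcpy(out[n], vp->strvalue, vp->lvalue);
        out[n][vp->lvalue] = '\0';
        n++;
    }
    return n;
}
```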