Summary: ASTERISK-18530: improper use of host LDAP attribute value as ToHost sip client value
Reporter: Oleg Gawriloff (barzog)
Labels:
Date Opened: 2011-09-13 02:40:21
Date Closed: 2017-12-14 13:03:19.000-0600
Priority: Major
Regression?:
Status: Closed/Complete
Components: Resources/res_config_ldap
Versions:
Frequency of Occurrence: Constant
Related Issues:
Environment:
Attachments: (0) asterisk-debug.txt (1) ldap-server-output.txt
Description:

In our LDAP setup the user object in the LDAP tree belongs to the hostObject (used in our server authorization) and AsteriskSIPUsers object classes. When Asterisk gets user information from LDAP it fills ToHost with the value of the last host attribute, and after 'sip reload' and 'sip show peer gawriloff load' it requests this host instead of AstAccountIPAddress. There is no mention of a host attribute in any Asterisk docs. Any suggestions?

res_ldap.conf:
{noformat}
[_general]
host=ldap.telecom.by
protocol=3
port=389
basedn=dc=telecom,dc=by
user=cn=Asterisk,ou=people,dc=telecom,dc=by
pass=<somepass>

[sip]
name = uid
;name = AstAccountName
amaflags = AstAccountAMAFlags
callgroup = AstAccountCallGroup
callerid = AstAccountCallerID
directmedia = AstAccountDirectMedia
context = AstAccountContext
dtmfmode = AstAccountDTMFMode
fromuser = AstAccountFromUser
fromdomain = AstAccountFromDomain
fullcontact = gecos
host = AstAccountHost
insecure = AstAccountInsecure
mailbox = AstAccountMailbox
md5secret = AstAccountRealmedPassword
nat = AstAccountNAT
deny = AstAccountDeny
permit = AstAccountPermit
pickupgroup = AstAccountPickupGroup
port = AstAccountPort
qualify = AstAccountQualify
restrictcid = AstAccountRestrictCID
rtptimeout = AstAccountRTPTimeout
rtpholdtimeout = AstAccountRTPHoldTimeout
type = AstAccountType
disallow = AstAccountDisallowedCodec
allow = AstAccountAllowedCodec
MusicOnHold = AstAccountMusicOnHold
regseconds = AstAccountExpirationTimestamp
regcontext = AstAccountRegistrationContext
regexten = AstAccountRegistrationExten
CanCallForward = AstAccountCanCallForward
ipaddr = AstAccountIPAddress
defaultuser = AstAccountDefaultUser
regserver = AstAccountRegistrationServer
lastms = AstAccountLastQualifyMilliseconds
useragent = AstAccountUserAgent
additionalFilter=(objectClass=AsteriskSIPUser)
{noformat}

extconfig:
{noformat}
[settings]
sipusers => ldap,"dc=telecom,dc=by",sip
sippeers => ldap,"dc=telecom,dc=by",sip
{noformat}

LDAP data:
{noformat}
dn:: Y249w+Di8Ojr7uIgzuvl4yxvdT3E5e/g8PLg7OXt8iD96vHv6/Pg8uD26Ogsb3U9zOjt8eosZGM9dGVsZWNvbSxkYz1ieQ==
givenName:: 0J7Qu9C10LM=
sn:: 0JPQsNCy0YDQuNC70L7Qsg==
initials:: 0J7Qu9C10LPQvtCy0LjRhw==
displayName:: 0J7Qu9C10LMg0JPQsNCy0YDQuNC70L7Qsg==
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: hostObject
objectClass: shadowAccount
objectClass: ldapPublicKey
objectClass: AsteriskSIPUser
cn:: 0JPQsNCy0YDQuNC70L7QsiDQntC70LXQsw==
uid: gawriloff
preferredLanguage: ru
host: albatros2.telecom.by
host: vulture4.telecom.by
AstAccountContext: default
AstAccountCanReinvite: no
AstAccountCallerID: "Oleg Gawriloff" <528>
AstAccountRealmedPassword: <somepassword>
AstContext: default
AstPriority: 1
AstApplication: Dial
AstApplicationData: SIP/gawriloff
AstExtension: 528
AstAccountDTMFMode: rfc2833
AstAccountHost: dynamic
AstAccountQualify: yes
AstAccountNAT: no
AstAccountType: friend
AstAccountLanguage: ru
AstAccountIPAddress: 172.17.0.39
AstAccountPort: 46252
AstAccountExpirationTimestamp: 1315903024
AstAccountDefaultUser: gawriloff
AstAccountUserAgent: eyeBeam release 1100l stamp 46320
gecos: sip:gawriloff@172.17.0.39:46252;rinstance=741634e136d663fb
AstAccountRegistrationServer: voip-tmp
AstAccountLastQualifyMilliseconds: 265
{noformat}

CLI output:
{noformat}
voip-tmp*CLI> sip show peer gawriloff

  * Name : gawriloff
  Realtime peer: Yes, cached
  Secret : <Not set>
  MD5Secret : <Set>
  Remote Secret: <Not set>
  Context : default
  Subscr.Cont. : <Not set>
  Language :
  AMA flags : Unknown
  Transfer mode: open
  CallingPres : Presentation Allowed, Not Screened
  Callgroup :
  Pickupgroup :
  MOH Suggest :
  Mailbox :
  VM Extension : asterisk
  LastMsgsSent : 32767/65535
  Call limit : 0
  Max forwards : 0
  Dynamic : Yes
  Callerid : "Oleg Gawriloff" <528>
  MaxCallBR : 384 kbps
  Expire : 3455
  Insecure : no
  Force rport : No
  ACL : No
  DirectMedACL : No
  T.38 support : No
  T.38 EC mode : Unknown
  T.38 MaxDtgrm: -1
  DirectMedia : Yes
  PromiscRedir : No
  User=Phone : No
  Video Support: Yes
  Text Support : No
  Ign SDP ver : No
  Trust RPID : No
  Send RPID : No
  Subscriptions: Yes
  Overlap dial : No
  DTMFmode : rfc2833
  Timer T1 : 500
  Timer B : 32000
  ToHost : vulture4.telecom.by   <--- this is the last host attribute from LDAP
  Addr->IP : 172.17.0.39:46252
  Defaddr->IP : (null)
  Prim.Transp. : UDP
  Allowed.Trsp : UDP
  Reg. exten :
  Def. Username: gawriloff
  SIP Options : (none)
  Codecs : 0x4 (ulaw)
  Codec Order : (ulaw:20)
  Auto-Framing : No
  100 on REG : No
  Status : OK (10 ms)
  Useragent : eyeBeam release 1100l stamp 46320
  Reg. Contact : sip:gawriloff@172.17.0.39:46252;rinstance=741634e136d663fb
  Qualify Freq : 60000 ms
  Sess-Timers : Accept
  Sess-Refresh : uas
  Sess-Expires : 1800 secs
  Min-Sess : 90 secs
  RTP Engine : asterisk
  Parkinglot :
  Use Reason : No
  Encryption : No
{noformat}
Comments:

By: Leif Madsen (lmadsen) 2011-09-13 11:29:07.864-0500

Can you provide the error or log output from the LDAP server? I'm not sure what the LDAP server is seeing or attempting to write to the database. You're mentioning the ToHost output on the console, but that isn't really useful. I need to see what is going on from the LDAP point of view so I can see how the res_ldap.conf file needs to be updated to handle that field.

By: Leif Madsen (lmadsen) 2011-09-13 11:34:29.763-0500

What I do see here is that in your LDAP data, you've got the host field defined twice:
{noformat}
host: albatros2.telecom.by
host: vulture4.telecom.by
{noformat}

By: Leif Madsen (lmadsen) 2011-09-13 11:58:55.242-0500

Can you reproduce this with a static configuration and not in realtime? We need to determine if this is a bug, a misunderstanding of what data is stored (and where), or if this is a bug specifically in realtime. I've tried looking at this issue for a bit now, and I don't have enough information to determine what data is stored where, and what is being requested at the various points in time. A console output with debug level logging is likely going to be helpful here too.

By: Oleg Gawriloff (barzog) 2011-09-13 13:59:15.971-0500

With the static configuration (not using LDAP at all) we have the following in sip.conf:
{noformat}
[gawriloff]
qualify=yes
callerid="Oleg Gawriloff" <528>
nat=no
dtmfmode=rfc2833
context=default
type=friend
md5secret=<some hash>
host=dynamic
{noformat}

In this case the ToHost field is not filled, as intended:
{noformat}
voip-tmp*CLI> sip show peer gawriloff

  * Name : gawriloff
  Secret : <Not set>
  MD5Secret : <Set>
  Remote Secret: <Not set>
  Context : default
  Subscr.Cont. : <Not set>
  Language :
  AMA flags : Unknown
  Transfer mode: open
  CallingPres : Presentation Allowed, Not Screened
  Callgroup :
  Pickupgroup :
  MOH Suggest :
  Mailbox :
  VM Extension : asterisk
  LastMsgsSent : 32767/65535
  Call limit : 0
  Max forwards : 0
  Dynamic : Yes
  Callerid : "Oleg Gawriloff" <528>
  MaxCallBR : 384 kbps
  Expire : 3592
  Insecure : no
  Force rport : No
  ACL : No
  DirectMedACL : No
  T.38 support : No
  T.38 EC mode : Unknown
  T.38 MaxDtgrm: -1
  DirectMedia : Yes
  PromiscRedir : No
  User=Phone : No
  Video Support: Yes
  Text Support : No
  Ign SDP ver : No
  Trust RPID : No
  Send RPID : No
  Subscriptions: Yes
  Overlap dial : No
  DTMFmode : rfc2833
  Timer T1 : 500
  Timer B : 32000
  ToHost :
  Addr->IP : 172.17.0.39:37736
  Defaddr->IP : (null)
  Prim.Transp. : UDP
  Allowed.Trsp : UDP
  Reg. exten :
  Def. Username: gawriloff
  SIP Options : (none)
  Codecs : 0x4 (ulaw)
  Codec Order : (ulaw:20)
  Auto-Framing : No
  100 on REG : No
  Status : OK (4 ms)
  Useragent : eyeBeam release 1100l stamp 46320
  Reg. Contact : sip:gawriloff@172.17.0.39:37736;rinstance=ab27b6487aba063d
  Qualify Freq : 60000 ms
  Sess-Timers : Accept
  Sess-Refresh : uas
  Sess-Expires : 1800 secs
  Min-Sess : 90 secs
  RTP Engine : asterisk
  Parkinglot :
  Use Reason : No
  Encryption : No
{noformat}

Regarding the host field in the LDAP server: yes, for this user this field is filled multiple times in the LDAP database and is used in LDAP PAM authorization control (as described here: https://help.ubuntu.com/community/LDAPClientAuthentication#pam_check_host_attr_.28limited.29). As far as I understand, in res_ldap.conf it is somehow used twice: the first time properly, as configured in res_ldap.conf (host = AstAccountHost), so that Dynamic=Yes is used and ipaddr = AstAccountIPAddress is filled during client auth, and the second time it reads the host LDAP attribute and fills ToHost, although there are no attempts to write this value to the LDAP server.

I've attached my LDAP server output as ldap-server-output.txt.

By: Oleg Gawriloff (barzog) 2011-09-13 14:14:16.763-0500

asterisk-debug.txt attached

By: Sean Bright (seanbright) 2017-02-17 14:18:28.061-0600

It's a bit difficult for me to understand what problem you are having. With the configuration you have:
{noformat}
host = AstAccountHost
{noformat}
Asterisk should never be looking at the {{host}} attribute that your LDAP server returns. The only attribute Asterisk would care about would be the {{AstAccountHost}} one. Is this still occurring with Asterisk 13?
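The following is an added example, not Asterisk code and not from any participant in this thread. It models the reporter's hypothesis as an assumption: if a realtime backend passes LDAP attributes that have no mapping through under their raw names, a hostObject `host` attribute shadows the configured `host = AstAccountHost` key, and the last value wins. The checker flags such collisions before they reach chan_sip; the config and LDIF fragments are constructed from the data in this report.

```python
# Added example (not Asterisk code): flag LDAP attributes whose raw name
# collides with an Asterisk-side key in a res_ldap.conf [sip] mapping.
# Assumption (the reporter's hypothesis): unmapped attributes pass through raw.
import re

# Constructed excerpt of the [sip] mapping in the report (asterisk key = LDAP attr).
RES_LDAP_SIP = """
;name = AstAccountName
host = AstAccountHost
ipaddr = AstAccountIPAddress
"""

# Constructed LDIF fragment modelled on the entry in the report.
LDIF = """
uid: gawriloff
objectClass: hostObject
host: albatros2.telecom.by
host: vulture4.telecom.by
AstAccountHost: dynamic
AstAccountIPAddress: 172.17.0.39
"""

def parse_mapping(text):
    """Return {asterisk_key: ldap_attr} from a res_ldap.conf section body."""
    mapping = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()       # drop ;comments
        if "=" in line:
            key, attr = (s.strip() for s in line.split("=", 1))
            mapping[key.lower()] = attr
    return mapping

def parse_ldif(text):
    """Return {attr_lower: [values]}, keeping multi-valued attributes in order."""
    entry = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z][\w-]*):\s*(.*)$", line)
        if m:
            entry.setdefault(m.group(1).lower(), []).append(m.group(2))
    return entry

def find_collisions(mapping, entry):
    """Attributes that would shadow a mapped Asterisk key if passed through raw."""
    hits = []
    for key, src in mapping.items():
        if key in entry and key != src.lower():    # raw name equals a mapped key
            hits.append({"key": key, "mapped_from": src,
                         "mapped_value": entry.get(src.lower(), [None])[-1],
                         "raw_values": entry[key], "last_wins": entry[key][-1]})
    return hits
```

Running `find_collisions(parse_mapping(RES_LDAP_SIP), parse_ldif(LDIF))` reports one collision: `host` is mapped from `AstAccountHost` (value `dynamic`) but the entry also carries two raw `host` values, of which `vulture4.telecom.by` would win.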