Summary: ASTERISK-18530: improper use of host LDAP attribute value as ToHost sip client value
Reporter: Oleg Gawriloff (barzog)
Labels:
Date Opened: 2011-09-13 02:40:21
Date Closed: 2017-12-14 13:03:19.000-0600
Priority: Major
Regression?:
Status: Closed/Complete
Components: Resources/res_config_ldap
Versions:
Frequency of Occurrence: Constant
Related Issues:
Environment:
Attachments: ( 0) asterisk-debug.txt
             ( 1) ldap-server-output.txt
Description: On our LDAP setup, the user object in the LDAP tree belongs to the hostObject (used in our server authorization) and AsteriskSIPUser object classes.
When Asterisk gets user information from LDAP it fills ToHost with the value of the last host attribute, and after 'sip reload' and 'sip show peer gawriloff load' it requests this host instead of AstAccountIPAddress. There is no mention of the host attribute in any Asterisk docs. Any suggestions?

res_ldap.conf:
{noformat}
[_general]
host=ldap.telecom.by
protocol=3
port=389
basedn=dc=telecom,dc=by
user=cn=Asterisk,ou=people,dc=telecom,dc=by
pass=<somepass>
[sip]
name = uid
;name = AstAccountName
amaflags = AstAccountAMAFlags
callgroup = AstAccountCallGroup
callerid = AstAccountCallerID
directmedia = AstAccountDirectMedia
context = AstAccountContext
dtmfmode = AstAccountDTMFMode
fromuser = AstAccountFromUser
fromdomain = AstAccountFromDomain
fullcontact = gecos
host = AstAccountHost
insecure = AstAccountInsecure
mailbox = AstAccountMailbox
md5secret = AstAccountRealmedPassword
nat = AstAccountNAT
deny = AstAccountDeny
permit = AstAccountPermit
pickupgroup = AstAccountPickupGroup
port = AstAccountPort
qualify = AstAccountQualify
restrictcid = AstAccountRestrictCID
rtptimeout = AstAccountRTPTimeout
rtpholdtimeout = AstAccountRTPHoldTimeout
type = AstAccountType
disallow = AstAccountDisallowedCodec
allow = AstAccountAllowedCodec
MusicOnHold = AstAccountMusicOnHold
regseconds = AstAccountExpirationTimestamp
regcontext = AstAccountRegistrationContext
regexten = AstAccountRegistrationExten
CanCallForward = AstAccountCanCallForward
ipaddr = AstAccountIPAddress
defaultuser = AstAccountDefaultUser
regserver = AstAccountRegistrationServer
lastms = AstAccountLastQualifyMilliseconds
useragent = AstAccountUserAgent
additionalFilter=(objectClass=AsteriskSIPUser)
{noformat}
extconfig:
{noformat}
[settings]
sipusers => ldap,"dc=telecom,dc=by",sip
sippeers => ldap,"dc=telecom,dc=by",sip
{noformat}
LDAP data:
{noformat}
dn:: Y249w+Di8Ojr7uIgzuvl4yxvdT3E5e/g8PLg7OXt8iD96vHv6/Pg8uD26Ogsb3U9zOjt8eosZGM
9dGVsZWNvbSxkYz1ieQ==
givenName:: 0J7Qu9C10LM=
sn:: 0JPQsNCy0YDQuNC70L7Qsg==
initials:: 0J7Qu9C10LPQvtCy0LjRhw==
displayName:: 0J7Qu9C10LMg0JPQsNCy0YDQuNC70L7Qsg==
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: hostObject
objectClass: shadowAccount
objectClass: ldapPublicKey
objectClass: AsteriskSIPUser
cn:: 0JPQsNCy0YDQuNC70L7QsiDQntC70LXQsw==
uid: gawriloff
preferredLanguage: ru
host: albatros2.telecom.by
host: vulture4.telecom.by
AstAccountContext: default
AstAccountCanReinvite: no
AstAccountCallerID: "Oleg Gawriloff" <528>
AstAccountRealmedPassword: <somepassword>
AstContext: default
AstPriority: 1
AstApplication: Dial
AstApplicationData: SIP/gawriloff
AstExtension: 528
AstAccountDTMFMode: rfc2833
AstAccountHost: dynamic
AstAccountQualify: yes
AstAccountNAT: no
AstAccountType: friend
AstAccountLanguage: ru
AstAccountIPAddress: 172.17.0.39
AstAccountPort: 46252
AstAccountExpirationTimestamp: 1315903024
AstAccountDefaultUser: gawriloff
AstAccountUserAgent: eyeBeam release 1100l stamp 46320
gecos: sip:gawriloff@172.17.0.39:46252;rinstance=741634e136d663fb
AstAccountRegistrationServer: voip-tmp
AstAccountLastQualifyMilliseconds: 265
{noformat}

CLI output:
{noformat}
voip-tmp*CLI> sip show peer gawriloff


 * Name       : gawriloff
 Realtime peer: Yes, cached
 Secret       : <Not set>
 MD5Secret    : <Set>
 Remote Secret: <Not set>
 Context      : default
 Subscr.Cont. : <Not set>
 Language     :
 AMA flags    : Unknown
 Transfer mode: open
 CallingPres  : Presentation Allowed, Not Screened
 Callgroup    :
 Pickupgroup  :
 MOH Suggest  :
 Mailbox      :
 VM Extension : asterisk
 LastMsgsSent : 32767/65535
 Call limit   : 0
 Max forwards : 0
 Dynamic      : Yes
 Callerid     : "Oleg Gawriloff" <528>
 MaxCallBR    : 384 kbps
 Expire       : 3455
 Insecure     : no
 Force rport  : No
 ACL          : No
 DirectMedACL : No
 T.38 support : No
 T.38 EC mode : Unknown
 T.38 MaxDtgrm: -1
 DirectMedia  : Yes
 PromiscRedir : No
 User=Phone   : No
 Video Support: Yes
 Text Support : No
 Ign SDP ver  : No
 Trust RPID   : No
 Send RPID    : No
 Subscriptions: Yes
 Overlap dial : No
 DTMFmode     : rfc2833
 Timer T1     : 500
 Timer B      : 32000
 ToHost       : vulture4.telecom.by  <--- this is last host attribute from LDAP
 Addr->IP     : 172.17.0.39:46252
 Defaddr->IP  : (null)
 Prim.Transp. : UDP
 Allowed.Trsp : UDP
 Reg. exten   :
 Def. Username: gawriloff
 SIP Options  : (none)
 Codecs       : 0x4 (ulaw)
 Codec Order  : (ulaw:20)
 Auto-Framing :  No
 100 on REG   : No
 Status       : OK (10 ms)
 Useragent    : eyeBeam release 1100l stamp 46320
 Reg. Contact : sip:gawriloff@172.17.0.39:46252;rinstance=741634e136d663fb
 Qualify Freq : 60000 ms
 Sess-Timers  : Accept
 Sess-Refresh : uas
 Sess-Expires : 1800 secs
 Min-Sess     : 90 secs
 RTP Engine   : asterisk
 Parkinglot   :
 Use Reason   : No
 Encryption   : No
{noformat}
Comments:

By: Leif Madsen (lmadsen) 2011-09-13 11:29:07.864-0500

Can you provide the error or log output from the LDAP server? I'm not sure what the LDAP server is seeing or attempting to write to the database. You're mentioning the ToHost output on the console, but that isn't really useful. I need to see what is going on from the LDAP point of view so I can see how the res_ldap.conf file needs to be updated to handle that field.

By: Leif Madsen (lmadsen) 2011-09-13 11:34:29.763-0500

What I do see here is that in your LDAP data, you've got the host field defined twice:

host: albatros2.telecom.by
host: vulture4.telecom.by

By: Leif Madsen (lmadsen) 2011-09-13 11:58:55.242-0500

Can you reproduce this with a static configuration and not in realtime? We need to determine if this is a bug, a misunderstanding of what data is stored (and where) or if this is a bug specifically in realtime. I've tried looking at this issue for a bit now, and I don't have enough information to determine what data is stored where, and what is being requested at the various points in time.

A console output with debug level logging is likely going to be helpful here too.

By: Oleg Gawriloff (barzog) 2011-09-13 13:59:15.971-0500

With the static configuration (not using ldap at all) we have following in sip.conf:

{noformat}
[gawriloff]
qualify=yes
callerid="Oleg Gawriloff" <528>
nat=no
dtmfmode=rfc2833
context=default
type=friend
md5secret=<some hash>
host=dynamic
{noformat}
in this case ToHost field is not filled as intended:

{noformat}
voip-tmp*CLI> sip show peer gawriloff


 * Name       : gawriloff
 Secret       : <Not set>
 MD5Secret    : <Set>
 Remote Secret: <Not set>
 Context      : default
 Subscr.Cont. : <Not set>
 Language     :
 AMA flags    : Unknown
 Transfer mode: open
 CallingPres  : Presentation Allowed, Not Screened
 Callgroup    :
 Pickupgroup  :
 MOH Suggest  :
 Mailbox      :
 VM Extension : asterisk
 LastMsgsSent : 32767/65535
 Call limit   : 0
 Max forwards : 0
 Dynamic      : Yes
 Callerid     : "Oleg Gawriloff" <528>
 MaxCallBR    : 384 kbps
 Expire       : 3592
 Insecure     : no
 Force rport  : No
 ACL          : No
 DirectMedACL : No
 T.38 support : No
 T.38 EC mode : Unknown
 T.38 MaxDtgrm: -1
 DirectMedia  : Yes
 PromiscRedir : No
 User=Phone   : No
 Video Support: Yes
 Text Support : No
 Ign SDP ver  : No
 Trust RPID   : No
 Send RPID    : No
 Subscriptions: Yes
 Overlap dial : No
 DTMFmode     : rfc2833
 Timer T1     : 500
 Timer B      : 32000
 ToHost       :
 Addr->IP     : 172.17.0.39:37736
 Defaddr->IP  : (null)
 Prim.Transp. : UDP
 Allowed.Trsp : UDP
 Reg. exten   :
 Def. Username: gawriloff
 SIP Options  : (none)
 Codecs       : 0x4 (ulaw)
 Codec Order  : (ulaw:20)
 Auto-Framing :  No
 100 on REG   : No
 Status       : OK (4 ms)
 Useragent    : eyeBeam release 1100l stamp 46320
 Reg. Contact : sip:gawriloff@172.17.0.39:37736;rinstance=ab27b6487aba063d
 Qualify Freq : 60000 ms
 Sess-Timers  : Accept
 Sess-Refresh : uas
 Sess-Expires : 1800 secs
 Min-Sess     : 90 secs
 RTP Engine   : asterisk
 Parkinglot   :
 Use Reason   : No
 Encryption   : No
{noformat}

Regarding the host field on the LDAP server: yes, for this user this field is filled multiple times in the LDAP database and is used in LDAP PAM authorization control (as described here: https://help.ubuntu.com/community/LDAPClientAuthentication#pam_check_host_attr_.28limited.29)

As far as I understand, in res_ldap.conf it is somewhat used twice:
the first time properly, as configured in res_ldap.conf (host = AstAccountHost), so that Dynamic=Yes is used and ipaddr = AstAccountIPAddress is filled during client auth;
and the second time it reads the host LDAP attribute and fills ToHost, although there are no attempts to write this value to the LDAP server.

I've attached my LDAP server output as ldap-server-output.txt
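
The ambiguity described in this comment, a raw LDAP attribute (host, from hostObject) sharing its name with a res_ldap.conf config key whose mapped attribute is a different one (AstAccountHost), can be audited before it reaches Asterisk. The following is an added example, not Asterisk's res_config_ldap code and not the reporter's: it parses a constructed excerpt of the [sip] mapping and a constructed LDIF entry modelled on the one above (hostnames are placeholders), builds the realtime variables the mapping intends, and flags colliding raw attributes together with all of their values.

```python
import re
from collections import defaultdict
# Constructed excerpt of the [sip] mapping from this report: config key = LDAP attribute.
RES_LDAP_SIP = """
host = AstAccountHost
ipaddr = AstAccountIPAddress
port = AstAccountPort
type = AstAccountType
md5secret = AstAccountRealmedPassword
"""

# Constructed LDIF excerpt modelled on the reporter's entry (placeholder hostnames): a multi-valued raw 'host' beside the mapped AstAccountHost.
LDIF_ENTRY = """
objectClass: hostObject
objectClass: AsteriskSIPUser
uid: gawriloff
host: albatros2.example
host: vulture4.example
AstAccountHost: dynamic
AstAccountIPAddress: 172.17.0.39
AstAccountPort: 46252
AstAccountType: friend
"""

def parse_mapping(text):
    """Return {config_key_lower: ldap_attribute} from 'key = Attr' lines; ';' comments are skipped."""
    mapping = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        m = re.match(r"^(\w+)\s*=\s*(\S+)$", line)
        if m:
            mapping[m.group(1).lower()] = m.group(2)
    return mapping

def parse_ldif(text):
    """Return {attribute_lower: [values]} from 'attr: value' lines, keeping every value."""
    entry = defaultdict(list)
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z][\w-]*):\s*(.*)$", line)
        if m:
            entry[m.group(1).lower()].append(m.group(2))
    return entry

def realtime_vars(mapping, entry):
    """What the mapping intends: each config key takes only its mapped attribute's value."""
    return {key: entry[attr.lower()][0] for key, attr in mapping.items() if attr.lower() in entry}

def find_collisions(mapping, entry):
    """Raw attributes named like a config key but not that key's mapped attribute (e.g. 'host')."""
    return {key: entry[key] for key, attr in mapping.items() if key in entry and attr.lower() != key}
```

Any key reported by find_collisions is worth renaming on the Asterisk side or isolating in a separate LDAP object before trusting what 'sip show peer' displays for it.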

By: Oleg Gawriloff (barzog) 2011-09-13 14:14:16.763-0500

asterisk-debug.txt attached

By: Sean Bright (seanbright) 2017-02-17 14:18:28.061-0600

It's a bit difficult for me to understand what problem you are having. With the configuration you have:

{noformat}
host = AstAccountHost
{noformat}

Asterisk should never be looking at the {{host}} attribute that your LDAP server returns. The only attribute Asterisk would care about would be the {{AstAccountHost}} one.

Is this still occurring with Asterisk 13?