[asterisk-bugs] [JIRA] (ASTERISK-18530) improper use of host LDAP attribute value as ToHost sip client value
Sean Bright (JIRA)
noreply@issues.asterisk.org
Fri Feb 17 14:24:10 CST 2017
[ https://issues.asterisk.org/jira/browse/ASTERISK-18530?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sean Bright updated ASTERISK-18530:
-----------------------------------
Description:
On our LDAP setup the user object in the LDAP tree belongs to the hostObject (used in our server authorization) and AsteriskSIPUser object classes.
When Asterisk gets user information from LDAP it fills the value of the last host attribute into ToHost, and after 'sip reload' and 'sip show peer gawriloff load' it requests this host instead of AstAccountIPAddress. There is no mention of the host attribute in any Asterisk docs. Any suggestions?
res_ldap.conf:
{noformat}
[_general]
host=ldap.telecom.by
protocol=3
port=389
basedn=dc=telecom,dc=by
user=cn=Asterisk,ou=people,dc=telecom,dc=by
pass=<somepass>
[sip]
name = uid
;name = AstAccountName
amaflags = AstAccountAMAFlags
callgroup = AstAccountCallGroup
callerid = AstAccountCallerID
directmedia = AstAccountDirectMedia
context = AstAccountContext
dtmfmode = AstAccountDTMFMode
fromuser = AstAccountFromUser
fromdomain = AstAccountFromDomain
fullcontact = gecos
host = AstAccountHost
insecure = AstAccountInsecure
mailbox = AstAccountMailbox
md5secret = AstAccountRealmedPassword
nat = AstAccountNAT
deny = AstAccountDeny
permit = AstAccountPermit
pickupgroup = AstAccountPickupGroup
port = AstAccountPort
qualify = AstAccountQualify
restrictcid = AstAccountRestrictCID
rtptimeout = AstAccountRTPTimeout
rtpholdtimeout = AstAccountRTPHoldTimeout
type = AstAccountType
disallow = AstAccountDisallowedCodec
allow = AstAccountAllowedCodec
MusicOnHold = AstAccountMusicOnHold
regseconds = AstAccountExpirationTimestamp
regcontext = AstAccountRegistrationContext
regexten = AstAccountRegistrationExten
CanCallForward = AstAccountCanCallForward
ipaddr = AstAccountIPAddress
defaultuser = AstAccountDefaultUser
regserver = AstAccountRegistrationServer
lastms = AstAccountLastQualifyMilliseconds
useragent = AstAccountUserAgent
additionalFilter=(objectClass=AsteriskSIPUser)
{noformat}
extconfig:
{noformat}
[settings]
sipusers => ldap,"dc=telecom,dc=by",sip
sippeers => ldap,"dc=telecom,dc=by",sip
{noformat}
LDAP data:
{noformat}
dn:: Y249w+Di8Ojr7uIgzuvl4yxvdT3E5e/g8PLg7OXt8iD96vHv6/Pg8uD26Ogsb3U9zOjt8eosZGM
9dGVsZWNvbSxkYz1ieQ==
givenName:: 0J7Qu9C10LM=
sn:: 0JPQsNCy0YDQuNC70L7Qsg==
initials:: 0J7Qu9C10LPQvtCy0LjRhw==
displayName:: 0J7Qu9C10LMg0JPQsNCy0YDQuNC70L7Qsg==
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: hostObject
objectClass: shadowAccount
objectClass: ldapPublicKey
objectClass: AsteriskSIPUser
cn:: 0JPQsNCy0YDQuNC70L7QsiDQntC70LXQsw==
uid: gawriloff
preferredLanguage: ru
host: albatros2.telecom.by
host: vulture4.telecom.by
AstAccountContext: default
AstAccountCanReinvite: no
AstAccountCallerID: "Oleg Gawriloff" <528>
AstAccountRealmedPassword: <somepassword>
AstContext: default
AstPriority: 1
AstApplication: Dial
AstApplicationData: SIP/gawriloff
AstExtension: 528
AstAccountDTMFMode: rfc2833
AstAccountHost: dynamic
AstAccountQualify: yes
AstAccountNAT: no
AstAccountType: friend
AstAccountLanguage: ru
AstAccountIPAddress: 172.17.0.39
AstAccountPort: 46252
AstAccountExpirationTimestamp: 1315903024
AstAccountDefaultUser: gawriloff
AstAccountUserAgent: eyeBeam release 1100l stamp 46320
gecos: sip:gawriloff@172.17.0.39:46252;rinstance=741634e136d663fb
AstAccountRegistrationServer: voip-tmp
AstAccountLastQualifyMilliseconds: 265
{noformat}
CLI output:
{noformat}
voip-tmp*CLI> sip show peer gawriloff
* Name : gawriloff
Realtime peer: Yes, cached
Secret : <Not set>
MD5Secret : <Set>
Remote Secret: <Not set>
Context : default
Subscr.Cont. : <Not set>
Language :
AMA flags : Unknown
Transfer mode: open
CallingPres : Presentation Allowed, Not Screened
Callgroup :
Pickupgroup :
MOH Suggest :
Mailbox :
VM Extension : asterisk
LastMsgsSent : 32767/65535
Call limit : 0
Max forwards : 0
Dynamic : Yes
Callerid : "Oleg Gawriloff" <528>
MaxCallBR : 384 kbps
Expire : 3455
Insecure : no
Force rport : No
ACL : No
DirectMedACL : No
T.38 support : No
T.38 EC mode : Unknown
T.38 MaxDtgrm: -1
DirectMedia : Yes
PromiscRedir : No
User=Phone : No
Video Support: Yes
Text Support : No
Ign SDP ver : No
Trust RPID : No
Send RPID : No
Subscriptions: Yes
Overlap dial : No
DTMFmode : rfc2833
Timer T1 : 500
Timer B : 32000
ToHost : vulture4.telecom.by <--- this is the last host attribute from LDAP
Addr->IP : 172.17.0.39:46252
Defaddr->IP : (null)
Prim.Transp. : UDP
Allowed.Trsp : UDP
Reg. exten :
Def. Username: gawriloff
SIP Options : (none)
Codecs : 0x4 (ulaw)
Codec Order : (ulaw:20)
Auto-Framing : No
100 on REG : No
Status : OK (10 ms)
Useragent : eyeBeam release 1100l stamp 46320
Reg. Contact : sip:gawriloff@172.17.0.39:46252;rinstance=741634e136d663fb
Qualify Freq : 60000 ms
Sess-Timers : Accept
Sess-Refresh : uas
Sess-Expires : 1800 secs
Min-Sess : 90 secs
RTP Engine : asterisk
Parkinglot :
Use Reason : No
Encryption : No
{noformat}
> improper use of host LDAP attribute value as ToHost sip client value
> --------------------------------------------------------------------
>
> Key: ASTERISK-18530
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-18530
> Project: Asterisk
> Issue Type: Bug
> Security Level: None
> Components: Resources/res_config_ldap
> Reporter: Oleg Gawriloff
> Assignee: Oleg Gawriloff
> Attachments: asterisk-debug.txt, ldap-server-output.txt
>
>
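The collision the report describes, as an added example that is not code from the Asterisk project or from the reporter: a Python script that parses a condensed LDIF entry built from the report's data, applies the res_ldap.conf [sip] mapping the way the report says res_config_ldap behaves (mapped attributes renamed to their realtime field, unmapped attributes passed through under their raw LDAP name), and flags every intended realtime field that an unmapped attribute also feeds. The DN, the reduced mapping and the wrapped AstAccountUserAgent line are assumptions made for the example; the givenName value is the base64 value from the report.

```python
"""Flag LDAP attributes that shadow Asterisk realtime peer fields.

Added example; not code from the Asterisk project or from the reporter.
It models the behaviour the report describes: res_config_ldap hands every
attribute of the matched entry to the realtime layer, renaming mapped
attributes to their res_ldap.conf field and passing unmapped ones through
under their raw LDAP name.  The raw 'host' attribute from the hostObject
class therefore lands on the same realtime key as the mapped AstAccountHost.
"""
import base64
from collections import defaultdict

# Subset of the report's res_ldap.conf [sip] section: realtime field -> LDAP attribute.
RES_LDAP_SIP_MAP = {
    "name": "uid",
    "host": "AstAccountHost",
    "ipaddr": "AstAccountIPAddress",
    "port": "AstAccountPort",
    "type": "AstAccountType",
    "md5secret": "AstAccountRealmedPassword",
    "fullcontact": "gecos",
    "useragent": "AstAccountUserAgent",
}

# Constructed LDIF entry condensed from the report.  The DN is an assumption
# (the original is base64-encoded Cyrillic); the wrapped useragent line is
# added to exercise RFC 2849 continuation handling.
SAMPLE_LDIF = """\
dn: uid=gawriloff,ou=people,dc=telecom,dc=by
objectClass: hostObject
objectClass: AsteriskSIPUser
uid: gawriloff
givenName:: 0J7Qu9C10LM=
host: albatros2.telecom.by
host: vulture4.telecom.by
AstAccountHost: dynamic
AstAccountIPAddress: 172.17.0.39
AstAccountPort: 46252
AstAccountType: friend
AstAccountUserAgent: eyeBeam release 1100l stamp 4
 6320
gecos: sip:gawriloff@172.17.0.39:46252;rinstance=741634e136d663fb
"""


def parse_ldif(text):
    """Parse one LDIF entry into (attribute, value) pairs in entry order.

    Handles '::' base64 values and continuation lines (a line starting with
    a single space continues the previous one).
    """
    logical = []
    for line in text.splitlines():
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]
        elif line.strip() and not line.startswith("#"):
            logical.append(line)
    pairs = []
    for line in logical:
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        pairs.append((attr.strip(), value))
    return pairs


def to_realtime_vars(pairs, mapping):
    """Convert LDAP pairs to (field, value, source) triples, order kept.

    A mapped attribute is renamed to its realtime field; an unmapped one
    keeps its raw name.  'dn' and 'objectClass' are not peer options.
    """
    ldap_to_field = {attr.lower(): field for field, attr in mapping.items()}
    out = []
    for attr, value in pairs:
        if attr.lower() in ("dn", "objectclass"):
            continue
        field = ldap_to_field.get(attr.lower())
        out.append((attr, value, "raw") if field is None else (field, value, "mapped"))
    return out


def find_shadowed_fields(realtime_vars, known_fields):
    """Return {field: [values in order]} for every intended realtime field
    that also receives a value from an unmapped (raw) LDAP attribute."""
    known = {f.lower() for f in known_fields}
    by_field = defaultdict(list)
    for field, value, source in realtime_vars:
        by_field[field.lower()].append((value, source))
    return {
        f: [v for v, _ in entries]
        for f, entries in by_field.items()
        if f in known and any(src == "raw" for _, src in entries)
    }


def audit_entry(ldif_text, mapping=RES_LDAP_SIP_MAP):
    """Run the whole check on one LDIF entry."""
    pairs = parse_ldif(ldif_text)
    return find_shadowed_fields(to_realtime_vars(pairs, mapping), mapping.keys())


if __name__ == "__main__":
    for field, values in audit_entry(SAMPLE_LDIF).items():
        print(f"realtime field '{field}' is fed by an unmapped attribute: {values}")
```

For the sample entry the script reports `host` receiving `albatros2.telecom.by`, `vulture4.telecom.by` and `dynamic`, which is the condition behind the ToHost value in the CLI output above. Against a live directory the same check starts from what the server actually returns for the bind DN in res_ldap.conf, for example `ldapsearch -x -H ldap://ldap.telecom.by -D "cn=Asterisk,ou=people,dc=telecom,dc=by" -W -b dc=telecom,dc=by "(uid=gawriloff)"` (standard OpenLDAP client flags; the host and DN are the report's). The practical caveat is that any attribute on the entry whose name chan_sip understands as a peer option becomes a peer setting, whichever object class contributed it, so attribute names of co-located object classes must stay disjoint from the Asterisk option names, or the SIP peer data must live in its own entry.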
--
This message was sent by Atlassian JIRA
(v6.2#6252)