[asterisk-bugs] [JIRA] (ASTERISK-18530) improper use of host LDAP attribute value as ToHost sip client value
Sean Bright (JIRA)
noreply at issues.asterisk.org
Fri Feb 17 14:24:10 CST 2017
[ https://issues.asterisk.org/jira/browse/ASTERISK-18530?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=182240#comment-182240 ]
Sean Bright edited comment on ASTERISK-18530 at 2/17/17 2:23 PM:
-----------------------------------------------------------------
With the static configuration (not using LDAP at all) we have the following in sip.conf:
{noformat}
[gawriloff]
qualify=yes
callerid="Oleg Gawriloff" <528>
nat=no
dtmfmode=rfc2833
context=default
type=friend
md5secret=<some hash>
host=dynamic
{noformat}
In this case the ToHost field is not filled, as intended:
{noformat}
voip-tmp*CLI> sip show peer gawriloff
* Name : gawriloff
Secret : <Not set>
MD5Secret : <Set>
Remote Secret: <Not set>
Context : default
Subscr.Cont. : <Not set>
Language :
AMA flags : Unknown
Transfer mode: open
CallingPres : Presentation Allowed, Not Screened
Callgroup :
Pickupgroup :
MOH Suggest :
Mailbox :
VM Extension : asterisk
LastMsgsSent : 32767/65535
Call limit : 0
Max forwards : 0
Dynamic : Yes
Callerid : "Oleg Gawriloff" <528>
MaxCallBR : 384 kbps
Expire : 3592
Insecure : no
Force rport : No
ACL : No
DirectMedACL : No
T.38 support : No
T.38 EC mode : Unknown
T.38 MaxDtgrm: -1
DirectMedia : Yes
PromiscRedir : No
User=Phone : No
Video Support: Yes
Text Support : No
Ign SDP ver : No
Trust RPID : No
Send RPID : No
Subscriptions: Yes
Overlap dial : No
DTMFmode : rfc2833
Timer T1 : 500
Timer B : 32000
ToHost :
Addr->IP : 172.17.0.39:37736
Defaddr->IP : (null)
Prim.Transp. : UDP
Allowed.Trsp : UDP
Reg. exten :
Def. Username: gawriloff
SIP Options : (none)
Codecs : 0x4 (ulaw)
Codec Order : (ulaw:20)
Auto-Framing : No
100 on REG : No
Status : OK (4 ms)
Useragent : eyeBeam release 1100l stamp 46320
Reg. Contact : sip:gawriloff at 172.17.0.39:37736;rinstance=ab27b6487aba063d
Qualify Freq : 60000 ms
Sess-Timers : Accept
Sess-Refresh : uas
Sess-Expires : 1800 secs
Min-Sess : 90 secs
RTP Engine : asterisk
Parkinglot :
Use Reason : No
Encryption : No
{noformat}
Regarding the host field in the LDAP server: yes, for this user this field is filled multiple times in the LDAP database and is used in LDAP PAM authorization control (as described here: https://help.ubuntu.com/community/LDAPClientAuthentication#pam_check_host_attr_.28limited.29).
As far as I understand, in res_ldap.conf it is somehow used twice:
the first time properly, as configured in res_ldap.conf (host = AstAccountHost), so that Dynamic=Yes is used and ipaddr = AstAccountIPAddress is filled during client auth;
and the second time by reading the host LDAP attribute and filling ToHost, although there are no attempts to write this value to the LDAP server.
I've attached my LDAP server output as ldap-server-output.txt.
was (Author: barzog):
> improper use of host LDAP attribute value as ToHost sip client value
> --------------------------------------------------------------------
>
> Key: ASTERISK-18530
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-18530
> Project: Asterisk
> Issue Type: Bug
> Security Level: None
> Components: Resources/res_config_ldap
> Reporter: Oleg Gawriloff
> Assignee: Oleg Gawriloff
> Attachments: asterisk-debug.txt, ldap-server-output.txt
>
>
> On our LDAP setup the user object in the LDAP tree belongs to the hostObject (used in our server authorization) and AsteriskSIPUsers object classes.
> When Asterisk gets user information from LDAP it fills ToHost with the value of the last host attribute, and after 'sip reload' and 'sip show peer gawriloff load' it requests this host instead of AstAccountIPAddress. There is no mention of the host attribute in any Asterisk docs. Any suggestions?
> res_ldap.conf:
> {noformat}
> [_general]
> host=ldap.telecom.by
> protocol=3
> port=389
> basedn=dc=telecom,dc=by
> user=cn=Asterisk,ou=people,dc=telecom,dc=by
> pass=<somepass>
> [sip]
> name = uid
> ;name = AstAccountName
> amaflags = AstAccountAMAFlags
> callgroup = AstAccountCallGroup
> callerid = AstAccountCallerID
> directmedia = AstAccountDirectMedia
> context = AstAccountContext
> dtmfmode = AstAccountDTMFMode
> fromuser = AstAccountFromUser
> fromdomain = AstAccountFromDomain
> fullcontact = gecos
> host = AstAccountHost
> insecure = AstAccountInsecure
> mailbox = AstAccountMailbox
> md5secret = AstAccountRealmedPassword
> nat = AstAccountNAT
> deny = AstAccountDeny
> permit = AstAccountPermit
> pickupgroup = AstAccountPickupGroup
> port = AstAccountPort
> qualify = AstAccountQualify
> restrictcid = AstAccountRestrictCID
> rtptimeout = AstAccountRTPTimeout
> rtpholdtimeout = AstAccountRTPHoldTimeout
> type = AstAccountType
> disallow = AstAccountDisallowedCodec
> allow = AstAccountAllowedCodec
> MusicOnHold = AstAccountMusicOnHold
> regseconds = AstAccountExpirationTimestamp
> regcontext = AstAccountRegistrationContext
> regexten = AstAccountRegistrationExten
> CanCallForward = AstAccountCanCallForward
> ipaddr = AstAccountIPAddress
> defaultuser = AstAccountDefaultUser
> regserver = AstAccountRegistrationServer
> lastms = AstAccountLastQualifyMilliseconds
> useragent = AstAccountUserAgent
> additionalFilter=(objectClass=AsteriskSIPUser)
> {noformat}
> extconfig:
> {noformat}
> [settings]
> sipusers => ldap,"dc=telecom,dc=by",sip
> sippeers => ldap,"dc=telecom,dc=by",sip
> {noformat}
> LDAP data:
> {noformat}
> dn:: Y249w+Di8Ojr7uIgzuvl4yxvdT3E5e/g8PLg7OXt8iD96vHv6/Pg8uD26Ogsb3U9zOjt8eosZGM
> 9dGVsZWNvbSxkYz1ieQ==
> givenName:: 0J7Qu9C10LM=
> sn:: 0JPQsNCy0YDQuNC70L7Qsg==
> initials:: 0J7Qu9C10LPQvtCy0LjRhw==
> displayName:: 0J7Qu9C10LMg0JPQsNCy0YDQuNC70L7Qsg==
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: hostObject
> objectClass: shadowAccount
> objectClass: ldapPublicKey
> objectClass: AsteriskSIPUser
> cn:: 0JPQsNCy0YDQuNC70L7QsiDQntC70LXQsw==
> uid: gawriloff
> preferredLanguage: ru
> host: albatros2.telecom.by
> host: vulture4.telecom.by
> AstAccountContext: default
> AstAccountCanReinvite: no
> AstAccountCallerID: "Oleg Gawriloff" <528>
> AstAccountRealmedPassword: <somepassword>
> AstContext: default
> AstPriority: 1
> AstApplication: Dial
> AstApplicationData: SIP/gawriloff
> AstExtension: 528
> AstAccountDTMFMode: rfc2833
> AstAccountHost: dynamic
> AstAccountQualify: yes
> AstAccountNAT: no
> AstAccountType: friend
> AstAccountLanguage: ru
> AstAccountIPAddress: 172.17.0.39
> AstAccountPort: 46252
> AstAccountExpirationTimestamp: 1315903024
> AstAccountDefaultUser: gawriloff
> AstAccountUserAgent: eyeBeam release 1100l stamp 46320
> gecos: sip:gawriloff at 172.17.0.39:46252;rinstance=741634e136d663fb
> AstAccountRegistrationServer: voip-tmp
> AstAccountLastQualifyMilliseconds: 265
> {noformat}
> CLI output:
> {noformat}
> voip-tmp*CLI> sip show peer gawriloff
> * Name : gawriloff
> Realtime peer: Yes, cached
> Secret : <Not set>
> MD5Secret : <Set>
> Remote Secret: <Not set>
> Context : default
> Subscr.Cont. : <Not set>
> Language :
> AMA flags : Unknown
> Transfer mode: open
> CallingPres : Presentation Allowed, Not Screened
> Callgroup :
> Pickupgroup :
> MOH Suggest :
> Mailbox :
> VM Extension : asterisk
> LastMsgsSent : 32767/65535
> Call limit : 0
> Max forwards : 0
> Dynamic : Yes
> Callerid : "Oleg Gawriloff" <528>
> MaxCallBR : 384 kbps
> Expire : 3455
> Insecure : no
> Force rport : No
> ACL : No
> DirectMedACL : No
> T.38 support : No
> T.38 EC mode : Unknown
> T.38 MaxDtgrm: -1
> DirectMedia : Yes
> PromiscRedir : No
> User=Phone : No
> Video Support: Yes
> Text Support : No
> Ign SDP ver : No
> Trust RPID : No
> Send RPID : No
> Subscriptions: Yes
> Overlap dial : No
> DTMFmode : rfc2833
> Timer T1 : 500
> Timer B : 32000
> ToHost : vulture4.telecom.by <--- this is last host attribute from LDAP
> Addr->IP : 172.17.0.39:46252
> Defaddr->IP : (null)
> Prim.Transp. : UDP
> Allowed.Trsp : UDP
> Reg. exten :
> Def. Username: gawriloff
> SIP Options : (none)
> Codecs : 0x4 (ulaw)
> Codec Order : (ulaw:20)
> Auto-Framing : No
> 100 on REG : No
> Status : OK (10 ms)
> Useragent : eyeBeam release 1100l stamp 46320
> Reg. Contact : sip:gawriloff at 172.17.0.39:46252;rinstance=741634e136d663fb
> Qualify Freq : 60000 ms
> Sess-Timers : Accept
> Sess-Refresh : uas
> Sess-Expires : 1800 secs
> Min-Sess : 90 secs
> RTP Engine : asterisk
> Parkinglot :
> Use Reason : No
> Encryption : No
> {noformat}
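As an added illustration (not Asterisk's own code and not from the reporter), the following Python model reproduces the behaviour the issue describes: the realtime layer passes every value of an unmapped LDAP attribute through under its raw name, so the hostObject `host` values land on the sip.conf `host` option, and the last one ends up in ToHost while `AstAccountHost: dynamic` still yields Dynamic: Yes. The flattening and peer-build rules are assumptions chosen to match the CLI output in the report; `shadowed_keys` is an added check an operator can run over an LDIF export to find attributes that collide with config keys before they reach chan_sip.

```python
# Added example (not Asterisk's code); the docstrings say what is assumed.

# res_ldap.conf [sip] mapping from the report, trimmed to the keys used here.
SIP_MAPPING = {"name": "uid", "host": "AstAccountHost",
               "ipaddr": "AstAccountIPAddress", "type": "AstAccountType"}

# Constructed LDIF fragment with the same attribute order as the report's entry.
LDIF = """\
uid: gawriloff
objectClass: hostObject
objectClass: AsteriskSIPUser
host: albatros2.telecom.by
host: vulture4.telecom.by
AstAccountHost: dynamic
AstAccountType: friend
AstAccountIPAddress: 172.17.0.39
"""

def parse_ldif(text):
    """Entry as an ordered list of (attribute, value); multi-valued attributes repeat."""
    return [tuple(p.strip() for p in line.split(":", 1))
            for line in text.splitlines() if ":" in line]

def entry_to_vars(pairs, mapping):
    """Assumed realtime flattening: a mapped attribute gets its config key name, an
    unmapped one keeps its raw LDAP name, and every value becomes one variable."""
    reverse = {ldap_attr: key for key, ldap_attr in mapping.items()}
    return [(reverse.get(attr, attr), value) for attr, value in pairs]

def build_peer(variables):
    """Simplified peer build that reproduces the report's CLI output: the last
    'host' value decides Dynamic, the last non-dynamic 'host' value sets ToHost."""
    peer = {"dynamic": False, "tohost": ""}
    for key, value in variables:
        if key == "host":
            peer["dynamic"] = value == "dynamic"
            if value != "dynamic":
                peer["tohost"] = value
    return peer

def shadowed_keys(pairs, mapping):
    """Defensive check: raw attributes that are not the mapped source of a config key
    but share its name (case-insensitive), so realtime would read them as that key."""
    mapped = {a.lower() for a in mapping.values()}
    return sorted({attr for attr, _ in pairs
                   if attr.lower() in mapping and attr.lower() not in mapped})

if __name__ == "__main__":
    pairs = parse_ldif(LDIF)
    print(build_peer(entry_to_vars(pairs, SIP_MAPPING)), shadowed_keys(pairs, SIP_MAPPING))
```

Running it prints Dynamic as True with ToHost set to vulture4.telecom.by, the same combination the `sip show peer` output above shows, and flags `host` as the colliding attribute.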
--
This message was sent by Atlassian JIRA
(v6.2#6252)