OpenSIPS DB-Authentication with Multi-Domain Support
Starting from the basics, I'm going to show how to take the factory-default opensips.cfg file and make it use a MySQL DB to authenticate every incoming SIP REGISTER attempt. Without any changes, the default file will successfully register any user with any password, which in most cases is obviously not what you want.
Open up the opensips.cfg file:
root@Osips-SBC:~# vim /etc/opensips/opensips.cfg
Start by enabling the required modules.
Uncomment (remove the #) this line to load the MySQL DB connector module
#loadmodule "db_mysql.so"
Uncomment these modules to load the authentication mechanism
#loadmodule "auth.so"
#loadmodule "auth_db.so"
#loadmodule "alias_db.so"
Uncomment the domain module to enable multi-domain support
#loadmodule "domain.so"
Enable the presence modules
#loadmodule "presence.so"
#loadmodule "presence_xml.so"
Set "usrloc" module parameters to save the SIP user-locations into MySQL DB persistently.
#modparam("usrloc", "db_mode", 2)
#modparam("usrloc", "db_url",
# "mysql://opensips:opensipsrw@localhost/opensips")
Set the auth_db module parameters to point to the desired database.
#modparam("auth_db", "calculate_ha1", yes)
#modparam("auth_db", "password_column", "password")
#modparam("auth_db", "db_url",
# "mysql://opensips:opensipsrw@localhost/opensips")
#modparam("auth_db", "load_credentials", "")
Uncomment the DB parameters of the alias_db module
#modparam("alias_db", "db_url",
# "mysql://opensips:opensipsrw@localhost/opensips")
Uncomment DB parameters of Domain module
#modparam("domain", "db_url",
# "mysql://opensips:opensipsrw@localhost/opensips")
#modparam("domain", "db_mode", 1) # Use caching
Enable modules to differentiate between different domains.
#modparam("auth_db|usrloc|uri", "use_domain", 1)
Set presence modules parameters.
#modparam("presence|presence_xml", "db_url",
# "mysql://opensips:opensipsrw@localhost/opensips")
#modparam("presence_xml", "force_active", 1)
#modparam("presence", "server_address", "sip:192.168.30.3:5060")
Now, in the main route, uncomment the following code blocks so that whenever a REGISTER request arrives its credentials are verified against the DB. If you leave these blocks commented out, any SIP REGISTER request will succeed without any verification.
This first block authenticates every incoming method except REGISTER, which is useful in case an undefined user (an attacker) tries to make calls through your SIP proxy.
##if (!(method=="REGISTER") && is_from_local()) /*multidomain version*/
##{
## if (!proxy_authorize("", "subscriber")) {
## proxy_challenge("", "0");
## exit;
## }
## if (!db_check_from()) {
## sl_send_reply("403","Forbidden auth ID");
## exit;
## }
##
## consume_credentials();
## # caller authenticated
##}
NOTE: Don't uncomment the "# caller authenticated" line.
And this block needs to be uncommented to authenticate REGISTER requests.
##if (!www_authorize("", "subscriber"))
##{
## www_challenge("", "0");
## exit;
##}
##
##if (!db_check_to())
##{
## sl_send_reply("403","Forbidden auth ID");
## exit;
##}
Once done, save and exit. Optionally, it is always good to add a few extra log lines to see what is going on inside your OpenSIPS. Log lines are important for debugging and troubleshooting the configuration file.
xlog("L_NOTICE","[$pr:$fU@$si:$sp]: Processing '$rm' \n");
Put this line just before the if conditions we uncommented above, then save the file.
The next thing is to define SIP users in the OpenSIPS DB.
For this, first edit the following file.
root@Osips-SBC:~# vim /etc/opensips/opensipsctlrc
Set the SIP DOMAIN and OpenSIPS Database Username/Password.
## your SIP domain
SIP_DOMAIN=192.168.30.3
This will be default domain used if no domain at user definition time is given.
## database read/write user
DBRWUSER=opensips
## password for database read/write user
DBRWPW="opensipsrw"
Save and Exit
Add domains to be used by opensips
root@Osips-SBC:~# mysql -uopensips -popensipsrw opensips
mysql> insert into domain(domain,last_modified) VALUES ("192.16.30.3", now());
mysql> insert into domain(domain,last_modified) VALUES ("saevolgo.com", now());
Restart OpenSIPS
root@Osips-SBC:~# /etc/init.d/opensips restart
Now add SIP users.
root@Osips-SBC:~# opensipsctl add 10022 pass10022word
new user '10022' added
root@Osips-SBC:~# opensipsctl add 10022@bestquality.vn passw0rd
new user '10022@bestquality.vn' added
Now try registering both users, changing the realm and password for each, and make sure that the 10022 user defined for realm "bestquality.vn" works only with its defined password "passw0rd" and not with "pass10022word".
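Why that final check should come out this way, as an added example that is not part of the original post or of OpenSIPS itself: with calculate_ha1 enabled and use_domain set to 1, the expected digest is derived from username, realm and the stored plaintext password, and the subscriber lookup is keyed on username plus domain. The SUBSCRIBER dictionary, the nonce, the request URI, the use of 192.168.30.3 as the default domain of the first user, and the qop-less RFC 2617 response are assumptions made for this sketch.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def ha1(username, realm, password):
    # What calculate_ha1 derives from the plaintext password column.
    return md5_hex(f"{username}:{realm}:{password}")

def digest_response(username, realm, password, nonce, method, uri):
    # RFC 2617 response without qop: MD5(HA1:nonce:HA2), HA2 = MD5(method:uri).
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1(username, realm, password)}:{nonce}:{ha2}")

# Constructed stand-in for the subscriber table: (username, domain) -> password.
SUBSCRIBER = {
    ("10022", "192.168.30.3"): "pass10022word",   # added with the default SIP_DOMAIN
    ("10022", "bestquality.vn"): "passw0rd",
}

def authorize(username, realm, nonce, method, uri, response):
    # With use_domain=1 the row is selected by username AND domain,
    # so the same username in another domain is a different account.
    password = SUBSCRIBER.get((username, realm))
    if password is None:
        return False
    expected = digest_response(username, realm, password, nonce, method, uri)
    return hmac.compare_digest(expected, response)

NONCE = "constructed-nonce-0001"  # constructed sample value

def try_register(username, realm, password):
    # Client side: answer the challenge; server side: check it against the DB.
    uri = f"sip:{realm}"
    response = digest_response(username, realm, password, NONCE, "REGISTER", uri)
    return authorize(username, realm, NONCE, "REGISTER", uri, response)

if __name__ == "__main__":
    for realm in ("192.168.30.3", "bestquality.vn"):
        for pw in ("pass10022word", "passw0rd"):
            print(f"10022@{realm} with {pw}: {try_register('10022', realm, pw)}")
```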