Hi I found some 'unexpected' behaviour with SQLPasswordAuth in 2.0.9 - maybe someone knows if i did some misconfiguration or if it's a bug? Here's what i did: I have (parent) gatekeeper (2.0.9) (signaling mode) (routing done by an external application) that works fine so far. Now i set up another gatekeeper (2.0.9) (full proxy mode) and registered it to the parent as endpoint typ terminal. [Endpoint] Gatekeeper= xxx.xxx.xxx.xxx Type=Terminal H323ID=abcdefg Password=aaa TimeToLive=900 RRQRetryInterval=30 ARQTimeout=10 UnregisterOnReload=1 Registration works fine and call routing from parent to child gk works too. But when i try to set up a call from the child to the parent the ARQ gets rejected on the parent with reason security denial. A debug trc 5 shows the following: 2005/04/17 17:22:22.332 1 RasSrv.cxx(1653) GK ARQ Received 2005/04/17 17:22:22.332 5 gksql.cxx(326) SQLPasswordAuth Executing query: SELECT H235Password FROM subscribers WHERE H323ID = 'abcdefg' 2005/04/17 17:22:22.332 5 gksql.cxx(326) SQLPasswordAuth Executing query: SELECT H235Password FROM subscribers WHERE H323ID = '2527_gkfi' 2005/04/17 17:22:22.332 4 sqlauth.cxx(482) SQLPasswordAuth Password not found for alias '2527_gkfi' 2005/04/17 17:22:22.332 5 gksql.cxx(326) SQLPasswordAuth Executing query: SELECT H235Password FROM subscribers WHERE H323ID = '123456789' 2005/04/17 17:22:22.332 4 sqlauth.cxx(482) SQLPasswordAuth Password not found for alias '123456789' 2005/04/17 17:22:22.332 3 gkauth.cxx(1710) GKAUTH SQLPasswordAuth password not found for '123456789' 2005/04/17 17:22:22.332 3 gkauth.cxx(1243) GKAUTH SQLPasswordAuth ARQ check failed 2005/04/17 17:22:22.332 2 RasSrv.cxx(1924) ARJ|62.167.xxx.xxx:1720|99999999:dialedDigits|123456789:dialedDigits|false|s ecurityDenial; The parent gk first looks up the H323ID (alias) in the DB. There is no "result"; could the gk find a password or not? If you look at the two following lookups for the EndpointId and the E164Number which both fails. What happend to the first lookup? It should have passed the password test, since I'm sure the H323ID and password are correct and this is already proven by the fact that the child gk could actually register with the parent using the same username/password. So this check should succeed and there is no need to lookup with the EndpointId or caller phonenumber (which is IMHO a security issue - caller phonenumbers should only be used for authentication in a RRQ but not in an ARQ). This only happens in that specific situation with child gk/parent gk. If an ARQ from an Endpoint that is directly registered with the parent gk is received, only H323Id/password is checked and the check succeeds, so an ACF is issued. Anyone has an idea what happend here? Bug or configuration issue? Thanks a lot for your help in advance! Greetings Frank ------------------------------------------------------- SF email is sponsored by - The IT Product Guide Read honest & candid reviews on hundreds of IT Products from real users. Discover which products truly live up to the hype. Start reading now. http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click _______________________________________________________ Posting: mailto:Openh323gk-users@xxxxxxxxxxxxxxxxxxxxx Archive: http://sourceforge.net/mailarchive/forum.php?forum_id=8549 Unsubscribe: http://lists.sourceforge.net/lists/listinfo/openh323gk-users Homepage: http://www.gnugk.org/
