auth.sgml

H.323网守实现

sigip:192.168.242.165:1720
</verb></tscreen>

<item><tt/allow/ - always accept the alias.

<item><tt/deny/ - always reject the alias.

</itemize>

<sect1>Section &lsqb;SQLAliasAuth&rsqb;
<label id="sqlaliasauth">
<p>
Authenticate endpoints using rules stored in the SQL database
(the rules conform to the format defined in the <ref id="rrqauth" name="[RasSrv::RRQAuth]"> section). 
This section defines SQL driver to use, SQL database connection parameters 
and the query to use to retrieve the patterns.

<itemize>
<item><tt/Driver=MySQL | PostgreSQL/<newline>
Default: N/A
<p>
SQL database driver to use. Currently, <tt/MySQL/ and <tt/PostgreSQL/ drivers
are implemented.

<item><tt/Host=DNS[:PORT] | IP[:PORT]/<newline>
Default: <tt/localhost/
<p>
SQL server host address. Can be in the form of <tt/DNS[:PORT]/ or <tt/IP[:PORT]/.
Like <tt/sql.mycompany.com/ or <tt/sql.mycompany.com:3306/ or <tt/192.168.3.100/.

<item><tt/Database=billing/<newline>
Default: <tt/billing/
<p>
The database name to connect to.

<item><tt/Username=gnugk/<newline>
<p>
The username used to connect to the database.

<item><tt/Password=secret/<newline>
<p>
The password used to connect to the database.
If the password is not specified, a database connection attempt 
without any password will be made.
If <tt/EncryptAllPasswords/ is enabled, or a <tt/KeyFilled/ variable is defined
in this section, the password is in encrypted form and should be created using
the <tt/addpasswd/ utility.

<item><tt/CacheTimeout=120/<newline>
Default: <tt/0/
<p>
This field defines how long (alias;authrule) pairs retrieved from the database 
will be cached in the local memory. The cache timeout value is expressed in seconds.
<tt/0/ means to not cache rules, while a negative value
means the cache never expires (only <tt/reload/ command will refresh the cache).

<item><tt/MinPoolSize=5/<newline>
Default: <tt/1/
<p>
Define the number of active SQL connections. This allows better peformance
under heave load, because more than 1 concurrent query can be executed 
at the same time. <tt/MinPoolSize=1/ setting simulates old behaviour, 
when access to the SQL database is serialized (one query at time).

<item><tt/Query=SELECT .../<newline>
Default: <tt>N/A</tt>
<p>
Defines SQL query used to retrieve alias rule from the database. The query
is parametrized - that means parameter replacement is made before each query
is executed. Parameter placeholders are denoted by <bf/%1/, <bf/%2/, ... strings.
Specify %% to embed a percent character before a digit into string (like <bf/%%1/),
specify <bf/%{1}/ to allow expansion inside complex expressions like <bf/%{1}123/.
For <tt/SQLAliasAuth/ two parameters are defined:
<itemize>
<item><tt/%1/ - the actual alias to query the rule for
<item><tt/%2/ - the gatekeeper identifier
</itemize>
<p>
Sample query strings:
<tscreen><verb>
SELECT authrule FROM users WHERE alias = '%1' AND active
SELECT 'sigip:' || host(ip) || port FROM users WHERE alias = '%1'
</verb></tscreen>

</itemize>

<sect1>Section &lsqb;SQLAuth&rsqb;
<label id="sqlauth">
<p>
Authenticate and authorize endpoints/calls using an SQL database.
Support for RRQ, ARQ, LRQ and Setup events is provided.

<itemize>
<item><tt/Driver=MySQL | PostgreSQL/<newline>
Default: N/A
<p>
SQL database driver to use. Currently, <tt/MySQL/ and <tt/PostgreSQL/ drivers
are implemented.

<item><tt/Host=DNS[:PORT] | IP[:PORT]/<newline>
Default: <tt/localhost/
<p>
SQL server host address. Can be in the form of <tt/DNS[:PORT]/ or <tt/IP[:PORT]/.
Like <tt/sql.mycompany.com/ or <tt/sql.mycompany.com:3306/ or <tt/192.168.3.100/.

<item><tt/Database=billing/<newline>
Default: <tt/billing/
<p>
The database name to connect to.

<item><tt/Username=gnugk/<newline>
<p>
The username used to connect to the database.

<item><tt/Password=secret/<newline>
<p>
The password used to connect to the database.
If the password is not specified, a database connection attempt 
without any password will be made.
If <tt/EncryptAllPasswords/ is enabled, or a <tt/KeyFilled/ variable is defined
in this section, the password is in encrypted form and should be created using
the <tt/addpasswd/ utility.

<item><tt/MinPoolSize=5/<newline>
Default: <tt/1/
<p>
Define the number of active SQL connections. This allows better peformance
under heave load, because more than 1 concurrent query can be executed 
at the same time. <tt/MinPoolSize=1/ setting simulates old behaviour, 
when access to the SQL database is serialized (one query at time).

<item><tt/RegQuery=SELECT .../<newline>
Default: <tt>N/A</tt>
<p>
Define an SQL qeury to be used to perform authentication and authorization
of endpoint registrations. The query is parametrized - that means parameter
replacement is made before each query is executed. The following parameters are defined:
<itemize>
<item><tt/%g/ - the gatekeeper identifier
<item><tt/%{gkip}/ - a gatekeeper IP the request has been received on
<item><tt/%u/ - username associated with an endpoint (usually an H.323 ID)
<item><tt/%{callerip}/ - caller's IP (the request has been received from - NAT IP for natted endpoints)
<item><tt/%{aliases}/ - a comma separated list of endpoint aliases
</itemize>
<p>
If the query returns no rows, the result is undefined, which basically
means failure for <tt/required/ rules and "try next" for optional rules.
Otherwise, the first result row is examined to determine authentication
result and get additional information:
<enum>
<item>The first column is converted into a boolean value (1, T, TRUE, allow, y, yes means true)
      and is an authentication result (accept/reject).
<item>If the registration is authenticated successfully, remaining columns 
      are examined:
<enum>
	<item>If there exists a column called <tt/'aliases'/, replace original endpoint
		aliases with these new ones
	<item>If there exists a column called <tt/'billingmode'/, set a billing mode
		associated with the endpoint (0 - credit, <>0 - debit)
	<item>If there exists a column called <tt/'creditamount'/, set account balance
		associated with the endpoint (this is an arbitrary string)
</enum>
</enum>
<p>
Query string examples:
<tscreen><verb>
SELECT 1, 0 AS billingmode, '12.00 USD' AS creditamount
SELECT NOT disabled, assignaliases AS aliases, balance FROM users WHERE h323id = '%u'
SELECT * FROM get_registration_auth('%g', '%u', '%{callerip}', '%{aliases}') AS result(accept, aliases, billingmode, creditamount)
</verb></tscreen>

<item><tt/NbQuery=SELECT .../<newline>
Default: <tt>N/A</tt>
<p>
Define an SQL qeury to be used to perform authentication and authorization
of location requests sent from neighbors. The query is parametrized - that means parameter
replacement is made before each query is executed. The following parameters are defined:
<itemize>
<item><tt/%g/ - the gatekeeper identifier
<item><tt/%{gkip}/ - a gatekeeper IP the request has been received on
<item><tt/%{nbid/ - neighbor identifier from the config
<item><tt/%{nbip}/ - neighbor IP (the request has been received from)
<item><tt/%{Calling-Station-Id}/ - caller's number, if available
<item><tt/%{src-info}/ - content of sourceInfo LRQ field, if available
<item><tt/%{Called-Station-Id}/ - destination number
<item><tt/%{dest-info}/ - content of destinationInfo LRQ field
<item><tt/%{bandwidth}/ - requested bandwidth, if present in the LRQ
</itemize>
<p>
If the query returns no rows, the result is undefined, which basically
means failure for <tt/required/ rules and "try next" for optional rules.
Otherwise, the first result row is examined to determine authentication
result and get additional information:
<enum>
<item>The first column is converted into a boolean value (1, T, TRUE, allow, y, yes means true)
      and is an authentication result (accept/reject).
<item>If the request is authenticated successfully, remaining columns 
      are examined:
<enum>
	<item>If there exists a column called <tt/'destination'/, populate the original
		destinationInfo field with these new aliases - this may affect routing
		decision, which is made after auth step
</enum>
</enum>
<p>
Query string examples:
<tscreen><verb>
SELECT active FROM neighbors WHERE name = '%{nbid}' AND ip = '%{nbip}' UNION SELECT 0
</verb></tscreen>

<item><tt/CallQuery=SELECT .../<newline>
Default: <tt>N/A</tt>
<p>
Define an SQL qeury to be used to perform authentication and authorization
of calls (ARQ and Setup). The query is parametrized - that means parameter
replacement is made before each query is executed. The following parameters are defined:
<itemize>
<item><tt/%g/ - the gatekeeper identifier
<item><tt/%{gkip}/ - a gatekeeper IP the request has been received on
<item><tt/%u/ - an username associated with the caller
<item><tt/%{callerip}/ - caller's IP (the request has been received from - NAT IP for natted endpoints)
<item><tt/%{Calling-Station-Id}/ - caller's number, if available
<item><tt/%{Called-Station-Id}/ - destination number
<item><tt/%{Dialed-Number}/ - original destination number (before rewrite)
<item><tt/%{bandwidth}/ - requested bandwidth, if present in the ARQ
<item><tt/%{answer}/ - 1, if the request is an answering ARQ
<item><tt/%{arq}/ - 1 for ARQ triggered query, 0 for Setup triggered query
</itemize>
<p>
If the query returns no rows, the result is undefined, which basically
means failure for <tt/required/ rules and "try next" for optional rules.
Otherwise, the first result row is examined to determine authentication
result and get additional information:
<enum>
<item>The first column is converted into a boolean value (1, T, TRUE, allow, y, yes means true)
      and is an authentication result (accept/reject the call).
<item>If the request is authenticated successfully, remaining columns 
      are examined:
<enum>
	<item>If there exists a column called <tt/'billingmode'/, set a billing mode
		associated with the endpoint (0 - credit, <>0 - debit)
	<item>If there exists a column called <tt/'creditamount'/, set account balance
		associated with the endpoint (this is an arbitrary string)
	<item>If there exists a column called <tt/'credittime'/, use its integer
          value to set call duration limit
	<item>If there exists a column called <tt/'redirectnumber'/, replace
          the original destination number with this one
	<item>If there exists a column called <tt/'redirectip'/, force the call
          to be sent to the specified IP
	<item>If there exists a column called <tt/'proxy'/, force the gatekeeper
          to enable/disable (depends on the 'proxy' column value) RTP proxy
          for this call
</enum>
</enum>
<p>
Query string examples:
<tscreen><verb>
SELECT 1, 360 AS credittime, 0 AS proxy
SELECT * FROM auth_call('%g', '%u', '%{Calling-Station-Id}', '%{callerip}', '%{Called-Station-Id}') AS result(accept, credittime)
SELECT 1, '1234' AS redirectnumber, '192.168.1.1' AS redirectip
</verb></tscreen>

</itemize>


<sect1>Section &lsqb;PrefixAuth&rsqb;
<label id="prefixauth">
<p>
The section defines the authentication rule for <tt/PrefixAuth/ module.
Currently, only ARQs and LRQs can be authorized by this module.

First, a most specific prefix is selected according to the <bf/destinationInfo/
field of the received request. Then the request is accepted or rejected
according to the matched rules with most specific netmask.
If no matched prefix is found,
and the <tt/default/ option is specified, the request is accepted
or rejected according to that. Otherwise
it is rejected or passed to next authentication module
according to the module requirement.

<descrip>
<tag/Format:/
<tscreen><verb>
prefix=authrule[|authrule|...]
</verb></tscreen>

<tag/Syntax:/
<tscreen><verb>
&lt;authrule&gt; :=  &lt;result&gt; &lt;authrule&gt;

  &lt;result&gt;    := deny | allow
  &lt;authrule&gt;  := [!]ipv4:&lt;iprule&gt; | [!]alias:&lt;aliasrule&gt;
</verb></tscreen>
</descrip>
Where <tt/&lt;iprule&gt;/ can be specified in decimal dot notation or
CIDR notation, <tt/&lt;aliasrule&gt;/ is expressed in regular expression.
If the `<tt/!/' flag precedes the rule, the sense is inverted.

<descrip>
<tag/Example:/
<tscreen><verb>
555=deny ipv4:10.0.0.0/27|allow ipv4:0/0
5555=allow ipv4:192.168.1.1|deny ipv4:192.168.1.0/255.255.255.0
86=deny !ipv4:172.16.0.0/24
09=deny alias:^188884.*
ALL=allow ipv4:ALL
</verb></tscreen>
</descrip>

In this configuration, all endpoints except from network <tt>10.0.0.0/27</tt>
are allow to call prefix 555 (except 5555).
Endpoints from <tt>192.168.1.0/24</tt> are not allowed to call prefix 5555,
except <tt/192.168.1.1/.
Endpoints <bf/not/ from <tt>172.16.0.0/24</tt> are denied to call prefix 86.
Endpoints having an alias beginning with 188884 are not allowed to call
prefix 09. All other situations are allowed.

<sect1>Section &lsqb;RadAuth&rsqb;
<label id="radauth">
<p>
This section defines configuration settings that enable
RADIUS authentication based on H.235 CATs (Cisco Access Tokens)
present in RRQ, ARQ RAS requests and Q.931 Setup messages.
<itemize>
<item><tt/Servers=SERVER1[:AUTH_PORT[:ACCT_PORT[:SECRET]]];SERVER2[:AUTH_PORT[:ACCT_PORT[:SECRET]]];.../<newline>
Default: <tt>N/A</tt>
<p>
RADIUS servers to be used for authentication. The list can contain an arbitrary 
number of servers. The order of servers is important, because servers will