reference.txt

开发h323ip电话的朋友

Currently supported modules:

  SimplePasswordAuth/
  LDAPPasswordAuth    The module checks the tokens or cryptoTokens
                      fields of RAS message. The tokens should contain
                      at least generalID and password. For cryptoTokens,
                      cryptoEPPwdHash tokens hashed by simple MD5 and 
                      nestedcryptoToken tokens hashed by HMAC-SHA1-96
                      (libssl must be installed!) are supported now.
                      The ID and password are read from [Password] section 
                      / LDAP (default: plaintextpassword attribute).
		      Support for other backend databases is easily to add.

  AliasAuth/
  MySQLAliasAuth/
  LDAPAliasAuth       The IP of an endpoint with given alias should
                      match a specified pattern. For AliasAuth the pattern 
                      is defined in [RasSrv::RRQAuth] section.
                      For MySQLAliasAuth, the pattern is retrieved from
                      MySQL database, defined in [MySQLAliasAuth] section.
                      For LDAPAliasAuth the alias (default: mail attribute)
                      and IP (default: voIPIpAddress attribute) must be 
                      found in one LDAP entry.

You can also configure a rule to check only for some particular RAS
messages. For example, to configure SimplePasswordAuth as a required
rule to check RRQ, ARQ and LRQ:
SimplePasswordAuth=required;RRQ,ARQ,LRQ

  Example:
    SimplePasswordAuth=optional
    AliasAuth=sufficient;RRQ
    default=reject

B.14 Section [Password]

The section defines the userid and password pairs used by SimplePasswordAuth.
Use 'make addpasswd' to generate the utility addpasswd.
Usage:
   addpasswd config userid password

KeyFilled=123           Default: 0

Default value to initialize the encryption key.

CkeckID=TRUE            Default: FALSE

Check if the aliases match the ID in the tokens.

PasswordTimeout=120	Default: -1

SimplePasswordAuth will cache an authenticated password.
This field define the cache timeout value in second.
0 means never cache the password, while a negative value
means the cache never expires.

B.15 Section [CallTable]

GenerateNBCDR=FALSE	Default: TRUE

Allow generate CDR for call that calling from neighbor zones.
The IP and endpoint ID of the calling party is printed
as empty. This is usually used for debug purpose.

GenerateUCCDR=FALSE	Default: FALSE

Allow generate CDR for call that is unconnected. This is usually
used for debug purpose. Note a call is considered unconnected
only if the GK is in routed mode and Q.931 connect message is not
received by the GK. In direct mode, a call is always considered
connected.

DefaultCallTimeout	Default: 0

Default timeout value in seconds to tear down a call.
Set it to 0 to disable this feature.

B.16 Section [MySQLAuth]

Host=localhost          Default: localhost

Host name or IP of the MySQL server.

Database=billing        Default: billing

The database to connect.

User=cwhuang
Password=123456

Isn't it clear?

Table=customer

The table in the database to query.

IDField=IPN

The field name of user id.

PasswordField=Password

The password field name.

ExtraCriterion=Kind>0	Default: n/a

Specify extra criterion.

The GK will issue the SQL command:
SELECT $PasswordField FROM $Table WHERE $IDField = %alias [AND $ExtraCriterion]


B.17 Section [MySQLAliasAuth]

Host=localhost          Default: localhost
Database=billing        Default: billing
User=cwhuang
Password=123456
Table=customer
IDField=IPN
IPField=Address
ExtraCriterion=Kind>0	Default: n/a

The SQL command is
SELECT $IPField FROM $Table WHERE $IDField = %alias [AND $ExtraCriterion]

The format is exactly as MySQLAuth, except the selected result
is used as a specified pattern to match the IP of endpoint,
as described in section [RasSrv::RRQAuth].

CacheTimeout=100	Default: -1

Timeout value in second to cache the result. See option
PasswordTimeout in section [SimplePasswordAuth] for details.


B.18 Section [GkAuthorize]

This section authorizes arq by source call signal address.

default=deny  #Defaul: allow
#default policy for unclassified arq

prf: 555
#phone prefix
deny ipv4:10.0.0.0/27
#deny access for network to the perfix
allow ipv4:ALL
#allow access for all to the prefix

prf: 5555
deny ipv4:192.168.1.0/255.255.255.0
#deny access for network to the perfix
allow ipv4:192.168.1.1
#allow access for a host to the prefix

prf: ALL
allow ipv4:0/0
#allow access for all networks to all prefixes


#We choose the most specific prefix and then
#we choose the most specific network from list

B.19 Section [Proxy]

The section defines the H.323 proxy features. It means the gatekeeper will
route all the traffic between the calling and called endpoints, so there
is no traffic between the two endpoints directly. Thus it is very useful
if you have some endpoints using private IP behind an NAT box and some
endpoints using real IP outside the box.

Enable=1		Default: 0

Whether to enable the proxy function. You have to enable gatekeeper
routed mode first (see Section B.2). You don't have to specify
H.245 routed. It will automatically be used if required.

InternalNetwork=10.0.1.0/24	Default: n/a

Define the networks behind the proxy. Multiple internal networks are allow.
The proxy route channels only of the communications between one endpoint
in the internal network and one external. If you don't specify it, all calls
will be proxied.

  Format:
    InternalNetwork=network address/netmask[,network address/netmask,...]

    The netmask can be expressed in decimal dot notation or
    CIDR notation (prefix length), as shown in the example.

  Example:
    InternalNetwork=10.0.0.0/255.0.0.0,192.168.0.0/24

B.20 Section [Endpoint]

The gatekeeper can work as an endpoint by registering to another gatekeeper.
With this feature, you can easily build gatekeeper hierarchies.
The section defines the endpoint features for the gatekeeper.

Gatekeeper=10.0.1.1		Default: no

Define a parent gatekeeper for the endpoint(gatekeeper) to register to.
Don't try to register to yourself, unless you want to be confusing.
To disable this feature, set the field to be no.

Type=Gateway			Default: Gateway

Define the terminal type for the endpoint.
The valid values are Gateway or Terminal.

H323ID=CitronProxy
E164=18888600000,18888700000

Define the H.323 ID and E.164 (dialedDigits) aliases for the endpoint.
Multiple aliases can be specified.

Password=123456

Specify a password to be sent to the parent gatekeeper.
All RAS requests will contain the password in the cryptoTokens field.

Besides, the password is also used in LRQs sent to neighbor gatekeepers.

Prefix=188886,188887

Register the specified prefixes to the parent gatekeeper.
Only take effect when the Type is Gateway.

TimeToLive=900

Suggest a time-to-live value in second for the registration.
Note that the real time-to-live value is assigned by the parent
gatekeeper in the RCF replied to the RRQ.

RRQRetryInterval=10		Default: 10

Define a retry interval in second for RRQs if no response
received from the parent gatekeeper.

ARQTimeout=2			Default: 2

Define the timeout value for ARQs in second.


B.21 Section [Endpoint::RewriteE164]

Once you specify prefix(es) for your gatekeeper endpoint, the parent
gatekeeper will route calls with dialed digits beginning with that prefixes.
The child gatekeeper can rewrite the destination according to the rules
specified in this section. By contrast, when an internal endpoint calls
an endpoint registered to the parent gatekeeper, the source will be
rewritten reversely.

  Format:
    external prefix=internal prefix

For example, if you have the following configuration,

				[Parent GK]
				ID=CitronGK
				/	  \
			       /	   \
			      /		    \
			     /		     \
			[Child GK]	    [EP3]
			ID=ProxyGK	    E164=18888200
			Prefix=188886
			/	\
		       /	 \
		      /		  \
		   [EP1]	 [EP2]
		   E164=601	 E164=602

With this rule:

    188886=6

When EP1 calls EP3 by 18888200, the CallingPartyNumber in the Q.931 Setup
will be rewritten to 18888601. Conversely, EP3 can reach EP1 and EP2
by calling 18888601 and 18888602, respectively. In consequence, an
endpoint registered to the child GK with prefix '6' will appear
as an endpoint with prefix '188886', for endpoints registered to
the parent gatekeeper.

The section does not relate to the section RasSvr::RewriteE164,
though the later will take effect first.


B.22 Section [GkLDAP::LDAPAttributeNames]

This section defines which LDAP attribute names to use.

H323ID:		the endpoint's H.323 alias. Needs to be unique within
		the used LDAP tree (this i why we use the mail address by default).
TelephonNo:	the endpoint's E.164 alias
voIPIpAddress:	the IP address to be compared against when using LDAPAliasAuth
		Format: 1.2.3.4.
		For now, only a single value is allowed here.
H235PassWord:	the plaintext password to be compared against when using H.235 
		(LDAPPasswordAuth in Gatekeeper::Auth).
		For now, only a single value is allowed here.

Defaults:
H323ID=mail
TelephonNo=telephoneNumber
IPAddress=voIPIpAddress
H235PassWord=plaintextPassword


B.23 Section [GkLDAP::Settings]

This section defines the LDAP server and standard LDAP client operating
parameters to be used.

ServerName:	The LDAP server's DNS name.
ServerPort:	The LDAP server's TCP port (usually 389).
SearchBaseDN:	entry point into the server's LDAP tree structure.
             	Searches are only made below this root node.
BindUserDN:	The distinguished name the gatekeeper uses to bind
           	to the LDAP server. Leave empty if you want to access
           	the LDAP server anonymously.
BindUserPW:	If you specified BindUserDN, then specify the corresponding
           	password to be used for binding here.
sizelimit:	Maximum number of results the server may return in response
          	to a single search query. The gatekeeper expects each LDAP
          	to only yields one or zero results anyway, so this parameter
          	is rather useless.
          	Usually that's restricted on the server side, anyway.
timelimit:	maximum number of seconds a query may take until it's
          	considered as "failed".

Defaults:
#ServerName=ldap
#ServerPort=389
#SearchBaseDN=o=University of Michigan, c=US
#BindUserDN=cn=Babs Jensen,o=University of Michigan, c=US
#BindUserPW=ReallySecretPassword
#sizelimit=0
#timelimit=0