<?xml version="1.0" encoding='ISO-8859-1'?>
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd" [

<!-- Include general documentation entities -->
<!ENTITY % docentities SYSTEM "../../../docbook/entities.xml">
%docentities;

]>

<!-- Auth_db Module User's Guide -->

<chapter>
	
	<title>&adminguide;</title>
	
	<section>
	<title>Overview</title>
	<para>
		This module contains all authentication related functions that need 
		the access to the database. This module should be used together with 
		auth module, it cannot be used independently because it depends on 
		the module. Select this module if you want to use database to store 
		authentication information like subscriber usernames and passwords. If
		you want to use radius authentication, then use auth_radius instead.
	</para>
	</section>

	<section>
		<title>Dependencies</title>
		<section>
			<title>&kamailio; Modules</title>
			<para>
			The module depends on the following modules (in the other words 
			the listed modules must be loaded before this module):
			<itemizedlist>
			<listitem>
				<para><emphasis>auth</emphasis> -- Generic authentication 
				functions
				</para>
			</listitem>
			<listitem>
				<para><emphasis>database</emphasis> -- Any database module
				(currently mysql, postgres, dbtext)
				</para>
			</listitem>
			</itemizedlist>
		</para>
		</section>
		<section>
			<title>External Libraries or Applications</title>
			<para>
			The following libraries or applications must be installed 
			before running &kamailio; with this module loaded:
			</para>
			<itemizedlist>
				<listitem>
				<para><emphasis>none</emphasis></para>
				</listitem>
			</itemizedlist>
		</section>
	</section>


	<section>
	<title>Exported Parameters</title>
	<section>
		<title><varname>db_url</varname> (string)</title>
		<para>
		This is URL of the database to be used. Value of the parameter depends 
		on the database module used. For example for mysql and postgres modules 
		this is something like mysql://username:password@host:port/database. 
		For dbtext module (which stores data in plaintext files) it is
		directory in which the database resides.
		</para>
		<para>
		<emphasis>
			Default value is <quote>&defaultrodb;</quote>.
		</emphasis>
		</para>
		<example>
		<title><varname>db_url</varname> parameter usage</title>
		<programlisting format="linespecific">
modparam("auth_db", "db_url", "&exampledb;")
</programlisting>
		</example>
	</section>

	<section>
		<title><varname>user_column</varname> (string)</title>
		<para>
		This is the name of the column holding usernames. Default value is 
		fine for most people. Use the parameter if you really need to change it.
		</para>
		<para>
		Default value is <quote>username</quote>.
		</para>
		<example>
		<title><varname>user_column</varname> parameter usage</title>
		<programlisting format="linespecific">
modparam("auth_db", "user_column", "user")
</programlisting>
		</example>
	</section>

	<section>
		<title><varname>domain_column</varname> (string)</title>
		<para>
		This is the name of the column holding domains of users. Default value 
		is fine for most people. Use the parameter if you really need to 
		change it.
		</para>
		<para>
		Default value is <quote>domain</quote>.
		</para>
		<example>
		<title><varname>domain_column</varname> parameter usage</title>
		<programlisting format="linespecific">
modparam("auth_db", "domain_column", "domain")
</programlisting>
		</example>
	</section>

	<section>
		<title><varname>password_column</varname> (string)</title>
		<para>
		This is the name of the column holding passwords. Passwords can be 
		either stored as plain text or pre-calculated HA1 strings. HA1 strings 
		are MD5 hashes of username, password, and realm. HA1 strings are more 
		safe because the server doesn't need to know plaintext passwords and 
		they cannot be obtained from HA1 strings.
		</para>
		<para>
		Default value is <quote>ha1</quote>.
		</para>
		<example>
		<title><varname>password_column</varname> parameter usage</title>
		<programlisting format="linespecific">
modparam("auth_db", "password_column", "password")
</programlisting>
		</example>
	</section>

	<section>
		<title><varname>password_column_2</varname> (string)</title>
		<para>
		As described in the previous section this parameter contains name of 
		column holding pre-calculated HA1 string that were calculated including 
		the domain in the username. This parameter is used only when 
		<varname>calculate_ha1</varname> is set to 0 and user agent send a 
		credentials containing the domain in the username.
		</para>
		<para>
		Default value of the parameter is ha1b.
		</para>
		<example>
		<title><varname>password_column_2</varname> parameter usage</title>
		<programlisting format="linespecific">
modparam("auth_db", "password_column_2", "ha1_2")
</programlisting>
		</example>
	</section>

	<section>
		<title><varname>calculate_ha1</varname> (integer)</title>
		<para>
		This parameter tells the server whether it should use plaintext 
		passwords or a pre-calculated HA1 string for authentification.
		</para>
		<para>
		If the parameter is set to 1 and the username parameter of credentials
		contains also <quote>@domain</quote> (some user agents append the
		domain to the username parameter), then the server will use the HA1
		values from the column specified in the 
		<quote>password_column_2</quote> parameter. If the username parameter
		doesn't contain a domain, the server will use the HA1 values from the
		column given in the <quote>password_column</quote>parameter.
		</para>
		<para>
		If the parameter is set to 0 then the HA1 value will be calculated
		from the column specified in the <quote>password_column</quote>
		parameter.
		</para>
		<para>
		The <quote>password_column_2</quote>column contain also HA1 strings
		but they should be calculated including the domain in the username
		parameter (as opposed to password_column which (when containing HA1
		strings) should always contains HA1 strings calculated without domain
		in username.
		</para>
		<para>
		This ensures that the authentication will always work when using
		pre-calculated HA1 strings, not depending on the presence of the
		domain in username.
		</para>
		<para>
		Default value of this parameter is 0.
		</para>
		<example>
		<title><varname>calculate_ha1</varname> parameter usage</title>
		<programlisting format="linespecific">
modparam("auth_db", "calculate_ha1", 1)
</programlisting>
		</example>
	</section>

	<section>
		<title><varname>use_domain</varname> (integer)</title>
		<para>
		If true (not 0), domain will be also used when looking up in the 
		subscriber table. If you have a multi-domain setup, it is strongly
		recommended to turn on this parameter to avoid username overlapping
		between domains.
		</para>
		<para>
		IMPORTANT: before turning on this parameter, be sure that the 
		<varname>domain</varname> column in <varname>subscriber</varname> 
		table is properly populated.
		</para>
		<para>
		Default value is <quote>0 (false)</quote>.
		</para>
		<example>
		<title><varname>use_domain</varname> parameter usage</title>
		<programlisting format="linespecific">
modparam("auth_db", "use_domain", 1)
		</programlisting>
		</example>
	</section>

	<section>
		<title><varname>load_credentials</varname> (string)</title>
		<para>
		This parameter specifies of credentials to be fetch from database when
		the authentication is performed. The loaded credentials will be stored
		in AVPs. If the AVP name is not specificaly given, it will be used a
		NAME AVP with the same name as the column name.
		</para>
		<para>
		 Parameter syntax:
		<itemizedlist>
			<listitem><para><emphasis>
			load_credentials = credential (';' credential)*
			</emphasis></para></listitem>
			<listitem><para><emphasis>
			credential = (avp_specification '=' column_name) |
							(column_name)
			</emphasis></para></listitem>
			<listitem><para><emphasis>
			avp_specification = '$avp(' + 'i:'ID | 's:'NAME | alias + ')'
			</emphasis></para></listitem>
		</itemizedlist>
		</para>
		<para>
		Default value of this parameter is <quote>rpid</quote>.
		</para>
		<example>
		<title><varname>load_credentials</varname> parameter usage</title>
		<programlisting format="linespecific">
# load rpid column into $avp(i:13) and email_address column
# into $avp(s:email_address)
modparam("auth_db", "load_credentials", "$avp(i:13)=rpid;email_address")
</programlisting>
		</example>
	</section>
	</section>

	<section>
	<title>Exported Functions</title>
	<section>
		<title>
			<function moreinfo="none">www_authorize(realm, table)</function>
		</title>
		<para>
		The function verifies credentials according to 
		<ulink url="http://www.ietf.org/rfc/rfc2617.txt">RFC2617</ulink>. If the 
		credentials are verified successfully then the function will succeed 
		and mark the credentials as authorized (marked credentials can be later 
		used by some other functions). If the function was unable to verify the 
		credentials for some reason then it will fail and the script should 
		call <function moreinfo="none">www_challenge</function> which will 
		challenge the user again.
		</para>
		<para>Negative codes may be interpreted as follows:</para>
		<itemizedlist>
			<listitem><para>
			<emphasis>-5 (generic error)</emphasis> - some generic error
			occurred and no reply was sent out;
			</para></listitem>
			<listitem><para>
			<emphasis>-4 (no credentials)</emphasis> - credentials were not
			found in request;
			</para></listitem>
			<listitem><para>
			<emphasis>-3 (stale nonce)</emphasis> - stale nonce;
			</para></listitem>
			<listitem><para>
			<emphasis>-2 (invalid password)</emphasis> - valid user, but 
			wrong password;
			</para></listitem>
			<listitem><para>
			<emphasis>-1 (invalid user)</emphasis> - authentication user does
			not exist.
			</para></listitem>
		</itemizedlist>
		<para>Meaning of the parameters is as follows:</para>
		<itemizedlist>
		<listitem>
			<para><emphasis>realm</emphasis> - Realm is a opaque string that 
			the user agent should present to the user so he can decide what 
			username and password to use. Usually this is domain of the host 
			the server is running on.
			</para>
			<para>
			If an empty string <quote></quote> is used then the server will 
			generate it from the request. In case of REGISTER requests To 
			header field domain will be used (because this header field 
			represents a user being registered), for all other messages From 
			header field domain will be used.
			</para>
			<para>
			The string may contain pseudo variables.
			</para>
		</listitem>
		<listitem>
			<para><emphasis>table</emphasis> - Table to be used to lookup 
			usernames and passwords (usually subscribers table).
			</para>
		</listitem>
		</itemizedlist>
		<para>
		This function can be used from REQUEST_ROUTE.
		</para>
		<example>
		<title><function moreinfo="none">www_authorize</function> usage</title>
		<programlisting format="linespecific">
...
if (www_authorize("siphub.net", "subscriber")) {
	www_challenge("siphub.net", "1");
};
...
</programlisting>
		</example>
	</section>

	<section>
		<title>
			<function moreinfo="none">proxy_authorize(realm, table)</function>
		</title>
		<para>
		The function verifies credentials according to 
		<ulink url="http://www.ietf.org/rfc/rfc2617.txt">RFC2617</ulink>. If 
		the credentials are verified successfully then the function will 
		succeed and mark the credentials as authorized (marked credentials can 
		be later used by some other functions). If the function was unable to 
		verify the credentials for some reason then it will fail and
		the script should call 
		<function moreinfo="none">proxy_challenge</function> which will
		challenge the user again. 
		</para>
		<para>Negative codes may be interpreted as follows:</para>
		<itemizedlist>
			<listitem><para>
					<emphasis>-5 (generic error)</emphasis> - some generic error
					occurred and no reply was sent out;
				</para></listitem>
			<listitem><para>
					<emphasis>-4 (no credentials)</emphasis> - credentials were not
					found in request;
				</para></listitem>
			<listitem><para>
					<emphasis>-3 (stale nonce)</emphasis> - stale nonce;
				</para></listitem>
			<listitem><para>
					<emphasis>-2 (invalid password)</emphasis> - valid user, but 
					wrong password;
				</para></listitem>
			<listitem><para>
					<emphasis>-1 (invalid user)</emphasis> - authentication user does
					not exist.
				</para></listitem>
		</itemizedlist>
		<para>Meaning of the parameters is as follows:</para>
		<itemizedlist>
		<listitem>
			<para><emphasis>realm</emphasis> - Realm is a opaque string that 
			the user agent should present to the user so he can decide what 
			username and password to use. Usually this is domain of the host 
			the server is running on.
			</para>
			<para>
			If an empty string <quote></quote> is used then the server will 
			generate it from the request. From header field domain will be 
			used as realm.
			</para>
			<para>
			The string may contain pseudo variables.
			</para>
		</listitem>
		<listitem>
			<para><emphasis>table</emphasis> - Table to be used to lookup 
			usernames and passwords (usually subscribers table).
			</para>
		</listitem>
		</itemizedlist>
		<para>
		This function can be used from REQUEST_ROUTE.
		</para>
		<example>
		<title>proxy_authorize usage</title>
		<programlisting format="linespecific">
...
if (!proxy_authorize("", "subscriber)) {
	proxy_challenge("", "1");  # Realm will be autogenerated
};
...
</programlisting>
		</example>
	</section>
	</section>
</chapter>