Both authenticated and anonymous access

Hi,

I installed jitsi-meet around a year ago, and it is working fine with LDAP authentication.

Now I require authentication for users who can create conference rooms, but I also need guests to be able to join these rooms without authentication.

I changed my config by adding the “anonymous” guest virtual host as seen below, but now the users are NOT asked to authenticate when connecting to the default vitrual host (ldap).

# cat /etc/prosody/conf.d/meet.mydomain.org.cfg.lua 
-- Plugins path gets uncommented during jitsi-meet-tokens package install - that's where token plugin is located
--plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }

VirtualHost "meet.mydomain.org"
        -- enabled = false -- Remove this line to enable this host
--        authentication = "anonymous"
        authentication = "ldap2"
--        authentication = "internal_plain"
--        authentication = "external"
--external_auth_command = "/etc/prosody/conf.d/custom_prosody_auth.sh"
        -- Properties below are modified by jitsi-meet-tokens package config
        -- and authentication above is switched to "token"
        --app_id="example_app_id"
        --app_secret="example_app_secret"
        -- Assign this host a certificate for TLS, otherwise it would use the one
        -- set in the global section (if any).
        -- Note that old-style SSL on port 5223 only supports one certificate, and will always
        -- use the global one.
        ssl = {
                key = "/etc/prosody/certs/meet.mydomain.org.key";
                certificate = "/etc/prosody/certs/meet.mydomain.org.crt";
        }
        -- we need bosh
        modules_enabled = {
            "bosh";
            "pubsub";
            "ping"; -- Enable mod_ping
        }

        c2s_require_encryption = false

Component "conference.meet.mydomain.org" "muc"
    storage = "null"
    --modules_enabled = { "token_verification" }
admins = { "focus@auth.meet.mydomain.org" }

Component "jitsi-videobridge.meet.mydomain.org"
    component_secret = "czzEeVRH"

VirtualHost "auth.meet.mydomain.org"
    ssl = {
        key = "/etc/prosody/certs/auth.meet.mydomain.org.key";
        certificate = "/etc/prosody/certs/auth.meet.mydomain.org.crt";
    }
    authentication = "internal_plain"

Component "focus.meet.mydomain.org"
    component_secret = "lqrfPXSD"

VirtualHost "guest.meet.mydomain.org"
    authentication = "anonymous"

Component "callcontrol.meet.mydomain.org" component_secret = "ivqzsJSh"

# cat /etc/jitsi/meet/meet.mydomain.org-config.js 
/* eslint-disable no-unused-vars, no-var */

var config = {
    hosts: {
        // XMPP domain.
        domain: 'meet.mydomain.org',
        // When using authentication, domain for guest users.
        anonymousdomain: 'guest.meet.mydomain.org',
        // XMPP MUC domain. FIXME: use XEP-0030 to discover it.
        muc: 'conference.meet.mydomain.org'
    },
    // BOSH URL. FIXME: use XEP-0156 to discover it.
    bosh: '//meet.mydomain.org/http-bind',
    // The name of client node advertised in XEP-0115 'c' stanza
    clientNode: 'http://jitsi.org/jitsimeet',
    testing: {
        // Enables experimental simulcast support on Firefox.
        enableFirefoxSimulcast: false,
        // P2P test mode disables automatic switching to P2P when there are 2
        // participants in the conference.
        p2pTestMode: false
        // Enables the test specific features consumed by jitsi-meet-torture
        // testMode: false
    },
    disableSuspendVideo: true,
    desktopSharingChromeExtId: null,
    desktopSharingChromeSources: [ 'screen', 'window', 'tab' ],
    desktopSharingChromeMinExtVersion: '0.1',
    channelLastN: -1,
    enableWelcomePage: true,
    enableUserRolesBasedOnToken: false,
    p2p: {
        enabled: true,
        stunServers: [
            { urls: 'stun:stun.l.google.com:19302' },
            { urls: 'stun:stun1.l.google.com:19302' },
            { urls: 'stun:stun2.l.google.com:19302' }
        ],
        preferH264: true
    },
    analytics: {
    },
    deploymentInfo: {
    }
};

/* eslint-enable no-unused-vars, no-var */

How can I change my config so that users that point to https://meet.mydomain.org/myroom require authentication via LDAP, and users connecting to https://guest.meet.mydomain.org/myroom don’t?
Of course, the latter “guest” URL should work only if the room “myroom” has already been created by an authed user.

Regards,

Vieri

I just figured it out.
I was missing this:

# cat /etc/jitsi/jicofo/sip-communicator.properties 
org.jitsi.jicofo.auth.URL=XMPP:meet.mydomain.org

(Debian)

I am however having big issues with Firefox. Only Google Chrome seems to work.
I hope support for Firefox will be coming soon as most of my users are running Firefox.

Does anyone know if Safari is fully supported? (I do not have a Mac OS to test it)