Guestdomain, ldap-auth and logins without @meet.DOMAIN part


#1

Hi there,

I am setting up Jitsi in a test environment and everything is working great. Really like this conference solution and we’re gonna use it in production very soon.

But, I am wondering about the anonymous domain. Cause I have difficulties to set it up.

What's actually working is internal_auth with the main domain. After the room is created and an admin logged in, other users can join this room without authentication. This is exactly what we want, but I am also interested in the anonymous domain feature.

What's not working: As soon as I try to enter a conference room via the guest domain, I get no video and no audio + nothing in the logs.

I have a default debian stretch setup without nginx or apache and I use jvb as frontend.

All of the packages are up to date.

Is the guest domain still used and how can I get it working?

These are my config files:

domain.cfg.lua (prosody):

    -- Plugins path gets uncommented during jitsi-meet-tokens package install - that's where token plugin is located
    --plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }

    VirtualHost "meet2.<domain>"
        authentication = "internal_plain"
        ssl = {
            key = "/etc/prosody/certs/meet2.<domain>.key";
            certificate = "/etc/prosody/certs/meet2.<domain>.crt";
        }

        modules_enabled = {
            "bosh";
            "pubsub";
            "ping"; -- Enable mod_ping
        }

        --c2s_require_encryption = false

    VirtualHost "guest.meet2.<domain>"
        authentication = "anonymous"
        ssl = {
            key = "/etc/prosody/certs/meet2.<domain>.key";
            certificate = "/etc/prosody/certs/meet2.<domain>.crt";
        }

        modules_enabled = {
            "bosh";
            "pubsub";
            "ping"; -- Enable mod_ping
        }

        c2s_require_encryption = false

    Component "conference.meet2.<domain>" "muc"
        restrict_room_creation = "local"
        storage = "null"
        --modules_enabled = { "token_verification" }
    admins = { "focus@auth.meet2.<domain>" }

    Component "jitsi-videobridge.meet2.<domain>"
        component_secret = "vE@lL07f"

    VirtualHost "auth.meet2.<domain>"
        ssl = {
            key = "/etc/prosody/certs/auth.meet2.<domain>.key";
            certificate = "/etc/prosody/certs/auth.meet2.<domain>.crt";
        }
        authentication = "internal_plain"

    Component "focus.meet2.<domain>"
        component_secret = "nzJCqr2D"

jvb config:

    # Jitsi Videobridge settings

    # sets the XMPP domain (default: none)
    JVB_HOSTNAME=meet2.<domain>

    # sets the hostname of the XMPP server (default: domain if set, localhost otherwise)
    JVB_HOST=

    # sets the port of the XMPP server (default: 5275)
    JVB_PORT=5347

    # sets the shared secret used to authenticate to the XMPP server
    JVB_SECRET=vE@lL07f

    # extra options to pass to the JVB daemon
    JVB_OPTS=--apis=rest,xmpp

    # adds java system props that are passed to jvb (default are for home and logging config file)
    JAVA_SYS_PROPS="$JVB_EXTRA_JVM_PARAMS -Dnet.java.sip.communicator.SC_HOME_DIR_LOCATION=/etc/jitsi -Dnet.java.sip.communicator.SC_HOME_DIR_NAME=videobridge -Dnet.java.sip.communicator.SC_LOG_DIR_LOCATION=/var/log/jitsi -Djava.util.logging.config.file=/etc/jitsi/videobridge/logging.properties"
    AUTHBIND=yes

meet config

     hosts: {
         // XMPP domain.
         domain: 'meet2.<domain>',
 
         // XMPP MUC domain. FIXME: use XEP-0030 to discover it.
         muc: 'conference.meet2.<domain>',
 
         // When using authentication, domain for guest users.
         anonymousdomain: 'guest.meet2.<domain>',
 
         // Domain for authenticated users. Defaults to <domain>.
         // authdomain: 'meet2.<domain>',
 
         // Jirecon recording component domain.
         // jirecon: 'jirecon.meet2.<domain>',
 
         // Call control component (Jigasi).
         // call_control: 'callcontrol.meet2.<domain>',
 
         // Focus component domain. Defaults to focus.<domain>.
         focus: 'focus.meet2.<domain>',
     },

Thanks Yannik


#2

Guess it works as expected:

When I’m enabling the guestdomain the user is only getting asked for the password on room initialization. If I’m disabling anonymous auth, the login dialog always asks for password.

I thought that the guest. and auth. domains are also externally reachable, but now I understand that these are only for the internal communication between the components.

LDAP

We also need LDAP and I found a couple of good tutorials and got it working with the following configs:

  1. Created the /etc/prosody/conf.d/ldap.cfg.lua.erb config file:

         authentication = 'ldap2'
         ldap = {
             hostname      = '<ip>:389',
             use_tls       = true,
             bind_dn       = 'CN=ldapuser,CN=Users,DC=<domain>,DC=de',
             bind_password = '<password>',
             user = {
                 basedn        = 'ou=AllUsers,dc=<domain>,dc=de',
                 filter        = '(&(objectClass=person)(memberOf=CN=app-jitsi,OU=Groups,DC=<password>,DC=de))',
                 usernamefield = 'sAMAccountName',
                 namefield     = 'cn',
             },
         }

  2. Changed the auth method in /etc/prosody/conf.d/meet.domain.de.cfg.lua:

         VirtualHost "meet.<domain>.de"
             --authentication = "internal_plain"
             authentication = "ldap2"

  3. Appended the following to the /etc/prosody/prosody.cfg.lua:

         consider_bosh_secure = true

  4. Installed the mod_auth_ldap package:

         apt-get install prosody-modules

  5. Restarted prosody and jicofo.

RESULT

Works as expected, I can login with @meet.domain.de.

Is there an easy way to allow logins without the @domain part or change it to a specific address?

Regards Yannik
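
Added example, not part of the original posts and not code from the Jitsi or Prosody projects: a small Python check for the layout this thread arrives at, where the main host requires authentication (`internal_plain` or `ldap2`) and `anonymousdomain` points at a VirtualHost with `authentication = "anonymous"`. The sample configs are constructed from the ones posted above with `example.org` as a placeholder domain, and the line-based parser is a simplification that only reads plain `key = value` options.

```python
import re

# Constructed sample, abridged from the configs in this thread; example.org is a placeholder.
PROSODY_CFG = '''
VirtualHost "meet2.example.org"
    authentication = "internal_plain"
    --c2s_require_encryption = false
VirtualHost "guest.meet2.example.org"
    authentication = "anonymous"
    c2s_require_encryption = false
Component "conference.meet2.example.org" "muc"
    storage = "null"
'''
MEET_CFG = '''
hosts: {
    domain: 'meet2.example.org',
    anonymousdomain: 'guest.meet2.example.org',
    // authdomain: 'meet2.example.org',
},
'''

def parse_prosody(text):  # VirtualHost name -> its plain `key = value` options
    hosts, current = {}, None
    for raw in text.splitlines():
        line = raw.split("--", 1)[0].strip()  # drop Lua line comments
        head = re.match(r'(VirtualHost|Component)\s+"([^"]+)"', line)
        opt = re.match(r'''(\w+)\s*=\s*["']?([^"';,{}]+)["']?[;,]?$''', line)
        if head:  # options under a Component are not attributed to any host
            current = hosts.setdefault(head.group(2), {}) if head.group(1) == "VirtualHost" else None
        elif opt and current is not None:
            current[opt.group(1)] = opt.group(2).strip()
    return hosts

def meet_hosts(text):  # uncommented `key: 'value'` pairs of the jitsi-meet hosts block
    found = (re.search(r"(\w+):\s*'([^']+)'", l.split("//", 1)[0]) for l in text.splitlines())
    return {m.group(1): m.group(2) for m in found if m}

def check(prosody_text, meet_text):
    vhosts, meet = parse_prosody(prosody_text), meet_hosts(meet_text)
    auth = lambda key: vhosts.get(meet.get(key), {}).get("authentication")
    findings = []
    if auth("domain") in (None, "anonymous"):
        findings.append("main domain: no explicit non-anonymous authentication")
    if "anonymousdomain" in meet and auth("anonymousdomain") != "anonymous":
        findings.append("anonymousdomain: no matching anonymous VirtualHost")
    findings += [f"{name}: c2s_require_encryption disabled" for name, opts in vhosts.items()
                 if opts.get("c2s_require_encryption") == "false"]
    return findings

print(check(PROSODY_CFG, MEET_CFG))
```

On the constructed sample the only finding is the guest host's `c2s_require_encryption = false`; the commented-out copy of that line under the main host is ignored.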