Jitsi+Jigasi+Cyrus sasl

In accordance with the “LDAP authentication” instruction, I installed Jitsi with SASL authorization. There was a problem with connecting Jigasi. SIP call does not work. The problem is authorization.

Jigasi log:
SEVERE: [73] impl.protocol.jabber.ProtocolProviderServiceJabberImpl.connectAndLogin().1003 Failed to connect to XMPP service
org.jivesoftware.smack.SmackException: No supported and enabled SASL Mechanism provided by server. Server announced mechanisms: [PLAIN]. Registered SASL mechanisms with Smack: [SASL Mech: GSSAPI, Prio: 100, SASL Mech: SCRAM-SHA-1-PLUS, Prio: 100, SASL Mech: SCRAM-SHA-1, Prio: 110, SASL Mech: DIGEST-MD5, Prio: 200, SASL Mech: CRAM-MD5, Prio: 300, SASL Mech: PLAIN, Prio: 400, SASL Mech: X-OAUTH2, Prio: 410, SASL Mech: EXTERNAL, Prio: 500, SASL Mech: ANONYMOUS, Prio: 500]. Enabled SASL mechanisms for this connection: [ANONYMOUS]. Blacklisted SASL mechanisms: [SCRAM-SHA-1-PLUS].
at org.jivesoftware.smack.SASLAuthentication.selectMechanism(SASLAuthentication.java:361)
at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:192)
at org.jivesoftware.smack.bosh.XMPPBOSHConnection.loginInternal(XMPPBOSHConnection.java:222)
at org.jivesoftware.smack.AbstractXMPPConnection.login(AbstractXMPPConnection.java:491)
at org.jivesoftware.smack.AbstractXMPPConnection.login(AbstractXMPPConnection.java:448)
at net.java.sip.communicator.impl.protocol.jabber.AnonymousLoginStrategy.login(AnonymousLoginStrategy.java:84)
at net.java.sip.communicator.impl.protocol.jabber.ProtocolProviderServiceJabberImpl.connectAndLogin(ProtocolProviderServiceJabberImpl.java:1371)
at net.java.sip.communicator.impl.protocol.jabber.ProtocolProviderServiceJabberImpl.connectAndLogin(ProtocolProviderServiceJabberImpl.java:970)
at net.java.sip.communicator.impl.protocol.jabber.ProtocolProviderServiceJabberImpl.initializeConnectAndLogin(ProtocolProviderServiceJabberImpl.java:795)
at net.java.sip.communicator.impl.protocol.jabber.ProtocolProviderServiceJabberImpl.register(ProtocolProviderServiceJabberImpl.java:500)
at org.jitsi.jigasi.util.RegisterThread.run(RegisterThread.java:59)
SEVERE: [73] org.jitsi.jigasi.JvbConference.registrationStateChanged().683 [ctx=16420101160392011768267] XMPP Connection failed.
WARNING: [73] org.jitsi.jigasi.JvbConference.leaveConferenceRoom().1064 [ctx=16420101160392011768267] MUC room is null
SEVERE: [69] org.jitsi.jigasi.xmpp.CallControlMucActivator.processIQInternal().626 [ctx=16420101160392011768267] Error processing RayoIq
java.lang.Exception: Fail to join muc!
at org.jitsi.jigasi.xmpp.CallControlMucActivator$WaitToJoinRoom.waitToJoinRoom(CallControlMucActivator.java:725)
at org.jitsi.jigasi.xmpp.CallControlMucActivator$DialIqHandler.setDialResponseAndRegisterHangUpHandler(CallControlMucActivator.java:658)
at org.jitsi.jigasi.xmpp.CallControlMucActivator$DialIqHandler.processIQInternal(CallControlMucActivator.java:615)
at org.jitsi.jigasi.xmpp.CallControlMucActivator$DialIqHandler.lambda$processIQ$0(CallControlMucActivator.java:576)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at java.base/java.lang.Thread.run(Thread.java:833)

I will not be able to use the following settings:

org.jitsi.jigasi.xmpp.acc.USER_ID=JIGASI@YourFQDN
org.jitsi.jigasi.xmpp.acc.PASS=PlaintextPassword
org.jitsi.jigasi.xmpp.acc.ANONYMOUS_AUTH=false

How to use: Jitsi+Jigasi+Cyrus sasl ?

Additional information for clarification:

  1. I installed Jitsi according to the “Self-Hosting guide”.
  2. Configured Prosody according to the “Secure Domain setup” instruction, but did not do “Create users in Prosody (internal auth)” and “Optional: Jigasi configuration” because authorization was supposed to work on Cyrus SASL.
  3. According to the “LDAP authentication” instruction, I configured Cyrus SASL with the following settings:

ldap_servers: ldap://192.168.x.x
ldap_search_base: dc=mydomain,dc=com
ldap_bind_dn: cn=JITSI_user,ou=tech,dc=mydomain,dc=com
ldap_bind_pw: JITSI_user_plain_pass
ldap_filter: (&(samaccountname=%u)(memberof=CN=Creators,CN=Users,dc=mydomain,dc=com))
ldap_version: 3
ldap_auth_method: bind

Microsoft AD server is running on a local network and did not install the certificate into it.

  4. Configured Prosody:
    authentication = "cyrus"
    Not used: allow_unencrypted_plain_auth = true
    Authorization works without this parameter.
    Added "auth_cyrus" to the list of modules:
    modules_enabled = {

    "auth_cyrus";

    }

Installed permissions: sudo adduser prosody sasl

  5. Checked, conferences start between multiple users. Video and sound work.

How do I set up Jigasi correctly now ?

/etc/jitsi/jigasi/sip-communicator.properties

org.jitsi.jigasi.xmpp.acc.USER_ID=JITSI_user@mydomain.com
org.jitsi.jigasi.xmpp.acc.PASS=JITSI_user_plain_pass
org.jitsi.jigasi.xmpp.acc.ANONYMOUS_AUTH=false

JITSI_user@mydomain.com SASL does not work with verification via Cyrus.

Jigasi is needed in order to add a subscriber by phone to the conference.

Sip-account is configured correctly and Jigasi is logged into Asterisk.
The problem occurs when trying to call (add) a user to a conference using a phone number (internal or external)

Do you have any ideas how to implement this scheme?
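The Smack exception in the Jigasi log above already names the mismatch: the Cyrus-backed host announces only PLAIN, while the connection was opened with only ANONYMOUS enabled. As an added example (not part of the original thread, and not Jigasi or Smack code), this sketch parses that message and reports which mechanisms could actually be negotiated; the function names are hypothetical and the sample string is a shortened copy of the log line.

```python
import re

# Constructed sample: the Smack exception from the Jigasi log in this thread,
# with the "Registered" list shortened.
SMACK_ERROR = (
    "No supported and enabled SASL Mechanism provided by server. "
    "Server announced mechanisms: [PLAIN]. Registered SASL mechanisms with "
    "Smack: [SASL Mech: GSSAPI, Prio: 100, SASL Mech: SCRAM-SHA-1-PLUS, "
    "Prio: 100, SASL Mech: SCRAM-SHA-1, Prio: 110, SASL Mech: PLAIN, "
    "Prio: 400, SASL Mech: ANONYMOUS, Prio: 500]. Enabled SASL mechanisms "
    "for this connection: [ANONYMOUS]. Blacklisted SASL mechanisms: "
    "[SCRAM-SHA-1-PLUS]."
)

def _list(label, text):
    """Raw contents of the '[...]' that follows 'label:' in the message."""
    m = re.search(re.escape(label) + r":\s*\[([^\]]*)\]", text)
    return m.group(1) if m else ""

def parse_mechanisms(text):
    """Split the exception text into the four mechanism sets Smack reports."""
    def plain(label):
        return {n.strip() for n in _list(label, text).split(",") if n.strip()}
    registered = _list("Registered SASL mechanisms with Smack", text)
    return {
        "announced": plain("Server announced mechanisms"),
        "registered": set(re.findall(r"SASL Mech:\s*([A-Z0-9-]+)", registered)),
        "enabled": plain("Enabled SASL mechanisms for this connection"),
        "blacklisted": plain("Blacklisted SASL mechanisms"),
    }

def diagnose(text):
    """Return (usable mechanisms, one-line finding) for a Smack SASL failure."""
    m = parse_mechanisms(text)
    usable = (m["announced"] & m["registered"] & m["enabled"]) - m["blacklisted"]
    offered = ", ".join(sorted(m["announced"]))
    if usable == {"PLAIN"}:
        return usable, "PLAIN only: the password crosses the wire, so require TLS"
    if usable:
        return usable, "negotiable: " + ", ".join(sorted(usable))
    if m["enabled"] == {"ANONYMOUS"}:
        return usable, f"client logs in anonymously but host offers only {offered}"
    return usable, f"no overlap between client settings and server offer ({offered})"

if __name__ == "__main__":
    print(diagnose(SMACK_ERROR))
```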

Create another virtual host for jigasi which will use username and password

Do you mean add to a file: /etc/prosody/conf.avail/jitsi.mydomain.com.cfg.lua

new virtual host:

VirtualHost "jigasi.jitsi.mydomain.com"
authentication = "internal_hashed"

??

Next, execute: sudo prosodyctl register JITSI_user jigasi.jitsi.mydomain.com JITSI_user_plain_pass

add to file: /etc/jitsi/jigasi/sip-communicator.properties:

org.jitsi.jigasi.xmpp.acc.USER_ID=JITSI_user@jigasi.jitsi.mydomain.com
org.jitsi.jigasi.xmpp.acc.PASS=JITSI_user_plain_pass
org.jitsi.jigasi.xmpp.acc.ANONYMOUS_AUTH=false

Did I understand correctly?

before that, I tried in the file settings: /etc/jitsi/jigasi/sip-communicator.properties

net.java.sip.communicator.impl.protocol.sip.acc1403273890647.DOMAIN_BASE=guest.jitsi.mydomain.com

to check incoming messages.
Also unsuccessful.

Yep, that’s correct.

Thanks, it worked.

I had to activate the line org.jitsi.jigasi.xmpp.acc.ALLOW_NON_SECURE=true

I have a wildcard certificate *.mydomain.com
It is applied as:

VirtualHost "jitsi.mydomain.com"
ssl = {
key = "/etc/prosody/certs/jitsi.mydomain.com.key";
certificate = "/etc/prosody/certs/jitsi.mydomain.com.crt";
}

but it is unlikely to be able to use it for:

VirtualHost "jigasi.jitsi.mydomain.com"
authentication = "internal_hashed"
ssl = {
key = "/etc/prosody/certs/jigasi.jitsi.mydomain.com.key";
certificate = "/etc/prosody/certs/jigasi.jitsi.mydomain.com.crt";
}

although in the settings there is:

VirtualHost "auth.jitsi.mydomain.com"
authentication = "internal_hashed"
ssl = {
key = "/etc/prosody/certs/auth.jitsi.mydomain.com.key";
certificate = "/etc/prosody/certs/auth.jitsi.mydomain.com.crt";
}

and a certificate is automatically generated for this domain during Jitsi installation.

What do you recommend to do - deal with certificates or use ALLOW_NON_SECURE=true?

Do I need to fix the default file:
/etc/jitsi/jigasi/config
During installation, it was configured: JIGASI_HOSTNAME=jitsi.mydomain.com

Fix to JIGASI_HOSTNAME=jigasi.jitsi.mydomain.com
or shouldn’t it?

And in addition, there is a problem - there is no sound in both directions after calling a phone number.

The callback does not work. When trying to call the number assigned to JIGASI, the call is reset and the line is busy. But probably these are problems of another topic.

Make sure your sip side is doing latching.

For the certificate, I’m not sure that is used at all …

On the other side - Asterisk

maybe that’s the problem:
SEVERE: [1863] net.sf.fmj.media.Log.error() Failed to build a graph for the given custom options.
SEVERE: [1863] net.sf.fmj.media.Log.error() Failed to realize: net.sf.fmj.media.ProcessEngine@4bb1f560
SEVERE: [1863] net.sf.fmj.media.Log.error() Cannot build a flow graph with the customized options:
SEVERE: [1863] net.sf.fmj.media.Log.error() Unable to transcode format: LINEAR, 48000.0 Hz, 16-bit, Mono, LittleEndian, Signed
SEVERE: [1863] net.sf.fmj.media.Log.error() to: opus/rtp, 48000.0 Hz, Stereo
SEVERE: [1863] net.sf.fmj.media.Log.error() outputting to: raw.rtp
SEVERE: [1863] net.sf.fmj.media.Log.error() Unable to add customed codecs:
SEVERE: [1863] net.sf.fmj.media.Log.error() org.jitsi.impl.neomedia.audiolevel.AudioLevelEffect2@3b7e89a9
2022-01-13 23:47:12.467 SEVERE: [1862] net.sf.fmj.media.Log.error() Error: Unable to realize net.sf.fmj.media.ProcessEngine@4bb1f560
INFO: [106] org.jitsi.jigasi.JvbConference.callStateChanged().1466 [ctx=16421068321113062298574] JVB conference call IN_PROGRESS.
WARNING: [106] org.jitsi.jigasi.stats.StatsHandler.startConferencePeriodicRunnable().329 [ctx=16421068321111062298574] Stats handler missing for call:Call: id=16421068323501160550140 peers=1
SEVERE: [1891] net.sf.fmj.media.Log.error() Unable to handle format: LINEAR, 48000.0 Hz, 16-bit, Mono, LittleEndian, Signed
SEVERE: [1891] net.sf.fmj.media.Log.error() Failed to prefetch: net.sf.fmj.media.ProcessEngine@44d878c5
SEVERE: [1890] net.sf.fmj.media.Log.error() Error: Unable to prefetch net.sf.fmj.media.ProcessEngine@44d878c5

JIGASI_HOSTNAME doesn’t matter.

Not sure about the errors … haven’t used jigasi in transcoding mode recently …
I think I was seeing them before

Looking at the logs, I think that the problem is related to the OpenJDK version

I have Ubuntu installed with OpenJDK 17

You need to use java8 with jigasi.

Is it possible to use OpenJDK 11 ?

In “Self-Hosting Guide - Debian/Ubuntu server” it is written: “OpenJDK 8 or OpenJDK 11 must be used.”

What’s wrong with OpenJDK 17 ?

Doesn’t work with jigasi.
Try java11 it may work.

Damian, Thank You.
With OpenJDK 11, it works.

One more question. Would you show instructions on how to start a conference in the opposite direction, starting with a SIP user call.
And what settings need to be made in Jigasi, or perhaps even on the Asterisk side.

You just need to call that user passing a sip header with the meeting name and another one with the domain name.
Good example Jitsi phone dial-in and IVR connector | Tutorials | Voximplant.com
jitsi-connector/inbound.js at eaf4ffaac638657eeca0850040807520013ebd7d · voximplant/jitsi-connector · GitHub
net.java.sip.communicator.impl.protocol.sip.acc012345678901.JITSI_MEET_ROOM_HEADER_NAME=X-Room-Name

I assumed that an option was possible: a call to a SIP account associated with Jigasi.

For example, a call to the number: jigasi_sip_number*user_pin*room_name*room_pass

The conference with the room name “room_name” will start with the password “room_pass”.
Or something similar.
On the sip account server, allow incoming calls to “jigasi_sip_number” only from certain numbers with the specified “user_pin” (protection against number substitution).
Or use the sip server’s voice menu to get the parameters for starting a conference from a specific user.

As far as I understood from the previous post, a call can only be arranged to one pre-planned room made in the Jigasi settings.

net.java.sip.communicator.impl.protocol.sip.acc012345678901.JITSI_MEET_ROOM_HEADER_NAME=X-Room-Name

And this room name - “X-Room-Name” is pre-defined in the settings and invariably except through the configuration file?
file: /etc/jitsi/jigasi/sip-communicator.properties

A call from an external sip user with the creation of a room with the entered digital name is not possible?

I want to use only Asterisk and not some kind of service like “Voximplant”

What you can do with Voximplant, you can do with Asterisk. I just gave you well-documented steps that you need to follow in order to achieve this, and you can always adapt them to Asterisk or whatever PBX you are using. You need to create an IVR (one is created for Voximplant) that will answer the call and ask for a PIN; you will get the room name from the conference mapper service, and you will set that room name in the SIP header when calling Jigasi, so Jigasi will know which room to join. This is very well described in the links I sent.
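The data handling behind the IVR flow described above, as an added example that is not part of the original thread: it validates the caller's PIN, takes the room name from a conference mapper reply, and refuses values that could forge extra SIP headers. The reply shape, the domain header name `X-Domain-Base`, the PIN policy and the allow-list are assumptions; only `X-Room-Name` comes from the thread.

```python
import json
import re

ROOM_HEADER = "X-Room-Name"      # JITSI_MEET_ROOM_HEADER_NAME value from the thread
DOMAIN_HEADER = "X-Domain-Base"  # hypothetical name; the thread does not give one
PIN_RE = re.compile(r"[0-9]{4,12}")              # assumed PIN policy
SAFE_RE = re.compile(r"[A-Za-z0-9._-]{1,128}")   # assumed allow-list for values

# Constructed mapper replies; the {"conference": "room@muc-domain"} shape is assumed.
GOOD_REPLY = '{"id": 1234567, "conference": "standup@conference.jitsi.mydomain.com"}'
BAD_REPLY = '{"id": 1234567, "conference": "standup\\r\\nX-Injected: 1@conference.x"}'

def room_from_mapper(pin, mapper_body):
    """Validate the DTMF PIN, then pull the room name out of the mapper reply."""
    if not PIN_RE.fullmatch(pin):
        raise ValueError("PIN must be 4-12 digits")
    conference = json.loads(mapper_body).get("conference")
    if not isinstance(conference, str) or "@" not in conference:
        raise ValueError("no conference mapped to this PIN")
    return conference.split("@", 1)[0]

def sip_headers(pin, mapper_body, domain):
    """Headers the IVR adds to the call it places to Jigasi's SIP account."""
    room = room_from_mapper(pin, mapper_body)
    for value in (room, domain):
        # CR/LF, ':' or spaces here would let caller-influenced data forge
        # extra SIP headers, so anything outside the allow-list is refused.
        if not SAFE_RE.fullmatch(value):
            raise ValueError("unsafe characters in header value: %r" % value)
    return {ROOM_HEADER: room, DOMAIN_HEADER: domain}

if __name__ == "__main__":
    print(sip_headers("1234567", GOOD_REPLY, "jitsi.mydomain.com"))
```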

Damian, thank you.
I will carefully read your link again.

Search the forum; there were some Asterisk examples.