Jitsi + ldap, jwt, nat

Hey there! :smiling_face_with_tear:
Have some questions!
LDAP:
Every authorized person has moderator rights, which is not good. Is that supposed to be like that, or am I missing something? (Without LDAP only the room creator can be moderator.)
JWT:
installed all plugins,
added token auth in prosody,
added token auth in the conference MUC,
added app id, secret, and nothing! Logs show all ok.
I thought maybe I'm generating wrong tokens on jwt.io, so I did the Rocket.Chat integration with JWT tokens, and nothing!
Maybe I missed something to configure?
Will JWT work without publishing Jitsi behind NAT?

JWT should work if the client can access Jitsi UI

thx!
Now I have this error:
warn No available SASL mechanisms, verify that the configured authentication module is working
Debian 11, Prosody 0.12, Lua 5.1, 5.2

Check your prosody logs for errors, errors on startup.

May 23 20:17:09 mod_posix warn Received SIGTERM
May 23 20:17:09 startup info Shutting down: Received SIGTERM
May 23 20:17:09 portmanager info Deactivated service 'c2s'
May 23 20:17:09 portmanager info Deactivated service 'c2s_direct_tls'
May 23 20:17:09 portmanager info Deactivated service 'legacy_ssl'
May 23 20:17:09 mod_c2s info Waiting for sessions to close
May 23 20:17:09 c2s56329a3ef3b0 info Client disconnected: connection closed
May 23 20:17:09 c2s56329aa8ad00 info Client disconnected: connection closed
May 23 20:17:09 portmanager info Deactivated service 's2s'
May 23 20:17:09 portmanager info Deactivated service 's2s_direct_tls'
May 23 20:17:09 startup info Hello and welcome to Prosody version 0.12.0
May 23 20:17:09 startup info Prosody is using the epoll backend for connection handling
May 23 20:17:09 portmanager info Activated service 'c2s' on [::]:5222, []:5222
May 23 20:17:09 portmanager info Activated service 'c2s_direct_tls' on no ports
May 23 20:17:09 portmanager info Activated service 'legacy_ssl' on no ports
May 23 20:17:09 portmanager info Activated service 's2s' on [::]:5269, []:5269
May 23 20:17:09 portmanager info Activated service 's2s_direct_tls' on no ports
May 23 20:17:09 auth.meet. .ru:tls info Certificates loaded
May 23 20:17:09 breakout.meet. .ru:tls info Certificates loaded
May 23 20:17:09 breakout.meet. .ru:muc_domain_mapper info Loading mod_muc_domain_mapper for host auth.meet. .ru!
May 23 20:17:09 breakout.meet. .ru:muc_domain_mapper info Loading mod_muc_domain_mapper for host breakout.meet. .ru!
May 23 20:17:09 breakout.meet. .ru:muc_domain_mapper info Loading mod_muc_domain_mapper for host speakerstats.meet. .ru!
May 23 20:17:09 general info Starting speakerstats for conference.meet. .ru
May 23 20:17:09 speakerstats.meet. .ru:speakerstats_component info No muc component found, will listen for it: conference.meet. .ru
May 23 20:17:09 speakerstats.meet. .ru:tls info Certificates loaded
May 23 20:17:09 breakout.meet. .ru:muc_domain_mapper info Loading mod_muc_domain_mapper for host avmoderation.meet. .ru!
May 23 20:17:09 avmoderation.meet. .ru:av_moderation_component info Starting av_moderation for conference.meet. .ru
May 23 20:17:09 avmoderation.meet. .ru:av_moderation_component info No muc component found, will listen for it: conference.meet. .ru
May 23 20:17:09 avmoderation.meet. .ru:tls info Certificates loaded
May 23 20:17:09 internal.auth.meet. .ru:tls info Certificates loaded
May 23 20:17:09 breakout.meet. .ru:muc_domain_mapper info Loading mod_muc_domain_mapper for host internal.auth.meet. .ru!
May 23 20:17:09 meet. .ru:tls info Certificates loaded
May 23 20:17:09 meet. .ru:muc_breakout_rooms info Breakout rooms component created breakout.meet. .ru
May 23 20:17:09 meet. .ru:muc_breakout_rooms info Hook to muc events on breakout.meet. .ru
May 23 20:17:09 mod_bosh info The 'cross_domain_bosh' option has been deprecated
May 23 20:17:09 portmanager info Activated service 'http' on [::1]:5280, [127.0.0.1]:5280
May 23 20:17:09 portmanager info Activated service 'https' on [::]:5281, []:5281
May 23 20:17:09 meet. .ru:http info Serving 'bosh' at https://:5281/http-bind
May 23 20:17:09 breakout.meet.carmoney.ru:muc_domain_mapper info Loading mod_muc_domain_mapper for host meet. .ru!
May 23 20:17:09 breakout.meet. .ru:muc_domain_mapper info Loading mod_muc_domain_mapper for host conference.meet. .ru!
May 23 20:17:09 speakerstats.meet. .ru:speakerstats_component info Hook to muc events on conference.meet. .ru
May 23 20:17:09 avmoderation.meet. .ru:av_moderation_component info Hook to muc events on conference.meet. .ru
May 23 20:17:09 meet. .ru:muc_breakout_rooms info Hook to muc events on conference.meet. .ru
May 23 20:17:09 conference.meet. .ru:muc_domain_mapper info Loading mod_muc_domain_mapper for host auth.meet. .ru!
May 23 20:17:09 conference.meet. .ru:muc_domain_mapper info Loading mod_muc_domain_mapper for host breakout.meet. .ru!
May 23 20:17:09 conference.meet. .ru:muc_domain_mapper info Loading mod_muc_domain_mapper for host speakerstats.meet. .ru!
May 23 20:17:09 conference.meet. .ru:muc_domain_mapper info Loading mod_muc_domain_mapper for host avmoderation.meet. .ru!
May 23 20:17:09 conference.meet. .ru:muc_domain_mapper info Loading mod_muc_domain_mapper for host conference.meet. .ru!
May 23 20:17:09 conference.meet. .ru:muc_domain_mapper info Loading mod_muc_domain_mapper for host internal.auth.meet. .ru!
May 23 20:17:09 conference.meet. .ru:muc_domain_mapper info Loading mod_muc_domain_mapper for host meet. .ru!
May 23 20:17:09 conference.meet. .ru:tls info Certificates loaded
May 23 20:17:09 breakout.meet. .ru:muc_domain_mapper info Loading mod_muc_domain_mapper for host focus.meet. .ru!
May 23 20:17:09 conference.meet. .ru:muc_domain_mapper info Loading mod_muc_domain_mapper for host focus.meet. .ru!
May 23 20:17:09 focus.meet. .ru:tls info Certificates loaded
May 23 20:17:09 breakout.meet. .ru:muc_domain_mapper info Loading mod_muc_domain_mapper for host lobby.meet. .ru!
May 23 20:17:09 conference.meet. .ru:muc_domain_mapper info Loading mod_muc_domain_mapper for host lobby.meet. .ru!
May 23 20:17:09 meet. .ru:muc_lobby_rooms info Lobby component loaded lobby.meet. .ru
May 23 20:17:09 lobby.meet. .ru:tls info Certificates loaded
May 23 20:17:09 breakout.meet. .ru:muc_domain_mapper info Loading mod_muc_domain_mapper for host conferenceduration.meet. .ru!
May 23 20:17:09 conference.meet. .ru:muc_domain_mapper info Loading mod_muc_domain_mapper for host conferenceduration.meet. .ru!
May 23 20:17:09 general info Starting conference duration timer for conference.meet. .ru
May 23 20:17:09 conferenceduration.meet. .ru:conference_duration_component info Hook to muc events on conference.meet. .ru
May 23 20:17:09 conferenceduration.meet. .ru:tls info Certificates loaded
May 23 20:17:09 breakout.meet. .ru:muc_domain_mapper info Loading mod_muc_domain_mapper for host localhost!
May 23 20:17:09 conference.meet. .ru:muc_domain_mapper info Loading mod_muc_domain_mapper for host localhost!
May 23 20:17:09 localhost:tls info Certificates loaded
May 23 20:17:11 c2s562343b07c00 info Client connected
May 23 20:17:12 c2s562343b07c00 info Stream encrypted (TLSv1.3 with TLS_AES_256_GCM_SHA384)
May 23 20:17:12 c2s562343ec76b0 info Client connected
May 23 20:17:12 c2s562343b07c00 info Authenticated as focus@auth.meet. .ru
May 23 20:17:12 auth.meet.carmoney.ru:limits_exception info Setting stanza size limits for focus@auth.meet.carmoney.ru to 10485760
May 23 20:17:13 c2s562343ec76b0 info Stream encrypted (TLSv1.3 with TLS_AES_256_GCM_SHA384)
May 23 20:17:13 c2s562343ec76b0 info Authenticated as jvb@auth.meet. .ru
May 23 20:17:13 auth.meet. .ru:limits_exception info Setting stanza size limits for jvb@auth.meet. .ru to 10485760
May 23 20:17:13 c2s562343f0c4c0 info Client connected
May 23 20:17:13 c2s562343f0c4c0 info Client disconnected: connection closed

In prosody.log I see only info, on prosody.err nothing

Rocks installed for Lua 5.2

basexx
0.4.1-1 (installed) - /usr/local/lib/luarocks/rocks-5.2

lbase64
20120807-3 (installed) - /usr/local/lib/luarocks/rocks-5.2

lua-cjson
2.1.0-1 (installed) - /usr/local/lib/luarocks/rocks-5.2

luacrypto
0.3.2-2 (installed) - /usr/local/lib/luarocks/rocks-5.2

luajwtjitsi
3.0-0 (installed) - /usr/local/lib/luarocks/rocks-5.2

luaossl
20200709-0 (installed) - /usr/local/lib/luarocks/rocks-5.2

Well, looks good now.
It was a problem with Lua 5.1 / 5.2.
So I removed all Lua.
After that: installed 5.2 only, with basexx, lbase64, luacrypto etc. => installed jitsi-meet again => installed jwt; looks good now.
Testing.

btw
Has anyone done JWT + Keycloak?
Found a couple of docker images on GitHub,
but there are no guides at all
https://hub.docker.com/r/d3473r/jitsi-keycloak
“Add a public openid-connect client in your keycloak realm — ??
Download the keycloak.json file for your client and put it in the config directory. – from where (>.<)!!!
Allow this app from keycloak (jitsi-keycloak running on https://auth.meet.example.com)” – aaaghh
:face_with_symbols_over_mouth::rage::face_with_symbols_over_mouth:

ok, guys, is there any way to make login through LDAP and JWT both at the same time?
Like make an additional VirtualHost?
@emrah @damencho
also:
what I'm trying to do
I need JWT for the Rocket.Chat integration.
BTW that had been working for a couple of days, and then broke (no changes were done at Rocket or Jitsi at all); in the logs there was only an error about the token being expired (time and timezones are the same on both servers)
So I'm trying to do 1) Rocket + Jitsi using JWT,
but at the same time some users need to 2) make some calls directly on Jitsi (without making tokens on jwt.io etc.).
So, what is the right and less difficult way?

You may develop/use a custom login panel that redirects authenticated LDAP users to Jitsi server with a token

Sounds tough )))

Any idea what happened to the tokens?

well.
Tokens are back, working fine.
But I can't start recording (the button appears but is not accessible)

enableFeaturesBasedOnToken is true
allow_empty_token is true
And with a token, or w/o a token, the recording button appears but is unpressable )
@emrah @damencho Please help :smiling_face_with_tear:

The same problem with the screensharing button

Ohh, my bad, it wasn't fixed. That's why the buttons aren't working (something is still wrong with the tokens)

May 30 14:30:42 mod_bosh info New BOSH session, assigned it sid 'bf71db05-fc7b-421d-b5c4-e7f968789f6b'
May 30 14:30:42 c2s55b63e841c20 info Client connected
May 30 14:30:42 c2s55b63e841c20 info Client disconnected: connection closed
May 30 14:30:45 general warn Error verifying token err:not-allowed, reason:Not acceptable by nbf
May 30 14:30:47 c2s55b63e8a3090 info Client connected

UPD: the token trouble was a couple of seconds' difference between the servers.
ok.
Now jibri.
When enableUserRolesBasedOnToken: true,
jibri logs:
2022-05-30 14:52:14.657 FINE: [56] CallPage$visit$$inlined$measureTimedValue$lambda$1.apply#58: Not joined yet: Cannot read properties of undefined (reading 'isJoined')

When enableUserRolesBasedOnToken: true is commented out,
jibri logs:
2022-05-30 14:52:14.657 FINE: [56] CallPage$visit$$inlined$measureTimedValue$lambda$1.apply#58: Not joined yet: Cannot

allow_empty_token is true

Can you try with a token generated by jitok?

Tokens are ok now.
Troubles with jibri.

Does jibri work when switching to anonymous auth?

nope
CallPage$visit$$inlined$measureTimedValue$lambda$1.apply#58: Not joined yet: Cannot read properties of undefined (reading 'isJoined')

Did you check TUTORIAL: Jibri Overview, Troubleshooting Tips & Tricks - Solve your Jibri Problems, Quickly!

@emrah
I guess I found the reason.
Features based on token was set to true.
So when jibri connects to the conference it has no rights to start recording, because jibri connected with no token (allow empty token is also true).
But I need token-based features and recording.
I have no idea how to make it work.

Disabling enableUserRolesBasedOnToken doesn't help

:slightly_frowning_face:

jibri {
    // A unique identifier for this Jibri
    // TODO: eventually this will be required with no default
    id = "main"
    // Whether or not Jibri should return to idle state after handling
    // (successfully or unsuccessfully) a request. A value of 'true'
    // here means that a Jibri will NOT return back to the IDLE state
    // and will need to be restarted in order to be used again.
    single-use-mode = false
    api {
        http {
            external-api-port = 2222
            internal-api-port = 3333
        }
        xmpp {
            // See example_xmpp_envs.conf for an example of what is expected here
            environments = [
                {
                    name = "prod environment"
                    xmpp-server-hosts = ["meet. .ru"]
                    xmpp-domain = "meet. .ru"

                    // Brewery MUC where Jicofo finds idle Jibris
                    control-muc {
                        domain = "internal.auth.meet.********.ru"
                        room-name = "JibriBrewery"
                        nickname = "jibri-nickname"
                    }

                    // Account used to join the control MUC
                    control-login {
                        domain = "auth.meet.********.ru"
                        username = "jibri"
                        password = "********"
                    }

                    // Account Jibri uses to join the conference it records;
                    // this domain must exist as a VirtualHost in prosody
                    call-login {
                        domain = "recorder.meet.********.ru"
                        username = "recorder"
                        password = "********"
                    }

                    strip-from-room-domain = "conference."
                    usage-timeout = 0
                    trust-all-xmpp-certs = true
                }
            ]
        }
    }
    recording {
        recordings-directory = "/opt/recordings"
        # TODO: make this an optional param and remove the default
        finalize-script = "/opt/recording/finalize_recording.sh"
    }
    streaming {
        // A list of regex patterns for allowed RTMP URLs. The RTMP URL used
        // when starting a stream must match at least one of the patterns in
        // this list.
        rtmp-allow-list = [
            // By default, all services are allowed
            ".*"
        ]
    }
    chrome {
        // The flags which will be passed to chromium when launching
        flags = [
            "--use-fake-ui-for-media-stream",
            "--start-maximized",
            "--kiosk",
            "--enabled",
            "--disable-infobars",
            "--autoplay-policy=no-user-gesture-required"
        ]
    }
    stats {
        enable-stats-d = true
    }
    webhook {
        // A list of subscribers interested in receiving webhook events
        // (empty list: no webhooks are sent)
        subscribers = []
    }
    // Block left open so the braces balance; every setting inside stays
    // commented out, so no JWT is added to webhook requests.
    jwt-info {
        // The path to a .pem file which will be used to sign JWT tokens used in webhook
        // requests. If not set, no JWT will be added to webhook requests.
        # signing-key-path = "/path/to/key.pem"

        // The kid to use as part of the JWT
        # kid = "key-id"

        // The issuer of the JWT
        # issuer = "issuer"

        // The audience of the JWT
        # audience = "audience"

        // The TTL of each generated JWT.  Can't be less than 10 minutes.
        # ttl = 1 hour
    }

    call-status-checks {
        // If all clients have their audio and video muted and if Jibri does not
        // detect any data stream (audio or video) coming in, it will stop
        // recording after NO_MEDIA_TIMEOUT expires.
        no-media-timeout = 30 seconds

        // If all clients have their audio and video muted, Jibri considers this
        // as an empty call and stops the recording after ALL_MUTED_TIMEOUT expires.
        all-muted-timeout = 10 minutes

        // When detecting if a call is empty, Jibri takes into consideration for how
        // long the call has been empty already. If it has been empty for more than
        // DEFAULT_CALL_EMPTY_TIMEOUT, it will consider it empty and stop the recording.
        default-call-empty-timeout = 30 seconds
    }
}

prosody

plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }

-- domain mapper options, must at least have domain base set to use the mapper
muc_mapper_domain_base = "meet.*****.ru";

external_service_secret = ".";
external_services = {
    { type = "stun", host = "meet….ru", port = 3478 },
    { type = "turn", host = "meet….ru", port = 3478, transport = "udp", secret = true, ttl = 86400, algorithm = "turn" },
    { type = "turns", host = "meet….ru", port = 5349, transport = "tcp", secret = true, ttl = 86400, algorithm = "turn" }
};

cross_domain_bosh = false;
consider_bosh_secure = true;

--http_cors_override = {
--    bosh = {
--        enabled = false;
--    };
--    websocket = {
--        enabled = false;
--    };
--}

-- Mozilla SSL Configuration Generator
ssl = {
    protocol = "tlsv1_2+";
    ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
}

unlimited_jids = {
    "focus@auth.meet….ru",
    "jvb@auth.meet….ru"
}

VirtualHost "meet….ru"
    -- enabled = false -- Remove this line to enable this host
    authentication = "token"
    -- authentication = 'ldap2'
    -- authentication = "anonymous"
    -- Properties below are modified by jitsi-meet-tokens package config
    -- and authentication above is switched to "token"
    app_id = "."
    app_secret = "...."
    allow_empty_token = true;
    -- Assign this host a certificate for TLS, otherwise it would use the one
    -- set in the global section (if any).
    -- Note that old-style SSL on port 5223 only supports one certificate, and will always
    -- use the global one.
    ssl = {
        -- key = "/home/cert.key";
        -- certificate = "/home/cert.crt";
        key = "/etc/prosody/certs/meet….ru.key";
        certificate = "/etc/prosody/certs/meet….ru.crt";
    }
    av_moderation_component = "avmoderation.meet….ru"
    speakerstats_component = "speakerstats.meet….ru"
    conference_duration_component = "conferenceduration.meet….ru"
    -- we need bosh
    modules_enabled = {
        "bosh";
        "pubsub";
        "ping"; -- Enable mod_ping
        "speakerstats";
        "external_services";
        "conference_duration";
        "muc_lobby_rooms";
        "muc_breakout_rooms";
        "av_moderation";
    }
    c2s_require_encryption = true
    lobby_muc = "lobby.meet….ru"
    breakout_rooms_muc = "breakout.meet….ru"
    main_muc = "conference.meet….ru"
    muc_lobby_whitelist = { "recorder.meet…*****.ru" } -- Here we can whitelist jibri to enter lobby enabled rooms

Component "conference.meet….ru" "muc"
    restrict_room_creation = true
    storage = "memory"
    modules_enabled = {
        "muc_meeting_id";
        "muc_domain_mapper";
        "polls";
        "token_verification";
        "muc_rate_limit";
    }
    admins = { "focus@auth.meet….ru" }
    muc_room_locking = false
    muc_room_default_public_jids = true

Component "breakout.meet….ru" "muc"
    restrict_room_creation = true
    storage = "memory"
    modules_enabled = {
        "muc_meeting_id";
        "muc_domain_mapper";
        "token_verification";
        "muc_rate_limit";
        "polls";
    }
    admins = { "focus@auth.meet….ru" }
    muc_room_locking = false
    muc_room_default_public_jids = true

-- internal muc component
Component "internal.auth.meet….ru" "muc"
    storage = "memory"
    modules_enabled = {
        "ping";
    }
    admins = { "focus@auth.meet….ru", "jvb@auth.meet…*****.ru" }
    muc_room_locking = false
    muc_room_default_public_jids = true
    muc_room_cache_size = 1000

VirtualHost "auth.meet….ru"
    ssl = {
        key = "/etc/prosody/certs/auth.meet….ru.key";
        certificate = "/etc/prosody/certs/auth.meet…*****.ru.crt";
    }
    modules_enabled = {
        "limits_exception";
    }
    authentication = "internal_hashed"

-- Proxy to jicofo's user JID, so that it doesn't have to register as a component.
Component "focus.meet….ru" "client_proxy"
    target_address = "focus@auth.meet….ru"

Component "speakerstats.meet….ru" "speakerstats_component"
    muc_component = "conference.meet….ru"

Component "conferenceduration.meet….ru" "conference_duration_component"
    muc_component = "conference.meet….ru"

Component "avmoderation.meet….ru" "av_moderation_component"
    muc_component = "conference.meet….ru"

Component "lobby.meet…*****.ru" "muc"
    storage = "memory"
    restrict_room_creation = true
    muc_room_locking = false
    muc_room_default_public_jids = true
    modules_enabled = {
        "muc_rate_limit";
        "polls";
    }

-- Enabled dial-in for JaaS customers
-- Note: make sure you have the following packages installed: lua-basexx, liblua5.3-dev, libssl-dev, luarocks
-- and execute $ sudo luarocks install luajwtjitsi 3.0-0
VirtualHost "jigasi.meet.jitsi"
    enabled = false -- JaaS customers remove this line
    modules_enabled = {
        "ping";
        "bosh";
    }
    authentication = "token"
    app_id = "jitsi";
    asap_key_server = "https://jaas-public-keys.jitsi.net/jitsi-components/prod-8x8"
    asap_accepted_issuers = { "jaas-components" }
    asap_accepted_audiences = { "jigasi.meet…*****.ru" }

-- Host the recorder account logs in to; note that jibri.conf's call-login
-- domain is "recorder.meet.********.ru", without the "jibri." label, and
-- muc_lobby_whitelist above uses the same shorter name
VirtualHost "recorder.jibri.meet…*****.ru"
    modules_enabled = {
        "ping";
    }
    authentication = "internal_plain"

--VirtualHost "guest.meet…*****.ru"
--    authentication = "anonymous"
--    c2s_require_encryption = false

  • Does jibri work when the authentication method is "anonymous"?

  • Jibri doesn't need a token because it has a separate virtualhost (recorder.xx.xx) and auth method. Moderators need a valid token with the needed features. Check jitok
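As an added example (not part of this thread, and not Jitsi's or luajwtjitsi's own code), here is a minimal HS256 minter and verifier in Python that ties together the two token points raised above: the "Not acceptable by nbf" rejection that turned out to be a few seconds of clock skew, and the per-user features that a moderator's token has to carry before the recording button becomes usable. It uses only the standard library. APP_ID, APP_SECRET, DOMAIN, the room name and the user name are constructed placeholders; the claim layout (iss, aud, sub, room, nbf, exp, context.features) follows the Jitsi token format; the `leeway` parameter is my addition to show how small a skew trips the check, and is not a setting of the prosody verifier, so the fix remains what the UPD found: keep the two servers' clocks in sync.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholders (assumption): the app_id / app_secret configured on the
# token-authenticated VirtualHost in prosody, and the Jitsi domain.
APP_ID = "example_app_id"
APP_SECRET = "example_app_secret_change_me"
DOMAIN = "meet.example.com"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(room: str, now: int, features: dict, ttl: int = 3600,
               secret: str = APP_SECRET) -> str:
    """Mint an HS256 JWT with the claims Jitsi's token auth checks.

    `now` is the issuer's clock (seconds since the epoch). nbf is set to it, as
    jwt.io does when the current time is pasted in, which is exactly what a
    prosody host whose clock runs a few seconds behind will reject.
    """
    def compact(obj) -> bytes:
        return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()

    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": APP_ID,      # must equal the configured app_id
        "aud": APP_ID,      # accepted audience
        "sub": DOMAIN,      # the VirtualHost the token is valid for (or "*")
        "room": room,       # the room name ("*" would allow any room)
        "nbf": now,
        "exp": now + ttl,
        "context": {
            "user": {"name": "Alice"},   # constructed display name
            "features": features,        # e.g. {"recording": True}
        },
    }
    signing_input = f"{_b64url(compact(header))}.{_b64url(compact(payload))}"
    signature = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(signature)}"


def verify_token(token: str, now: int, secret: str = APP_SECRET, leeway: int = 0):
    """Check the signature first, then the claims.

    Returns (True, claims) or (False, reason); the reason strings echo the one
    seen in prosody.log. `now` is the verifier's clock. `leeway` is a tolerance
    in seconds added here for illustration only.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    head_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(head_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return False, "malformed token"
    if header.get("alg") != "HS256":  # pin the algorithm before trusting the header
        return False, "unexpected alg"
    expected = hmac.new(secret.encode(), f"{head_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "signature mismatch"
    if claims.get("iss") != APP_ID:
        return False, "invalid issuer"
    aud = claims.get("aud")
    if APP_ID not in (aud if isinstance(aud, list) else [aud]):
        return False, "invalid audience"
    if claims.get("sub") not in (DOMAIN, "*"):
        return False, "invalid subject"
    if "nbf" in claims and now + leeway < claims["nbf"]:
        return False, "Not acceptable by nbf"
    if "exp" in claims and now - leeway >= claims["exp"]:
        return False, "Not acceptable by exp"
    return True, claims


def feature_allowed(claims: dict, feature: str) -> bool:
    """True only if the token explicitly grants the feature, e.g. "recording"."""
    return bool(claims.get("context", {}).get("features", {}).get(feature))


def demo():
    issuer_clock = 1_700_000_000
    token = mint_token("standup", issuer_clock, {"recording": True, "livestreaming": False})
    skewed = verify_token(token, issuer_clock - 3)       # verifier 3 s behind: rejected
    ok, claims = verify_token(token, issuer_clock + 1)   # clocks in sync: accepted
    return skewed, ok, feature_allowed(claims, "recording"), feature_allowed(claims, "livestreaming")


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: the signature is verified before any claim is read, so an attacker-controlled payload never steers the logic, and `alg` is pinned rather than taken from the header. A token that carries no `context.features` at all yields `False` for every feature, which is why an empty-token Jibri session cannot start a recording while enableFeaturesBasedOnToken is on.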