Jitsi-meet LDAP Active Directory authentication - how to get log info

#1

Hi,

I’m new to Jitsi-meet and prosody.

I’m running Debian, and the “quick install” guide went fine. I can use Jitsi-meet with “anonymous” access.

I am now trying to force LDAP/AD authentication. So I installed “prosody-modules”, and configured the following:

/etc/prosody/conf.d# cat ldap.cfg.lua
authentication = 'ldap'

ldap = {
    ldap_server = 'myASserverIP:389',
    ldap_rootdn = 'cn=ldapbindusername,cn=Users,dc=mydomain,dc=org',
    ldap_password = 'mypassword',
    -- use_tls = true,
    user = {
        basedn = 'cn=Users,dc=mydomain,dc=org',
        filter = '(&(objectClass=User)(AccountActive=TRUE))',
        usernamefield = 'sAMAccountName',
        namefield = 'cn',
    },
}

I changed the file /etc/prosody/conf.d/myjitmeet.mydomain.org.cfg.lua so that authentication = "ldap2".

I also set logging to “debug”:

log = {
        debug = "/var/log/prosody/prosody.log";
}

I even added “auth_ldap2” to “modules_enabled” even though I’m guessing it’s not strictly necessary.

In the prosody log I can see that the ldap2 module is loaded:
usermanager debug host 'myjitmeet.mydomain.org' now set to use user provider 'ldap2'
modulemanager debug auth_ldap2 is already loaded for myjitmeet.mydomain.org, so not loading again

However, when I connect my browser to my jit-meet URL I get no user login prompt (it’s as if it were in anonymous mode). Furthermore, I ran the following while connecting to the URL and opening a “conference room”:

# tcpdump -n -i enp5s3 host AD_server_IP_addr

where enp5s3 is the NIC on the server where prosody is running.
I don’t see any LDAP-related traffic.

Also, the debug logs do not show anything related to LDAP except for the fact that the ldap2 module was loaded.

Why am I not seeing any LDAP traffic at all?

Thanks!

#2

There must be something wrong with the “jitsi client” side because after I modified my ldap.cfg.lua file with the following setting:

filter = '(objectClass=User)'

I could connect with Jitsi Desktop as an XMPP client. I can now see the LDAP messages in the Prosody log. The problem with the Jitsi-meet web site is that the user is never asked to enter his/her credentials. I must be missing something.

Any ideas?

#3

The only way I can get jitsi-meet to show me a user/password login form is if I use

authentication = "internal_plain"

There’s no way the jitsi-meet web page will show me the same login form if I use either one of these:

authentication = "ldap2"
authentication = "external"

Is this a known bug or a lack of feature?
The documentation doesn’t seem to reflect this.

#4

I have no experience using ldap, but there are a number of people using that successfully, have you searched in the forum for their posts and configurations?

#5

Take a look at this, maybe it can help: https://github.com/jitsi/docker-jitsi-meet/pull/75

#6

Hi,

Try to remove filter, I don’t think it’s necessary. I got some errors when I tried with that.

Otherwise, can you send me your “domain.com.cfg.lua” file?

#7

damencho, of course I’ve searched the forum, and found useful information from helpful users.

saghul, thanks for the link, but I think my issue is a lot simpler. I don’t need sasl/ldap. I only require jitsi-meet (the web UI) to actually ask the user his/her credentials. In fact, instead of mod_auth_ldap2 I could very well use another module such as auth_external.

Yann, I don’t think the filter has anything to do with it because the exact same config works just fine if I connect with eg. Jitsi Desktop (add XMPP account, jabber ID myLDAPname@meet.mydomain.org, myLDAPpassword). The main problem is that the jitsi-meet web UI does NOT give me the chance to input username + password when authentication is either ldap2 or external.

Anyway, here’s my full cfg file:

# cat /etc/prosody/conf.d/meet.mydomain.org.cfg.lua
VirtualHost "meet.mydomain.org"
        authentication = "ldap2"
--     authentication = "external"
--     external_auth_command = "/etc/prosody/conf.d/my_auth.sh"
        ssl = {
                key = "/etc/prosody/certs/meet.mydomain.org.key";
                certificate = "/etc/prosody/certs/meet.mydomain.org.crt";
        }
        modules_enabled = {
            "bosh";
            "pubsub";
            "ping";
        }

        c2s_require_encryption = false

Component "conference.meet.mydomain.org" "muc"
    storage = "null"
    --modules_enabled = { "token_verification" }
admins = { "focus@auth.meet.mydomain.org" }

Component "jitsi-videobridge.meet.mydomain.org"
    component_secret = "czzEeVRH"

VirtualHost "auth.meet.mydomain.org"
    ssl = {
        key = "/etc/prosody/certs/auth.meet.mydomain.org.key";
        certificate = "/etc/prosody/certs/auth.meet.mydomain.org.crt";
    }
    authentication = "internal_plain"

Component "focus.meet.mydomain.org"
    component_secret = "lqrfPXSD"

By the way, it’s the first time I’m installing jitsi-meet, and I’m using the Debian packages. I don’t understand why the debian config put in the “auth.meet.mydomain.org” virtual host when it’s not configured in apache (I’m using apache). Only “meet.mydomain.org” is defined in apache. Anyway, this is probably not relevant here.

Thanks

#8

I’d also like to add this other config file in case it’s of any use to solve this issue:

# cat /etc/jitsi/meet/meet.mydomain.org-config.js
var config = {
    hosts: {
        domain: 'meet.mydomain.org',
        muc: 'conference.meet.mydomain.org'
    },

    bosh: '//meet.mydomain.org/http-bind',

    clientNode: 'http://jitsi.org/jitsimeet',

    testing: {
        enableFirefoxSimulcast: false,

        p2pTestMode: false
    },

    disableSuspendVideo: true,

    desktopSharingChromeExtId: null,

    desktopSharingChromeSources: [ 'screen', 'window', 'tab' ],
    desktopSharingChromeMinExtVersion: '0.1',

    channelLastN: -1,

    enableWelcomePage: true,

    enableUserRolesBasedOnToken: false,

    p2p: {
        enabled: true,

        stunServers: [
            { urls: 'stun:stun.l.google.com:19302' },
            { urls: 'stun:stun1.l.google.com:19302' },
            { urls: 'stun:stun2.l.google.com:19302' }
        ],

        preferH264: true
    },

    analytics: {
    },

    deploymentInfo: {
    }

};

#9

You need authentication enabled in prosody. This is the idea, where the web tries to connect anonymously and the server responds with an error that authentication is required.
https://prosody.im/doc/authentication
If prosody fails to load it or something it may not return the error code that will deny anonymous connect. Check your prosody logs when restarting, do you see everything loaded normally?

These are xmpp virtual hosts and have nothing to do with web virtual hosts, it is just that the name of the main xmpp one is the same as the web virtual host. Those hosts are internal for the system and do not require DNS record or anything.

#10

I’m uploading a screenshot of a Firefox client trying to connect to my jitsi-meet installation with authentication = ldap2, if it’s of any use. User credentials are not asked for, the room “opens”, but I also notice that both camera and audio fail. Also, once I’m inside the room I can’t “hang up”. Clicking the red button does not do anything at all.

#11

I think you forgot to enable guest domain in “conf.d/domain.cfg.lua” then in hosts configuration.

VirtualHost "guest.domain.com"
    authentication = "anonymous"

#12

Did you check those? Are there any errors?

#13

damencho,

# cat /var/log/prosody/prosody.err

# cat /var/log/prosody/prosody.log

May 15 10:40:21 general info    Hello and welcome to Prosody version 0.9.12
May 15 10:40:21 general info    Prosody is using the select backend for connection handling
May 15 10:40:21 hostmanager     debug   Activated host: focus.meet.mydomain.org
May 15 10:40:21 portmanager     debug   No active service for component, activating...
May 15 10:40:21 socket  debug   server.lua: new server listener on '[127.0.0.1]:5347'
May 15 10:40:21 portmanager     debug   Added listening service component to [127.0.0.1]:5347
May 15 10:40:21 socket  debug   server.lua: new server listener on '[::1]:5347'
May 15 10:40:21 portmanager     debug   Added listening service component to [::1]:5347
May 15 10:40:21 portmanager     info    Activated service 'component' on [127.0.0.1]:5347, [::1]:5347
May 15 10:40:21 portmanager     debug   No active service for s2s, activating...
May 15 10:40:21 socket  debug   server.lua: new server listener on '[::]:5269'
May 15 10:40:21 portmanager     debug   Added listening service s2s to [::]:5269
May 15 10:40:21 socket  debug   server.lua: new server listener on '[*]:5269'
May 15 10:40:21 portmanager     debug   Added listening service s2s to [*]:5269
May 15 10:40:21 portmanager     info    Activated service 's2s' on [::]:5269, [*]:5269
May 15 10:40:21 hostmanager     debug   Activated host: meet.mydomain.org
May 15 10:40:21 usermanager     debug   host 'meet.mydomain.org' now set to use user provider 'ldap2'
May 15 10:40:21 portmanager     debug   No active service for http, activating...
May 15 10:40:21 socket  debug   server.lua: new server listener on '[::]:5280'
May 15 10:40:21 portmanager     debug   Added listening service http to [::]:5280
May 15 10:40:21 socket  debug   server.lua: new server listener on '[*]:5280'
May 15 10:40:21 portmanager     debug   Added listening service http to [*]:5280
May 15 10:40:21 portmanager     info    Activated service 'http' on [::]:5280, [*]:5280
May 15 10:40:21 portmanager     debug   No active service for https, activating...
May 15 10:40:21 socket  debug   server.lua: new ssl server listener on '[::]:5281'
May 15 10:40:21 portmanager     debug   Added listening service https to [::]:5281
May 15 10:40:21 socket  debug   server.lua: new ssl server listener on '[*]:5281'
May 15 10:40:21 portmanager     debug   Added listening service https to [*]:5281
May 15 10:40:21 portmanager     info    Activated service 'https' on [::]:5281, [*]:5281
May 15 10:40:21 meet.mydomain.org:http   debug   Serving 'bosh' at https://meet.mydomain.org:5281/http-bind
May 15 10:40:21 portmanager     debug   No active service for c2s, activating...
May 15 10:40:21 socket  debug   server.lua: new server listener on '[::]:5222'
May 15 10:40:21 portmanager     debug   Added listening service c2s to [::]:5222
May 15 10:40:21 socket  debug   server.lua: new server listener on '[*]:5222'
May 15 10:40:21 portmanager     debug   Added listening service c2s to [*]:5222
May 15 10:40:21 portmanager     info    Activated service 'c2s' on [::]:5222, [*]:5222
May 15 10:40:21 portmanager     debug   No active service for legacy_ssl, activating...
May 15 10:40:21 portmanager     info    Activated service 'legacy_ssl' on no ports
May 15 10:40:21 modulemanager   debug   auth_ldap2 is already loaded for meet.mydomain.org, so not loading again
May 15 10:40:21 mod_posix       info    Prosody is about to detach from the console, disabling further console output
May 15 10:40:21 mod_posix       info    Successfully daemonized to PID 2475
May 15 10:40:21 hostmanager     debug   Activated host: auth.meet.mydomain.org
May 15 10:40:21 auth.meet.mydomain.org:auth_internal_plain       debug   initializing internal_plain authentication provider for host 'auth.meet.mydomain.org'
May 15 10:40:21 usermanager     debug   host 'auth.meet.mydomain.org' now set to use user provider 'internal_plain'
May 15 10:40:21 hostmanager     debug   Activated host: conference.meet.mydomain.org
May 15 10:40:21 hostmanager     debug   Activated host: jitsi-videobridge.meet.mydomain.org
May 15 10:40:21 hostmanager     debug   Activated host: localhost
May 15 10:40:21 usermanager     debug   host 'localhost' now set to use user provider 'ldap2'
May 15 10:40:23 socket  debug   server.lua: accepted new client connection from 127.0.0.1:36556 to 5347
May 15 10:40:23 jcp18587a0      info    Incoming Jabber component connection
May 15 10:40:23 jcp18587a0      debug   Received[component_unauthed]: <handshake xmlns='jabber:component:accept'>
May 15 10:40:23 jitsi-videobridge.meet.mydomain.org:component    info    External component successfully authenticated
May 15 10:40:24 socket  debug   server.lua: accepted new client connection from 127.0.0.1:35154 to 5222
May 15 10:40:24 c2s18600d8      info    Client connected
May 15 10:40:24 c2s18600d8      debug   Client sent opening <stream:stream> to auth.meet.mydomain.org
May 15 10:40:24 c2s18600d8      debug   Sent reply <stream:stream> to client
May 15 10:40:24 c2s18600d8      debug   Received[c2s_unauthed]: <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'>
May 15 10:40:24 socket  debug   server.lua: we need to do tls, but delaying until send buffer empty
May 15 10:40:24 c2s18600d8      debug   TLS negotiation started for c2s_unauthed...
May 15 10:40:24 socket  debug   server.lua: attempting to start tls on tcp{client}: 0x185d2ec
May 15 10:40:24 socket  debug   server.lua: ssl handshake done
May 15 10:40:24 c2s18600d8      debug   Client sent opening <stream:stream> to auth.meet.mydomain.org
May 15 10:40:24 c2s18600d8      debug   Sent reply <stream:stream> to client
May 15 10:40:24 c2s18600d8      debug   Received[c2s_unauthed]: <auth mechanism='SCRAM-SHA-1' xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
May 15 10:40:24 auth.meet.mydomain.org:auth_internal_plain       debug   get_password for username 'focus' at host 'auth.meet.mydomain.org'
May 15 10:40:24 auth.meet.mydomain.org:saslauth  debug   sasl reply: <challenge xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>cj1rJTViTCtON2pOaCU8MCUlRV5rOS4wfCpDOTZbJjRQQ2Y4NjdhY2UxLTMwMDYtNGI1MS04NzI0LTNjYjYzMjFhNzY0YixzPVkySTBaV1U0WTJFdFlUa3lZUzAwTVRReUxUbGxZVE10TnpKak1ETXhaREZsTURRNSxpPTQwOTY=</challenge>
May 15 10:40:24 c2s18600d8      debug   Received[c2s_unauthed]: <response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
May 15 10:40:24 c2s18600d8      info    Authenticated as focus@auth.meet.mydomain.org
May 15 10:40:24 auth.meet.mydomain.org:saslauth  debug   sasl reply: <success xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>dj1HRU4xWEZEVnJoRktxQy84NW9tekF0MnRlWFE9</success>
May 15 10:40:24 c2s18600d8      debug   Client sent opening <stream:stream> to auth.meet.mydomain.org
May 15 10:40:24 c2s18600d8      debug   Sent reply <stream:stream> to client
May 15 10:40:24 c2s18600d8      debug   Received[c2s]: <iq id='6pjFf-56674' type='set'>
May 15 10:40:24 rostermanager   debug   load_roster: asked for: focus@auth.meet.mydomain.org
May 15 10:40:24 rostermanager   debug   load_roster: loading for new user: focus@auth.meet.mydomain.org
May 15 10:40:24 datamanager     debug   Assuming empty roster storage ('cannot open /var/lib/prosody/auth%2emeet%2emydomain%2eorg/roster/focus.dat: No such file or directory') for user: focus@auth.meet.mydomain.org
May 15 10:40:24 c2s18600d8      debug   Resource bound: focus@auth.meet.mydomain.org/focus38254570681
May 15 10:40:24 c2s18600d8      debug   Received[c2s]: <iq id='6pjFf-56676' type='get'>
May 15 10:40:24 c2s18600d8      debug   Received[c2s]: <iq id='6pjFf-56677' type='get' to='meet.mydomain.org'>
May 15 10:40:24 c2s18600d8      debug   Received[c2s]: <iq id='6pjFf-56680' type='get' to='focus.meet.mydomain.org'>
May 15 10:40:24 focus.meet.mydomain.org:component        warn    Component not connected, bouncing error for: <iq id='6pjFf-56680' type='get' to='focus.meet.mydomain.org' from='focus@auth.meet.mydomain.org/focus38254570681'>
May 15 10:40:24 c2s18600d8      debug   Received[c2s]: <iq id='6pjFf-56682' type='get' to='auth.meet.mydomain.org'>
May 15 10:40:24 c2s18600d8      debug   Received[c2s]: <iq id='6pjFf-56684' type='get' to='auth.meet.mydomain.org'>
May 15 10:40:24 c2s18600d8      debug   Received[c2s]: <iq id='6pjFf-56687' type='get' to='jitsi-videobridge.meet.mydomain.org'>
May 15 10:40:24 jcp18587a0      debug   Received[component]: <iq id='6pjFf-56687' type='result' to='focus@auth.meet.mydomain.org/focus38254570681' from='jitsi-videobridge.meet.mydomain.org'>
May 15 10:40:24 c2s18600d8      debug   Received[c2s]: <iq id='6pjFf-56689' type='get' to='jitsi-videobridge.meet.mydomain.org'>
May 15 10:40:24 jcp18587a0      debug   Received[component]: <iq id='6pjFf-56689' type='result' to='focus@auth.meet.mydomain.org/focus38254570681' from='jitsi-videobridge.meet.mydomain.org'>
May 15 10:40:24 c2s18600d8      debug   Received[c2s]: <iq id='6pjFf-56692' type='get' to='conference.meet.mydomain.org'>
May 15 10:40:24 c2s18600d8      debug   Received[c2s]: <presence id='6pjFf-56694'>
May 15 10:40:24 datamanager     debug   Assuming empty offline storage ('cannot open /var/lib/prosody/auth%2emeet%2emydomain%2eorg/offline/focus.list: No such file or directory') for user: focus@auth.meet.mydomain.org
May 15 10:40:24 c2s18600d8      debug   Received[c2s]: <iq id='disco' type='result' to='focus@auth.meet.mydomain.org'>
May 15 10:40:24 stanzarouter    debug   Discarding iq from c2s of type: result
May 15 10:40:25 socket  debug   server.lua: accepted new client connection from 127.0.0.1:36562 to 5347
May 15 10:40:25 jcp188ed98      info    Incoming Jabber component connection
May 15 10:40:25 jcp188ed98      debug   Received[component_unauthed]: <handshake xmlns='jabber:component:accept'>
May 15 10:40:25 focus.meet.mydomain.org:component        info    External component successfully authenticated
May 15 10:40:25 jcp188ed98      debug   Received[component]: <iq id='6pjFf-56698' type='get' to='meet.mydomain.org' from='focus.meet.mydomain.org'>
May 15 10:40:30 socket  debug   server.lua: accepted new client connection from ::1:42028 to 5280
May 15 10:40:30 http.server     debug   Firing event: POST meet.mydomain.org/http-bind/
May 15 10:40:30 mod_bosh        debug   Handling new request table: 0x1898ea0: <body rid='4283048738' xmlns='http://jabber.org/protocol/httpbind' to='meet.mydomain.org' xml:lang='en' wait='60' hold='1' content='text/xml; charset=utf-8' ver='1.6' xmpp:version='1.0' xmlns:xmpp='urn:xmpp:xbosh'/>
----------
May 15 10:40:30 mod_bosh        debug   BOSH body open (sid: <none>)
May 15 10:40:30 bosh5604133b-f648-440b-9014-e6ff3faed1ec        debug   BOSH session created for request from ::1
May 15 10:40:30 mod_bosh        info    New BOSH session, assigned it sid '5604133b-f648-440b-9014-e6ff3faed1ec'
May 15 10:40:30 mod_bosh        debug   We have an open request, so sending on that
May 15 10:40:30 mod_bosh        debug   Request destroyed: table: 0x1899228
May 15 10:40:30 bosh5604133b-f648-440b-9014-e6ff3faed1ec        debug   BOSH session marked as inactive (for 60s)
May 15 10:40:30 mod_bosh        debug   Session 5604133b-f648-440b-9014-e6ff3faed1ec has 0 out of 1 requests open
May 15 10:40:30 mod_bosh        debug   and there are 0 things in the send_buffer:
May 15 10:40:30 http.server     debug   Firing event: POST meet.mydomain.org/http-bind/
May 15 10:40:30 mod_bosh        debug   Handling new request table: 0x189f6f0: <body rid='4283048739' xmlns='http://jabber.org/protocol/httpbind' sid='5604133b-f648-440b-9014-e6ff3faed1ec'/>
----------
May 15 10:40:30 mod_bosh        debug   BOSH body open (sid: 5604133b-f648-440b-9014-e6ff3faed1ec)
May 15 10:40:30 mod_bosh        debug   Session 5604133b-f648-440b-9014-e6ff3faed1ec has 1 out of 1 requests open
May 15 10:40:30 mod_bosh        debug   and there are 0 things in the send_buffer:
May 15 10:40:30 mod_bosh        debug   Have nothing to say, so leaving request unanswered for now
May 15 10:40:33 jcp18587a0      debug   Received[component]: <iq id='eSJeg-30849' type='get' to='meet.mydomain.org' from='jitsi-videobridge.meet.mydomain.org'>
May 15 10:40:34 c2s18600d8      debug   Received[c2s]: <iq id='6pjFf-56699' type='get' to='jitsi-videobridge.meet.mydomain.org'>
May 15 10:40:34 jcp18587a0      debug   Received[component]: <iq id='6pjFf-56699' type='result' to='focus@auth.meet.mydomain.org/focus38254570681' from='jitsi-videobridge.meet.mydomain.org'>
May 15 10:40:34 c2s18600d8      debug   Received[c2s]: <iq id='6pjFf-56701' type='get' to='jitsi-videobridge.meet.mydomain.org'>
May 15 10:40:34 jcp18587a0      debug   Received[component]: <iq id='6pjFf-56701' type='result' to='focus@auth.meet.mydomain.org/focus38254570681' from='jitsi-videobridge.meet.mydomain.org'>
May 15 10:40:35 socket  debug   server.lua: accepted new client connection from ::1:42032 to 5280
May 15 10:40:35 http.server     debug   Firing event: POST meet.mydomain.org/http-bind/
May 15 10:40:35 mod_bosh        debug   Handling new request table: 0x18ac730: <body rid='4283048740' xmlns='http://jabber.org/protocol/httpbind' sid='5604133b-f648-440b-9014-e6ff3faed1ec' type='terminate'/>
----------
May 15 10:40:35 mod_bosh        debug   BOSH body open (sid: 5604133b-f648-440b-9014-e6ff3faed1ec)
May 15 10:40:35 mod_bosh        debug   Session 5604133b-f648-440b-9014-e6ff3faed1ec has 2 out of 1 requests open
May 15 10:40:35 mod_bosh        debug   and there are 0 things in the send_buffer:
May 15 10:40:35 mod_bosh        debug   We are holding too many requests, so...
May 15 10:40:35 mod_bosh        debug   ...sending an empty response
May 15 10:40:35 mod_bosh        debug   We have an open request, so sending on that
May 15 10:40:35 mod_bosh        debug   Request destroyed: table: 0x189fae0
May 15 10:40:35 mod_bosh        debug   Have nothing to say, so leaving request unanswered for now
May 15 10:40:35 bosh5604133b-f648-440b-9014-e6ff3faed1ec        debug   Closing session with 1 requests open
May 15 10:40:35 bosh5604133b-f648-440b-9014-e6ff3faed1ec        info    BOSH client disconnected
May 15 10:40:35 mod_bosh        debug   Request destroyed: table: 0x18acb50
May 15 10:40:35 bosh5604133b-f648-440b-9014-e6ff3faed1ec        debug   BOSH session marked as inactive (for 60s)
May 15 10:40:35 bosh5604133b-f648-440b-9014-e6ff3faed1ec        debug   Destroying session for (unknown) ((unknown)@meet.mydomain.org)
May 15 10:40:35 jcp188ed98      debug   Received[component]: <iq id='6pjFf-56703' type='get' to='meet.mydomain.org' from='focus.meet.mydomain.org'>
May 15 10:40:35 jcp188ed98      debug   Received[component]: <iq id='6pjFf-56704' type='get' to='meet.mydomain.org' from='focus.meet.mydomain.org'>
May 15 10:40:43 jcp18587a0      debug   Received[component]: <iq id='eSJeg-30853' type='get' to='meet.mydomain.org' from='jitsi-videobridge.meet.mydomain.org'>
May 15 10:40:44 c2s18600d8      debug   Received[c2s]: <iq id='6pjFf-56705' type='get' to='jitsi-videobridge.meet.mydomain.org'>
May 15 10:40:44 jcp18587a0      debug   Received[component]: <iq id='6pjFf-56705' type='result' to='focus@auth.meet.mydomain.org/focus38254570681' from='jitsi-videobridge.meet.mydomain.org'>
May 15 10:40:45 jcp188ed98      debug   Received[component]: <iq id='6pjFf-56707' type='get' to='meet.mydomain.org' from='focus.meet.mydomain.org'>
May 15 10:40:45 jcp188ed98      debug   Received[component]: <iq id='6pjFf-56708' type='get' to='meet.mydomain.org' from='focus.meet.mydomain.org'>

And here’s the log when I use Jitsi Desktop with XMPP jabber ID myLDAPuser@meet.mydomain.org (just so you can see the difference):

# cat /var/log/prosody/prosody.err

# cat /var/log/prosody/prosody.log

May 15 10:44:03 jcp18587a0      debug   Received[component]: <iq id='eSJeg-30933' type='get' to='meet.mydomain.org' from='jitsi-videobridge.meet.mydomain.org'>
May 15 10:44:04 c2s18600d8      debug   Received[c2s]: <iq id='6pjFf-56855' type='get' to='jitsi-videobridge.meet.mydomain.org'>
May 15 10:44:04 jcp18587a0      debug   Received[component]: <iq id='6pjFf-56855' type='result' to='focus@auth.meet.mydomain.org/focus38254570681' from='jitsi-videobridge.meet.mydomain.org'>
May 15 10:44:05 jcp188ed98      debug   Received[component]: <iq id='6pjFf-56857' type='get' to='meet.mydomain.org' from='focus.meet.mydomain.org'>
May 15 10:44:05 jcp188ed98      debug   Received[component]: <iq id='6pjFf-56858' type='get' to='meet.mydomain.org' from='focus.meet.mydomain.org'>
May 15 10:44:13 jcp18587a0      debug   Received[component]: <iq id='eSJeg-30937' type='get' to='meet.mydomain.org' from='jitsi-videobridge.meet.mydomain.org'>
May 15 10:44:14 c2s18600d8      debug   Received[c2s]: <iq id='6pjFf-56859' type='get' to='jitsi-videobridge.meet.mydomain.org'>
May 15 10:44:14 jcp18587a0      debug   Received[component]: <iq id='6pjFf-56859' type='result' to='focus@auth.meet.mydomain.org/focus38254570681' from='jitsi-videobridge.meet.mydomain.org'>
May 15 10:44:15 jcp188ed98      debug   Received[component]: <iq id='6pjFf-56861' type='get' to='meet.mydomain.org' from='focus.meet.mydomain.org'>
May 15 10:44:15 jcp188ed98      debug   Received[component]: <iq id='6pjFf-56862' type='get' to='meet.mydomain.org' from='focus.meet.mydomain.org'>
May 15 10:44:23 jcp18587a0      debug   Received[component]: <iq id='eSJeg-30941' type='get' to='meet.mydomain.org' from='jitsi-videobridge.meet.mydomain.org'>
May 15 10:44:24 c2s18600d8      debug   Received[c2s]: <iq id='6pjFf-56863' type='get' to='jitsi-videobridge.meet.mydomain.org'>
May 15 10:44:24 jcp18587a0      debug   Received[component]: <iq id='6pjFf-56863' type='result' to='focus@auth.meet.mydomain.org/focus38254570681' from='jitsi-videobridge.meet.mydomain.org'>
May 15 10:44:24 c2s18600d8      debug   Received[c2s]: <iq id='6pjFf-56865' type='get' to='meet.mydomain.org'>
May 15 10:44:24 c2s18600d8      debug   Received[c2s]: <iq id='6pjFf-56867' type='get' to='focus.meet.mydomain.org'>
May 15 10:44:24 jcp188ed98      debug   Received[component]: <iq id='6pjFf-56867' type='result' to='focus@auth.meet.mydomain.org/focus38254570681' from='focus.meet.mydomain.org'>
May 15 10:44:24 c2s18600d8      debug   Received[c2s]: <iq id='6pjFf-56869' type='get' to='auth.meet.mydomain.org'>
May 15 10:44:24 c2s18600d8      debug   Received[c2s]: <iq id='6pjFf-56871' type='get' to='jitsi-videobridge.meet.mydomain.org'>
May 15 10:44:24 jcp18587a0      debug   Received[component]: <iq id='6pjFf-56871' type='result' to='focus@auth.meet.mydomain.org/focus38254570681' from='jitsi-videobridge.meet.mydomain.org'>
May 15 10:44:24 c2s18600d8      debug   Received[c2s]: <iq id='6pjFf-56873' type='get' to='conference.meet.mydomain.org'>
May 15 10:44:25 jcp188ed98      debug   Received[component]: <iq id='6pjFf-56875' type='get' to='meet.mydomain.org' from='focus.meet.mydomain.org'>
May 15 10:44:25 jcp188ed98      debug   Received[component]: <iq id='6pjFf-56876' type='get' to='meet.mydomain.org' from='focus.meet.mydomain.org'>
May 15 10:44:33 jcp18587a0      debug   Received[component]: <iq id='eSJeg-30945' type='get' to='meet.mydomain.org' from='jitsi-videobridge.meet.mydomain.org'>
May 15 10:44:34 c2s18600d8      debug   Received[c2s]: <iq id='6pjFf-56877' type='get' to='jitsi-videobridge.meet.mydomain.org'>
May 15 10:44:34 jcp18587a0      debug   Received[component]: <iq id='6pjFf-56877' type='result' to='focus@auth.meet.mydomain.org/focus38254570681' from='jitsi-videobridge.meet.mydomain.org'>
May 15 10:44:34 socket  debug   server.lua: accepted new client connection from 10.215.144.48:52583 to 5222
May 15 10:44:34 c2s172b690      info    Client connected
May 15 10:44:34 c2s172b690      debug   Client sent opening <stream:stream> to meet.mydomain.org
May 15 10:44:34 c2s172b690      debug   Sent reply <stream:stream> to client
May 15 10:44:34 c2s172b690      debug   Received[c2s_unauthed]: <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'>
May 15 10:44:34 socket  debug   server.lua: we need to do tls, but delaying until send buffer empty
May 15 10:44:34 c2s172b690      debug   TLS negotiation started for c2s_unauthed...
May 15 10:44:34 socket  debug   server.lua: attempting to start tls on tcp{client}: 0x173b9e4
May 15 10:44:35 jcp188ed98      debug   Received[component]: <iq id='6pjFf-56879' type='get' to='meet.mydomain.org' from='focus.meet.mydomain.org'>
May 15 10:44:35 jcp188ed98      debug   Received[component]: <iq id='6pjFf-56880' type='get' to='meet.mydomain.org' from='focus.meet.mydomain.org'>
May 15 10:44:39 socket  debug   server.lua: ssl handshake done
May 15 10:44:39 c2s172b690      debug   Client sent opening <stream:stream> to meet.mydomain.org
May 15 10:44:39 c2s172b690      debug   Sent reply <stream:stream> to client
May 15 10:44:39 c2s172b690      debug   Received[c2s_unauthed]: <auth mechanism='PLAIN' xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
May 15 10:44:40 meet.mydomain.org:auth_ldap2     debug   _M.bind - who: CN=VDP,CN=Users,DC=mydomain,DC=org
May 15 10:44:40 c2s172b690      info    Authenticated as VDP@meet.mydomain.org
May 15 10:44:40 meet.mydomain.org:saslauth       debug   sasl reply: <success xmlns='urn:ietf:params:xml:ns:xmpp-sasl'></success>
May 15 10:44:40 c2s172b690      debug   Client sent opening <stream:stream> to meet.mydomain.org
May 15 10:44:40 c2s172b690      debug   Sent reply <stream:stream> to client
May 15 10:44:40 c2s172b690      debug   Received[c2s]: <iq id='3I60R-1' type='set'>
May 15 10:44:40 rostermanager   debug   load_roster: asked for: VDP@meet.mydomain.org
May 15 10:44:40 rostermanager   debug   load_roster: loading for new user: VDP@meet.mydomain.org
May 15 10:44:40 datamanager     debug   Assuming empty roster storage ('cannot open /var/lib/prosody/meet%2emydomain%2eorg/roster/VDP.dat: No such file or directory') for user: VDP@meet.mydomain.org
May 15 10:44:40 c2s172b690      debug   Resource bound: VDP@meet.mydomain.org/jitsi-23p7g2m
May 15 10:44:40 c2s172b690      debug   Received[c2s]: <iq id='3I60R-2' type='set'>
May 15 10:44:40 c2s172b690      debug   Received[c2s]: <iq id='3I60R-3' type='get'>
May 15 10:44:40 c2s172b690      debug   Received[c2s]: <iq id='3I60R-4' type='get' from='VDP@meet.mydomain.org/jitsi-23p7g2m'>
May 15 10:44:40 datamanager     debug   Assuming empty vcard storage ('cannot open /var/lib/prosody/meet%2emydomain%2eorg/vcard/VDP.dat: No such file or directory') for user: VDP@meet.mydomain.org
May 15 10:44:40 c2s172b690      debug   Received[c2s]: <presence id='3I60R-5'>
May 15 10:44:40 datamanager     debug   Assuming empty offline storage ('cannot open /var/lib/prosody/meet%2emydomain%2eorg/offline/VDP.list: No such file or directory') for user: VDP@meet.mydomain.org
May 15 10:44:40 c2s172b690      debug   Received[c2s]: <iq id='disco' type='result' to='VDP@meet.mydomain.org'>
May 15 10:44:40 stanzarouter    debug   Discarding iq from c2s of type: result
May 15 10:44:40 c2s172b690      debug   Received[c2s]: <iq id='3I60R-6' type='get' to='meet.mydomain.org'>
May 15 10:44:40 c2s172b690      debug   Received[c2s]: <iq id='3I60R-7' type='get' to='meet.mydomain.org'>
May 15 10:44:40 c2s172b690      debug   Received[c2s]: <iq id='3I60R-8' type='get' to='jitsi-videobridge.meet.mydomain.org' from='VDP@meet.mydomain.org/jitsi-23p7g2m'>
May 15 10:44:40 jcp18587a0      debug   Received[component]: <iq id='3I60R-8' type='error' to='VDP@meet.mydomain.org/jitsi-23p7g2m' from='jitsi-videobridge.meet.mydomain.org'>
May 15 10:44:40 c2s172b690      debug   Received[c2s]: <presence id='3I60R-9'>
May 15 10:44:40 c2s172b690      debug   Received[c2s]: <iq id='3I60R-10' type='get' to='VDP@meet.mydomain.org'>
May 15 10:44:40 datamanager     debug   Assuming empty vcard storage ('cannot open /var/lib/prosody/meet%2emydomain%2eorg/vcard/VDP.dat: No such file or directory') for user: VDP@meet.mydomain.org
May 15 10:44:43 jcp18587a0      debug   Received[component]: <iq id='eSJeg-30949' type='get' to='meet.mydomain.org' from='jitsi-videobridge.meet.mydomain.org'>
May 15 10:44:44 c2s18600d8      debug   Received[c2s]: <iq id='6pjFf-56881' type='get' to='jitsi-videobridge.meet.mydomain.org'>
May 15 10:44:44 jcp18587a0      debug   Received[component]: <iq id='6pjFf-56881' type='result' to='focus@auth.meet.mydomain.org/focus38254570681' from='jitsi-videobridge.meet.mydomain.org'>
May 15 10:44:45 jcp188ed98      debug   Received[component]: <iq id='6pjFf-56883' type='get' to='meet.mydomain.org' from='focus.meet.mydomain.org'>
May 15 10:44:45 jcp188ed98      debug   Received[component]: <iq id='6pjFf-56884' type='get' to='meet.mydomain.org' from='focus.meet.mydomain.org'>

So I guess Prosody is loading ldap2 just fine.
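The difference between the two logs in post #13 can be extracted mechanically. The following is an added example, not part of any post in the thread: it groups Prosody debug-log lines by client session and reports which sessions ever sent a SASL `<auth>` and which binds `auth_ldap2` logged. The `Session` class and the function names are hypothetical, and the sample lines are excerpted from the logs posted above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Excerpt of the Prosody 0.9 debug log posted in the thread (not a full log).
SAMPLE_LOG = """\
May 15 10:40:24 c2s18600d8      info    Client connected
May 15 10:40:24 c2s18600d8      debug   Client sent opening <stream:stream> to auth.meet.mydomain.org
May 15 10:40:24 c2s18600d8      debug   Received[c2s_unauthed]: <auth mechanism='SCRAM-SHA-1' xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
May 15 10:40:24 c2s18600d8      info    Authenticated as focus@auth.meet.mydomain.org
May 15 10:40:30 bosh5604133b-f648-440b-9014-e6ff3faed1ec        debug   BOSH session created for request from ::1
May 15 10:40:35 bosh5604133b-f648-440b-9014-e6ff3faed1ec        info    BOSH client disconnected
May 15 10:40:35 bosh5604133b-f648-440b-9014-e6ff3faed1ec        debug   Destroying session for (unknown) ((unknown)@meet.mydomain.org)
May 15 10:44:34 c2s172b690      info    Client connected
May 15 10:44:34 c2s172b690      debug   Client sent opening <stream:stream> to meet.mydomain.org
May 15 10:44:39 c2s172b690      debug   Received[c2s_unauthed]: <auth mechanism='PLAIN' xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
May 15 10:44:40 meet.mydomain.org:auth_ldap2     debug   _M.bind - who: CN=VDP,CN=Users,DC=mydomain,DC=org
May 15 10:44:40 c2s172b690      info    Authenticated as VDP@meet.mydomain.org
"""

# timestamp, source (session id or host:module), level, message
LINE = re.compile(r"^\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+(\S+)\s+(debug|info|warn|error)\s+(.*)$")
CLIENT_SID = re.compile(r"^(c2s|bosh)[0-9a-f-]+$")
OPENED = re.compile(r"Client sent opening <stream:stream> to (\S+)")
AUTH = re.compile(r"<auth mechanism='([^']+)'")
AUTHED = re.compile(r"Authenticated as (\S+)")
DESTROY = re.compile(r"Destroying session for \S+ \(\S+@([^)\s]+)\)")
BIND = re.compile(r"_M\.bind - who: (.+)$")


@dataclass
class Session:
    sid: str
    transport: str                  # "c2s" (TCP 5222) or "bosh" (HTTP binding)
    host: Optional[str] = None      # XMPP virtual host the client addressed
    mechanism: Optional[str] = None  # SASL mechanism offered by the client
    jid: Optional[str] = None       # set once Prosody logs "Authenticated as"
    closed: bool = False

    def verdict(self) -> str:
        if self.jid:
            return "authenticated"
        if self.mechanism:
            return "sasl-started-not-completed"
        return "closed-without-sasl" if self.closed else "open-without-sasl"


def parse(log_text):
    """Return ({sid: Session}, {host: [bind DNs logged by auth_ldap2]})."""
    sessions, ldap_binds = {}, {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        source, _level, msg = m.groups()
        if source.endswith(":auth_ldap2"):
            b = BIND.search(msg)
            if b:
                host = source.split(":", 1)[0]
                ldap_binds.setdefault(host, []).append(b.group(1).strip())
            continue
        sid = CLIENT_SID.match(source)
        if not sid:
            continue  # listener, component or module line
        s = sessions.setdefault(source, Session(source, sid.group(1)))
        if (o := OPENED.search(msg)):
            s.host = o.group(1)
        if (a := AUTH.search(msg)):
            s.mechanism = a.group(1)
        if (j := AUTHED.search(msg)):
            s.jid = j.group(1)
        if (d := DESTROY.search(msg)):
            s.host = s.host or d.group(1)
        if "disconnected" in msg or "Destroying session" in msg:
            s.closed = True
    return sessions, ldap_binds


def never_authenticated(sessions):
    """Session ids that ended or remain without a successful SASL exchange."""
    return sorted(sid for sid, s in sessions.items() if s.verdict() != "authenticated")


if __name__ == "__main__":
    sessions, binds = parse(SAMPLE_LOG)
    for s in sessions.values():
        print(f"{s.transport:4} {s.host or '-':24} {s.mechanism or '-':12} "
              f"{s.jid or '-':30} {s.verdict()}")
    for host, dns in binds.items():
        print(f"ldap bind on {host}: {dns}")
```

On the excerpt, the only LDAP bind belongs to the desktop client's `PLAIN` login on port 5222; the BOSH session from the web UI is created and destroyed without any `<auth>` stanza, so no bind request is sent for it.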

#14

Yann,

why would I need to enable the guest domain? Could you please elaborate?
My current goal is to enable LDAP for everyone. I will be configuring the guest domain later as described in https://github.com/jitsi/jicofo (Secure domain). However, the “auth domain” will need to be an ldap-accessed domain (I do not wish to use “prosodyctl register” as in the README).

#15

By the way, I tried different browsers, and I get the same behavior (FF, Chrome).

#16

Oh okay, I didn’t see that.

VirtualHost "auth.meet.mydomain.org"
    ssl = {
        key = "/etc/prosody/certs/auth.meet.mydomain.org.key";
        certificate = "/etc/prosody/certs/auth.meet.mydomain.org.crt";
    }
    authentication = "internal_plain"

So why are you using “internal_plain” in authentication, is it for testing?

#17

Yann,

I did not configure auth.meet.mydomain.org. It “came” with my debian installation (stable builds). I did not try the nightlies yet.

Anyway, even if I change internal_plain to ldap2 in auth.meet… I still get the same behavior.

#18

Don’t touch auth.meet.mydomain.org as your jicofo will stop connecting and making your deployment unusable.

#19

I think you got authenticated and everything works. Isn’t this your meet attempt in the logs? Can you try the same from incognito window?

#20

Sorry, I’m not able to help you. I succeeded in limiting room creation to authenticated participants only. But I don’t remember how to completely limit authentication in every case (creating conference, joining conference).