Jitsi not working with LDAP Authentication


#1

Dear Jitsiers,

I hope you can help me. I use prosody with mod_auth_ldap2. Unfortunately, when I open a room and try to login, I got the error “UnhandledError: null Script: null Line: null Column: null StackTrace: Error: Strophe: BOSH-Connection failed: host-unknown” in the developer console of my browser.

Can anybody help me with this issue?


#2

Your bosh connection is not working, try opening https://your-domain/http-bind
host-unknown means you try to open the server using a fqdn for example jitsi-meet-example.com and prosody is not configured to serve that domain. Check your prosody config.


#3

Output:
It works! Now point your BOSH client to this URL to connect to Prosody.

For more information see Prosody: Setting up BOSH.


#4

With the prosody support guys I found out that (I think jicofo) tries to authenticate with LDAP with the username “focus”. I already defined a LDAP-User to bind with. Is this wanted behaviour? Do I have to create that user? Which rights does this user need?


#5

Yes, jicofo needs a user which is admin (to be able to create a room and grant owner to the user that will join). You need that focus user and its password.


#6

No, I mean a LDAP-User called focus. Why is this needed if I already provided a LDAP-User in the config who is admin?


#7

I’m not sure what user you have provided, but jicofo needs a user to authenticate. If jicofo is using the virtual host that uses ldap, you need to have a user in ldap whose name is focus.


#8

Is there any possibility to tell jicofo to use a specific LDAP-user? Where can I specify the password for the user?


#9

The user should be named focus as there are many places in the code in different components that expect that.
The username and password are in /etc/jitsi/jicofo/config:

JICOFO_AUTH_DOMAIN=auth.yourdomain.com
JICOFO_AUTH_USER=focus
JICOFO_AUTH_PASSWORD=some_pass

I have never done ldap integration, but isn’t it easier to leave jicofo using a virtual host that does not use ldap?


#10

Many thanks for your quick reply! Is there any possibility to not store the password in plain text? For me it seems that this could be a security issue.

I think auth_domain is the ldap-service. But where do you define the base in which ldap should be searched?
Could you give me an example config please?
The thing is, we want our admins to log in with their well-known credentials.
Is Jitsi supporting SSO?


#11

I added the focus user, but get the following error message in the prosody log:
auth.jitsi.xxx.at:auth_ldap2 debug _M.bind - no DN found for username = focus


#12

These are the user and password to connect to the xmpp server. Jicofo doesn’t know or support ldap. These credentials are saved in a file and folder readable only by the jicofo user, so it is safe. If someone has access to your machine, these credentials are your least problem.

Have you configured the auth.domain in prosody to use ldap? If this is the case, then you don’t need to touch these settings.


#13

I changed the auth domain authentication method from anonymous to ldap2 and still the same error


#14

I say it should be internal_plain, this is the default value.
Can you paste the error you see?
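
The split described in replies #9, #12 and #14, written out as an added example that is not part of the original thread or any poster's configuration: LDAP on the domain people log in to, the internal user store on the auth domain that jicofo uses. Hostnames, DNs and passwords are constructed placeholders, and the `ldap` key names follow the mod_lib_ldap documentation, so check them against the module version you installed.

```lua
-- Added example, Prosody configuration fragment. All names and values below
-- (jitsi.example.com, the DNs, REPLACE_ME) are constructed placeholders.

-- LDAP connection used by mod_auth_ldap2 (through mod_lib_ldap).
ldap = {
    hostname      = "ldap.example.com",
    bind_dn       = "cn=prosody-bind,ou=services,dc=example,dc=com",
    bind_password = "REPLACE_ME",  -- stored in clear: keep this file readable by prosody only
    use_tls       = true,          -- do not send bind or user passwords unencrypted
    user = {
        basedn        = "ou=people,dc=example,dc=com",  -- subtree searched for users
        filter        = "(objectClass=inetOrgPerson)",
        usernamefield = "uid",     -- attribute matched against the login name
        namefield     = "cn",
    },
}

-- Main domain: the FQDN users open in the browser.
-- People authenticate here with their LDAP credentials.
VirtualHost "jitsi.example.com"
    authentication = "ldap2"

-- Auth domain: service accounts only (the jicofo "focus" user).
-- With ldap2 here, prosody searches LDAP for "focus" and logs
--   "no DN found for username = focus"
-- unless such an LDAP entry exists.
--   authentication = "ldap2"          -- setting that triggers the LDAP lookup
VirtualHost "auth.jitsi.example.com"
    authentication = "internal_plain"  -- local user store, no LDAP involved

-- The focus account then lives in prosody's own store. Create it with the
-- same password that is set as JICOFO_AUTH_PASSWORD, then restart prosody:
--   prosodyctl register focus auth.jitsi.example.com <password>
```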


#15

prosody log:
auth.jitsi.xxx.at:auth_ldap2 debug _M.bind - no DN found for username = focus

When logging in in Jitsi Meet
Invalid username or password


#16

I forgot to restart prosody. The error message in the prosody log changed now:
saslauth debug sasl reply: The response provided by the client doesn’t match the one we calculated.


#17

I already triple-checked the user and password I provided. Wrong credentials are not the problem.


#18

What is the problem you see?


#19

in prosody log

saslauth debug sasl reply: The response provided by the client doesn’t match the one we calculated.