Jitsi - prosody configure ldap with client certificate

Hi @all,

I have recently setup a jitsi meet with ldap2 auth as described on the wiki site for this topic. The authentification is properly working and the next step is using the option use_tls=true.

With enabled option (secured ldap via tls) the connection is set up, but no response is received by ldap-server. The tcpdump shows me, that the ldap-server is presenting its certificate and requests a client certificate. Prosody sends a client certificate, but the information of my tcpdump about it is very rare, the transmitted hex-information are very small. So, I think this is not the right certificate. I have a standard logging (I do not touch the default-settings for logging), no issue is reported in my logs and I have no access to the ldap-server. So I am aloneā€¦

On https://git.zx2c4.com/lualdap/about/ I have found these values: certfile and keyfile for client-side certificates. I have studied ldap.lib.lua, mod_auth_ldap2.lua and prosody.cfg.lua, but I do not found a way to specify a ssl-tag with a certificate. So I have no idea how to paste the right client-certificate (or maybe the mtls-certificate) in a way, the ldap2 auth is using it.

The hard point is: the jitisi meet server has 2 interfaces.
1 interface for media/public
1 interface for management: ssh, ldap etc.

I have 2 certificates:
1 server-certificate for jitsi meet and all services published to the public (letsencrypt) and
1 mtls certificate (other CA) for the management interface.

Hopefully someone could advise me or at least could say that this feature is not supported.

Thank you alot!

dtavb

Hi there,

I has been able to solve this. For everyone with the same mTLS challenge (it does not matter if 2 or more interface with different IPs and FQDNs):
for ldap in jitsi you need openldap on your linux machine. In ldap.conf you are able to set client-cert and client-key. After this doing the configured cert is presented to ldap-server as long as you have setup the correct host-route for linux.

Regards