[jitsi-users] jitsi meet: how to restrict access to authorized persons


#1

hello,

currently we are evaluating jitsi meet internally and it looks good.
before we can make it accessible from the outside world, we need a way
to restrict access to authorized persons. we have internal users
(managed in an ldap server) and there will be some external (kind of
anonymous) users who should be granted access.

every internal user should be able to start a meeting and invite others
- internals and externals. external users should not be able to start a
meeting.

how could this be achieved?

tia, gustav


#2

Hi Gustav,

see documentation for "Secure domain" on https://github.com/jitsi/jicofo
Since jitsi-meet uses prosody server underneath, you can use prosody's
ldap auth. modules for binding to ldap. I've written down a small how-to
for OpenLDAP, maybe it can help you:
http://booting-rpi.blogspot.de/2015/09/using-ldap-authentication-with-jitsi.html

Best,
Stan


#3

hello stan and thanks for your answer.

i'm afraid, i should have mentioned that we are running ejabberd bound
to our openldap server. we would prefer to continue using ejabberd
because it's established (running for years) and stable.

i am aware of a document describing how to use jitsi-videobridge in
conjunction with ejabberd (did not try it yet). what seems to be missing
(at least i didn't find it) is a documentation describing how to
interface jicofo with ejabberd.

best regards, gustav


#4

hello,

spent an hour configuring your suggestion.

1. authentication against ldap seems to be working (additionally had to
install lua-ldap) - i have to enter <uid>@auth.meet.softing.com which is
a little strange, <uid> should be enough

2. anonymousdomain does not work:
    i. when anonymousdomain: 'guest...' is in Jitsi Meet config.js
nobody will be asked for credentials, not even the creator of the room
    ii. when there is no line anonymousdomain: 'guest...' in Jitsi
Meet config.js everybody will be asked for credentials - there are no
guests. when the second user logged in he will see the first user and
vice versa but there is no video nor voice but they can keyboard chat

what could i check?

regards, gustav


#5

Hey Gustav,

A couple of quick comments: you have to configure your ejabberd in a way
that still permits anonymous connections but that only allows new MUCs
to be created by registered users.

I don't know how to do this and hence my next question: what's the problem
with continuing to use ejabberd for whatever you are currently doing with
it and just using prosody with Jitsi?

Emil



#6

progress: we're able to

1. establish meetings of authenticated users when there is *no* line
anonymousdomain: 'guest...' in Jitsi Meet config.js

2. establish meetings of unauthenticated users when there is *a* line
anonymousdomain: 'guest...' in Jitsi Meet config.js

we did not find a configuration which requires authentication when
creating a room but does *not* require authentication when joining an
existing meeting.

i guess this might be related to

-Dorg.jitsi.jicofo.auth.URL=XMPP:.. - a parameter which is uncertain to me.

in https://github.com/jitsi/jicofo i can read: "When running Jicofo
specify your main domain in additional configuration property." but i do
not know, what the *main domain* is - the first virtual host in the
prosody configuration? in addition i'm unsure where to place the file
sip-communicator.properties.


#7

thanks emil,

the main reason for my intention to use ejabberd underneath jitsi meet is
to keep the system as 'simple' as possible - one component for one
purpose. another reason is, that i feel prosody is in kind of beta
status. i searched for ldap authentication and found conflicting howtos
which seemed to be kind of shaky (did not give it a try). the 3rd reason
is, that we could use the meet-videobridge for jitsi desktop confs
(which currently do not work at our site).

maybe you're right. i will try to configure prosody in the suggested way.

gustav


#8

Hi Gustav,

We created a similar scenario. In our configuration we use:

/etc/jitsi/meet/<domain>-config.js
    var config = {
        hosts: {
            domain: '<domain>',
            anonymousdomain: 'guest.<domain>',
            // ... remaining hosts entries unchanged
        },
        // ... remaining settings unchanged
    };

/usr/share/jicofo/.sip-communicator
        org.jitsi.jicofo.auth.URL=XMPP:<domain>
(please note that with configuration property it doesn't work)

<domain> is the virtualhost in XMPP Server.

Hope it helps.

Regards,
Carlo
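A consistency check for the two settings in Carlo's reply, as an added example that is not from the thread or the Jitsi project: it reports which of the behaviours described earlier in the thread a given pair of settings produces. The function names, status labels and the sample domain meet.example.com are assumptions, as is an XMPP server that requires login on the main domain and allows anonymous login on the guest domain.

```javascript
// Added example, not from the thread or the Jitsi project. Function names,
// status labels and the sample domain are assumptions for illustration.

// Parse Java-style .properties text (key=value lines, '#' or '!' comments).
function parseProperties(text) {
    const props = {};
    for (const raw of text.split(/\r?\n/)) {
        const line = raw.trim();
        if (line === '' || line.startsWith('#') || line.startsWith('!')) continue;
        const eq = line.indexOf('=');
        if (eq < 1) continue; // no key or no '=': not a setting
        props[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
    }
    return props;
}

// hosts: the hosts object from <domain>-config.js.
// jicofoProps: text of Jicofo's sip-communicator.properties.
// Assumes the XMPP server requires login on hosts.domain and accepts
// anonymous connections on hosts.anonymousdomain.
function checkSecureDomain(hosts, jicofoProps) {
    const authUrl = parseProperties(jicofoProps)['org.jitsi.jicofo.auth.URL'];
    const guest = hosts.anonymousdomain;
    const hasGuest = typeof guest === 'string' && guest !== '';

    if (hasGuest && guest.toLowerCase() === String(hosts.domain).toLowerCase()) {
        return { status: 'guest-domain-same-as-main',
                 detail: 'anonymousdomain has to be a separate virtual host' };
    }
    if (authUrl === undefined) {
        return hasGuest
            ? { status: 'nobody-authenticates',
                detail: 'clients connect anonymously and Jicofo lets anyone create a room' }
            : { status: 'everyone-authenticates',
                detail: 'all clients log in on the main domain; there are no guests' };
    }
    if (authUrl.toLowerCase() !== ('XMPP:' + hosts.domain).toLowerCase()) {
        return { status: 'auth-domain-mismatch',
                 detail: 'auth.URL should be XMPP:' + hosts.domain + ', found ' + authUrl };
    }
    return hasGuest
        ? { status: 'creator-authenticates-guests-join',
            detail: 'room creation needs a login, joining an existing room does not' }
        : { status: 'everyone-authenticates',
            detail: 'all clients log in on the main domain; there are no guests' };
}

// Constructed sample input.
const SAMPLE_HOSTS = { domain: 'meet.example.com', anonymousdomain: 'guest.meet.example.com' };
const SAMPLE_PROPS = '# constructed sample\norg.jitsi.jicofo.auth.URL=XMPP:meet.example.com\n';
console.log(checkSecureDomain(SAMPLE_HOSTS, SAMPLE_PROPS));
```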


#9

thanks carlo,

it's working now.

yes, i tried it using the configuration property because i was very
unsure where to put sip-communicator.properties - using
/etc/jitsi/jicofo/sip-communicator.properties is also working

gustav


#10

hello again,

as mentioned before we have to authenticate as
<uid>@<hostnamepart>.<domain>. this works fine but our users will be
unhappy. in order to improve acceptance, it would be a lot better if
there was no hostnamepart in the 'usernamepart'. that means, i would
like to change to <uid>@<domain> or, even better, to just <uid>. how can
this be accomplished?

tia, gustav


#11

I think that appending a pre-configured string to the username in Jitsi-Meet is a simple solution for that. A contribution would be welcome.

Regards,
Boris
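One way the suggestion above could look, as an added example that is not Jitsi Meet code or the contribution mentioned later in the thread: a bare <uid> gets a pre-configured domain appended, a full address is kept as typed, and input that cannot be a valid address is rejected before login. The name toLoginJid and the sample domain auth.meet.example.com are assumptions.

```javascript
// Added example, not Jitsi Meet code. toLoginJid and the sample domain
// auth.meet.example.com are assumptions for illustration.

// Characters RFC 7622 forbids in the localpart of a JID, plus whitespace.
const FORBIDDEN_LOCALPART = /["&'\/:<>@\s]/;

// Turn what the user typed into the address used for login:
//   "uid"         -> "uid@<defaultDomain>"
//   "uid@domain"  -> kept as typed
function toLoginJid(input, defaultDomain) {
    const value = String(input).trim();
    if (value === '') {
        throw new Error('empty user name');
    }
    const at = value.indexOf('@');
    const local = at === -1 ? value : value.slice(0, at);
    const domain = at === -1 ? defaultDomain : value.slice(at + 1);

    if (local === '' || FORBIDDEN_LOCALPART.test(local)) {
        throw new Error('invalid user name: ' + local);
    }
    // A second '@', a resource part or whitespace means the input is not
    // a plain user@domain address.
    if (!domain || /[@\/\s]/.test(domain)) {
        throw new Error('invalid domain: ' + domain);
    }
    return local + '@' + domain;
}

// Returns true when toLoginJid rejects the input.
function isRejected(input, defaultDomain) {
    try {
        toLoginJid(input, defaultDomain);
        return false;
    } catch (e) {
        return true;
    }
}

// Constructed sample input.
console.log(toLoginJid('gustav', 'auth.meet.example.com'));
```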



#12

hello boris,

i implemented the suggested solution but i'm unsure how to do the git-checkin. any help would be welcome.

regards, gustav


#13

> hello boris,
>
> i implemented the suggested solution but i'm unsure how to do the
> git-checkin. any help would be welcome.

Great! This article explains how to create a pull request:
https://yangsu.github.io/pull-request-tutorial/

Note that before we can incorporate your changes to Jitsi-Meet we need you to sign our contributor agreement (either as an individual[0] or as a corporation[1]).

Regards,
Boris

[0] https://jitsi.org/icla
[1] https://jitsi.org/ccla
