[jitsi-users] LDAP integration


#1

Greetings All

Does anyone have a working LDAP integration with AD, or know of a
good "How to...." link to set up Jitsi-Meet with LDAP?

I tried to follow some link I found in Google results, but it does not seem
to work. My server, for example, is jitsi.forexample.com. Local account
authentication works fine with jane.does@jitsi.forexample.com,
but my AD, for example, is forexample.com. For some unknown reason, I can't
seem to get it to work w/AD with jane.doe@forexample.com.

Any advice, links, or clues would be much appreciated.

Thank you.

···

--
-john-


#2

Using Xenial (Ubuntu 16.04), it 'just worked' with the right bits
configured with prosody.

Here are my notes (with names changed to protect the innocent) for LDAP
...

===== ===== =====
You need to be running a Xenial server and ensure that the prosody-
modules package is installed, as that includes the mod_auth_ldap2
module, plus its dependencies, to get working LDAP authentication.

### Create a new file with the details for the LDAP authentication ..

/etc/prosody/conf.d/ldap.cfg.lua

authentication = 'ldap2' -- Indicate that we want to use LDAP for authentication
ldap = {
    hostname = 'ldap.forexample.com', -- LDAP server location
    use_tls = true,
    user = {
        basedn = 'ou=Staff,dc=forexample,dc=com',
        usernamefield = 'uid',
        namefield = 'cn',
    },
}

### Update the server/service file to use the mod_auth_ldap2 module for
authentication ..

/etc/prosody/conf.d/jitsi.forexample.com.cfg.lua

...
authentication = "ldap2"
...

### Update the main config file to enforce a bit of security ...

/etc/prosody/prosody.cfg.lua

...
consider_bosh_secure = true
...

### Tell the server to not require the certificates to the LDAP server
(not ideal, but what we do here).

/etc/ldap/ldap.conf

...
TLS_REQCERT never
...

===== ===== =====

Note that you may need to try just logging in as 'jane.doe'

Also consider OpenLDAP != AD, but an AD server can appear as an
OpenLDAP server if configured right; there may be other hoops to jump
through. See if you can do a search on the AD server with ldapsearch
on the jitsi meet server to return anything, to make sure your network
isn't blocking you.

Trusty (Ubuntu 14.04) was a mess to try and get working with the LDAP
auth; there was some mangling of packages and mercurial pulls etc. to get
it to sort of work. For me, Xenial just worked.

Also check the logs to see if it is spitting the dummy on something
else.

Good Luck.

···

On Tue, 2016-09-13 at 13:59 -0700, John Finding wrote:
_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users
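Added example (not part of Ian's notes, and not Prosody or OpenLDAP code): the `TLS_REQCERT never` step above is the one a security reviewer would push back on. libldap, which lua-ldap and therefore mod_auth_ldap2 use, reads /etc/ldap/ldap.conf, and `never` means the certificate the AD server presents is not checked at all. `use_tls = true` then still gives an encrypted channel, but to an unauthenticated peer: whoever can intercept traffic to ldap.forexample.com receives the passwords Prosody sends in the bind. The usual reason people reach for `never` is that the AD issuing CA is private and not in the system bundle; the fix is to export that CA chain, point TLS_CACERT at it and set TLS_REQCERT demand. The Python below lints constructed copies of the two relevant config fragments for exactly this. The weak and hardened ldap.conf contents are made up for the example and the CA path /etc/ssl/certs/forexample-ad-ca.pem is an assumed value; the Prosody table is the one from the notes above.

```python
"""Pre-flight check of the LDAP server-authentication settings behind mod_auth_ldap2.

Added example for this thread; it is not Ian's notes and not Prosody/OpenLDAP code.
It reads the two places that decide whether the AD server's certificate is verified:
  * /etc/ldap/ldap.conf, which libldap (and therefore lua-ldap/Prosody) consults for
    TLS_REQCERT and TLS_CACERT;
  * the `ldap = { ... }` table from ldap.cfg.lua (use_tls, usernamefield).
All file contents below are constructed samples; the CA path is an assumed value.
"""
import re

# Constructed sample mirroring the thread: verification switched off.
WEAK_LDAP_CONF = """\
# /etc/ldap/ldap.conf
BASE    dc=forexample,dc=com
URI     ldap://ldap.forexample.com
TLS_REQCERT never
"""

# Constructed sample of the hardened form: trust only the AD issuing CA, and fail closed.
HARDENED_LDAP_CONF = """\
# /etc/ldap/ldap.conf
BASE    dc=forexample,dc=com
URI     ldap://ldap.forexample.com
TLS_CACERT  /etc/ssl/certs/forexample-ad-ca.pem   # assumed path to the exported AD CA chain
TLS_REQCERT demand
"""

# The Prosody table from the notes above, unchanged.
PROSODY_LDAP_TABLE = """\
ldap = {
    hostname = 'ldap.forexample.com',
    use_tls = true,
    user = {
        basedn = 'ou=Staff,dc=forexample,dc=com',
        usernamefield = 'uid',
        namefield = 'cn',
    },
}
"""


def parse_ldap_conf(text):
    """Return {OPTION: value} from ldap.conf; options are case-insensitive, '#' starts a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        settings[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
    return settings


def parse_prosody_ldap_table(text):
    """Collect scalar `key = value` pairs from the Lua table (a regex, not a Lua parser)."""
    pairs = {}
    for m in re.finditer(r"(\w+)\s*=\s*(?:'([^']*)'|\"([^\"]*)\"|(true|false))", text):
        key, single, double, boolean = m.groups()
        pairs[key] = single if single is not None else double if double is not None else boolean
    return pairs


def tls_findings(ldap_conf_text, prosody_ldap_text):
    """Return [(severity, message)] for settings that weaken authentication of the LDAP server."""
    conf = parse_ldap_conf(ldap_conf_text)
    lua = parse_prosody_ldap_table(prosody_ldap_text)
    findings = []

    reqcert = conf.get("TLS_REQCERT", "demand").lower()   # libldap's default is 'demand'
    if reqcert in ("never", "allow"):
        findings.append(("high", f"TLS_REQCERT {reqcert}: the server certificate is not checked, "
                         "so anyone who can answer as ldap.forexample.com on the wire receives the "
                         "password of every user whose simple bind Prosody forwards"))
    elif reqcert == "try":
        findings.append(("medium", "TLS_REQCERT try: a server that sends no certificate is still accepted"))

    if "TLS_CACERT" not in conf and "TLS_CACERTDIR" not in conf:
        findings.append(("medium", "no TLS_CACERT/TLS_CACERTDIR: an internal AD issuing CA is normally "
                         "not in the default trust store, which is usually why people reach for 'never'"))

    if lua.get("use_tls") != "true":
        findings.append(("high", "use_tls is not true: mod_auth_ldap2 would bind to AD without StartTLS"))

    if lua.get("usernamefield") == "uid":
        findings.append(("info", "usernamefield 'uid' is the POSIX/OpenLDAP attribute; plain AD accounts "
                         "are usually matched on sAMAccountName (assumption: no RFC 2307 attributes populated)"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_LDAP_CONF), ("hardened", HARDENED_LDAP_CONF)):
        print(f"== {label} ==")
        for severity, message in tls_findings(conf, PROSODY_LDAP_TABLE):
            print(f"[{severity}] {message}")
```

To run it against a real host, read /etc/ldap/ldap.conf and the ldap.cfg.lua fragment in place of the constants. The `info` finding about `uid` is a hint only: if ldapsearch can find the account but the Jitsi login still fails, the attribute the module matches on is the next thing to check.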


#3

Thanks Ian. I will give that a try. I am currently running Ubuntu 14.04.5
and it runs like a champ on the stable version with local authentication,
because I can never get the LDAP with AD to work. I will try Ubuntu
16.04 with the "Jitsi Meet quick install" method. Do you know if the "Jitsi
Meet quick install" method installs all the prosody modules, including
the mod_auth_ldap2 module?

···

On Tue, Sep 13, 2016 at 2:35 PM, Ian Beardslee <ian@catalyst.net.nz> wrote:

--
-john-


#4

The "Jitsi Meet quick install" method was what I used to install Jitsi
Meet.

I had to install the prosody-modules package as a separate 'apt-get
install prosody-modules' action.

Check that lua-ldap, libldap-2.4-2 & ldap-utils are installed as part
of the process.

ldap-utils is probably a manual install and is not actually
required, but it is useful as it has the ldapsearch tool to start testing
that the server can get to the AD server and return results.

···

On Tue, 2016-09-13 at 14:53 -0700, John Finding wrote:


#5

@Ian I tried what you suggest and it does not seem to work. To recap:

···

*************************
/etc/prosody/conf.d/ldap.cfg.lua file does not exist as you indicated, so I
created it with the parameters of my current environment.
*************************
I edited the /etc/prosody/conf.d/jitsi.forexample.com.cfg.lua file in
two locations:
VirtualHost "jitsi.forexample.com"
        -- enabled = false -- Remove this line to enable this host
        authentication = "ldap2"

and

VirtualHost "auth.jitsi.forexample.com"
    authentication = "ldap2
*************************
I edited /etc/prosody/prosody.cfg.lua to add "consider_bosh_secure = true"
even though there were no existing parameters.
*************************
I commented this out in /etc/ldap/ldap.conf:
# TLS_CACERT /etc/ssl/certs/ca-certificates.crt
*************************

The end result is a black screen with no authentication prompt.

What am I missing? I did an ldapsearch command against my Windows AD and it
responded.

Please advise, and thanks in advance.

On Tue, Sep 13, 2016 at 3:10 PM, Ian Beardslee <ian@catalyst.net.nz> wrote:

--
-john-


#6

Hmm, I'd suggest tailing the various logs when you restart prosody as
that provides the authentication, but you may also need to restart the
jicofo and jitsi-videobridge. I use ...

root@host# tail -f /var/log/syslog /var/log/auth.log \
    /var/log/jitsi/*.log /var/log/prosody.???

My '/etc/prosody/conf.d/jitsi.forexample.com.cfg.lua' equivalent has ..

VirtualHost "jitsi.forexample.com"
        -- enabled = false -- Remove this line to enable this host
        authentication = "ldap2"
...
...

VirtualHost "auth.jitsi.forexample.com"
    authentication = "internal_plain"

Does your /etc/prosody/prosody.cfg.lua have nothing in it (apart from
that line I suggested adding)?

···

On Tue, 2016-09-13 at 21:19 -0700, John Finding wrote:
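Added example (not Ian's config, and not Jitsi or Prosody code): the difference between the two VirtualHost blocks above is the part that is easy to get wrong when following the notes. The user-facing host switches to ldap2; the auth.* host stays on a local provider, because that is where jicofo and jitsi-videobridge log in with the accounts the quick install registered for them (an assumption about the quick-install layout, consistent with the working config shown above, not something the thread states). The script below reads constructed copies of both the working layout and the earlier attempt that put ldap2 on both hosts with an unclosed string literal, and reports what differs. It is a small line-based reader, not a Lua parser; the ssl key path and the Component line in the sample are made up.

```python
"""Audit which authentication provider each Prosody VirtualHost uses.

Added example for this thread; it is not Ian's config, nor Prosody or Jitsi code.
A minimal line reader for `VirtualHost "name"` sections is enough for this check;
it is not a Lua parser. Both sample configs are constructed.
"""
import re

# Constructed: the layout reported as working. Users authenticate against AD on the
# main host; the auth.* host keeps Prosody's local accounts, which is where jicofo and
# jitsi-videobridge log in with the credentials the quick install registered for them
# (assumption about the quick-install layout, not something the thread states).
WORKING_CFG = '''
VirtualHost "jitsi.forexample.com"
        -- enabled = false -- Remove this line to enable this host
        authentication = "ldap2"
        ssl = { key = "/etc/prosody/certs/jitsi.forexample.com.key"; }

VirtualHost "auth.jitsi.forexample.com"
    authentication = "internal_plain"

Component "conference.jitsi.forexample.com" "muc"
'''

# Constructed: the first attempt from the thread, auth host also on ldap2 and the
# string literal on that line never closed.
BROKEN_CFG = '''
VirtualHost "jitsi.forexample.com"
        authentication = "ldap2"

VirtualHost "auth.jitsi.forexample.com"
    authentication = "ldap2
'''

LOCAL_PROVIDERS = ("internal_plain", "internal_hashed")   # Prosody's built-in account stores
HOST_RE = re.compile(r'^\s*VirtualHost\s+"([^"]+)"')
AUTH_RE = re.compile(r'^\s*authentication\s*=\s*(["\'])(.*)$')


def parse_virtualhosts(text):
    """Return {host: {"authentication": str|None, "errors": [str]}} for each VirtualHost."""
    hosts, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("--", 1)[0].rstrip().rstrip(";")   # drop Lua line comments
        if not line.strip():
            continue
        if line.lstrip().startswith("Component"):
            current = None                                  # a Component ends the host section
            continue
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = {"authentication": None, "errors": []}
            continue
        if current is None:
            continue
        m = AUTH_RE.match(line)
        if m:
            quote, rest = m.groups()
            if rest.endswith(quote):
                hosts[current]["authentication"] = rest[:-1]
            else:
                hosts[current]["authentication"] = rest
                hosts[current]["errors"].append(f"line {lineno}: unterminated string literal")
    return hosts


def audit(text, main_host, ldap_provider="ldap2"):
    """List what is wrong for a Jitsi layout: main host on LDAP, auth.<main host> on local accounts."""
    hosts = parse_virtualhosts(text)
    findings = [f"{host}: {err}" for host, info in hosts.items() for err in info["errors"]]

    main = hosts.get(main_host)
    if main is None:
        findings.append(f"no VirtualHost {main_host!r}")
    elif main["authentication"] != ldap_provider:
        findings.append(f"{main_host}: authentication is {main['authentication']!r}, expected {ldap_provider!r}")

    auth_host = "auth." + main_host
    auth = hosts.get(auth_host)
    if auth is None:
        findings.append(f"no VirtualHost {auth_host!r}, which jicofo and jitsi-videobridge need")
    elif auth["authentication"] not in LOCAL_PROVIDERS:
        findings.append(f"{auth_host}: authentication is {auth['authentication']!r}; the component accounts "
                        f"are local, so keep one of {LOCAL_PROVIDERS}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("working", WORKING_CFG), ("broken", BROKEN_CFG)):
        print(f"== {label} ==")
        for finding in audit(cfg, "jitsi.forexample.com") or ["ok"]:
            print(" ", finding)
```

Point it at the real /etc/prosody/conf.d/<host>.cfg.lua by reading the file in place of the constants. Prosody itself will refuse to load a file with the unterminated string, which is one reason to tail the logs on restart as suggested above; the audit just makes the two mistakes visible before the restart.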


#7

@Ian, my /etc/prosody/prosody.cfg.lua has the default stuff from the
installation and I added your one line to it. The rest is the same:

VirtualHost "jitsi.forexample.com"
        -- enabled = false -- Remove this line to enable this host
        authentication = "ldap2"
...
...

VirtualHost "auth.jitsi.forexample.com"
    authentication = "internal_plain"

···

On Tue, Sep 13, 2016 at 9:49 PM, Ian Beardslee <ian@catalyst.net.nz> wrote:

--
-john-


#8

@Ian, I finally got it to work. Thank you for the sample settings file and
settings. I was able to piece it together with other config settings that I
found from Google results.

-john-


--
-john-


#9

Hi Guys

Following your conversation, I would like to implement LDAP in my Jitsi-Meet environment; however, one part is missing for me in ldap.cfg.lua. I need authentication for binding with my LDAP (username and password). How can I add it to that file?

Thank you in advance,

Best regards,



#10

@Jack, are you authenticating against Windows AD LDAP? If so, here is the
setting. You need to use any Windows domain account or create a dedicated
account for it.

For "bind_dn", I would go to the Attribute tab on the AD account and
copy the value so you can't go wrong.


===================
authentication = 'ldap2' -- Indicate that we want to use LDAP for authentication
ldap = {
    hostname = 'ldap.example.com',                          -- domain controller
    bind_dn = 'CN=LDAP Account,OU=people,DC=example,DC=com', -- service account used to bind before searching
    bind_password = 'xxxxxxxxxxxxxxxxxxxx',                  -- its password (placeholder)
    user = {
        basedn = 'ou=people,dc=example,dc=com',              -- subtree searched for users
        usernamefield = 'sAMAccountName',                    -- AD login name
        namefield = 'CN',
    },
}


--
-john-
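The bind-account configuration above leaves two things to the operator that are worth checking before the file goes live: the file now carries a clear-text `bind_password`, so it must not be readable by every local user on the Jitsi host, and nothing in it sets `use_tls = true` (see Ian's notes earlier in the thread), so without that line the bind password and every user's password would cross the wire to the domain controller in clear text. The script below is an added example written for this thread, not code posted by anyone here or shipped with Prosody. It assumes the Debian/Ubuntu defaults (config at /etc/prosody/conf.d/ldap.cfg.lua, Prosody running as the `prosody` user) and, for the ldapsearch step, reuses the placeholder host, DN and base from John's message.

```shell
#!/bin/sh
# Pre-flight checks for a Prosody mod_auth_ldap2 config that uses a bind account.
# Added example for this thread; not code from Prosody or from the posters.
# Assumptions: Debian/Ubuntu defaults for the config path and the service user.

CFG="${CFG:-/etc/prosody/conf.d/ldap.cfg.lua}"
PROSODY_USER="${PROSODY_USER:-prosody}"

# 1. bind_password sits in the file in clear text, so "other" must not be able
#    to read it. ls -ld prints permissions such as -rw-r-----; column 8 is the
#    "other read" bit. Returns 0 when it is '-', 1 when it is 'r'.
config_not_world_readable() {
    [ -e "$1" ] || return 2
    other_read=$(ls -ld "$1" | cut -c8)
    [ "$other_read" = "-" ]
}

# 2. The file should belong to root (Debian default, group prosody) or to the
#    service user itself; column 3 of ls -ld is the owner name.
config_owned_by_service_user() {
    [ -e "$1" ] || return 2
    owner=$(ls -ld "$1" | awk '{print $3}')
    [ "$owner" = "root" ] || [ "$owner" = "$PROSODY_USER" ]
}

# 3. Without use_tls = true the bind password and every user password travel
#    in clear text to the domain controller. Returns 0 when the line is present.
config_uses_tls() {
    grep -Eq '^[[:space:]]*use_tls[[:space:]]*=[[:space:]]*true' "$1"
}

# 4. The bind account is only useful if it can actually find users. Verify it
#    with ldapsearch over StartTLS (-ZZ refuses to continue without TLS, -W
#    prompts for the bind password). Needs ldap-utils and network access to the
#    domain controller, so it is not part of the offline checks in preflight.
#    Host, DN and base are the placeholders from the message above.
bind_account_can_find_user() {
    sam="${1:?usage: bind_account_can_find_user <sAMAccountName>}"
    ldapsearch -H 'ldap://ldap.example.com' -ZZ \
        -D 'CN=LDAP Account,OU=people,DC=example,DC=com' -W \
        -b 'ou=people,dc=example,dc=com' \
        "(sAMAccountName=$sam)" dn cn sAMAccountName
}

# Run the offline checks and report; the exit status is the number of failures.
preflight() {
    f="$1"; fails=0
    if config_not_world_readable "$f"; then
        echo "ok   $f is not world-readable"
    else
        echo "FAIL $f is world-readable (chmod 640 $f)"; fails=$((fails + 1))
    fi
    if config_owned_by_service_user "$f"; then
        echo "ok   $f is owned by root or $PROSODY_USER"
    else
        echo "FAIL $f should be owned by root, group $PROSODY_USER"; fails=$((fails + 1))
    fi
    if config_uses_tls "$f"; then
        echo "ok   use_tls = true is set"
    else
        echo "FAIL use_tls = true is missing; bind and user passwords would go in clear text"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# When run directly on a host that has the config, report on it.
if [ -f "$CFG" ]; then
    preflight "$CFG"
fi
```

Run it as `sh preflight.sh` on the Jitsi host (or `CFG=/path/to/ldap.cfg.lua sh preflight.sh`); a non-zero exit means at least one of the three offline checks failed. Call `bind_account_can_find_user jane.doe` by hand afterwards to confirm the service account can resolve a user by sAMAccountName before pointing Prosody at it.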


#11

@John Awesome buddy, you made my day.

Cheers.

···

El 2016-09-15 11:59, John Finding escribió:

@Jack, Are you authenticating against Window AD LDAP? If so, here is the
setting. You need use any one windows domain account or create a dedicated
account for it.

For "bind_dn", I would go to the Attribute tab for on the AD account and
copy the value so you can't go wrong.

===================
authentication = 'ldap2' -- Indicate that we want to use LDAP for
authentication
ldap = {
hostname = 'ldap.example.com',
    bind_dn = 'CN=LDAP Account,OU=people,DC=example,DC=com',
    bind_password = 'xxxxxxxxxxxxxxxxxxxx',
    user = {
      basedn = 'ou=people,dc=example,dc=com',
      usernamefield = 'sAMAccountName',
      namefield = 'CN',
    },
}

On Thu, Sep 15, 2016 at 9:50 AM, Jack Freakazoid > <freakazoid@riseup.net> > wrote:

Hi Guys

Following your conversation, I would like to implement ldap in my
Jitsi-Meet environment, however one part is missing for me in the
ldap.cfg.lua. I need authentication for binding with my ldap (username and
password). How can I add it in that file?

Thank you in advance,

Best regards,

El 2016-09-14 01:04, John Finding escribió:

@Ian, I finally got it work. Thank you for the sample setting file and
setting. I was able to piece it together with other config settings that
I
found from googling results.

-john-

On Tue, Sep 13, 2016 at 9:49 PM, Ian Beardslee <ian@catalyst.net.nz> >>> wrote:

Hmm, I'd suggest tailing the various logs when you restart prosody as

that provides the authentication, but you may also need to restart the
jicofo and jitsi-videobridge. I use ...

root@host# tail -f /var/log/syslog /var/log/auth.log
/var/log/jitsi/*.log /var/log/prosody.???

My '/etc/prosody/conf.d/jitsi.forexample.com.cfg.lua' equivalent has ..

VirtualHost "jitsi.forexample.com"
        -- enabled = false -- Remove this line to enable this host
        authentication = "ldap2"
...

VirtualHost "auth.jitsi.forexample.com"
    authentication = "internal_plain"

Does your /etc/prosody/prosody.cfg.lua have nothing in it (apart from
that line I suggested adding)?

On Tue, 2016-09-13 at 21:19 -0700, John Finding wrote:
> @Ian I tried what you suggest and it does not seem to work. To recap:
> *************************
> /etc/prosody/conf.d/ldap.cfg.lua files does not exist as you indated
> so I
> created the with the parameters of my current enviroment.
> *************************
> I edit the /etc/prosody/conf.d/jitsi.forexample.com.cfg.lua file to
> one and
> two location:
> VirtualHost "jitsi.forexample.com"
> -- enabled = false -- Remove this line to enable this host
> authentication = "ldap2"
>
> and
>
> VirtualHost "auth.jitsi.forexample.com"
> authentication = "ldap2
> *************************
> I edit /etc/prosody/prosody.cfg.lua to add "consider_bosh_secure =
> true"
> eventhough there were no existing parameters.
> *************************
> I comment this out /etc/ldap/ldap.conf
> # TLS_CACERT /etc/ssl/certs/ca-certificates.crt
> *************************
>
> The end result is black screen with no authenication prompt and back
> screen.
>
> What I am missing? I did an ldapsearch command again my Windows AD
> and it
> responded.
>
> Please advise and thank to in advance.
>
> On Tue, Sep 13, 2016 at 3:10 PM, Ian Beardslee <ian@catalyst.net.nz> >>>> > wrote:
>
> >
> > The "Jitsi Meet quick install" method was what I used to install
> > Jitsi
> > Meet.
> >
> > I had to install the prosody-modules package as a separate 'apt-get
> > install prosody-modules' action.
> >
> > Check that lua-ldap, libldap-2.4-2 & ldap-utils are installed as
> > part
> > of the process.
> >
> > The ldap-utils is probably a manual install and is not actually
> > required, but useful as it has the ldapsearch tool to start testing
> > the
> > server can get to the AD server and return results.
> > On Tue, 2016-09-13 at 14:53 -0700, John Finding wrote:
> > >
> > > Thanks Ian. I will give that a try. I am currently running
> > > Ubuntu
> > > 14.04.5
> > > and it run like a champ on the stable version with local
> > > authenication
> > > because I can never get the LDAP with AD to work. I will try it
> > > Ubuntu
> > > 16.04 with the "Jitsi Meet quick install" method. Do you know if
> > > the
> > > "Jitsi
> > > Meet quick install" method installs all the prosody modules that
> > > includes
> > > the mod_auth_ldap2 module?
> > >
> > > On Tue, Sep 13, 2016 at 2:35 PM, Ian Beardslee <ian@catalyst.net. >>>> > > > > >>>> > > > wrote:
> > >
> > > >
> > > > Using Xenial (Ubuntu 16.04), it 'just worked' with the right bits
> > > > configured with prosody.
> > > >
> > > > Here are my notes (with names changed to protect the innocent) for LDAP ...
> > > >
> > > > ===== ===== =====
> > > > You need to be running a Xenial server and ensure that the prosody-modules
> > > > package is installed as that includes the mod_auth_ldap2 module, plus its
> > > > dependencies, to get working LDAP authentication.
> > > >
> > > > ### Create a new file with the details for the LDAP authentication ..
> > > >
> > > > /etc/prosody/conf.d/ldap.cfg.lua
> > > >
> > > > authentication = 'ldap2' -- Indicate that we want to use LDAP for authentication
> > > > ldap = {
> > > >     hostname = 'ldap.forexample.com', -- LDAP server location
> > > >     use_tls = true,
> > > >     user = {
> > > >         basedn = 'ou=Staff,dc=forexample,dc=com',
> > > >         usernamefield = 'uid',
> > > >         namefield = 'cn',
> > > >     },
> > > > }
> > > >
> > > > ### Update the server/service file to use the mod_auth_ldap2 module for
> > > > authentication ..
> > > >
> > > > /etc/prosody/conf.d/jitsi.forexample.com.cfg.lua
> > > >
> > > > ...
> > > > authentication = "ldap2"
> > > > ...
> > > >
> > > > ### Update the main config file to enforce a bit of security ...
> > > >
> > > > /etc/prosody/prosody.cfg.lua
> > > >
> > > > ...
> > > > consider_bosh_secure = true
> > > > ...
> > > >
> > > > ### Tell the server to not require the certificates to the LDAP server
> > > > (not ideal but what we do here).
> > > >
> > > > /etc/ldap/ldap.conf
> > > >
> > > > ...
> > > > TLS_REQCERT never
> > > > ...
> > > >
> > > > ===== ===== =====
> > > >
> > > > Note that you may need to try just logging in as 'jane.doe'
> > > >
> > > > Also consider OpenLDAP != AD, but an AD server can appear as an OpenLDAP
> > > > server if configured right; there may be other hoops to jump through. See
> > > > if you can do a search on the AD server with ldapsearch on the jitsi meet
> > > > server to return anything to make sure your network isn't blocking you.
> > > >
> > > > Trusty (Ubuntu 14.04) was a mess to try and get working with the LDAP
> > > > auth; there was some mangling of packages and Mercurial pulls etc. to get
> > > > it to sort of work. For me, Xenial just worked.
> > > >
> > > > Also check the logs to see if it is spitting the dummy on something else.
> > > >
> > > > Good Luck.
> > > >
> > > > On Tue, 2016-09-13 at 13:59 -0700, John Finding wrote:
> > > > >
> > > > > Greetings All
> > > > >
> > > > > Does anyone have a working LDAP integration working with AD or know of
> > > > > a good "How to...." link to set up Jitsi-Meet with LDAP?
> > > > >
> > > > > I tried to follow some link I found from a google result but it does
> > > > > not seem to work. My server for example is jitsi.forexample.com. Local
> > > > > account authentication works fine with jane.does@jitsi.forexample.com
> > > > > but my AD for example is forexample.com. For some unknown reason, I
> > > > > can't seem to get it to work w/AD with jane.doe@forexample.com
> > > > >
> > > > > Any advice, links, or clues would be much appreciated.
> > > > >
> > > > > Thank you.
> > > > > _______________________________________________
> > > > > users mailing list
> > > > > users@jitsi.org
> > > > > Unsubscribe instructions and other list options:
> > > > > http://lists.jitsi.org/mailman/listinfo/users
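The notes quoted above get LDAP working by telling libldap not to verify the directory server's certificate (TLS_REQCERT never). The STARTTLS session that use_tls = true opens is the one that carries every user's password in a bind, so with verification off it will happily complete against anything that answers on port 389, including a box impersonating the DC. Two other things in the thread follow from how the module works, as I read mod_auth_ldap2: it searches for usernamefield=<localpart> under basedn and then binds as the DN it finds with the password the user typed. The domain part of the login (jitsi.forexample.com) is the Prosody VirtualHost, not the AD domain, which is why logging in as plain 'jane.doe' is the thing to try, and Active Directory has no uid attribute, so a usernamefield of 'uid' never matches an AD user. Below is an added example, not taken from the thread or from the prosody-modules project, of the same 'ldap' table aimed at AD, with the weak setup in comments beside the corrected one. The host dc1.forexample.com, the svc-jitsi bind account, the attribute choices and the CA file path are assumptions for illustration; the option names (hostname, use_tls, bind_dn, bind_password, user.basedn, user.filter, user.usernamefield, user.namefield) are the ones mod_lib_ldap, which mod_auth_ldap2 builds on, reads from the 'ldap' table, but check the README shipped with your prosody-modules version before relying on them.

```lua
-- Added example (not from the thread): /etc/prosody/conf.d/ldap.cfg.lua for
-- mod_auth_ldap2 against Active Directory. Host, bind account, base DN,
-- attribute names and CA path are placeholders chosen for illustration.

-- WEAK (what the thread does): use_tls = true, but /etc/ldap/ldap.conf says
-- 'TLS_REQCERT never', so libldap accepts any certificate. Every password
-- Prosody binds with can be collected by whoever can get between the Jitsi
-- host and the directory server. 'uid' also matches nothing in AD.
--
-- ldap = {
--     hostname = 'ldap.forexample.com',
--     use_tls  = true,
--     user = { basedn = 'ou=Staff,dc=forexample,dc=com',
--              usernamefield = 'uid', namefield = 'cn' },
-- }

-- HARDENED: same module, AD-shaped attributes, verified certificate chain.
authentication = 'ldap2'

ldap = {
    -- Connect to a name that appears in the DC's certificate (a DC host name,
    -- or the domain name, which resolves to the DCs), not a local alias.
    hostname = 'dc1.forexample.com',  -- assumed

    -- use_tls = true makes the module issue STARTTLS on port 389.
    -- Certificate checking is NOT set here: libldap reads /etc/ldap/ldap.conf,
    -- which must contain 'TLS_REQCERT demand' plus a TLS_CACERT line pointing
    -- at the CA that issued the DC certificate.
    use_tls = true,

    -- AD normally refuses anonymous searches, so the lookup that turns a
    -- login name into a DN needs a service account. Give it read-only rights
    -- on the user objects and nothing else; the password lives in this file,
    -- so keep the file owned by prosody with mode 0640.
    bind_dn       = 'CN=svc-jitsi,OU=Service Accounts,DC=forexample,DC=com',  -- assumed
    bind_password = 'change-me',  -- assumed placeholder

    user = {
        -- Whole domain unless every Jitsi user really lives in one OU.
        basedn = 'DC=forexample,DC=com',

        -- The login localpart ('jane.doe' of jane.doe@jitsi.forexample.com)
        -- is matched against sAMAccountName; AD has no 'uid'.
        usernamefield = 'sAMAccountName',
        namefield     = 'displayName',

        -- Only real user objects, and skip accounts AD has disabled
        -- (userAccountControl bit 0x2, tested with the LDAP_MATCHING_RULE_BIT_AND
        -- OID). The module ANDs this with the username match; this assumes it
        -- passes an already-parenthesised compound filter through unchanged.
        filter = '(&(objectClass=user)(objectCategory=person)' ..
                 '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))',
    },
}
```

Pair this with /etc/ldap/ldap.conf set to `TLS_REQCERT demand` and `TLS_CACERT /etc/ssl/certs/forexample-ca.pem` (assumed path; the CA certificate that issued the DC's certificate, exported from your AD CS or whatever PKI signs it). Before touching Prosody, prove the chain and the search from the Jitsi host with the same account and filter the module will use, e.g. `LDAPTLS_REQCERT=demand ldapsearch -ZZ -H ldap://dc1.forexample.com -D 'CN=svc-jitsi,OU=Service Accounts,DC=forexample,DC=com' -W -b 'DC=forexample,DC=com' '(sAMAccountName=jane.doe)' sAMAccountName displayName`. A certificate error there means the CA file is wrong, and the fix is the CA file, not going back to never; an empty result means the bind account's rights, the base DN or the filter are wrong, and Prosody will refuse every login with the same data while the logs say only that authentication failed.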