LDAP integration problems

Try using some markdown to mark those blocks as code, so they are easier to read :slight_smile:

I haven’t checked the whole thread (again). With all the replies and forwards and backwards I find it difficult to figure out what’s really needed. Also the missing pre-formatting makes it difficult to figure out things.

That’s why I tried documenting things in the Wiki to make it easier to follow and just wanted to point you guys there :slight_smile:


Hey Thomas,

could you please describe in more detail exactly where to place the extra lines in the prosody.cfg.lua file?
Authentication probably works for me, but it freezes on “Connecting”

and is there any way to set the user to authenticate with the domain account without suffix?
e.g. j.fox instead of j.fox@example.com

here is my cfg:
/conf.avail/ldap.cfg.lua

```lua
authentication = 'ldap2'

ldap = {
    hostname = '172.22.91.100',
    bind_dn = 'cn=ldap-read,cn=Users,dc=sxxxxx,dc=local',
    bind_password = 'Dxxxxxxxxxxx',
    use_tls = false,
    user = {
        usernamefield = 'uid',
        basedn = 'dc=sxxxxxx,dc=local',
        filter = '*',
        namefield = 'cn',
    },
}
```

Thank you.

Jirka

I see the following error in my log file:

Failed to load the LuaLDAP library for accessing LDAP

Any idea for how to fix this?

I have extended my documentation for the “host + guests” setup. Perhaps someone could verify that it works for him too…

If your uid attribute in LDAP doesn’t contain the username without suffix, you don’t need to enter it? At least we don’t have here.

Just because the login popup gives an example, doesn’t mean you have to enter it. I already created an issue, because it confused a few of my users already. It’s only necessary if you do XMPP authentication with more than one host.

If you are on debian, did you install the prosody-modules including the recommended lua-ldap package?

Hi there,

I’m all new to Jitsi Server and I need to have an LDAP integration. I tried all the things you said in here but I don’t even get a prompt for user and password.

Can anybody help? Did I miss something? I did all the steps @albercuba wrote, with the effect that I got into the room without a prompt and then wasn’t able to speak or show video.

Greetz Susie

I’ve followed Balu’s instructions and can confirm that they work (with FreeIPA). Thanks a lot Balu for the nice tutorial! I’ve added a short explanation+link for the “consider_bosh_secure” line as well as the following note on luarocks.

Note that at least on my current version of Ubuntu I had to manually install luarocks 5.2 and, with it, the necessary ldap, jitsi, and crypt packages. This version requirement seems to be hardcoded somewhere, i.e. the Ubuntu luarocks version 5.1 did not work in my case!


Hello everyone,
right now I am in the middle of a company/job change so I have no time to test this. Will see if I find some time to test this again in a new installation. I have to set up all my test lab equipment again.

Best regards

```lua
    -- Other specific functionality
            "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
            --"limits"; -- Enable bandwidth limiting for XMPP connections
            --"groups"; -- Shared roster support
            --"server_contact_info"; -- Publish contact information for this service
            --"announce"; -- Send announcement to all online users
            --"welcome"; -- Welcome users who register accounts
            --"watchregistrations"; -- Alert admins of registrations
            --"motd"; -- Send a message to users when they log in
            --"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
            --"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use

}

-- here is the place
consider_bosh_secure = true
-- here is the place

-- These modules are auto-loaded, but should you want
-- to disable them then uncomment them here:
modules_disabled = {
    -- "offline"; -- Store offline messages
    -- "c2s"; -- Handle client connections
    -- "s2s"; -- Handle server-to-server connections
}
```

I always authorized only with my LDAP uid

For those that are having that weird stuck on “Connecting” issues attempting to use LDAP, I had that too and then changed to the Cyrus SASL method that @Balu lays out in his Wiki article and was able to actually get it working.

I am using openLDAP and wanted to integrate jitsi with it. I have different OU and users are inside these OU.
What is the authentication flow for LDAP in Jitsi?

  1. Does it bind with the LDAP manager, fetch the user's data and then try with the userID and password?
  2. If not the above, does it directly bind with the “dn:” and password after fetching the data with the manager?

What hashing method does it use while authenticating with LDAP?

At our LDAP end we are using MD5 hash.

Thank you in advance.

Jitsi only authenticates against Prosody. Prosody does the real authentication and I think it can do both if you use the LDAP module:

From https://modules.prosody.im/mod_auth_ldap.html

The "getpasswd" mode requires plain text access to passwords in LDAP and feeds them into Prosody's authentication system. This enables more secure authentication mechanisms but does not work for all deployments.
The "bind" mode performs an LDAP bind, does not require plain text access to passwords but limits you to the PLAIN authentication mechanism.

I have not used the Cyrus SASL method, but I think it only does the “bind mode”.

Sorry for the late reply. A month ago I got it to work.
I have gone through the authentication procedure below and I was able to configure it successfully.

In my case Jitsi searches the user DN with the help of the userid and binds with the given password.

Thank you.
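As an added illustration (not code from this thread, from Jitsi or from Prosody), here is a Python model of the two modes quoted from the mod_auth_ldap page above and of the search-then-bind flow the last reply describes. The directory, DNs, passwords and function names are constructed for the example and stand in for a real LDAP server; a deployment would issue the same sequence of operations through an LDAP client library. It also shows why the hashing question matters: in "bind" mode the directory verifies the password itself, so an `{MD5}` userPassword is fine, while "getpasswd" mode can only work when the attribute holds the clear-text password.

```python
"""Constructed model of Prosody's two LDAP authentication modes.

"bind" mode:      bind as the service account, search the user's DN by uid,
                  then bind as that DN with the user's password.
"getpasswd" mode: bind as the service account, read userPassword and compare
                  it inside the application (needs clear text in LDAP).
Everything runs against an in-memory dictionary; no directory is contacted."""
import base64
import hashlib
import hmac

# Constructed sample directory. DNs and values are made up for this example.
DIRECTORY = {
    "cn=ldap-read,cn=Users,dc=example,dc=local": {
        "userPassword": "{SHA}" + base64.b64encode(hashlib.sha1(b"reader-pw").digest()).decode(),
    },
    "uid=j.fox,ou=people,dc=example,dc=local": {
        "uid": "j.fox",
        "cn": "Jirka Fox",
        # Hashed at the LDAP end, as in the thread; the clear text is not stored.
        "userPassword": "{MD5}" + base64.b64encode(hashlib.md5(b"s3cret").digest()).decode(),
    },
    "uid=s.mae,ou=guests,dc=example,dc=local": {
        "uid": "s.mae",
        "cn": "Susie Mae",
        "userPassword": "guest-pw",  # stored in clear text, which getpasswd mode needs
    },
}

# Values mirroring the ldap = { ... } block posted in the thread (constructed).
BIND_DN = "cn=ldap-read,cn=Users,dc=example,dc=local"
BIND_PASSWORD = "reader-pw"
BASE_DN = "dc=example,dc=local"
USERNAME_FIELD = "uid"


def _password_matches(stored: str, candidate: str) -> bool:
    """Server-side check of a userPassword value: {MD5}, {SHA} or clear text."""
    if stored.startswith("{MD5}"):
        expected = base64.b64decode(stored[len("{MD5}"):])
        return hmac.compare_digest(hashlib.md5(candidate.encode()).digest(), expected)
    if stored.startswith("{SHA}"):
        expected = base64.b64decode(stored[len("{SHA}"):])
        return hmac.compare_digest(hashlib.sha1(candidate.encode()).digest(), expected)
    return hmac.compare_digest(stored.encode(), candidate.encode())


def ldap_bind(dn: str, password: str) -> bool:
    """Simulated LDAP simple bind: True if dn exists and the password verifies."""
    entry = DIRECTORY.get(dn)
    return entry is not None and _password_matches(entry["userPassword"], password)


def ldap_search(base_dn: str, attribute: str, value: str):
    """Simulated subtree search: first entry under base_dn whose attribute equals value."""
    for dn, entry in DIRECTORY.items():
        if dn.endswith(base_dn) and entry.get(attribute) == value:
            return dn, entry
    return None, None


def localpart(login: str) -> str:
    """XMPP usernames are the JID localpart; drop a 'user@host' suffix if one was typed."""
    return login.split("@", 1)[0]


def auth_bind_mode(login: str, password: str) -> str:
    """'bind' mode: the directory checks the password, so hashed values work."""
    if not ldap_bind(BIND_DN, BIND_PASSWORD):
        return "service-bind-failed"
    dn, _ = ldap_search(BASE_DN, USERNAME_FIELD, localpart(login))
    if dn is None:
        return "no-such-user"
    return "ok" if ldap_bind(dn, password) else "bad-password"


def auth_getpasswd_mode(login: str, password: str) -> str:
    """'getpasswd' mode: the application compares userPassword itself."""
    if not ldap_bind(BIND_DN, BIND_PASSWORD):
        return "service-bind-failed"
    dn, entry = ldap_search(BASE_DN, USERNAME_FIELD, localpart(login))
    if dn is None:
        return "no-such-user"
    stored = entry["userPassword"]
    if stored.startswith("{"):
        # A {MD5}/{SHA}/... value cannot be turned back into clear text.
        return "hashed-password-unsupported"
    return "ok" if hmac.compare_digest(stored.encode(), password.encode()) else "bad-password"


if __name__ == "__main__":
    for user, pw in (("j.fox@example.com", "s3cret"), ("s.mae", "guest-pw")):
        print(user, "bind:", auth_bind_mode(user, pw), "getpasswd:", auth_getpasswd_mode(user, pw))
```

Running the block prints `ok` for both users in bind mode, but `hashed-password-unsupported` for the MD5-hashed account in getpasswd mode; that is the trade-off the quoted module documentation describes, and it is why a directory that stores hashes has to use bind mode (and therefore the PLAIN mechanism over a TLS-protected connection).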