LDAP integration with jitsi-docker

I’m trying to integrate Jitsi with OpenLDAP running on a VM instance using docker-compose.
GitHub link: https://github.com/tiredofit/docker-openldap

I can see that Prosody is talking to the LDAP server by checking the logs, but I’m getting an err=49 error, which indicates that the username or password is invalid. Below is my full configuration.

prosody config

prosody:
        image:  myimage/prosody:3
        hostname: xmpp.meet.example.in
        deploy:
          replicas: 1
          update_config:
            failure_action: rollback
          restart_policy:
            condition: on-failure
            delay: 5s
            max_attempts: 5
          placement:
            constraints:
              - node.hostname != vs1
              - node.hostname != vs5
              - node.hostname != vs6
        environment:
            AUTH_TYPE: ldap #internal
            ENABLE_HTTP_REDIRECT:
            ENABLE_AUTH: 1
            GLOBAL_CONFIG:
            GLOBAL_MODULES:
            LDAP_URL: ldap://ldap.example.in:5050/
            LDAP_BASE: DC=meet,DC=example,DC=in
            LDAP_BINDDN: CN=admin,OU=Users,DC=meet,DC=example,DC=in
            LDAP_BINDPW: 9c12379e12432cdc9439fa4dede18674
            LDAP_FILTER: '(uid=%u)' #(sAMAccountName=%u) <--- tried with sAMAccountName also but didn't work
            LDAP_AUTH_METHOD: bind
            LDAP_VERSION: 3
            LDAP_USE_TLS: 1
            LDAP_TLS_CIPHERS: SECURE256:SECURE128
            LDAP_TLS_CHECK_PEER: 1
            LDAP_TLS_CACERT_FILE: /etc/ssl/certs/ca-certificates.crt
            LDAP_TLS_CACERT_DIR: /etc/ssl/certs
            LDAP_START_TLS: 0
            JICOFO_COMPONENT_SECRET: e7f79f7a16a1b6a8bd5c18327d9bdace
            JICOFO_AUTH_USER: focus
            JICOFO_AUTH_PASSWORD: b44d6f8dd2af24a03fded73ebaa3ae2a
            JVB_AUTH_USER: jvb
            JVB_AUTH_PASSWORD: f8412a7d2f9821e8e9313fb6dad86a02
            PUBLIC_URL: https://meet.example.in
            XMPP_DOMAIN: meet.example.in
            XMPP_AUTH_DOMAIN: auth.meet.example.in
            XMPP_BOSH_URL_BASE: http://xmpp.meet.example.in:5280
            XMPP_GUEST_DOMAIN: guest.meet.example.in
            XMPP_MUC_DOMAIN: muc.meet.example.in
            XMPP_INTERNAL_MUC_DOMAIN: internal-muc.meet.example.in
            XMPP_RECORDER_DOMAIN: recorder.meet.example.in
            XMPP_MODULES:
            XMPP_MUC_MODULES:
            XMPP_INTERNAL_MUC_MODULES:
            TZ: Asia/Kolkata
            JIGASI_XMPP_USER: jigasi
            JIGASI_XMPP_PASSWORD: 1c59269877257b39cc0475b21cf08a16
            JIBRI_BREWERY_MUC: jibribrewery
            JIBRI_PENDING_TIMEOUT: 90
            JIBRI_XMPP_USER: jibri
            JIBRI_XMPP_PASSWORD: 160135fb81b8f78232b26df486880b81
            JIBRI_RECORDER_USER: recorder
            JIBRI_RECORDER_PASSWORD: 46ea1b0e6252479eb6cc647bed7cfc18
            JWT_APP_ID: E1B40
            JWT_APP_SECRET: 21D40CD42CCA9BE6B8932855781FC840
            JWT_ACCEPTED_ISSUERS: my_web_client,my_app_client
            JWT_ALLOW_EMPTY: 0
            JWT_AUTH_TYPE: token
            JWT_TOKEN_AUTH_MODULE: token_verification
            JWT_ACCEPTED_AUDIENCES: myserver1,myserver2
            JWT_ASAP_KEYSERVER:
            LOG_LEVEL: DEBUG

OpenLDAP compose.yml file

version: '3.7'
services:

  openldap-app:
    hostname: ldap.example.in
    image: tiredofit/openldap
    container_name: openldap-app
    ports:
    - 5050:389
    - 7946:636
    - 80:80
    volumes:
    - ./backup:/data/backup
    - ./data:/var/lib/openldap
    - ./config:/etc/openldap/slapd.d
    - ./certs:/assets/slapd/certs
    - ./files:/assets/files
    environment:
    - HOSTNAME=ldap.example.in
    - BACKEND=mdb #Lightning Memory-Mapped Database by OpenLDAP
    - LOG_LEVEL=256
    - DOMAIN=ldap.example.in
    - ADMIN_PASS=admin
    - CONFIG_PASS=config
    - ORGANIZATION=Bloquelabs

    - BASE_DN=dc=meet,dc=example,dc=in
    - ENABLE_READONLY_USER=false
    - READONLY_USER_USER=reader
    - READONLY_USER_PASS=reader

    - ENABLE_TLS=true
    - TLS_CRT_FILENAME=cert.pem
    - TLS_KEY_FILENAME=key.pem
    - TLS_CA_CRT_FILENAME=ca.pem
    - TLS_ENFORCE=false
    - TLS_CIPHER_SUITE=ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:-DHE-DSS:-RSA:!aNULL:!MD5:!DSS:!SHA
    - TLS_VERIFY_CLIENT=never
    - SSL_HELPER_PREFIX=ldap

    - ENABLE_REPLICATION=false
      #- REPLICATION_CONFIG_SYNCPROV=binddn="cn=admin,cn=config" bindmethod=simple credentials="admin" searchbase="cn=config" type=refreshAndPersist retry="60 +" timeout=1
      #- REPLICATION_DB_SYNCPROV=binddn="cn=admin,dc=example,dc=in" bindmethod=simple credentials="admin" searchbase="dc=example,dc=in" type=refreshAndPersist interval=00:00:00:10 retry="60 +" timeout=1
      #- REPLICATION_HOSTS=ldap://ldap.example.in ldap://ldap2.example.in ldap://ldap3.example.in
    - REMOVE_CONFIG_AFTER_SETUP=false

    - BACKUP_CONFIG_CRON_PERIOD=0 4 * * *
    - BACKUP_DATA_CRON_PERIOD=0 4 * * *
    - BACKUP_TTL=15

    - ZABBIX_HOSTNAME=openldap-app
    - ENABLE_NGINX=TRUE

    networks:
    - internal
    - services
    restart: always

networks:
  internal:
    external: false
  services: {}
          #external: true

add_entried.ldif file

dn: dc=meet,dc=example,dc=in
o: MyOrg
objectClass: organization
objectClass: dcObject

dn: ou=Users,dc=meet,dc=example,dc=in
objectClass: organizationalUnit
ou: Users

dn: cn=binduser,ou=Users,dc=meet,dc=example,dc=in
objectClass: posixGroup
cn: binduser
gidNumber: 5001

dn: uid=Joe,ou=Users,dc=meet,dc=example,dc=in
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: Joe
sn: Smith
givenName: Joe
cn: Joe Smith
displayName: Joe Smith
userpassword: Joe
uidNumber: 10001
gidNumber: 5001
loginShell: /bin/bash
homeDirectory: /home/Joe
userPassword: joe03

Prosody error logs

jitsi_prosody.1.4xisrgmza7y2@vs4    | saslauthd[272] :released accept lock
jitsi_prosody.1.4xisrgmza7y2@vs4    | saslauthd[274] :acquired accept lock
jitsi_prosody.1.4xisrgmza7y2@vs4    | saslauthd[272] :attempting a read lock on slot: 1569
jitsi_prosody.1.4xisrgmza7y2@vs4    | saslauthd[272] :[login=joe] [service=xmpp] [realm=meet.example.in]: not found, update pending
jitsi_prosody.1.4xisrgmza7y2@vs4    | saslauthd[272] :attempting to release lock on slot: 1569
jitsi_prosody.1.4xisrgmza7y2@vs4    | saslauthd[272] :auth failure: [user=joe] [service=xmpp] [realm=meet.example.in] [mech=ldap] [reason=Unknown]
jitsi_prosody.1.4xisrgmza7y2@vs4    | saslauthd[272] :response: NO

ldap logs

5ed4ff4b conn=1040 fd=15 ACCEPT from IP=161.202.X.X:36080 (IP=0.0.0.0:389)
5ed4ff4b conn=1040 op=0 BIND dn="cn=admin,ou=Users,dc=meet,dc=example,dc=in" method=128
5ed4ff4b conn=1040 op=0 RESULT tag=97 err=49 text=

Please help.
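As an added example (not from this thread, the Jitsi Docker images or docker-openldap), here is an offline check that can be run against the LDIF and the LDAP_* values before Prosody ever binds. It parses the LDIF, flags entries that carry more than one userPassword value (LDAP attribute names are case-insensitive, so `userpassword: Joe` and `userPassword: joe03` in the LDIF above both become values of userPassword on uid=Joe, and a simple bind is accepted with either), reports whether a candidate bind DN is defined at all, and shows which entry a `(uid=%u)` search under LDAP_BASE resolves a login to. The sample LDIF is constructed from the one posted above. `cn=admin,dc=meet,dc=example,dc=in` is not in the LDIF because the OpenLDAP container creates it from ADMIN_PASS (which is the bind DN and password that the follow-up post in this thread reports as working), whereas `cn=admin,ou=Users,...` from LDAP_BINDDN exists nowhere, which matches the err=49 on that bind.

```python
"""Offline sanity checks for an LDIF file and the LDAP_* settings used by
Prosody's ldap auth. Added example for this thread, not code from the Jitsi
Docker images or docker-openldap."""
from __future__ import annotations
import base64

# Constructed sample, modelled on the add_entried.ldif posted in the thread.
SAMPLE_LDIF = """\
dn: dc=meet,dc=example,dc=in
o: MyOrg
objectClass: organization
objectClass: dcObject

dn: ou=Users,dc=meet,dc=example,dc=in
objectClass: organizationalUnit
ou: Users

# Two spellings of the same attribute: both end up as userPassword values.
dn: uid=Joe,ou=Users,dc=meet,dc=example,dc=in
objectClass: inetOrgPerson
objectClass: posixAccount
uid: Joe
cn: Joe Smith
userpassword: Joe
userPassword: joe03
"""


def normalize_dn(dn: str) -> str:
    """Case-fold and strip spaces around RDN separators (escaped commas ignored)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_ldif(text: str) -> dict[str, dict[str, list[str]]]:
    """Return {normalized dn: {attribute (lower-cased): [values]}}.
    Handles comments, folded continuation lines and 'attr:: <base64>' values;
    changetype records are not supported."""
    entries: dict[str, dict[str, list[str]]] = {}
    current: list[str] = []

    def flush() -> None:
        if not current:
            return
        attrs: dict[str, list[str]] = {}
        for raw in current:
            name, _, value = raw.partition(":")
            if value.startswith(":"):  # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode()
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries[normalize_dn(attrs.pop("dn")[0])] = attrs
        current.clear()

    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            flush()
        elif line.startswith(" ") and current:
            current[-1] += line[1:]  # folded line continues the previous value
        else:
            current.append(line)
    flush()
    return entries


def multiple_passwords(entries):
    """Entries with more than one userPassword value: a simple bind succeeds with any of them."""
    return {dn: a["userpassword"] for dn, a in entries.items()
            if len(a.get("userpassword", [])) > 1}


def bind_dn_exists(entries, bind_dn: str) -> bool:
    return normalize_dn(bind_dn) in entries


def resolve_login(entries, base_dn: str, login: str) -> list[str]:
    """Emulate LDAP_FILTER '(uid=%u)' as a subtree search under base_dn.
    uid uses caseIgnoreMatch, so login 'joe' matches 'uid: Joe'."""
    base = normalize_dn(base_dn)
    return [dn for dn, a in entries.items()
            if (dn == base or dn.endswith("," + base))
            and any(v.lower() == login.lower() for v in a.get("uid", []))]


if __name__ == "__main__":
    e = parse_ldif(SAMPLE_LDIF)
    print("entries with more than one userPassword:", multiple_passwords(e))
    for dn in ("CN=admin,OU=Users,DC=meet,DC=example,DC=in",
               "CN=admin,DC=meet,DC=example,DC=in"):  # the latter is created by the container, not the LDIF
        print(f"{dn} defined in LDIF: {bind_dn_exists(e, dn)}")
    print("(uid=joe) under OU=Users:", resolve_login(e, "OU=Users,DC=meet,DC=example,DC=in", "joe"))
```

Run it against the real file with `parse_ldif(open("add_entried.ldif").read())`; the bind-DN check is only meaningful for DNs the LDIF itself is supposed to create, so treat a missing `cn=admin,<BASE_DN>` as expected.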

It’s working after making some changes.

LDAP_BASE: "OU=Users,DC=meet,DC=example,DC=in" # -b
LDAP_BINDDN: "CN=admin,DC=meet,DC=example,DC=in" #CN=admin,OU=Users,DC=meet,DC=example,DC=in # -D
LDAP_BINDPW: admin

It’s working with ldap://ldap.example.in but not with ldaps://. I’m getting a certificate error in the browser console.

Is there any way I can check how Prosody is sending the request to the LDAP server, and what other parameters it is adding to the URL ldap://ldap.example.in? I want to enforce STARTTLS.

Please help.

I have verified that STARTTLS is working fine on the LDAP server by adding -ZZ to the URL ldap://ldap.example.in:

docker exec openldap-app ldapsearch -H ldap://ldap.example.in:389 -x -ZZ -D "cn=admin,dc=meet,dc=example,dc=in" -w admin -b "ou=Users,dc=meet,dc=example,dc=in"

Logs when Prosody is talking to the LDAP server

STARTTLS isn’t present in the logs, hence Prosody is not enforcing STARTTLS.

5ed692a7 conn=1009 fd=14 ACCEPT from IP=161.202.X.X:52864 (IP=0.0.0.0:389)
5ed692a7 conn=1009 op=0 BIND dn="cn=admin,dc=meet,dc=example,dc=in" method=128
5ed692a7 conn=1009 op=0 BIND dn="cn=admin,dc=meet,dc=example,dc=in" mech=SIMPLE ssf=0
5ed692a7 conn=1009 op=0 RESULT tag=97 err=0 text=
5ed692a8 conn=1009 op=1 SRCH base="ou=Users,dc=meet,dc=example,dc=in" scope=2 deref=0 filter="(uid=joe)"
5ed692a8 conn=1009 op=1 SRCH attr=dn
5ed692a8 conn=1009 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
5ed692a8 conn=1009 op=2 BIND anonymous mech=implicit ssf=0
5ed692a8 conn=1009 op=2 BIND dn="uid=joe,ou=Users,dc=meet,dc=example,dc=in" method=128
5ed692a8 conn=1009 op=2 BIND dn="uid=joe,ou=Users,dc=meet,dc=example,dc=in" mech=SIMPLE ssf=0
5ed692a8 conn=1009 op=2 RESULT tag=97 err=0 text=
  1. Figured out how to enable STARTTLS.
    –> set LDAP_START_TLS: 1.
  2. Regarding the certificate error in the browser console: use the Let’s Encrypt production CA, not the staging CA. If the staging CA is used, certificate errors appear in the console.

When using STARTTLS, I’m unable to authenticate the user via LDAP. I’m getting reason=Unknown in the Prosody logs. The same config works if not using STARTTLS.

Prosody logs

saslauthd[277] :released accept lock
saslauthd[278] :acquired accept lock
saslauthd[277] :attempting a read lock on slot: 1569
saslauthd[277] :[login=joe] [service=xmpp] [realm=meet.example.in]: not found, update pending
saslauthd[277] :attempting to release lock on slot: 1569
saslauthd[277] :auth failure: [user=joe] [service=xmpp] [realm=meet.example.in] [mech=ldap] [reason=Unknown]
saslauthd[277] :response: NO

OpenLDAP logs
In the LDAP logs, when STARTTLS is enforced, the connection is closing.

5ed761f4 conn=1013 fd=13 ACCEPT from IP=161.202.X.X:35532 (IP=0.0.0.0:389)
5ed761f4 conn=1013 op=0 EXT oid=1.3.6.1.4.1.1466.20037
5ed761f4 conn=1013 op=0 STARTTLS
5ed761f4 conn=1013 op=0 RESULT oid= err=0 text=
5ed761f4 conn=1013 fd=13 TLS established tls_ssf=256 ssf=256
5ed761f4 conn=1013 fd=13 closed (connection lost)

If STARTTLS isn’t enabled, the LDAP logs are:

5ed692a7 conn=1009 fd=14 ACCEPT from IP=161.202.X.X:52864 (IP=0.0.0.0:389)
5ed692a7 conn=1009 op=0 BIND dn="cn=admin,dc=meet,dc=example,dc=in" method=128
5ed692a7 conn=1009 op=0 BIND dn="cn=admin,dc=meet,dc=example,dc=in" mech=SIMPLE ssf=0
5ed692a7 conn=1009 op=0 RESULT tag=97 err=0 text=
5ed692a8 conn=1009 op=1 SRCH base="ou=Users,dc=meet,dc=example,dc=in" scope=2 deref=0 filter="(uid=joe)"
5ed692a8 conn=1009 op=1 SRCH attr=dn
5ed692a8 conn=1009 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
5ed692a8 conn=1009 op=2 BIND anonymous mech=implicit ssf=0
5ed692a8 conn=1009 op=2 BIND dn="uid=joe,ou=Users,dc=meet,dc=example,dc=in" method=128
5ed692a8 conn=1009 op=2 BIND dn="uid=joe,ou=Users,dc=meet,dc=example,dc=in" mech=SIMPLE ssf=0
5ed692a8 conn=1009 op=2 RESULT tag=97 err=0 text=

Please help.
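To make the three states seen in the slapd logs in this thread visible at a glance (the err=49 on the original bind DN, simple binds with ssf=0, and the STARTTLS session that is closed with "connection lost" before any bind), here is an added Python script that is not from this thread, the Jitsi Docker images or docker-openldap. It parses slapd's `conn=`/`op=` log lines into one record per connection and prints findings. The sample log is constructed from the lines posted above. The ssf=0 on the binds in the non-STARTTLS runs means the admin and user passwords crossed the wire unencrypted, which is the security reason for insisting on LDAP_START_TLS: 1 together with a certificate chain the client can verify; a connection dropped by the client right after "TLS established" is what that verification failing looks like from the server side, consistent with the certificate-chain fix reported at the end of the thread.

```python
"""Summarise slapd connection logs so the failure modes seen in this thread
stand out: an err=49 bind, simple binds with ssf=0 (credentials crossed the
wire in cleartext) and a STARTTLS session the client drops right after the
handshake. Added example for this thread, not code from the Jitsi Docker
images or docker-openldap."""
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample built from the log lines posted in this thread.
SAMPLE_LOG = """\
5ed4ff4b conn=1040 fd=15 ACCEPT from IP=161.202.X.X:36080 (IP=0.0.0.0:389)
5ed4ff4b conn=1040 op=0 BIND dn="cn=admin,ou=Users,dc=meet,dc=example,dc=in" method=128
5ed4ff4b conn=1040 op=0 RESULT tag=97 err=49 text=
5ed692a7 conn=1009 fd=14 ACCEPT from IP=161.202.X.X:52864 (IP=0.0.0.0:389)
5ed692a7 conn=1009 op=0 BIND dn="cn=admin,dc=meet,dc=example,dc=in" method=128
5ed692a7 conn=1009 op=0 BIND dn="cn=admin,dc=meet,dc=example,dc=in" mech=SIMPLE ssf=0
5ed692a7 conn=1009 op=0 RESULT tag=97 err=0 text=
5ed692a8 conn=1009 op=1 SRCH base="ou=Users,dc=meet,dc=example,dc=in" scope=2 deref=0 filter="(uid=joe)"
5ed692a8 conn=1009 op=2 BIND anonymous mech=implicit ssf=0
5ed692a8 conn=1009 op=2 BIND dn="uid=joe,ou=Users,dc=meet,dc=example,dc=in" mech=SIMPLE ssf=0
5ed692a8 conn=1009 op=2 RESULT tag=97 err=0 text=
5ed761f4 conn=1013 fd=13 ACCEPT from IP=161.202.X.X:35532 (IP=0.0.0.0:389)
5ed761f4 conn=1013 op=0 EXT oid=1.3.6.1.4.1.1466.20037
5ed761f4 conn=1013 op=0 STARTTLS
5ed761f4 conn=1013 op=0 RESULT oid= err=0 text=
5ed761f4 conn=1013 fd=13 TLS established tls_ssf=256 ssf=256
5ed761f4 conn=1013 fd=13 closed (connection lost)
"""

LINE_RE = re.compile(r"^\w+ conn=(?P<conn>\d+) (?P<rest>.*)$")
ACCEPT_RE = re.compile(r"ACCEPT from IP=(?P<peer>\S+)")
BIND_RE = re.compile(r'op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)"'
                     r'(?: method=(?P<method>\d+))?(?: mech=(?P<mech>\S+) ssf=(?P<ssf>\d+))?')
RESULT_RE = re.compile(r"op=(?P<op>\d+) RESULT tag=97 err=(?P<err>\d+)")  # tag=97 is a BIND response
TLS_RE = re.compile(r"TLS established tls_ssf=(?P<ssf>\d+)")
CLOSED_RE = re.compile(r"closed \((?P<why>[^)]*)\)")


@dataclass
class Bind:
    op: int
    dn: str
    mech: str            # "SIMPLE" for method=128 / mech=SIMPLE
    ssf: int             # security strength factor of the session at bind time
    err: Optional[int] = None


@dataclass
class Conn:
    conn: int
    peer: str = ""
    starttls: bool = False
    tls_ssf: int = 0
    binds: list = field(default_factory=list)
    closed: Optional[str] = None


def parse_slapd_log(text: str) -> dict[int, Conn]:
    conns: dict[int, Conn] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        c = conns.setdefault(int(m["conn"]), Conn(int(m["conn"])))
        rest = m["rest"]
        if (a := ACCEPT_RE.search(rest)):
            c.peer = a["peer"]
        elif (b := BIND_RE.search(rest)):
            # slapd logs a bind twice: 'method=128' (simple) and then 'mech=... ssf=...'
            op = int(b["op"])
            mech = b["mech"] or ("SIMPLE" if b["method"] == "128" else "?")
            bind = next((x for x in c.binds if x.op == op), None)
            if bind is None:
                c.binds.append(Bind(op, b["dn"], mech, int(b["ssf"] or 0)))
            elif b["mech"]:
                bind.mech, bind.ssf = b["mech"], int(b["ssf"])
        elif (r := RESULT_RE.search(rest)):
            for bind in c.binds:
                if bind.op == int(r["op"]):
                    bind.err = int(r["err"])
        elif rest.endswith(" STARTTLS"):
            c.starttls = True
        elif (t := TLS_RE.search(rest)):
            c.tls_ssf = int(t["ssf"])
        elif (x := CLOSED_RE.search(rest)):
            c.closed = x["why"]
    return conns


def findings(conns: dict[int, Conn]) -> list[str]:
    out = []
    for c in conns.values():
        for b in c.binds:
            if b.err == 49:
                out.append(f"conn={c.conn}: err=49 invalidCredentials for dn={b.dn} (DN or password wrong)")
            if b.mech == "SIMPLE" and b.ssf == 0:
                out.append(f"conn={c.conn}: simple bind for dn={b.dn} sent in cleartext (ssf=0)")
        if c.starttls and c.closed == "connection lost" and not c.binds:
            out.append(f"conn={c.conn}: client dropped the link right after STARTTLS (tls_ssf={c.tls_ssf}) "
                       "without binding; consistent with client-side certificate verification failing")
    return out


if __name__ == "__main__":
    for line in findings(parse_slapd_log(SAMPLE_LOG)):
        print(line)
```

Feed it `docker logs openldap-app` output (LOG_LEVEL=256 as in the compose file above); once LDAP_START_TLS: 1 and the chain are in place, the bind lines should show a non-zero ssf and the cleartext finding should disappear.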

Fixed by using the certificate chain.