Need assistance to understand LDAP integration with Jitsi Meet

I am trying to set up LDAP integration with Jitsi Meet and came across this website, which seems to explain it well.

However I did not understand this section,

Create /etc/saslauthd.conf and add the following
ldap_servers: ldap://10.0.0.1
ldap_bind_dn: cn=Administrator,cn=Users,dc=foo,dc=bar
ldap_bind_pw: PassW0rd
ldap_search_base: dc=my,dc=search,dc=base
ldap_filter: (sAMAccountName=%u)
ldap_version: 3
ldap_auth_method: bind

I did not get what these variables mean and how to assign them values according to my Jitsi setup:
ldap_bind_dn
ldap_search_base
ldap_filter
ldap_auth_method

Appreciate any information you can share to help me understand this better.

Hi krishnanvs,

First of all, you have to configure the secure domain part as described in this documentation:

In the 2nd step you can configure your ldap settings:

The saslauthd daemon does the authentication for Jitsi; Jitsi itself doesn’t have an LDAP connector.

However, you have to configure the following parameters in the /etc/saslauthd.conf

ldap_servers → insert your AD / LDAP server address starting with the protocol type, ldaps:// or ldap://; depending on your LDAP configuration you may have to add a port additionally, like :389 …

ldap_bind_dn → insert an LDAP bind user, so saslauthd can log in to your LDAP and browse for objects inside the LDAP directory; the syntax depends on your LDAP system (AD/OpenLDAP etc…)
→ in the control panel of “AD Users and Computers” you can get the DN in user options > Attribute Editor > Distinguished Name (maybe you can also use the principal name logon-name@domainname.example.org; but I have not tested it yet)
ldap_bind_pw → insert the password for the LDAP bind user
ldap_search_base → that’s the entry point for LDAP searches, e.g. cn=Users,dc=foo,dc=bar will allow login on Jitsi for all users in this subscope (recursively).

ldap_filter: (sAMAccountName=%u) → %u is the variable for the login input of Jitsi; if you use sAMAccountName as the login attribute, the user has to insert the sAMAccountName + password in the login fields.

I recommend doing an ldapsearch to check your configuration:
ldapsearch -x -D "cn=[ldap-bind-user],cn=users,dc=example,dc=com" -w [bind-user-password] -H ldap://[YOUR-LDAP-OR-AD-HOST]:389 -b "cn=Users,dc=example,dc=com" "(sAMAccountName=[userloginname])" sAMAccountName

Note: depending on your operating system, you may have to install the ldap-utils package (e.g. apt install ldap-utils | dnf install openldap-clients)

If you get a response like the one below, the LDAP bind was successful and your userloginname exists.

# extended LDIF
#
# LDAPv3
# base <cn=users,dc=example,dc=com> with scope subtree
# filter: (sAMAccountName=testuser)
# requesting: sAMAccountName 
#

dn: cn=testuser,cn=users,dc=example,dc=com
sAMAccountName: testuser

Note: That part of the configuration in saslauthd is independent of Jitsi. Jitsi (more precisely: prosody) uses saslauthd as the authentication provider.

If these steps are successfully done, you can go ahead with the prosody and jitsi configuration described here: LDAP authentication | Jitsi Meet

Hope it helps!
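An added example, not part of the original reply: the ldapsearch check above, driven by the values in the saslauthd configuration file itself, so that a typo in ldap_bind_dn, ldap_search_base or ldap_filter shows up before prosody is involved. The function names, the LDAPSEARCH override, the allowed login characters and the use of -W (prompt for the bind password instead of passing it with -w) are assumptions of this example.

```shell
#!/bin/sh
# conf_get FILE KEY: print the value of the first "KEY: value" line.
conf_get() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" |
        sed -e 's/[[:space:]]*$//' -e 1q
}

# expand_filter TEMPLATE LOGIN: replace %u with the login name.
# Assumption of this example: only letters, digits, '.', '_' and '-' are
# accepted, so LDAP filter metacharacters never reach the search filter.
expand_filter() {
    case $2 in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    printf '%s\n' "$1" | sed "s/%u/$2/g"
}

# run_check FILE LOGIN: search for LOGIN with the settings from FILE.
# -W prompts for the bind password, keeping it out of the process list and
# shell history; "1.1" asks for the DN only. LDAPSEARCH can be overridden.
run_check() {
    filter=$(expand_filter "$(conf_get "$1" ldap_filter)" "$2") || {
        echo "login name rejected: $2" >&2
        return 2
    }
    "${LDAPSEARCH:-ldapsearch}" -x -W \
        -H "$(conf_get "$1" ldap_servers)" \
        -D "$(conf_get "$1" ldap_bind_dn)" \
        -b "$(conf_get "$1" ldap_search_base)" \
        "$filter" 1.1
}

# write_sample FILE: constructed sample using the values from the question.
write_sample() {
    cat > "$1" <<'EOF'
ldap_servers: ldap://10.0.0.1
ldap_bind_dn: cn=Administrator,cn=Users,dc=foo,dc=bar
ldap_search_base: dc=my,dc=search,dc=base
ldap_filter: (sAMAccountName=%u)
EOF
}

# Usage: sh check.sh /etc/saslauthd.conf testuser
if [ "$#" -eq 2 ]; then run_check "$1" "$2"; fi
```

A result containing a single dn: line means the bind DN, search base and filter agree; an empty result with a successful bind usually points at ldap_search_base or ldap_filter.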

Thank you very much for the detailed reply, will go over and try as you suggested