WIKI: LDAP Authentication

This topic is meant to be for discussions and help regarding the LDAP Authentication Wiki page.

@WebCF added a section on using saslauthd for LDAP authentication.

I wonder what the (dis-)advantages between the two methods are?

Hi! Thank you so much for your clear documentation.

After following the whole tutorial (going forward and backwards), it seems the LDAP authentication does not work. We are able to create rooms without authentication and Jitsi does not prompt the user/password box.

We have installed the required packages and modified the following files as you stated:

  • /etc/prosody/conf.avail/ldap.cfg.lua (we tried with a user created in our domain and also with anonymous authentication)
  • /etc/prosody/prosody.cfg.lua (adding the consider_bosh_secure = true)
  • /etc/prosody/conf.avail/ourdomain.com.cfg.lua (changing authentication to ldap2)
  • /etc/prosody/conf.avail/ourdomain.com.cfg.lua (adding the VirtualHost anonymous)
  • /etc/jitsi/jicofo/sip-communicator.properties (adding the XMPP: line)

It seems strange that the console log is logging:

Logger.js:154 2020-04-06T13:55:04.533Z [modules/xmpp/moderator.js] <l.parseConfigOptions>: Authentication enabled: false
Logger.js:154 2020-04-06T13:55:04.534Z [modules/xmpp/moderator.js] <l.parseConfigOptions>: External authentication enabled: false
Logger.js:154 2020-04-06T13:55:04.538Z [modules/xmpp/moderator.js] <l.parseConfigOptions>: Sip gateway enabled: false

Could you give us further assistance?

Thank you!
Rada

Did you try without the “Host + Guest” setup first? That way everybody needs to authenticate. I tried that first, so I could test if authentication works at all.

Did you link the LDAP configuration into the prosody config directory?

Also make sure you restart the services.

Hi! Thank you for your prompt answer.

We followed your advice and now Jitsi prompts for user and password. However, when the second user logs in, the call disconnects.

Thank you,
Radamés

Thank you for putting your findings in one single wiki page!

Today I spent most of my day setting up a new Jitsi environment with LDAP support. I spent a few hours trying to get the first method to work.

At first it seemed to work, until a wrong user / password combination was entered. Prosody choked on looking up a user that didn't exist. Due to the design of our AD it has to look in multiple OUs, which ldap2 does not seem to handle well. Limiting the search to one OU worked fine.

The error logs stated a fatal error in one of the Lua LDAP libraries when it tries to retrieve a non-existent attribute.

I tried to limit the search by creating all kinds of filters that Google and I could come up with, without any result.

In the end I gave up on the LDAP2 method and went for the other option with Cyrus.

I followed the steps you described and it worked like a charm the first time round. I wonder if other people have similar experiences.

I added the prosody user to the sasl group with the command:

#> usermod -aG sasl prosody

Instead of manually changing the files.

Hi, I followed the instructions here https://github.com/jitsi/jitsi-meet/wiki/LDAP-Authentication#ldap-authentication-for-jitsi-meet-via-cyrussaslauthd-in-progress and used saslauthd.
I used the suggestion about email addresses: use ldap_filter: (mail=%u*) instead (note the * directly after the %u!), and tell your users to enter the portion before the @ sign of their mail address.
But when I log in with the user@domain mail address it remains in “connecting” forever, and if I use only the user as suggested, I get an “invalid username or password”.
Any ideas?
Thanks

I am not sure, but I am guessing that a login with @domain is used by prosody for virtual host setups. That's why email addresses might not be working unless you set up the corresponding domain in prosody? I am just guessing though.

It should work with the asterisk filter though. Did you check the prosody log to see if it has more details? Do you require / use a service account to connect to your LDAP?

Where are the prosody logs located?

$ sudo ls /var/log/prosody/
prosody.err  prosody.log

Thanks

Now it works, I am asked for authentication when joining a room. It was a stupid typo in a config file.
I can't make the electron client work, but this is not a topic for this wiki.

The app needs access to the External API. You might want to check that.

Had a look and found out the app does not support self-signed certs.

1 Like

First I just want to thank Balu and others on this thread. I suspect many of us are new Jitsi users because of the COVID-19 pandemic. I'll speak personally: I'm standing up servers for healthcare uses. This feels very valuable and I want to start with appreciation for y'all!

Here’s where I am:

If I follow the Github guide, I can get LDAP auth working for hosts. That’s good.

If I add the virtual host for anonymous guests, then it opens up my entire server for everyone.
I'm starting to think this is a hostname thing.
E.g.:
I have something like this:
conference.mydomain.cc

My main virtual host is conference.mydomain.cc …

When I add a virtual host like this:
guest.mydomain.cc
it opens up things for everyone.
But I didn't create guest as a hostname externally or internally on my DNS servers (I have split DNS).
Is that part of the equation? Do I need to have a subdomain (not so easy, actually) or do I need to just create another host?
What other steps might be involved?
E.g.: do I need to add something to /etc/hosts?

Having LDAP work for hosts and guests at least makes my server (more) secure. Our ideal state is that LDAP users can start a conference and then anyone can join.

Again, thank you all for helping with this documentation. It’s so helpful!

One thing I learned is that “domain” in Jitsi / Prosody terms does not necessarily correspond to hostnames / DNS domains. You don’t have to add all the extra “domains” that are used in Prosody into DNS.

As for the guest VirtualHost try “guest.conference.mydomain.cc” (I have no DNS or hosts entry for it). This is how it works for me.

Thanks Balu.
I've been tinkering and here's what I'm finding: as soon as I add anonymousdomain to my config.js file, it opens everything up again.

var config = {
    // Connection
    //
    hosts: {
        // XMPP domain.
        domain: 'tv8.mydomain.cc',

        // When using authentication, domain for guest users.
        anonymousdomain: 'guest.tv8.mydomain.cc',
    },
};

in tv8.mydomain.cc.cfg.lua I have:

VirtualHost "tv8.mydomain.cc"
        -- enabled = false -- Remove this line to enable this host
        authentication = "ldap2"
...
VirtualHost "guest.tv8.mydomain.cc"
    authentication = "anonymous"
    c2s_require_encryption = false

If I remove the anonymousdomain option from the config.js file, it goes back to doing LDAP auth for everyone.

Do you have the org.jitsi.jicofo.auth.URL=XMPP:tv8.mydomain.cc in /etc/jitsi/jicofo/sip-communicator.properties too?

And just to make sure: do you always use a new private browser window? Jitsi stores successful authentications in cookies, which confused me in some of my tests.

Well, I didn't think I had /etc/jitsi/jicofo/sip-communicator.properties as a file. But it turns out I did, and adding that line fixed it.
Host auth works and guests can join. Thanks Balu!

1 Like
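An added consistency check, not from the wiki or from anyone in this thread, that parses constructed fragments of config.js, the prosody VirtualHost file and sip-communicator.properties and reports the situation described above (anonymousdomain set and an anonymous VirtualHost present, but the jicofo auth URL line missing). The sample contents and the regexes are my own assumptions about the shape of those fragments:

```python
import re

# Constructed fragments of the three files the thread touches (not real deployments).
CONFIG_JS = """
hosts: {
    domain: 'tv8.mydomain.cc',
    anonymousdomain: 'guest.tv8.mydomain.cc',
"""
PROSODY_CFG = """
VirtualHost "tv8.mydomain.cc"
        authentication = "ldap2"
VirtualHost "guest.tv8.mydomain.cc"
    authentication = "anonymous"
"""
JICOFO_MISSING = ""  # sip-communicator.properties with no auth URL line
JICOFO_FIXED = "org.jitsi.jicofo.auth.URL=XMPP:tv8.mydomain.cc\n"

def parse_hosts(config_js):
    """Pull domain / anonymousdomain out of the config.js hosts block."""
    return dict(re.findall(r"^\s*(domain|anonymousdomain):\s*'([^']+)'", config_js, re.M))

def parse_virtualhosts(prosody_cfg):
    """Map each VirtualHost in a prosody .cfg.lua fragment to its authentication provider."""
    hosts, current = {}, None
    for line in prosody_cfg.splitlines():
        vh = re.match(r'\s*VirtualHost\s+"([^"]+)"', line)
        if vh:
            current = vh.group(1)
            hosts[current] = None
            continue
        auth = re.match(r'\s*authentication\s*=\s*"([^"]+)"', line)
        if auth and current:
            hosts[current] = auth.group(1)
    return hosts

def jicofo_auth_domain(props):
    """Domain named by org.jitsi.jicofo.auth.URL=XMPP:<domain>, or None if the line is absent."""
    m = re.search(r"^org\.jitsi\.jicofo\.auth\.URL=XMPP:(\S+)", props, re.M)
    return m.group(1) if m else None

def check(config_js, prosody_cfg, jicofo_props):
    """Return findings; an empty list means the host + guest setup is consistent."""
    findings = []
    hosts, vhosts = parse_hosts(config_js), parse_virtualhosts(prosody_cfg)
    main, guest = hosts.get("domain"), hosts.get("anonymousdomain")
    if vhosts.get(main) in (None, "anonymous"):
        findings.append(f"main domain {main} has no authenticating VirtualHost")
    if guest and vhosts.get(guest) != "anonymous":
        findings.append(f"anonymousdomain {guest} has no anonymous VirtualHost")
    if guest and jicofo_auth_domain(jicofo_props) != main:
        findings.append("anonymousdomain set but jicofo auth URL missing: guests get the whole server")
    return findings
```

Run check() against your own three files; the third finding is exactly the state the thread above ended in before the jicofo line was added.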

Good afternoon,

I am having the same problem, I can authenticate with sAMAccountName but not with mail.

Any ideas?

Thank you very much.

TLDR: You will not be able to authenticate with anything containing an @ symbol unless you modify the prosody configuration, which is something I cannot help with, since I have no experience with the internal details of prosody.

You will not be able to authenticate with email unless your email domain is the same as the hostname / domain you entered during the jitsi-meet installation.

Prosody is using the @-part of the login as a marker for the internal virtualhost. Usually this is defined as meet.example.com. Unless your email addresses are user@meet.example.com this will not work.