WIKI: LDAP Authentication

Hi, I have spent a lot of hours since last Saturday configuring LDAP (AD) authentication on my jitsi-meet installation.

I have followed the wiki page instructions to configure ldap2 authentication, and it's working OK when the basedn parameter is configured to a single OU. But, the same as Nemo reports in his post, when I set the basedn parameter to my domain, if an invalid username is used, prosody shows a lot of errors and a strange behaviour.

I’ve tried a lot of mixed settings on basedn and filter parameters, but no luck. So I’ve tried with Cyrus sasl option.

After following Cyrus sasl setup instructions carefully, I can authenticate users against LDAP with testsaslauthd:

    # testsaslauthd -u myuser -p mypasswd -s xmpp
    0: OK "Success."

But authentication in prosody always results in “incorrect username or password” error.

No errors in prosody logs (with debug level), but when the prosody service starts, these errors are recorded in syslog:

    Apr 21 20:43:39 serv-03 prosody[7683]:  * Starting Prosody XMPP Server prosody 
    Apr 21 20:43:39 serv-03 systemd[1]: Starting LSB: Prosody XMPP Server...
    Apr 21 20:43:39 serv-03 prosody[7683]:    ...done.
    Apr 21 20:43:39 serv-03 systemd[1]: Started LSB: Prosody XMPP Server.
    Apr 21 20:43:39 serv-03 prosody[7704]: **auxpropfunc error invalid parameter supplied**
    Apr 21 20:43:39 serv-03 prosody[7704]: **_sasl_plugin_load failed on sasl_auxprop_plug_init**
    Apr 21 20:43:39 serv-03 prosody[7704]: ldapdb
    Apr 21 20:43:39 serv-03 prosody[7704]: **_sasl_plugin_load failed on sasl_canonuser_init**

Note: I’ve configured prosody to allow only authenticated users to create new conference rooms (following the https://github.com/jitsi/jicofo#secure-domain instructions).

Any ideas?
Thanks in advance

What does

/var/log/auth.log

look like while you're trying to authenticate?

I see the same errors in auth.log even if I can authenticate.

    Apr 22 06:55:22 meeting systemd-logind[1072]: Watching system buttons on /dev/input/event1 (AT Translated Set 2 keyboard)
    Apr 22 06:55:23 meeting sshd[1417]: Server listening on 0.0.0.0 port 22.
    Apr 22 06:55:23 meeting sshd[1417]: Server listening on :: port 22.
    Apr 22 06:55:25 meeting saslauthd[1489]: : master pid is: 1489
    Apr 22 06:55:25 meeting saslauthd[1489]: : listening on socket: /var/run/saslauthd/mux
    Apr 22 06:55:26 meeting lua5.1: auxpropfunc error invalid parameter supplied
    Apr 22 06:55:26 meeting lua5.1: _sasl_plugin_load failed on sasl_auxprop_plug_init
    Apr 22 06:55:26 meeting lua5.1: ldapdb
    Apr 22 06:55:26 meeting lua5.1: _sasl_plugin_load failed on sasl_canonuser_init
    Apr 22 06:55:30 meeting sshd[1466]: Accepted password for rob from 192.168.1.24 port 19960 ssh2
    Apr 22 06:55:30 meeting sshd[1466]: pam_unix(sshd:session): session opened for user rob by (uid=0)
    Apr 22 06:55:30 meeting systemd-logind[1072]: New session 1 of user rob.
    Apr 22 06:55:30 meeting systemd: pam_unix(systemd-user:session): session opened for user rob by (uid=0)
    Apr 22 06:55:53 meeting saslauthd[1490]: ldapdb
    Apr 22 06:55:53 meeting saslauthd[1490]: _sasl_plugin_load failed on sasl_canonuser_init

I’m getting these messages in auth.log while restarting saslauthd and prosody:

    Apr 22 08:58:04 meet prosody[25307]: auxpropfunc error invalid parameter supplied
    Apr 22 08:58:04 meet prosody[25307]: _sasl_plugin_load failed on sasl_auxprop_plug_init
    Apr 22 08:58:04 meet prosody[25307]: ldapdb
    Apr 22 08:58:04 meet prosody[25307]: _sasl_plugin_load failed on sasl_canonuser_init
    Apr 22 08:58:04 meet saslauthd[25355]:                 : master pid is: 25355
    Apr 22 08:58:04 meet saslauthd[25355]:                 : listening on socket: /var/run/saslauthd/mux

An authorized login looks like:

    Apr 22 09:06:42 meet saslauthd[25356]: ldapdb
    Apr 22 09:06:42 meet saslauthd[25356]: _sasl_plugin_load failed on sasl_canonuser_init

A failed login:

    Apr 22 09:09:52 meet saslauthd[25757]: ldapdb
    Apr 22 09:09:52 meet saslauthd[25757]: _sasl_plugin_load failed on sasl_canonuser_init
    Apr 22 09:09:52 meet saslauthd[25757]: Entry not found (sAMAccountName=testuser).
    Apr 22 09:09:52 meet saslauthd[25757]: Authentication failed for testuser/meet.mydomain.com: User not found (-6)
    Apr 22 09:09:52 meet saslauthd[25757]: : auth failure: [user=testuser] [service=xmpp] [realm=meet.mydomain.com] [mech=ldap] [reason=Unknown]
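Added example (my own script, not code from this thread, Prosody or Cyrus SASL): a small Python triage for saslauthd lines in auth.log. The excerpts above show the `ldapdb` / `_sasl_plugin_load failed` chatter on successful logins as well, so it is treated as noise, while the `Entry not found (...)` and `auth failure: [...]` lines are the ones that actually record a failed authentication and which LDAP attribute the lookup used. The log lines it runs on are constructed from the excerpts above; everything else (function names, the line classes) is my own choice.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Messages the Cyrus SASL library logs while loading its ldapdb plugin.
# The thread shows them on successful logins too (see the "authorized login"
# excerpt), so an alert rule must not treat them as authentication failures.
PLUGIN_NOISE = (
    "auxpropfunc error invalid parameter supplied",
    "_sasl_plugin_load failed on sasl_auxprop_plug_init",
    "_sasl_plugin_load failed on sasl_canonuser_init",
)

# Classic syslog line: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)(?:\[\d+\])?:\s*(?P<msg>.*)$"
)
# saslauthd's final verdict line, as quoted in the "failed login" excerpt.
AUTH_FAILURE_RE = re.compile(
    r"auth failure: \[user=(?P<user>[^\]]*)\] \[service=(?P<service>[^\]]*)\] "
    r"\[realm=(?P<realm>[^\]]*)\] \[mech=(?P<mech>[^\]]*)\] \[reason=(?P<reason>[^\]]*)\]"
)
# The LDAP search miss that precedes it: names the attribute and value searched.
NOT_FOUND_RE = re.compile(r"Entry not found \((?P<attr>[^=)]+)=(?P<value>[^)]*)\)")


@dataclass(frozen=True)
class AuthFailure:
    timestamp: str
    host: str
    user: str
    service: str
    realm: str
    mech: str
    reason: str


def classify(line: str):
    """Return (kind, detail) for one syslog line.

    kind is 'noise' (plugin-load chatter), 'lookup_miss' (no LDAP entry for
    the username), 'auth_failure' (saslauthd's verdict), 'unparsed' or 'other'.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return "unparsed", None
    msg = m.group("msg")
    # The bare "ldapdb" line is just the plugin name printed next to the errors.
    if msg == "ldapdb" or any(noise in msg for noise in PLUGIN_NOISE):
        return "noise", None
    nf = NOT_FOUND_RE.search(msg)
    if nf:
        return "lookup_miss", (nf.group("attr"), nf.group("value"))
    af = AUTH_FAILURE_RE.search(msg)
    if af:
        return "auth_failure", AuthFailure(m.group("ts"), m.group("host"), **af.groupdict())
    return "other", None


def triage(lines):
    """Summarise a batch of auth.log lines.

    Returns (failures, misses, counts): AuthFailure records, a Counter of the
    (attribute, value) pairs the LDAP search could not find, and a Counter of
    line kinds so you can see how much of the log is plugin noise.
    """
    failures, misses, counts = [], Counter(), Counter()
    for raw in lines:
        kind, detail = classify(raw.rstrip("\n"))
        counts[kind] += 1
        if kind == "auth_failure":
            failures.append(detail)
        elif kind == "lookup_miss":
            misses[detail] += 1
    return failures, misses, counts


# Constructed sample, modelled on the excerpts quoted in this thread.
SAMPLE_LOG = """\
Apr 22 09:06:42 meet saslauthd[25356]: ldapdb
Apr 22 09:06:42 meet saslauthd[25356]: _sasl_plugin_load failed on sasl_canonuser_init
Apr 22 09:09:52 meet saslauthd[25757]: ldapdb
Apr 22 09:09:52 meet saslauthd[25757]: _sasl_plugin_load failed on sasl_canonuser_init
Apr 22 09:09:52 meet saslauthd[25757]: Entry not found (sAMAccountName=testuser).
Apr 22 09:09:52 meet saslauthd[25757]: Authentication failed for testuser/meet.mydomain.com: User not found (-6)
Apr 22 09:09:52 meet saslauthd[25757]: : auth failure: [user=testuser] [service=xmpp] [realm=meet.mydomain.com] [mech=ldap] [reason=Unknown]
Apr 22 08:58:04 meet prosody[25307]: auxpropfunc error invalid parameter supplied
""".splitlines()

if __name__ == "__main__":
    failures, misses, counts = triage(SAMPLE_LOG)
    print(dict(counts))
    for f in failures:
        print(f"FAILED  {f.user}@{f.realm} via {f.mech}: {f.reason}")
    for (attr, value), n in misses.items():
        print(f"LOOKUP  {attr}={value} not found ({n}x)")
```

The `LOOKUP` line is the useful one when a bind works with testsaslauthd but Prosody still rejects users: it tells you which attribute (here `sAMAccountName`) and which value the search ran with, so a wrong basedn, search attribute or a username sent with or without the realm shows up as a lookup miss rather than as a password problem.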

Because your log shows “lua5.1” I assume that your authentication is set to “ldap2” and not to “cyrus”. Could you be so kind as to paste the “VirtualHost” part of your prosody configuration with the authentication settings?

Another question is: how do you restart prosody (prosodyctl restart)?

Thanks for the answer. I am using cyrus, not ldap2.
Every time I do a config change I reboot; it takes less than a minute, and so I am sure the services restart properly.

VirtualHost "meeting.eld.it"
    -- enabled = false -- Remove this line to enable this host
    authentication = "cyrus"
    -- Properties below are modified by jitsi-meet-tokens package config
    -- and authentication above is switched to "token"
    --app_id="example_app_id"
    --app_secret="example_app_secret"
    -- Assign this host a certificate for TLS, otherwise it would use the one
    -- set in the global section (if any).
    -- Note that old-style SSL on port 5223 only supports one certificate, and will always
    -- use the global one.
    ssl = {
        key = "/etc/prosody/certs/meeting.eld.it.key";
        certificate = "/etc/prosody/certs/meeting.eld.it.crt";
    }
    cyrus_application_name = "xmpp"
    allow_unencrypted_plain_auth = true
    speakerstats_component = "speakerstats.meeting.eld.it"
    conference_duration_component = "conferenceduration.meeting.eld.it"
    -- we need bosh
    modules_enabled = {
        "bosh";
        "pubsub";
        "ping"; -- Enable mod_ping
        "auth_cyrus";
        "speakerstats";
        "turncredentials";
        "conference_duration";
    }
    c2s_require_encryption = false

I’ve got two differences in my conf:

  1. An additional entry below cyrus_application_name:

    cyrus_service_name = "xmpp"

  2. The enabled module “auth_cyrus” disabled, because it was reported as already loaded:

    -- "auth_cyrus";

I guess your /etc/sasl/xmpp.conf is looking like this?

pwcheck_method: saslauthd
mech_list: PLAIN

I think that if your log shows anything with “lua5.1” the LDAP authentication is enabled. But I’m not sure.

Hi @Balu,

I want to contribute to your LDAP wiki, this is for deployments with Turn server and Host + Guest auth.
I have the latest Jitsi release working OK through NAT. I had to install a TURN server (the coturn service) to make the audio and video look good.

With regard to authentication, the guests could only join to the conference if they were connected within the LAN; guests in external networks could not join, even though everything else was working OK.

I solved it by adding the use of the “turncredentials” module in the virtual host of the guests, inside the /etc/prosody/conf.avail/jitsi.domain.cfg.lua file.

This is the code I used:

VirtualHost "jitsi.domain.com"
    -- enabled = false
    authentication = "ldap2"
    
    ssl = {
            key = "/etc/prosody/certs/jitsi.domain.com.key";
            certificate = "/etc/prosody/certs/jitsi.domain.com.crt";
    }

    speakerstats_component = "speakerstats.jitsi.domain.com"
    conference_duration_component = "conferenceduration.jitsi.domain.com"

    modules_enabled = {
        "bosh";
        "pubsub";
        "ping";
        "speakerstats";
        "turncredentials"; --module for coturn service
        "conference_duration";
    }

    c2s_require_encryption = false

...
etc...
...

--Guests
VirtualHost "guest.jitsi.domain.com"
    authentication = "anonymous"
    modules_enabled = {
        "bosh";
        "pubsub";
        "ping";
        "speakerstats";
        "turncredentials"; --module for coturn service
        "conference_duration";
    }
    c2s_require_encryption = false

I am not sure if this is something for the LDAP authentication or something for a turn setup documentation. But it’s a Wiki, everyone can edit :wink:

It’s both, I’m going to add it. :+1:

I configured LDAP authentication for jitsi-meet via cyrus / saslauthd. But when creating a room, a login with a password is not requested. When I change the authentication = “cyrus” value in /etc/prosody/conf.avail/meet.jit.si.cfg.lua to authentication = “internal_hashed”, a login and password request is made. What am I doing wrong?

We are trying to configure a login with ldap2. We followed the LDAP Authentication guide in the GitHub Wiki.

When providing incorrect credentials, we get the correct behavior of “incorrect username/password”.

However, when entering the correct credentials these are first accepted but then the login window appears again.

In /var/log/prosody/prosody.log we see

Jicofo 2020-08-11 15:20:57.149 SEVERE: [111] org.jitsi.impl.protocol.xmpp.XmppProtocolProvider.log() Failed to connect/login: SASLError using PLAIN: not-authorized
org.jivesoftware.smack.sasl.SASLErrorException: SASLError using PLAIN: not-authorized
        at org.jivesoftware.smack.SASLAuthentication.authenticationFailed(SASLAuthentication.java:292)
        at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1100)
        at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$300(XMPPTCPConnection.java:1000)
        at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:1016)
        at java.lang.Thread.run(Thread.java:748)

Which looks like PLAIN is used as the auth method?

We are not sure anymore what might be wrong. Does somebody have an idea?

In the wiki article I can spot two undocumented configuration options: admin and namefield. See here:

ldap = {
  hostname = 'ldap.example.com',
  bind_dn = 'cn=admin,dc=example,dc=com',
  bind_password = 's3cr37',
  use_tls = true,
  user = {
    usernamefield = 'uid',
    basedn = 'ou=people,dc=example,dc=com',
    filter = '(objectClass=*)',
    -- admin?
    -- namefield = 'cn',
  },
}

Am I right to hope that these two options somehow make it possible to

  1. set the display name of a participant from LDAP
  2. grant rights to (a) create a conference room and (b) moderate a conference based on some LDAP attribute or LDAP group membership?

It would be great to have some more documentation about these two options and what they do.

Hello,

I am very interested in being able to use ldap2 in 2 groups.

  1. Group A (teachers) should be allowed to create rooms and get moderator rights.
  2. Group B (students) should only be allowed to log in, but not get moderator rights.

In “/usr/lib/prosody/modules/ldap.lib.lua” I found this:

local config_params = {
    hostname = 'string',
    user = {
        basedn = 'string',
        namefield = 'string',
        filter = 'string',
        usernamefield = 'string',
    },
    groups = {
        basedn = 'string',
        namefield = 'string',
        memberfield = 'string',

        _member = {
          name = 'string',
          admin = 'boolean?',
        },
    },
    admin = {
        _optional = true,
        basedn = 'string',
        namefield = 'string',
        filter = 'string',
    }
}

Unfortunately, when I transfer this to ldap.cfg.lua, group B always has moderator rights.
Is it possible to implement this with ldap2 authentication @damencho ?

Regards
Dominion
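As an added example (my own code, not part of ldap.lib.lua or of any post in this thread), the config_params table quoted above can be transcribed into Python and used to check an ldap2 configuration offline before restarting Prosody. How the markers are read here is an assumption, my reading of that table rather than the module's own validation code: 'string' is a required string, a trailing '?' marks an option optional, `_optional = true` makes a whole section optional, and `_member` is the schema for each array entry of the groups section. The sample configuration with "teachers" and "students" groups is constructed for the two-group scenario in the post above; `admin_groups` only reports which entries the schema flags as admin and says nothing about whether Jitsi grants moderator rights from that.

```python
from typing import Any, Dict, List

# Transcription of the config_params table quoted from ldap.lib.lua above.
# The meaning of the markers is my reading of that table, not the module's
# own validation code (assumption):
#   'string'         required string option
#   'boolean?'       optional boolean (the trailing '?' marks it optional)
#   _optional=True   the whole section may be absent
#   _member          schema applied to every array entry of the section
CONFIG_PARAMS: Dict[str, Any] = {
    "hostname": "string",
    "user": {
        "basedn": "string",
        "namefield": "string",
        "filter": "string",
        "usernamefield": "string",
    },
    "groups": {
        "basedn": "string",
        "namefield": "string",
        "memberfield": "string",
        "_member": {"name": "string", "admin": "boolean?"},
    },
    "admin": {
        "_optional": True,
        "basedn": "string",
        "namefield": "string",
        "filter": "string",
    },
}

PY_TYPES = {"string": str, "boolean": bool}


def validate(config: Any, schema: Dict[str, Any] = CONFIG_PARAMS, path: str = "ldap") -> List[str]:
    """Return a list of problems found in config (empty when it matches the schema).

    Lua's mixed tables are modelled as dicts: string keys are options, integer
    keys (1, 2, ...) are the array entries that '_member' describes.
    """
    if not isinstance(config, dict):
        return [f"{path}: expected a table"]
    errors: List[str] = []
    for key, spec in schema.items():
        if key in ("_optional", "_member"):
            continue
        here = f"{path}.{key}"
        value = config.get(key)
        if isinstance(spec, str):  # leaf option such as 'string' or 'boolean?'
            type_name, optional = spec.rstrip("?"), spec.endswith("?")
            if value is None:
                if not optional:
                    errors.append(f"{here}: missing required {type_name}")
            elif not isinstance(value, PY_TYPES[type_name]):
                errors.append(f"{here}: expected {type_name}, got {type(value).__name__}")
        elif value is None:  # nested section absent
            if not spec.get("_optional"):
                errors.append(f"{here}: missing required section")
        else:
            errors.extend(validate(value, spec, here))
    # Array entries (Lua numeric keys) must match the section's _member schema.
    member = schema.get("_member")
    entries = [(k, v) for k, v in config.items() if isinstance(k, int)]
    if entries and member is None:
        errors.append(f"{path}: array entries are not allowed here")
    elif member is not None:
        for idx, entry in entries:
            errors.extend(validate(entry, member, f"{path}[{idx}]"))
    # Options the schema does not know are almost always typos (e.g. 'base_dn').
    for key in config:
        if isinstance(key, str) and key not in schema:
            errors.append(f"{path}.{key}: unknown option")
    return errors


def admin_groups(config: Dict[str, Any]) -> List[str]:
    """Names of the group entries flagged admin = true in the groups section."""
    groups = config.get("groups", {})
    return [entry["name"] for key, entry in groups.items()
            if isinstance(key, int) and entry.get("admin") is True]


# Constructed sample for the two-group scenario in the post above.
SAMPLE_CONFIG: Dict[str, Any] = {
    "hostname": "ldap.example.com",
    "user": {
        "basedn": "ou=people,dc=example,dc=com",
        "namefield": "cn",
        "filter": "(objectClass=person)",
        "usernamefield": "uid",
    },
    "groups": {
        "basedn": "ou=groups,dc=example,dc=com",
        "namefield": "cn",
        "memberfield": "memberUid",
        1: {"name": "teachers", "admin": True},
        2: {"name": "students"},
    },
}

if __name__ == "__main__":
    for problem in validate(SAMPLE_CONFIG) or ["config matches the schema"]:
        print(problem)
    print("admin groups:", admin_groups(SAMPLE_CONFIG))
```

In this reading only the admin section carries `_optional`, so the checker treats both user and groups as required and reports a string given where 'boolean?' is expected (for instance admin = "yes" instead of admin = true), which is the kind of slip that otherwise only shows up as every group getting the same rights.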

I configured the LDAP settings, but authorization doesn’t work. Output of sudo apt-get install prosody-modules lua-ldap from my server (Ubuntu 20):

    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    lua-ldap is already the newest version (1.2.5-1).
    prosody-modules is already the newest version (0.0~hg20200128.09e7e880e056+dfsg-1)

Create it.

Thanks, yes, I created it! And I set everything up, but it still doesn’t work! It feels like the module isn’t loading.

Hi, thank you for your help.
I installed jitsi-meet (version 2.0.5765-1) on Debian (version 10.9) and now I want to integrate my Active Directory with it.
I followed the instructions here (LDAP Authentication · jitsi/jitsi-meet Wiki · GitHub), but after I open my browser and enter username/password without the domain name, I get this error in the console:

    XML Parsing Error: mismatched tag. Expected: .
    Location: https://my-domain/http-bind?room=test
    Line Number 6, Column 3: http-bind:6:3


Thank you for this tutorial.
I’d change this sentence, though:

This way is used by jitsi-docker as well. Please note that this method isn’t always working with prosody 0.11.0.

to

This way is used by jitsi-docker as well. Please note that this method isn't always working with [prosody 0.11.x](https://prosody.im/doc/release/0.11.0).
If you are on a Debian-based distribution, it is advised to install the next version: https://packages.debian.org/bullseye/amd64/lua-cyrussasl/download

For guys who have trouble with cyrus/sasl after upgrading to Prosody 0.11, here is the solution:
First, install the required libraries:

    sudo apt-get install libsasl2-dev

Next, install cyrussasl:

    sudo luarocks install cyrussasl

I assume that you know how to install or upgrade luarocks. If you don’t, search the forum.


On Ubuntu 20.04 there was no need to do this. In case someone asks :slight_smile:
