We have done a Jitsi test installation and have configured authentication via LDAP to a Windows AD server successfully (see below how we got this to work; it was a little tricky).
To allow access to the conference, we would like to know if one can:
- Allow LDAP authentication ONLY when the Jitsi server is accessed from the internal network (Dialog: I am the Host / Authentication required).
- LDAP authentication should fail when attempted from the Internet.
- It would be nice if user accounts configured via
sudo prosodyctl register <username> jitsi-meet.example.com <password>
would still work when used internally and externally, in parallel with the LDAP setup (this fails to work after setting up LDAP according to the config below).
We have installed and configured the following on 2023-03-23:
Ubuntu 22.04.2 LTS 5.15.0-67-generic
jitsi-meet 2.0.8319-1
jitsi-meet-prosody 1.0.6991-1
jitsi-meet-turnserver 1.0.6991-1
jitsi-meet-web 1.0.6991-1
jitsi-meet-web-config 1.0.6991-1
jitsi-videobridge2 2.2-79-gf6426ea0-1
lua-basexx 0.4.1-jitsi1
lua-cjson:amd64 2.1.0.10-jitsi1
coturn 4.5.2-3.1~ubuntu22.04.1
jitsi-meet-turnserver 1.0.6991-1
libsasl2-2:amd64 2.1.27+dfsg2-3ubuntu1.2
libsasl2-modules:amd64 2.1.27+dfsg2-3ubuntu1.2
libsasl2-modules-db:amd64 2.1.27+dfsg2-3ubuntu1.2
libsasl2-modules-ldap:amd64 2.1.27+dfsg2-3ubuntu1.2
lua-cyrussasl:amd64 1.1.0-3
sasl2-bin 2.1.27+dfsg2-3ubuntu1.2
We configured LDAP according to the documentation of
a) https://meetrix.io/blog/webrtc/jitsi/ldap-user-authentication-for-jitsi-meet.html
This documentation worked well after we made the following changes:
- Section "LDAP authentication", Nr 3 (Configure saslauthd), subtopic 6 (open file /etc/default/saslauthd): we had to add the missing "START=yes" to the config file.
- We had to run "systemctl enable saslauthd" so that the service would restart after a reboot.
- After the reboot, we could not log in (Dialog: I am the Host / Authentication required). This only worked after working through a 2nd install documentation (the 2nd documentation does not work when used to configure LDAP alone):
b) https://jitsi.github.io/handbook/docs/devops-guide/ldap-authentication/
- We compared this documentation with the documentation above (nr. a) and installed a missing package:
sudo prosodyctl install --server=https://modules.prosody.im/rocks/ mod_auth_cyrus
This at first threw an error:
Error: Failed finding Lua header files. You may need to install them or configure LUA_INCDIR.
We entered
lua
to figure out the version needed, which was then installed with the command
apt install liblua5.2-dev
Then we repeated the command, which worked:
sudo prosodyctl install --server=https://modules.prosody.im/rocks/ mod_auth_cyrus
This fixed the login issue (also after reboot). Now the authentication dialog (I am the Host / Authentication required) via LDAP works.
- The testing of LDAP authentication (section "Test LDAP authentication") in this documentation (nr. b) helped very much to get LDAP authentication working.
The question is now if one can configure the LDAP modules to:
- Only allow authentication from the inside network (and not from the internet), e.g. by adding an IP range in the config:
  - IP address in the list: LDAP authentication allowed,
  - IP address not in the list: LDAP authentication fails.
- It would be nice if user accounts configured via
sudo prosodyctl register <username> jitsi-meet.example.com <password>
would still work when used internally and externally, in parallel with the LDAP setup (this fails to work after setting up LDAP according to the config below).
The config files we touched in the LDAP configuration setups above are
/etc/saslauthd.conf
/etc/default/saslauthd
/etc/jitsi/meet/[your-hostname]-config.js
/etc/jitsi/jicofo/jicofo.conf
/etc/prosody/conf.avail/[your-hostname].cfg.lua
/etc/sasl/xmpp.conf
Hope one of you has an idea how this can be configured.
Best
Justin
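As an added example (not from the original post, the linked guides or the Jitsi project), the following shell snippet checks the two saslauthd settings the post found missing (START=yes and the ldap mechanism in /etc/default/saslauthd) and that the Prosody virtual host selects the cyrus auth provider, which is what the post's fix came down to. The sample config files it writes are constructed for the demo; the hostname jitsi-meet.example.com is taken from the post, and the function names are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: sanity checks for the saslauthd/Prosody settings the post
# had to fix by hand. The functions return 0 (ok) or 1 (problem) so they can
# be used from a provisioning script or a test.
set -u

# /etc/default/saslauthd must contain an uncommented START=yes, otherwise the
# Debian/Ubuntu init script refuses to start the daemon after a reboot.
saslauthd_start_enabled() {
  local f="${1:-/etc/default/saslauthd}"
  grep -Eq '^[[:space:]]*START=yes[[:space:]]*$' "$f"
}

# The MECHANISMS line must select ldap (quoted or unquoted value).
saslauthd_uses_ldap() {
  local f="${1:-/etc/default/saslauthd}"
  grep -Eq '^[[:space:]]*MECHANISMS="?ldap"?[[:space:]]*$' "$f"
}

# The Prosody virtual host file must hand authentication to mod_auth_cyrus,
# which is the module the post had to install with prosodyctl.
prosody_auth_is_cyrus() {
  local f="$1"
  grep -Eq '^[[:space:]]*authentication[[:space:]]*=[[:space:]]*"cyrus"' "$f"
}

# Live checks against the running system (not exercised by the offline test):
# the service must be enabled so it survives a reboot, and testsaslauthd from
# sasl2-bin verifies an LDAP bind for the "xmpp" SASL service name.
saslauthd_live_check() {
  local user="${1:?ldap user}" pass="${2:?ldap password}"
  systemctl is-enabled --quiet saslauthd || { echo "saslauthd is not enabled"; return 1; }
  testsaslauthd -u "$user" -p "$pass" -s xmpp >/dev/null || { echo "LDAP bind via saslauthd failed"; return 1; }
  echo "saslauthd enabled and LDAP bind ok"
}

# Constructed sample files (stand-ins for the real ones) so the checks run offline.
make_samples() {
  SAMPLE_DIR="$(mktemp -d)"
  cat > "$SAMPLE_DIR/saslauthd.broken" <<'EOF'
# Settings for saslauthd daemon
# START=yes is missing here, as in the first attempt described in the post
MECHANISMS="ldap"
EOF
  cat > "$SAMPLE_DIR/saslauthd.fixed" <<'EOF'
START=yes
MECHANISMS="ldap"
EOF
  cat > "$SAMPLE_DIR/host.cfg.lua" <<'EOF'
VirtualHost "jitsi-meet.example.com"
    authentication = "cyrus"
    cyrus_service_name = "xmpp"
EOF
}

# Report on a saslauthd defaults file plus a Prosody host file; returns 0 only
# if every check passes.
report() {
  local defaults="$1" hostcfg="$2" rc=0
  saslauthd_start_enabled "$defaults" && echo "ok: START=yes" || { echo "MISSING: START=yes in $defaults"; rc=1; }
  saslauthd_uses_ldap "$defaults" && echo "ok: MECHANISMS=ldap" || { echo "MISSING: MECHANISMS=ldap in $defaults"; rc=1; }
  prosody_auth_is_cyrus "$hostcfg" && echo "ok: authentication = \"cyrus\"" || { echo "MISSING: cyrus auth in $hostcfg"; rc=1; }
  return "$rc"
}

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  make_samples
  echo "== broken defaults =="; report "$SAMPLE_DIR/saslauthd.broken" "$SAMPLE_DIR/host.cfg.lua"
  echo "== fixed defaults =="; report "$SAMPLE_DIR/saslauthd.fixed" "$SAMPLE_DIR/host.cfg.lua"
fi
```

To check a real host, call `report /etc/default/saslauthd /etc/prosody/conf.avail/<your-hostname>.cfg.lua` and then `saslauthd_live_check <user> <password>`; the offline part only covers the file contents, so the live check is still needed to prove that the LDAP bind itself works.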