Secure domains do not work if prosody uses Cyrus-SASL authentication #22
Comments
Hey, can you provide step-by-step instructions or a link to some tutorial for a basic config for a working Prosody + LDAP? This will make it easier to reproduce and fix. |
Sure, however, I don't think this problem is related to LDAP: if I set MECHANISMS="pam" in saslauthd.conf, I run into the same issue (and my XMPP client can open a session, so authentication is working).
Prosody SASL LDAP Configuration
You have to install LDAP bindings for SASL, and SASL bindings for Lua. On Debian:
In the prosody vhost declaration, set
In /etc/sasl/xmpp.conf (I'm running Debian, so Cyrus SASL library configuration is in /etc/sasl):
In /etc/default/saslauthd:
In /etc/saslauthd.conf:
(Our LDAP configuration is quite simple)
You need to add the user running prosody to the group owning /var/run/saslauthd, so, on Debian:
And then restart prosody and saslauthd:
You should now be able to test SASL authentication via the "testsaslauthd" command line tool:
You should also be able to authenticate from an XMPP client. |
Hi! I would like to confirm @jbonachera's issue: Jitsi Meet works as advertised with In
without the usual
afterwards. Also, recording and SIP connection stop working after setting authentication to internal_plain. |
The same happens also when using Prosody LDAP module: http://modules.prosody.im/mod_auth_ldap.html |
Hi, /etc/jitsi/jicofo/sip-communicator.properties
|
That line is there in my config too :)
I tested to change my
I then created a user with This is how jicofo.log looks then:
I then changed the videokonf.domain.com.cfg.lua to use LDAP for authentication. It looks like this:
The LDAP config works from the jitsi-meet server using The LDAP login works from Jitsi client, Empathy and Pidgin. When logging in with an XMPP client, the prosody log looks like this:
When logging in from Jitsi-Meet, the
Debug log here: https://paste.debian.net/plain/313618 The jicofo.log looks like this:
Endlessly. My
My
My
My
Somewhere the communication falters. So, the tl;dr summary:
|
Chrome Developer Console gives me this when trying to login using
And it gives me this when trying Prosody authentication using the
|
I've found a possible problem in the
This is when using LDAP in prosody. It seems that it has to do with encoding Unicode strings. For me Jitsi-Meet failed when I used a password containing the letter ö (that is &ouml; in HTML-speak). Testing another LDAP account with a less complex password, it worked. |
The underlying problem appears to be that strophe.js fails to base64-encode non-ASCII UTF8: |
I can confirm that this patch (strophe/strophejs#136) allows Jitsi-Meet to authenticate with LDAP using SASL with a username or password that contains non-ASCII characters like (in my case) Swedish åäö and/or ÅÄÖ, which was previously not possible. For now, I've modified a local copy of strophe.js and renamed it to strophe.min.js, which seems to do the trick for Jitsi-Meet; I don't have the knowledge yet to minify the js file. |
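The encoding step discussed in the two comments above, as an added example (not code from strophe.js, Jitsi Meet or any commenter): it builds a SASL PLAIN initial response with and without UTF-8 encoding before base64 and shows why an ASCII-only password still works while one containing "ö" is rejected. It assumes SASL PLAIN (RFC 4616) is the mechanism in use; the function names and credentials are constructed, and `saslPlainNaive` is a stand-in for the class of mistake, not strophe.js's actual encoder.

```javascript
// Added example: SASL PLAIN initial response (RFC 4616) with non-ASCII credentials.
// All names and credentials below are constructed for illustration.

const NUL = "\u0000";

// Correct: message = authzid NUL authcid NUL passwd, UTF-8 encoded, then base64.
function saslPlainCorrect(authcid, password, authzid = "") {
  const bytes = new TextEncoder().encode(authzid + NUL + authcid + NUL + password);
  return Buffer.from(bytes).toString("base64");
}

// Constructed stand-in for the bug class (NOT strophe.js's code): each UTF-16
// code unit is truncated to one byte, so "ö" (U+00F6) becomes the single byte 0xF6.
function saslPlainNaive(authcid, password, authzid = "") {
  const msg = authzid + NUL + authcid + NUL + password;
  const bytes = Uint8Array.from(msg, (ch) => ch.charCodeAt(0) & 0xff);
  return Buffer.from(bytes).toString("base64");
}

// What a strict server-side decoder sees: base64 -> bytes -> UTF-8 -> three fields.
function serverDecode(b64) {
  const bytes = Buffer.from(b64, "base64");
  let text;
  try {
    text = new TextDecoder("utf-8", { fatal: true }).decode(bytes);
  } catch (err) {
    return { ok: false, reason: "payload is not valid UTF-8" };
  }
  const parts = text.split(NUL);
  if (parts.length !== 3) return { ok: false, reason: "expected 3 NUL-separated fields" };
  return { ok: true, authzid: parts[0], authcid: parts[1], password: parts[2] };
}

// Constructed test accounts: one ASCII-only password, one containing "ö".
for (const [user, pw] of [["anna", "pw"], ["anna", "lösen"]]) {
  const good = saslPlainCorrect(user, pw);
  const bad = saslPlainNaive(user, pw);
  console.log(JSON.stringify(pw), "encoders agree:", good === bad);
  console.log("  correct ->", JSON.stringify(serverDecode(good)));
  console.log("  naive   ->", JSON.stringify(serverDecode(bad)));
}
```

Comparing the two base64 strings for a login that fails is a quick way to tell a client-side encoding problem apart from a Prosody or saslauthd configuration problem.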
@mathiasfriman I saw you are/were using mod_auth_ldap. I would like to write you a private message, not spamming around in here, got some questions, how to get in touch with you? |
Hi,
We are trying to set up jitsimeet with LDAP-backed secure domains, using prosody as XMPP server.
If prosody is configured to use sasl as an authentication provider, the authentication dialog on jitsimeet is stuck on "Connecting".
Prosody does not log any authentication request, so I'm guessing the problem is with Jicofo, but I'm not sure, since the architecture behind this is quite complex.
Authentication does work if I use a random XMPP client, like Empathy or Gajim, so I don't think it's a configuration issue with prosody.
Do you have any idea why the authentication is failing?
Thanks.