Skip to content

LDAP Authentication

c-goes edited this page Jun 9, 2020 · 28 revisions

This page has its own topic in the Jitsi Community if you have questions or want to discuss things.

There are two options of enabling ldap:

LDAP authentication for jitsi-meet via ldap2

I have managed to enable LDAP authentication for my basic installation on a debian machine. The following is what was necessary to doso:

Install the necessary prosody-modules and its recommended lua-ldap package:

sudo apt-get install prosody-modules lua-ldap

TODO: Difference to lualdap? Do both work (I have lualdap working). [Balu]: Probably just a different package name on Ubuntu? [andreas]: They both exist on my machine - not sure if they are any different though

Note: If you want to install lualdap with luarocks, at least on current versions of Ubuntu the distribution version of luarocks is 5.1 but 5.2 is required. In this case you need to manually install luarocks 5.2 as described here: https://stackoverflow.com/a/39761123 Then install the SSL 1.0 headers apt-get install libssl1.0-dev, followed by luarocks-5.2 install lualdap && luarocks-5.2 install luacrypto && luarocks-5.2 install jwt-jitsi

Configure the LDAP module in /etc/prosody/conf.avail/ldap.cfg.lua

-- https://modules.prosody.im/mod_lib_ldap.html
-- https://modules.prosody.im/mod_auth_ldap2.html
authentication = 'ldap2'

ldap = {
    hostname = 'ldap.example.com',
    bind_dn = 'cn=admin,dc=example,dc=com',
    bind_password = 's3cr37',
    use_tls = true,
    user = {
        usernamefield = 'uid',
        basedn = 'ou=people,dc=example,dc=com',
        filter = '(objectClass=*)',
	-- admin?
        --namefield = 'cn',
    },
}

Link the configuration into the config directory:

ln -sf /etc/prosody/conf.avail/ldap.cfg.lua /etc/prosody/conf.d/

Add the following line to /etc/prosody/prosody.cfg.lua. I have added this in front of the final include. It might be possible to just include it into the ldap.cfg.lua from above. It is to allow BOSH connections when requiring encryption, even if unencrypted (see https://prosody.im/doc/modules/mod_bosh).

consider_bosh_secure = true

To finally enable LDAP authentication, edit /etc/prosody/conf.avail/jitsi.example.com.cfg.lua and change the authentication to ldap2:

authentication = "ldap2"

Finally restart the modified service:

sudo service prosody restart

Hosts + Guests

To configure jitsi so that authenticated hosts can create rooms and guests can join, I followed the example for Jicofo - Secure domains

In /etc/prosody/conf.avail/jitsi.example.com.cfg.lua add a VirtualHost:

VirtualHost "guest.jitsi.example.com"
    authentication = "anonymous"
    c2s_require_encryption = false

But, if you have turn server installed (coturn service) and Jitsi is running behind NAT, the "turncredentials" module must be enabled

VirtualHost "guest.jitsi.example.com"
    authentication = "anonymous"
    modules_enabled = {
            "bosh";
            "pubsub";
            "ping";
            "speakerstats";
            "turncredentials";
            "conference_duration";
    }
    c2s_require_encryption = false

In /etc/jitsi/meet/jitsi.example.com-config.js enable and modify the line:

anonymousdomain: 'guest.jitsi.example.com',

In /etc/jitsi/jicofo/sip-communicator.properties add:

org.jitsi.jicofo.auth.URL=XMPP:jitsi.example.com

I am not using jigasi, so you have to follow the above link and check that configuration.

Finally restart the modified services and refresh your browser:

sudo service prosody restart; sudo service jicofo restart

LDAP authentication for jitsi-meet via cyrus/saslauthd

This way is used by jitsi-docker as well. Please note that this method isn't always working with prosody 0.11.0.

Please setup "secure domain" first, as described here: https://github.com/jitsi/jicofo#secure-domain !

At first, you need to install the following packages:

apt install sasl2-bin libsasl2-modules-ldap lua-cyrussasl

Then we move on to prosody. Please edit /etc/prosody/conf.avail/meet.jit.si.cfg.lua (open the right file with your hostname ;) ):

Change the authentication to cyrus and add the auth_cyrus to modules_enabled.

You also have to add the config options

    cyrus_application_name = "xmpp"
    allow_unencrypted_plain_auth = true

as well. The file should now be looking like this:

VirtualHost "meet.jit.si"
        -- enabled = false -- Remove this line to enable this host
        authentication = "cyrus" -- <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< Change this
        -- Properties below are modified by jitsi-meet-tokens package config
        -- and authentication above is switched to "token"
        --app_id="example_app_id"
        --app_secret="example_app_secret"
        -- Assign this host a certificate for TLS, otherwise it would use the one
        -- set in the global section (if any).
        -- Note that old-style SSL on port 5223 only supports one certificate, and will always
        -- use the global one.
        ssl = {
                key = "/etc/prosody/certs/meet.jit.si.key";
                certificate = "/etc/prosody/certs/meet.jit.si.crt";
        }
		
		cyrus_application_name = "xmpp" -- <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< Add this
		allow_unencrypted_plain_auth = true -- <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< Add this

        -- we need bosh
        modules_enabled = {
            "bosh";
            "pubsub";
            "ping"; -- Enable mod_ping
	    "auth_cyrus"; -- <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< Add this
        }
		
        c2s_require_encryption = false

Good! Now we head over to saslauthd!

Configure saslauthd

Create the file /etc/sasl/xmpp.conf. If the folder sasl do not yet exist, create it.

Paste the follwoing inside the xmpp.conf:

pwcheck_method: saslauthd
mech_list: PLAIN

Now create /etc/saslauthd.conf and add the following:

ldap_servers: ldap://10.0.0.1
ldap_search_base: dc=my,dc=search,dc=base
ldap_bind_dn: cn=Administrator,cn=Users,dc=foo,dc=bar
ldap_bind_pw: PassW0rd
ldap_filter: (samaccountname=%u)
ldap_version: 3
ldap_auth_method: bind

Replace the IP with yours, as well as the search base and the Bind user/password! The example above has NO TLS enabled. If you want TLS enabled, add the following in addition

ldap_tls_key: /config/certs/meet.jit.si.key
ldap_tls_cert: /config/certs/meet.jit.si.crt
ldap_tls_check_peer: yes
ldap_tls_cacert_file: /etc/ssl/certs/ca-certificates.crt
ldap_tls_cacert_dir: /etc/ssl/certs

Adapt to your needs. Also, change the URL scheme from ldap:// to ldaps://. Maybe you have to add ldap_tls_ciphers: , ldap_port: as well.

Use another attribute than samaccoutname

A few filter examples:

  • ldap_filter: (samaccountname=%u) searches inside the username field
  • ldap_filter: (mail=%u) would allow you to eneter a email. WARNING: This didnt worked on my machine. As soon as the @-sign was enetered, Jitsi displayed an endless "Connecting...".
    • Use ldap_filter: (mail=%u*) instead (note the * direct after the %u!), and tell your users to enter the portion before the @ sign of their mail address.

The next step is to edit the /etc/default/saslauthd file:

  • Change START to yes
  • Change MECHANISMS to ldap
  • Change MECH_OPTIONS to /etc/saslauthd.conf

and restart the service with service saslauthd restart. You also have to restart prosody now with service prosody restart.

One could say, thats it. But there is another issue: Prosody cant talk to saslauthd yet. You have to execute chmod 777 /var/run/saslauthd/ to make the folder saslauthd writebale for everyone.

The bad thing: This gets reset everytime saslauthd restarts (server reboot as example), so you need to ensure that this folder gets chmod'ed every time saslauthd restarts.

A possible solution is adding prosody to the sasl group by executing usermod -aG sasl prosody.