Thursday, 24 September 2015

Using ldap authentication with jitsi-meet

To use LDAP authentication we need to install additional modules: ldap2, ldap_storage and lib_ldap
download the latest versions of the extra modules (the 'mercurial' package must be installed on the system)
hg clone prosody-modules
to update the modules to a newer version run
hg pull --update
copy required modules to default modules directory (/usr/lib/prosody/modules)
cd prosody-modules
cp mod_auth_ldap2/mod_auth_ldap2.lua /usr/lib/prosody/modules/mod_auth_ldap2.lua
cp mod_storage_ldap/mod_storage_ldap.lua /usr/lib/prosody/modules/mod_storage_ldap.lua
cp -r mod_storage_ldap/ldap/ /usr/lib/prosody/modules/
cp mod_lib_ldap/ldap.lib.lua /usr/lib/prosody/modules/ldap.lib.lua

create new configuration for ldap auth.
vim /etc/prosody/conf.d/ldap.cfg.lua
-- Authentication configuration --
authentication = 'ldap2' -- Indicate that we want to use LDAP for authentication
ldap = {
    hostname      = '', -- LDAP server location
    --use_tls     = true, -- uncomment to encrypt the connection to the LDAP server
    bind_dn       = 'uid=jabberd,ou=people,dc=example,dc=com', -- Bind DN for LDAP authentication (optional if anonymous bind is supported)
    bind_password = 'xxxxxxxxxxxxxxxxxxxx', -- Bind password (optional if anonymous bind is supported)
    user = {
      basedn        = 'ou=people,dc=example,dc=com',
      filter        = '(&(objectClass=User)(AccountActive=TRUE))',
      usernamefield = 'uid',
      namefield     = 'cn',
    },
}
And enable "ldap2" auth for our "" vhost
vim /etc/prosody/conf.d/
VirtualHost ""
        -- enabled = false -- Remove this line to enable this host
        --authentication = "anonymous"
        --authentication = "internal_plain"
        authentication = "ldap2"
        -- Assign this host a certificate for TLS, otherwise it would use the one
        -- set in the global section (if any).
        -- Note that old-style SSL on port 5223 only supports one certificate, and will always
        -- use the global one.
        ssl = {
                key = "/etc/prosody/certs/";
                certificate = "/etc/prosody/certs/";
        }
        -- we need bosh
        modules_enabled = {
                "bosh";
        }
VirtualHost ""
    authentication = "anonymous"
Last thing: set "consider_bosh_secure = true" in the global section of the Prosody configuration, so that Prosody treats BOSH connections as secure.
vim /etc/prosody/prosody.cfg.lua
-- Force clients to use encrypted connections? This option will
-- prevent clients from authenticating unless they are using encryption.
consider_bosh_secure = true
c2s_require_encryption = false
-- Force certificate authentication for server-to-server connections?
-- This provides ideal security, but requires servers you communicate
-- with to support encryption AND present valid, trusted certificates.
-- NOTE: Your version of LuaSec must support certificate verification!
-- For more information see
s2s_secure_auth = false
Don't forget to add the guest domain to your jitsi-meet config, see

cat /etc/jitsi/meet/

domain: '',
anonymousdomain: '',

restart prosody and jicofo
service prosody restart && service jicofo restart
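
A check for the Prosody settings configured above, as an added example that is not part of the original post: it reports when ldap2 authentication is active but use_tls is not set, c2s encryption is not required, BOSH is trusted as secure, or the file holding bind_password is world-readable. The function names and finding labels are made up for this example, and the sample config is constructed with placeholder values.

```shell
# Added example: audit Prosody config files for weak LDAP-related settings.
# Function names and finding labels are this example's own, not Prosody's.
# has_active PATTERN FILE...: true if any file has an uncommented line starting
# with PATTERN (Lua comments begin with "--", so "--use_tls = true" is skipped).
has_active() {
    pattern=$1; shift
    grep -Eqs "^[[:space:]]*${pattern}" "$@"
}

# audit_prosody_ldap FILE...: prints a space-separated list of findings.
audit_prosody_ldap() {
    [ "$#" -gt 0 ] || { echo "usage: audit_prosody_ldap FILE..." >&2; return 2; }
    eq='[[:space:]]*=[[:space:]]*'
    findings=""
    if ! has_active "authentication${eq}[\"']ldap2[\"']" "$@"; then
        echo "no-ldap"; return 0
    fi
    # Bind credentials and user passwords travel to the LDAP server.
    has_active "use_tls${eq}true" "$@" || findings="$findings ldap-no-tls"
    # LDAP bind auth needs the cleartext password from the client, so an
    # unencrypted client stream exposes it.
    has_active "c2s_require_encryption${eq}false" "$@" && findings="$findings c2s-plaintext-allowed"
    # Prosody then trusts BOSH as encrypted; TLS must be enforced in front of it.
    has_active "consider_bosh_secure${eq}true" "$@" && findings="$findings bosh-trusted-as-secure"
    # A bind_password in a world-readable file is readable by every local user.
    for f in "$@"; do
        if has_active "bind_password${eq}" "$f" && [ -n "$(find "$f" -perm -004 2>/dev/null)" ]; then
            findings="$findings bind-password-world-readable"; break
        fi
    done
    echo "${findings# }"
}

# Constructed sample mirroring the settings shown above (placeholder values).
demo=$(mktemp)
cat > "$demo" <<'EOF'
authentication = 'ldap2'
ldap = {
    --use_tls     = true,
    bind_password = 'xxxxxxxxxxxxxxxxxxxx',
}
consider_bosh_secure = true
c2s_require_encryption = false
EOF
chmod 644 "$demo"
audit_prosody_ldap "$demo"
rm -f "$demo"
```

Pass every configuration file that Prosody loads, for example the global file together with the files in conf.d; an empty result means none of the four conditions was found.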