Thursday, 24 September 2015

Using ldap authentication with jitsi-meet

In order to use LDAP authentication support we need to install three additional Prosody community modules: mod_auth_ldap2, mod_storage_ldap and mod_lib_ldap.
Download the latest versions of the extra modules (the 'mercurial' package must be installed on the system):
hg clone http://prosody-modules.googlecode.com/hg/ prosody-modules
To update the modules to a newer version later, run:
hg pull --update
Copy the required modules to the default modules directory (/usr/lib/prosody/modules):
cd prosody-modules
cp mod_auth_ldap2/mod_auth_ldap2.lua /usr/lib/prosody/modules/mod_auth_ldap2.lua
cp mod_storage_ldap/mod_storage_ldap.lua /usr/lib/prosody/modules/mod_storage_ldap.lua
cp -r mod_storage_ldap/ldap/ /usr/lib/prosody/modules/
cp  mod_lib_ldap/ldap.lib.lua /usr/lib/prosody/modules/ldap.lib.lua

Create a new configuration file for LDAP auth:
vim /etc/prosody/conf.d/ldap.cfg.lua
-- Authentication configuration --
authentication = 'ldap2' -- Indicate that we want to use LDAP for authentication
ldap = {
    hostname      = 'ldap.example.com', -- LDAP server location
    --use_tls     = true,
    bind_dn       = 'uid=jabberd,ou=people,dc=example,dc=com', -- Bind DN for LDAP authentication (optional if anonymous bind is supported)
    bind_password = 'xxxxxxxxxxxxxxxxxxxx', -- Bind password (optional if anonymous bind is supported)
    user = {
      basedn        = 'ou=people,dc=example,dc=com',
      filter        = '(&(objectClass=User)(AccountActive=TRUE))',
      usernamefield = 'uid',
      namefield     = 'cn',
    },
}
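The `filter` and `usernamefield` settings above are only safe if the username that a client sends is inserted into the LDAP search as a value, never as filter syntax. The following is an added example and is not code from mod_auth_ldap2 or from this post; it assumes, purely for illustration, that the module searches `basedn` with a filter of the form `(&<filter>(<usernamefield>=<username>))`, and it uses the filter and field values from the ldap.cfg.lua above to show the defective and the corrected way of building that string.

```python
# Added example (not mod_auth_ldap2's code): escaping a username before it is
# spliced into the configured LDAP filter. The search shape below is an
# assumption used for illustration only.

# RFC 4515 escapes for the characters that carry meaning inside a filter value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Values taken from the ldap.cfg.lua shown above.
BASE_FILTER = "(&(objectClass=User)(AccountActive=TRUE))"
USERNAME_FIELD = "uid"


def escape_filter_value(value: str) -> str:
    """Escape a string so an LDAP server treats it as data, not filter syntax (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter_unsafe(base_filter: str, usernamefield: str, username: str) -> str:
    """Defective form: plain concatenation lets a username change the filter's structure."""
    return f"(&{base_filter}({usernamefield}={username}))"


def build_user_filter(base_filter: str, usernamefield: str, username: str) -> str:
    """Corrected form: the username is escaped, so it can only ever be matched as a value."""
    return f"(&{base_filter}({usernamefield}={escape_filter_value(username)}))"


def assertion_count(ldap_filter: str) -> int:
    """Number of filter components, counted as literal '(' characters.

    An escaped value never contains a literal parenthesis, so a filter built with
    build_user_filter from BASE_FILTER has the same count whatever the username is.
    """
    return ldap_filter.count("(")


if __name__ == "__main__":
    # Constructed sample usernames: a normal one and one containing parentheses.
    for name in ("jdoe", "(jdoe)"):
        safe = build_user_filter(BASE_FILTER, USERNAME_FIELD, name)
        unsafe = build_user_filter_unsafe(BASE_FILTER, USERNAME_FIELD, name)
        print(f"{name!r}: safe has {assertion_count(safe)} components, "
              f"unsafe has {assertion_count(unsafe)}")
        print("  ", safe)
```

Whether mod_auth_ldap2 and its ldap library escape usernames themselves is something to confirm in the module source before deploying; the example shows the property the check must guarantee, namely that the number of filter components is fixed by the configuration and cannot be changed by the login name.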
Then enable "ldap2" auth for our "meet.example.com" vhost:
vim /etc/prosody/conf.d/meet.example.com.cfg.lua
VirtualHost "meet.example.com"
        -- enabled = false -- Remove this line to enable this host
        --authentication = "anonymous"
        --authentication = "internal_plain"
        authentication = "ldap2"
        -- Assign this host a certificate for TLS, otherwise it would use the one
        -- set in the global section (if any).
        -- Note that old-style SSL on port 5223 only supports one certificate, and will always
        -- use the global one.
        ssl = {
                key = "/etc/prosody/certs/meet.example.com.key";
                certificate = "/etc/prosody/certs/meet.example.com.crt";
        }
        -- we need bosh
        modules_enabled = {
            "bosh";
            "pubsub";
        }

VirtualHost "guest.meet.example.com"
    authentication = "anonymous"
Finally, set "consider_bosh_secure = true" in the global section of the Prosody configuration. This makes Prosody treat BOSH sessions as encrypted even though the BOSH connection it sees is plain HTTP, which is correct only because the web server in front of jitsi-meet terminates TLS; without that, the setting would allow the LDAP credentials to be sent in the clear. More info here.
vim /etc/prosody/prosody.cfg.lua
...
-- Force clients to use encrypted connections? This option will
-- prevent clients from authenticating unless they are using encryption.
consider_bosh_secure = true
c2s_require_encryption = false
-- Force certificate authentication for server-to-server connections?
-- This provides ideal security, but requires servers you communicate
-- with to support encryption AND present valid, trusted certificates.
-- NOTE: Your version of LuaSec must support certificate verification!
-- For more information see http://prosody.im/doc/s2s#security
s2s_secure_auth = false
...
Don't forget to add the guest domain to your jitsi-meet config, see https://github.com/jitsi/jicofo

cat /etc/jitsi/meet/meet.example.com-config.js

....
domain: 'meet.example.com',
anonymousdomain: 'guest.meet.example.com',
....


Restart prosody and jicofo:
service prosody restart && service jicofo restart
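Before the restart it is worth confirming that every step above actually landed: the four module files are in place, the global config has consider_bosh_secure enabled and the vhost really selects ldap2 (a commented-out line starting with "--" does not count). The following pre-flight check is an added example, not part of the original post; its default paths are the ones used above, and write_sample_layout() builds a constructed copy of that layout in a temporary directory so the check can be tried without touching /etc.

```python
import re
import tempfile
from pathlib import Path

# Added pre-flight check (not from the original post): verify the module files
# and the two key configuration lines before running "service prosody restart".

# Files and the directory copied into /usr/lib/prosody/modules in the steps above.
REQUIRED_MODULE_FILES = (
    "mod_auth_ldap2.lua",
    "mod_storage_ldap.lua",
    "ldap.lib.lua",
    "ldap",  # directory from "cp -r mod_storage_ldap/ldap/"
)

# Only active assignments match: Lua comments begin with "--", so a commented
# line never starts with the option name.
BOSH_SECURE_RE = re.compile(r"^\s*consider_bosh_secure\s*=\s*true\b", re.M)
LDAP2_AUTH_RE = re.compile(r'^\s*authentication\s*=\s*["\']ldap2["\']', re.M)


def missing_modules(modules_dir="/usr/lib/prosody/modules"):
    """Return the names from REQUIRED_MODULE_FILES that do not exist under modules_dir."""
    base = Path(modules_dir)
    return [name for name in REQUIRED_MODULE_FILES if not (base / name).exists()]


def config_problems(global_cfg="/etc/prosody/prosody.cfg.lua",
                    vhost_cfg="/etc/prosody/conf.d/meet.example.com.cfg.lua"):
    """Return a list of human-readable findings about the two config files."""
    problems = []
    if not BOSH_SECURE_RE.search(Path(global_cfg).read_text()):
        problems.append(f"consider_bosh_secure = true is not active in {global_cfg}")
    if not LDAP2_AUTH_RE.search(Path(vhost_cfg).read_text()):
        problems.append(f'authentication = "ldap2" is not active in {vhost_cfg}')
    return problems


def preflight(modules_dir="/usr/lib/prosody/modules",
              global_cfg="/etc/prosody/prosody.cfg.lua",
              vhost_cfg="/etc/prosody/conf.d/meet.example.com.cfg.lua"):
    """Combine both checks; an empty list means it is safe to restart."""
    findings = [f"missing module file: {name}" for name in missing_modules(modules_dir)]
    findings += config_problems(global_cfg, vhost_cfg)
    return findings


def write_sample_layout():
    """Create a constructed copy of the post's layout in a temp dir.

    Returns (modules_dir, global_cfg, vhost_cfg) so preflight() can be run on it.
    """
    root = Path(tempfile.mkdtemp(prefix="prosody-ldap-"))
    modules = root / "modules"
    (modules / "ldap").mkdir(parents=True)
    for name in ("mod_auth_ldap2.lua", "mod_storage_ldap.lua", "ldap.lib.lua"):
        (modules / name).write_text("-- constructed placeholder\n")
    global_cfg = root / "prosody.cfg.lua"
    global_cfg.write_text("consider_bosh_secure = true\nc2s_require_encryption = false\n")
    vhost_cfg = root / "meet.example.com.cfg.lua"
    vhost_cfg.write_text('VirtualHost "meet.example.com"\n'
                         '        --authentication = "anonymous"\n'
                         '        authentication = "ldap2"\n')
    return str(modules), str(global_cfg), str(vhost_cfg)


if __name__ == "__main__":
    # On a real host call preflight() with no arguments; here we use the sample layout.
    findings = preflight(*write_sample_layout())
    print("ready to restart" if not findings else "\n".join(findings))
```

Running preflight() with no arguments on the server itself reads the real paths; a non-empty list names exactly which copy or edit from the steps above is still missing.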