Step by Step LDAP Configuration Guide For Jitsi Meet

Jitsi is an open-source video conferencing solution, and in the days of COVID-19 there is a lot of demand for such solutions. I have been managing a large Jitsi installation for a while. Installing Jitsi with Docker is pretty easy and well documented, but setting up LDAP has proven a little trickier for some users, so I created this guide. I will explain the steps for Docker-based Jitsi, but the same information also applies to non-Docker installations. Before starting with the LDAP configuration, here are some lessons I learned from running a large Jitsi cluster for a year.

  • Strong servers can easily handle 80+ users in the same room, but the local resources of the clients run out pretty fast in large rooms; cell phones get pretty hot. Jitsi offloads a lot of work to the client computers.
  • The older mobile applications are often unreliable. I usually had problems with iPhone users, and some older Android versions cannot log in unless the user sets a name before joining.
  • High-end security appliances do not like the encryption used by some mobile clients; I had to create an exception for this to get things running smoothly. If you are having problems with mobile clients, check this first.
  • If you have to deal with geographically distributed users, consider the CASCADE topology, which makes everything more manageable, but it uses more bandwidth than the basic topology.
  • Using a private browsing tab improves performance for clients with low specs.

1. How Jitsi Authentication Works

[Sequence diagram] Participants: Jitsi Web, Jitsi Prosody, saslauthd, Active Directory. Jitsi Web sends an Auth Request to Jitsi Prosody, Prosody forwards the Auth Request to saslauthd, and saslauthd performs an LDAP Search against Active Directory.

LDAP_SERVER: ldap.root101.net

This is the DNS name or IP address of the AD server (domain controller).

BIND_DN: CN=jitsiuser,OU=ConfAdmins,OU=HumanAccounts,OU=Accounts,DC=root101,DC=lokal

This is a service account created only for querying the LDAP tree; it should have read-only access to the search base and nothing more. Some ADs allow querying without an account (anonymous bind), but that method is terribly insecure. In this guide the account has the password PASSr101.

SEARCH_BASE: OU=ConfAdmins,OU=HumanAccounts,OU=Accounts,DC=root101,DC=lokal

This is the organizational unit (OU) that holds all the users we want to allow into this system.

2. How to Test LDAP Credentials

As a first step, instead of rushing into the saslauthd config, take a baby step and test the credentials with ldapsearch. This way we also catch network and AD-related issues before diving into Prosody.

To get the ldapsearch command on our system, we need to install the OpenLDAP client utilities (the ldap-utils package on Debian/Ubuntu). Then query the search base with the service account:

ldapsearch -x -H ldap://ldap.root101.net -D CN=jitsiuser,OU=ConfAdmins,OU=HumanAccounts,OU=Accounts,DC=root101,DC=lokal -w PASSr101 -b OU=ConfAdmins,OU=HumanAccounts,OU=Accounts,DC=root101,DC=lokal

This command should return all the objects under the search base: the users and the OU entry itself, since the default filter is (objectClass=*). Passing the password with -w leaves it in the shell history and visible in the process list while the command runs; -W prompts for it instead. We can count the returned entries:

ldapsearch -x -H ldap://ldap.root101.net -D CN=jitsiuser,OU=ConfAdmins,OU=HumanAccounts,OU=Accounts,DC=root101,DC=lokal -w PASSr101 -b OU=ConfAdmins,OU=HumanAccounts,OU=Accounts,DC=root101,DC=lokal | grep -i distinguishedName | wc -l
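Counting distinguishedName lines by hand is easy to get wrong, so here is an added example (not part of the original post) that parses ldapsearch output and separates real user objects from the OU at the search base. SAMPLE_LDIF is constructed sample output in the shape ldapsearch prints for the subtree search above; the DNs follow the guide, the attribute data is invented, and the function names are my own.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post: count what ldapsearch
# returned and separate real user accounts from the search-base OU itself.
# SAMPLE_LDIF is constructed sample output in the shape ldapsearch prints
# for the guide's subtree search; the DNs follow the guide, the data is
# invented. To run against a live directory, replace the printf with
#   ldapsearch -x -H ldap://ldap.root101.net -D 'CN=jitsiuser,...' -W -b 'OU=ConfAdmins,...'
# (-W prompts for the bind password instead of leaving it in shell history).
set -eu

SAMPLE_LDIF='# extended LDIF
#
# LDAPv3
# base <OU=ConfAdmins,OU=HumanAccounts,OU=Accounts,DC=root101,DC=lokal> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# ConfAdmins, HumanAccounts, Accounts, root101.lokal
dn: OU=ConfAdmins,OU=HumanAccounts,OU=Accounts,DC=root101,DC=lokal
objectClass: top
objectClass: organizationalUnit
distinguishedName: OU=ConfAdmins,OU=HumanAccounts,OU=Accounts,DC=root101,DC=lokal
name: ConfAdmins

# jitsiuser, ConfAdmins, HumanAccounts, Accounts, root101.lokal
dn: CN=jitsiuser,OU=ConfAdmins,OU=HumanAccounts,OU=Accounts,DC=root101,DC=lokal
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
distinguishedName: CN=jitsiuser,OU=ConfAdmins,OU=HumanAccounts,OU=Accounts,DC=root101,DC=lokal
sAMAccountName: jitsiuser

# root101adm, ConfAdmins, HumanAccounts, Accounts, root101.lokal
dn: CN=root101adm,OU=ConfAdmins,OU=HumanAccounts,OU=Accounts,DC=root101,DC=lokal
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
distinguishedName: CN=root101adm,OU=ConfAdmins,OU=HumanAccounts,OU=Accounts,DC=root101,DC=lokal
sAMAccountName: root101adm

# search result
search: 2
result: 0 Success

# numEntries: 3
'

# The guide's one-liner: every AD object carries distinguishedName, so this
# also counts the OU at the search base (3 here, although there are 2 users).
naive_count() {
  grep -ic '^distinguishedName:' || true
}

# What ldapsearch itself reports in its trailer.
reported_entries() {
  sed -n 's/^# numEntries: //p'
}

# Entries that are actually user objects. awk paragraph mode (RS="") turns
# each blank-line-separated LDIF record into one awk record and FS="\n"
# gives one attribute per field, so the comparison is exact.
user_count() {
  awk 'BEGIN { RS = ""; FS = "\n" }
       { for (i = 1; i <= NF; i++) if ($i == "objectClass: user") { n++; break } }
       END { print n + 0 }'
}

# The login names users will type into Jitsi. AD keys accounts on
# sAMAccountName, not uid, which is what the saslauthd filter must match.
user_logins() {
  awk 'BEGIN { RS = ""; FS = "\n" }
       { is_user = 0
         for (i = 1; i <= NF; i++) if ($i == "objectClass: user") is_user = 1
         if (is_user)
           for (i = 1; i <= NF; i++)
             if (sub(/^sAMAccountName: /, "", $i)) print $i }'
}

echo "grep distinguishedName | wc -l gives: $(printf '%s' "$SAMPLE_LDIF" | naive_count)"
echo "ldapsearch reported numEntries:      $(printf '%s' "$SAMPLE_LDIF" | reported_entries)"
echo "objectClass=user entries:            $(printf '%s' "$SAMPLE_LDIF" | user_count)"
echo "logins: $(printf '%s' "$SAMPLE_LDIF" | user_logins | tr '\n' ' ')"
```

The user_count figure is the one to compare with the directory: the naive grep and the numEntries trailer both include the OU entry, so they come out one higher than the number of accounts.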

If this number matches the number of users in the OU (plus one for the OU entry itself, which is returned as well), we can move forward. For a new installation, things are pretty simple. Keep in mind that the .env file written below holds the bind password in plaintext, so restrict its permissions (chmod 600 .env) and keep it out of version control:

git clone https://github.com/jitsi/docker-jitsi-meet
cd docker-jitsi-meet
cp env.example .env
echo "ENABLE_AUTH=1" >> .env
echo "AUTH_TYPE=ldap" >> .env
echo "LDAP_AUTH_METHOD=bind" >> .env
echo "LDAP_URL=ldap://ldap.root101.net/" >> .env
echo "LDAP_BINDDN=CN=jitsiuser,OU=ConfAdmins,OU=HumanAccounts,OU=Accounts,DC=root101,DC=lokal" >> .env
echo "LDAP_BASE=OU=ConfAdmins,OU=HumanAccounts,OU=Accounts,DC=root101,DC=lokal" >> .env
echo "LDAP_BINDPW=PASSr101" >> .env
docker-compose up -d

3. How to Configure Jitsi

To be honest, I don't like using the .env file for this, because it only exposes a limited set of parameters. The real configuration is /etc/saslauthd.conf, which resides inside the container. This file is generated from a template under /root/.jitsi-meet-cfg/prosody:

{{ if eq (.Env.AUTH_TYPE | default "internal") "ldap" }}
ldap_servers: {{ .Env.LDAP_URL }}
ldap_search_base: {{ .Env.LDAP_BASE }}
ldap_bind_dn: {{ .Env.LDAP_BINDDN }}
ldap_bind_pw: {{ .Env.LDAP_BINDPW }}
ldap_filter: {{ .Env.LDAP_FILTER | default "uid=%u" }}
ldap_version: {{ .Env.LDAP_VERSION | default "3" }}
ldap_auth_method: {{ .Env.LDAP_AUTH_METHOD | default "bind" }}
  {{ if .Env.LDAP_USE_TLS | default "0" | toBool }}
ldap_tls_key: /config/certs/{{ .Env.XMPP_DOMAIN }}.key
ldap_tls_cert: /config/certs/{{ .Env.XMPP_DOMAIN }}.crt
    {{ if .Env.LDAP_TLS_CHECK_PEER | default "0" | toBool }}
ldap_tls_check_peer: yes
ldap_tls_cacert_file: {{ .Env.LDAP_TLS_CACERT_FILE | default "/etc/ssl/certs/ca-certificates.crt" }}
ldap_tls_cacert_dir: {{ .Env.LDAP_TLS_CACERT_DIR | default "/etc/ssl/certs" }}
    {{ end }}
    {{ if .Env.LDAP_TLS_CIPHERS }}
ldap_tls_ciphers: {{ .Env.LDAP_TLS_CIPHERS }}
    {{ end }}
  {{ end }}
{{ end }}

When the container gets created, this template is filled in from the environment variables and written to /etc/saslauthd.conf in the prosody container. Note that the template only verifies the directory server's certificate when both LDAP_USE_TLS=1 and LDAP_TLS_CHECK_PEER=1 are set; otherwise no ldap_tls_check_peer line is emitted at all.

docker exec -it docker-jitsi-meet_prosody_1 /bin/bash
root@018a26b1e735:/# cat /etc/saslauthd.conf

ldap_servers: ldap://ldap.root101.net/
ldap_search_base: OU=ConfAdmins,OU=HumanAccounts,OU=Accounts,DC=root101,DC=lokal

ldap_bind_dn: CN=jitsiuser,OU=ConfAdmins,OU=HumanAccounts,OU=Accounts,DC=root101,DC=lokal
ldap_bind_pw:  PASSr101

ldap_filter: uid=%u
ldap_version: 3
ldap_auth_method: bind

We can edit the file under /root/.jitsi-meet-cfg/prosody directly to update the config, bypassing the .env file. This also lets us use every saslauthd option instead of the limited set exposed through .env. Two things in the rendered file above need fixing before testing against Active Directory: ldap_filter: uid=%u will never match, because AD accounts are identified by sAMAccountName (set LDAP_FILTER=(sAMAccountName=%u), or edit the line directly); and the plain ldap:// URL sends the bind password and every user's password in cleartext between Prosody and the domain controller, so use an ldaps:// URL with LDAP_USE_TLS=1 and LDAP_TLS_CHECK_PEER=1.
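The rendered file is a good place to check the settings that decide whether LDAP authentication against Active Directory both works and is safe. The following is an added example, not part of the original post or of docker-jitsi-meet: a shell check that reads a saslauthd.conf on stdin and reports findings. The two configs embedded in it are constructed samples (WEAK_CONF mirrors the rendered file above, HARDENED_CONF is one way to fix it), and the function and variable names are my own.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post or of docker-jitsi-meet:
# lint a rendered /etc/saslauthd.conf for the three settings that decide
# whether LDAP auth against Active Directory is both working and safe.
# WEAK_CONF is a constructed copy of the rendered file shown in the guide;
# HARDENED_CONF is the same file after moving to ldaps:// with server
# certificate verification and an AD-appropriate filter. Both are samples.
# Usage against a live container (function must be sourced first):
#   docker exec docker-jitsi-meet_prosody_1 cat /etc/saslauthd.conf | check_saslauthd_conf
set -eu

WEAK_CONF='ldap_servers: ldap://ldap.root101.net/
ldap_search_base: OU=ConfAdmins,OU=HumanAccounts,OU=Accounts,DC=root101,DC=lokal
ldap_bind_dn: CN=jitsiuser,OU=ConfAdmins,OU=HumanAccounts,OU=Accounts,DC=root101,DC=lokal
ldap_bind_pw: PASSr101
ldap_filter: uid=%u
ldap_version: 3
ldap_auth_method: bind
'

HARDENED_CONF='ldap_servers: ldaps://ldap.root101.net/
ldap_search_base: OU=ConfAdmins,OU=HumanAccounts,OU=Accounts,DC=root101,DC=lokal
ldap_bind_dn: CN=jitsiuser,OU=ConfAdmins,OU=HumanAccounts,OU=Accounts,DC=root101,DC=lokal
ldap_bind_pw: PASSr101
ldap_filter: (&(objectClass=user)(sAMAccountName=%u))
ldap_version: 3
ldap_auth_method: bind
ldap_tls_check_peer: yes
ldap_tls_cacert_file: /etc/ssl/certs/ca-certificates.crt
'

# Pull one option's value out of a saslauthd.conf held in $1 (last wins).
conf_value() {
  printf '%s\n' "$1" | sed -n "s/^$2:[[:space:]]*//p" | tail -n 1
}

# Reads a saslauthd.conf on stdin, prints one finding per line and returns
# non-zero if anything was found, so it can gate a deployment script.
check_saslauthd_conf() {
  conf=$(cat)
  servers=$(conf_value "$conf" ldap_servers)
  filter=$(conf_value "$conf" ldap_filter)
  check_peer=$(conf_value "$conf" ldap_tls_check_peer)
  start_tls=$(conf_value "$conf" ldap_start_tls)
  findings=0

  # 1. Transport: plain ldap:// without StartTLS sends the bind password and
  #    every user's password in cleartext between Prosody and the DC.
  case "$servers" in
    ldaps://*) ;;
    ldap://*)
      if [ "$start_tls" != "yes" ]; then
        echo "FAIL ldap_servers=$servers without ldap_start_tls: credentials cross the network unencrypted"
        findings=$((findings + 1))
      fi ;;
    *)
      echo "FAIL ldap_servers is missing or has an unexpected scheme: '$servers'"
      findings=$((findings + 1)) ;;
  esac

  # 2. Peer verification: saslauthd does not verify the server certificate
  #    unless ldap_tls_check_peer is yes, so TLS alone still allows a MITM.
  if [ "$check_peer" != "yes" ]; then
    echo "FAIL ldap_tls_check_peer is not 'yes': the directory server's certificate is never verified"
    findings=$((findings + 1))
  fi

  # 3. Filter: AD accounts log in with sAMAccountName (or the UPN); uid=%u
  #    never matches, so every login fails even though the bind DN works.
  case "$filter" in
    *sAMAccountName=%u*|*userPrincipalName=%u*) ;;
    *)
      echo "FAIL ldap_filter '$filter' does not match on sAMAccountName or userPrincipalName"
      findings=$((findings + 1)) ;;
  esac

  [ "$findings" -eq 0 ]
}

# Number of findings as a plain integer (0 when the config is clean).
finding_count() {
  check_saslauthd_conf | grep -c . || true
}

echo "== WEAK_CONF (as rendered by the guide)"
printf '%s' "$WEAK_CONF" | check_saslauthd_conf || true
echo "== HARDENED_CONF"
printf '%s' "$HARDENED_CONF" | check_saslauthd_conf && echo "clean"
```

To reach the hardened variant through .env rather than by editing the file, set LDAP_URL to the ldaps:// address, LDAP_USE_TLS=1 and LDAP_TLS_CHECK_PEER=1 (the template above emits ldap_tls_check_peer only when both are set), and LDAP_FILTER to the AD filter. Once the basic flow works, narrowing the filter further with a memberOf clause for a dedicated group is a sensible next step.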

For testing, we can edit this file on a running container. Since there is no text editor in the container, we can use docker cp (the change lives only in this container and is lost when it is recreated):

docker cp docker-jitsi-meet_prosody_1:/etc/saslauthd.conf  saslauthd.conf
vim saslauthd.conf
docker cp  saslauthd.conf docker-jitsi-meet_prosody_1:/etc/saslauthd.conf
docker exec -it docker-jitsi-meet_prosody_1 service saslauthd restart

To check that our configuration works, we can use the testsaslauthd tool in the container:

docker exec -it docker-jitsi-meet_prosody_1 /bin/bash
root@018a26b1e735:/# testsaslauthd -u root101adm -p anotherpassword
0: OK "Success."

Don't forget to clear your shell history, which has just recorded the passwords in plaintext (the testsaslauthd line carries the test user's password, and the ldapsearch lines carry the bind password). Prefixing a command with a space keeps it out of bash history when HISTCONTROL includes ignorespace.

history -cw

When dealing with a custom saslauthd.conf instead of environment variables, consider building a custom Docker image from a Dockerfile so the file survives container re-creation.

4. How Accounts Behave in Jitsi

We can enable or disable guests with:

ENABLE_GUESTS=

If we set this to 0:

  • Only authenticated (LDAP) users can log in and join conferences on the system.

If we set this to 1:

  • Only authenticated users can create new rooms.
  • Unauthenticated (guest) users can join these rooms, but they cannot create them.
  • All authenticated accounts become moderators in every room they join.

Root101

Open Source and Linux, Notes, Guides and Ideas