How to setup LDAP configuration for video
Hello,
In the c't article about the LDAP configuration for Jitsi the author mentioned that under the short link ct.de7yfk7 there is an explanation of how to set up LDAP. Although I did not find any documentation I gave it a try; however, it took me some time to find out that the deployment description for the prosody pod was incomplete. At least I did not get an LDAP connection until I extended the file team-video/templates/deploy_prosody.yaml with the appropriate LDAP variables.
With the following version of team-video/templates/deploy_prosody.yaml the saslauthd.conf file is set up correctly in the prosody pod for LDAP support.
```yaml
kind: Deployment
apiVersion: apps/v1
metadata:
  namespace: default
  name: {{ include "team-video.fullname" . }}-prosody
  labels:
    app: {{ include "team-video.fullname" . }}-prosody
spec:
  replicas: 1
  selector:
    matchLabels:
      app: {{ include "team-video.fullname" . }}-prosody
  template:
    metadata:
      labels:
        app: {{ include "team-video.fullname" . }}-prosody
      annotations:
        timestamp: "{{ now | unixEpoch }}"
    spec:
      containers:
        - name: prosody
          ports:
            - containerPort: 5222
            - containerPort: 5280
            - containerPort: 5347
          resources: {}
          # restartPolicy: Always
          {{ if eq .Values.auth.type "internal" }}
          lifecycle:
            postStart:
              exec:
                command: ["/bin/bash", "-c", "sleep 60; prosodyctl --config /config/prosody.cfg.lua register {{ .Values.auth.admin.user }} {{ .Values.app.name }}.{{ .Values.app.domain }} {{ .Values.auth.admin.password }}"]
          {{end}}
          image: jitsi/prosody
          imagePullPolicy: {{ .Values.app.pullpolicy }}
          env:
            {{ if .Values.auth.enabled}}
            - name: ENABLE_AUTH
              value: "true"
            {{ if .Values.auth.guests}}
            - name: ENABLE_GUESTS
              value: "true"
            {{end}}
            - name: AUTH_TYPE
              value: {{ .Values.auth.type }}
            # LDAP settings consumed by saslauthd in the prosody image;
            # each one is only rendered when it is set in values-video.yaml
            {{ if .Values.auth.ldapauthmethod}}
            - name: LDAP_AUTH_METHOD
              value: {{ .Values.auth.ldapauthmethod}}
            {{end}}
            {{ if .Values.auth.ldapurl }}
            - name: LDAP_URL
              value: {{ .Values.auth.ldapurl }}
            {{end}}
            {{ if .Values.auth.ldapusetls }}
            - name: LDAP_USE_TLS
              # quoted: env values must be strings, a bare YAML boolean is rejected by the API server
              value: {{ .Values.auth.ldapusetls | quote }}
            {{end}}
            {{ if .Values.auth.ldapstarttls }}
            - name: LDAP_START_TLS
              value: {{ .Values.auth.ldapstarttls | quote }}
            {{end}}
            {{ if .Values.auth.ldaptlscacertfile }}
            - name: LDAP_TLS_CACERT_FILE
              value: {{ .Values.auth.ldaptlscacertfile }}
            {{end}}
            {{ if .Values.auth.ldaptlscacertdir }}
            - name: LDAP_TLS_CACERT_DIR
              value: {{ .Values.auth.ldaptlscacertdir }}
            {{end}}
            {{ if .Values.auth.ldapcheckpeer }}
            - name: LDAP_TLS_CHECK_PEER
              value: {{ .Values.auth.ldapcheckpeer | quote }}
            {{end}}
            {{ if .Values.auth.ldapbase }}
            - name: LDAP_BASE
              value: {{ .Values.auth.ldapbase }}
            {{end}}
            {{ if .Values.auth.ldapbinddn }}
            - name: LDAP_BINDDN
              value: {{ .Values.auth.ldapbinddn }}
            {{end}}
            {{ if .Values.auth.ldapbindpw }}
            - name: LDAP_BINDPW
              # the bind password ends up in the pod spec in clear text; a secretKeyRef is the safer option
              value: {{ .Values.auth.ldapbindpw }}
            {{end}}
            {{ if .Values.auth.ldapfilter }}
            - name: LDAP_FILTER
              value: {{ .Values.auth.ldapfilter }}
            {{end}}
            {{ if .Values.auth.ldapversion }}
            - name: LDAP_VERSION
              # quoted: the protocol version is a number in values.yaml, but must be a string here
              value: {{ .Values.auth.ldapversion | quote }}
            {{end}}
            {{end}}
            - name: XMPP_DOMAIN
              value: {{ .Values.app.name }}.{{ .Values.app.domain }}
            {{ if .Values.auth.guests}}
            - name: XMPP_GUEST_DOMAIN
              value: guest.{{ .Values.app.name }}.{{ .Values.app.domain }}
            {{end}}
            - name: XMPP_AUTH_DOMAIN
              value: auth.{{ .Values.app.name }}.{{ .Values.app.domain }}
            - name: XMPP_MUC_DOMAIN
              value: muc.{{ .Values.app.name }}.{{ .Values.app.domain }}
            - name: JICOFO_COMPONENT_SECRET
              value: {{ .Values.secrets.jicofo.component }}
            - name: JVB_COMPONENT_SECRET
              value: {{ .Values.secrets.jvb.component }}
            - name: JICOFO_AUTH_USER
              value: focus
            - name: JICOFO_AUTH_PASSWORD
              value: {{ .Values.secrets.jicofo.auth }}
            - name: JVB_AUTH_USER
              value: jvb
            - name: JVB_AUTH_PASSWORD
              value: {{ .Values.secrets.jvb.auth }}
            - name: LOG_LEVEL
              value: {{ .Values.logLevel }}
            - name: XMPP_INTERNAL_MUC_DOMAIN
              value: internal-muc.{{ .Values.app.name }}.{{ .Values.app.domain }}
            - name: TZ
              value: Europe/Paris
```
Also the line
```yaml
#ldapfilter: (&(&(|(objectclass=person)))(|(samaccountname=%uid)(|(mailPrimaryAddress=%uid)(mail=%uid)))
```
in values-video.yaml seems misleading. To get it to work you should use %u as the variable, not %uid. My version (also slightly simplified by omitting superfluous operations) is
```yaml
ldapfilter: (&(objectclass=person)(|(uid=%u)(|(mailPrimaryAddress=%u)(mail=%u))))
```
Hope this helps others
Wallenstein
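An added illustration of the %u placeholder point above (example code, not from the post or from the Jitsi/team-video project). It assumes saslauthd-style expansion, where %u is the login name as typed and %% a literal percent sign, so that under this assumption the old `%uid` reads as `%u` followed by the literal text `id`; it goes a little beyond the post by also escaping the substituted value per RFC 4515 and checking that the rendered filter's parentheses are balanced.

```python
import re

# The two filter templates quoted in the post, copied verbatim.
POST_FILTER = "(&(objectclass=person)(|(uid=%u)(|(mailPrimaryAddress=%u)(mail=%u))))"
OLD_FILTER = "(&(&(|(objectclass=person)))(|(samaccountname=%uid)(|(mailPrimaryAddress=%uid)(mail=%uid)))"


def ldap_filter_escape(value: str) -> str:
    """Escape the characters RFC 4515 reserves in an assertion value, so a login
    name such as '*)(uid=*' cannot change the structure of the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def render_filter(template: str, user: str) -> str:
    """Expand %u and %% the way a saslauthd-style template is assumed to be
    expanded: only the single character after '%' is the placeholder, so
    '%uid' becomes the user name followed by the literal text 'id'."""
    def repl(match: "re.Match[str]") -> str:
        token = match.group(1)
        if token == "u":
            return ldap_filter_escape(user)
        if token == "%":
            return "%"
        raise ValueError(f"unsupported placeholder %{token}")
    return re.sub(r"%(.)", repl, template)


def balanced(ldap_filter: str) -> bool:
    """Sanity check for a filter template or rendered filter: every '(' is closed."""
    depth = 0
    for ch in ldap_filter:
        depth += {"(": 1, ")": -1}.get(ch, 0)
        if depth < 0:
            return False
    return depth == 0


if __name__ == "__main__":
    print(render_filter(POST_FILTER, "alice"))
    print(render_filter(OLD_FILTER, "alice"))       # samaccountname=aliceid, not alice
    print(render_filter(POST_FILTER, "*)(uid=*"))   # reserved characters escaped
    print(balanced(POST_FILTER), balanced(OLD_FILTER))
```

Running `balanced` on the original values-video.yaml line also shows that, as quoted, it has one more opening than closing parenthesis.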