LDAP issues

[dbf]

I successfully installed team-container/Jitsi Meet, then tried to switch to LDAP auth. This feature appears to be broken, though. I had to change team-container/team-video/templates/deploy_prosody.yaml as suggested in issue report #43. Though saslauthd then worked ok (tested from inside the pod using testsaslauthd), the Jitsi Meet web client simply ignored it (anyone could still open a room). After some searching, i discovered that, for some reason, the jicofo sip properties are missing an entry

org.jitsi.jicofo.auth.URL=XMPP:meet.example.org

Once changed inside the pod and jicofo restarted, LDAP auth works as expected with the Jitsi Meet web client.

How would i configure this in the YAML configuration to get it right in the first place?

[dbf]

Commenting on myself: I have LDAP auth for Jitsi working (against FreeIPA/389ds). Sanitized git diff against team-container rev. 787d4a7 below. However:

• I'm pretty convinced, that LDAP auth for Jitsi is broken in master - the variables for LDAP configuration belong into the prosody container, since saslauthd runs in the prosody container and
• i'm unhappy with manually messing around with the jicofo configuration. This is probably not the container way to do it, but i simply don't know another way.

diff --git a/team-video/templates/deploy_jicofo.yaml b/team-video/templates/deploy_jicofo.yaml
index cfb7420..1b089ab 100644
--- a/team-video/templates/deploy_jicofo.yaml
+++ b/team-video/templates/deploy_jicofo.yaml
@@ -21,6 +21,10 @@ spec:
        - name: jicofo
          image: jitsi/jicofo
          imagePullPolicy: {{ .Values.app.pullpolicy }}
+         lifecycle:
+           postStart:
+             exec:
+               command: ['/bin/bash', '-c', 'sleep 20; sed -i -e "\$aorg.jitsi.jicofo.auth.URL=XMPP:{{ .Values.app.name }}.{{ .Values.app.domain }}" /config/sip-communicator.properties && s6-svc -h /var/run/s6/services/jicofo']
          env:
           {{ if .Values.auth.enabled}}
           {{ if eq .Values.auth.type "ldap" }}
@@ -54,4 +58,4 @@ spec:
           - name: XMPP_INTERNAL_MUC_DOMAIN
             value: internal-muc.{{ .Values.app.name }}.{{ .Values.app.domain }}
           - name: TZ
-            value: Europe/Paris
\ No newline at end of file
+            value: Europe/Paris
diff --git a/team-video/templates/deploy_prosody.yaml b/team-video/templates/deploy_prosody.yaml
index 3215b73..335aebb 100644
--- a/team-video/templates/deploy_prosody.yaml
+++ b/team-video/templates/deploy_prosody.yaml
@@ -43,6 +43,54 @@ spec:
             {{end}}
           - name: AUTH_TYPE
             value: {{ .Values.auth.type }}
+            {{ if .Values.auth.ldapauthmethod}}
+          - name: LDAP_AUTH_METHOD
+            value: {{ .Values.auth.ldapauthmethod}}
+            {{end}}
+            {{ if .Values.auth.ldapurl }}
+          - name: LDAP_URL
+            value: {{ .Values.auth.ldapurl }}
+            {{end}}
+            {{ if .Values.auth.ldapusetls }}
+          - name: LDAP_USE_TLS
+            value: {{ .Values.auth.ldapusetls }}
+            {{end}}
+            {{ if .Values.auth.ldapstarttls }}
+          - name: LDAP_START_TLS
+            value: {{ .Values.auth.ldapstarttls }}
+            {{end}}
+            {{ if .Values.auth.ldaptlscacertfile }}
+          - name: LDAP_TLS_CACERT_FILE
+            value: {{ .Values.auth.ldaptlscacertfile }}
+            {{end}}
+            {{ if .Values.auth.ldaptlscacertdir }}
+          - name: LDAP_TLS_CACERT_DIR
+            value: {{ .Values.auth.ldaptlscacertdir }}
+            {{end}}
+            {{ if .Values.auth.ldapcheckpeer }}
+          - name: LDAP_TLS_CHECK_PEER
+            value: {{ .Values.auth.ldapcheckpeer }}
+            {{end}}
+            {{ if .Values.auth.ldapbase }}
+          - name: LDAP_BASE
+            value: {{ .Values.auth.ldapbase }}
+            {{end}}
+            {{ if .Values.auth.ldapbinddn }}
+          - name: LDAP_BINDDN
+            value: {{ .Values.auth.ldapbinddn }}
+            {{end}}
+            {{ if .Values.auth.ldapbindpw }}
+          - name: LDAP_BINDPW
+            value: {{ .Values.auth.ldapbindpw }}
+            {{end}}
+            {{ if .Values.auth.ldapfilter }}
+          - name: LDAP_FILTER
+            value: {{ .Values.auth.ldapfilter }}
+            {{end}}
+            {{ if .Values.auth.ldapversion }}
+          - name:  LDAP_VERSION
+            value: {{ .Values.auth.ldapversion }}
+            {{end}}
           {{end}}
           - name: XMPP_DOMAIN
             value: {{ .Values.app.name }}.{{ .Values.app.domain }}
@@ -71,4 +119,4 @@ spec:
           - name: XMPP_INTERNAL_MUC_DOMAIN
             value: internal-muc.{{ .Values.app.name }}.{{ .Values.app.domain }}
           - name: TZ
-            value: Europe/Paris
\ No newline at end of file
+            value: Europe/Paris
diff --git a/team-video/values.yaml b/team-video/values.yaml
index 9f4c3d8..2629e14 100644
--- a/team-video/values.yaml
+++ b/team-video/values.yaml
@@ -4,12 +4,12 @@ app:
   pullpolicy: IfNotPresent
 
 auth:
-  enabled: false
+  enabled: true
   guests: true
   type: "internal"
   admin:
     user: admin
-    password: "jitsiAdmin"
+    password: "XXX"
 
 logLevel: "info"
 hideWelcomePage: true
@@ -20,8 +20,8 @@ stun:
   # optional changes below this line.
 secrets:
   jvb:
-    component: "jsdjhjk623sxbnedrtg42315tr"
-    auth: "srfddffgjsdf34342349988"
+    component: "YYY"
+    auth: "ZZZ"
   jicofo:
-    component: "s234sdffghbvjnndf!"
-    auth: "sdfokjsdfkl123123123ghghg!"
\ No newline at end of file
+    component: "ABC"
+    auth: "DEF"
diff --git a/values-setup.yaml b/values-setup.yaml
index 034fc73..7057f83 100644
--- a/values-setup.yaml
+++ b/values-setup.yaml
@@ -1,7 +1,7 @@
 acme:
-  mail: [email protected]
-  production: false
+  mail: [email protected]
+  production: true
 
 app:
-  name: cloud
-  domain: example.org
+  name: mytc
+  domain: mydomain.org
diff --git a/values-video.yaml b/values-video.yaml
index df3691a..996c621 100644
--- a/values-video.yaml
+++ b/values-video.yaml
@@ -1,33 +1,33 @@
 app:
-  name: video
-  domain: example.org
+  name: mytc-vc
+  domain: mydomain.org
   pullpolicy: IfNotPresent # set to Always for auto updates
 
 auth:
-  enabled: false
+  enabled: true
   guests: true
   # internal auth
-  type: internal
-  admin:
-    user: admin
-    password: "jitsiAdmin"
+  #type: internal
+  #admin:
+  #  user: admin
+  #  password: "jitsiAdmin"
   # ldap auth - remove above "type: internal" auth to use it
-  #type: ldap
-  #ldapauthmethod: bind
-  #ldapurl: ldap://LDAP_SERVER
+  type: ldap
+  ldapauthmethod: bind
+  ldapurl: ldaps://ipa.mydomain.org
   #ldapusetls: 1
   #ldapstarttls: 1 # needs LDAP_VERSIOn 3
   #ldaptlscacertfile:
   #ldaptlscacertdir:
-  #ldaptlscheckpeer:
-  #ldapbase: OU=users,DC=domain,DC=local
-  #ldapbinddn: CN=ldap user,OU=svc_users,DC=domain,DC=local
-  #ldapbindpw: VerySecretPassword
-  #ldapfilter: (&(&(|(objectclass=person)))(|(samaccountname=%uid)(|(mailPrimaryAddress=%uid)(mail=%uid))))
+  ldaptlscheckpeer: 0
+  ldapbase: CN=users,CN=accounts,DC=mydomain,DC=org
+  ldapbinddn: uid=binduser,CN=users,CN=accounts,DC=mydomain,DC=org
+  ldapbindpw: XXXYYYZZZ
+  ldapfilter: (uid=%u)
   #ldapversion: 3 # can break helm upgrade
 
 logLevel: "info"
-hideWelcomePage: true
+hideWelcomePage: false
 # Remove following # to use different stun servers
 # stun:
 #  server: stun.stunprotocol.org:3478, stun.services.mozilla.com:3478