docker-jitsi-meet
[LDAP] Fail to perform an authentication with LDAP
Dear,
I tried to configure the jitsi-meet Docker images to use LDAP as the authentication method, without success.
The environment variables below are filled from the .env file:
- LDAP_BASE
- LDAP_URL
- LDAP_FILTER
- LDAP_AUTH_METHOD
- LDAP_TLS_CACERT_FILE
- LDAP_BINDDN
- LDAP_BINDPW
- LDAP_VERSION
- In order to check the configuration I launch a bash session in the prosody container
docker exec -it someone-prosody-1 /bin/bash
- I test the configuration
testsaslauthd -u 'someone' -p 'isasecret'
NO ....
- The command fails, so I install ldapsearch to check the query
apt update -y && apt install -y ldap-utils
- I check the query using ldapsearch and the env vars
ldapsearch -x -b "${LDAP_BASE}" -H "${LDAP_URL}" -D "${LDAP_BINDDN}" -w "${LDAP_BINDPW}" "${LDAP_FILTER}"
# someone, users, accounts, foo.org
dn: uid=someone,cn=users,cn=accounts,dc=foo,dc=org
....
...
...
With ldapsearch, that works.
Thanks for your advice.
Best regards
(Issue transferred to the appropriate repo)
Thanks @saghul, can I get the link to the corresponding issue?
The URL should automagically redirect.
Did you consider that
- the prosody/Dockerfile needs to install the prosody-modules dependencies?
$ cat << 'EOF' > prosody/Dockerfile
ARG JITSI_REPO=jitsi
ARG BASE_TAG=latest
FROM ${JITSI_REPO}/base:${BASE_TAG} as builder
RUN apt-dpkg-wrap apt-get update && \
    apt-dpkg-wrap apt-get install -y \
        lua5.2 \
        liblua5.2-dev \
        libsasl2-dev \
        libssl-dev \
        luarocks \
        git \
        gcc && \
    luarocks install cyrussasl 1.1.0-1 && \
    luarocks install net-url 0.9-1 && \
    luarocks install luajwtjitsi 2.0-0

FROM ${JITSI_REPO}/base:${BASE_TAG}
ENV XMPP_CROSS_DOMAIN="false"
RUN wget -qO /etc/apt/trusted.gpg.d/prosody.gpg https://prosody.im/files/prosody-debian-packages.key && \
    echo "deb http://packages.prosody.im/debian bullseye main" > /etc/apt/sources.list.d/prosody.list && \
    apt-dpkg-wrap apt-get update && \
    apt-dpkg-wrap apt-get install -y \
        prosody \
        prosody-modules \
        libssl1.1 \
        libldap-common \
        sasl2-bin \
        libsasl2-modules-ldap \
        ldap-utils \
        lua-basexx \
        lua-ldap \
        lua-sec \
        patch && \
    apt-cleanup && \
    rm -rf /etc/prosody && \
    apt-dpkg-wrap apt-get update && \
    apt-dpkg-wrap apt-get -d install -y jitsi-meet-prosody && \
    dpkg -x /var/cache/apt/archives/jitsi-meet-prosody*.deb /tmp/pkg && \
    mv /tmp/pkg/usr/share/jitsi-meet/prosody-plugins /prosody-plugins && \
    apt-cleanup && \
    rm -rf /tmp/pkg /var/cache/apt && \
    patch -d /usr/lib/prosody/modules/muc -p0 < /prosody-plugins/muc_owner_allow_kick.patch
COPY rootfs/ /
COPY --from=builder /usr/local/lib/lua /usr/local/lib/lua
COPY --from=builder /usr/local/share/lua /usr/local/share/lua
EXPOSE 5222 5347 5280
VOLUME ["/config", "/prosody-plugins-custom"]
EOF
- configure LDAP with:
$ cat << 'EOF' > prosody/rootfs/defaults/conf.d/ldap.cfg.lua
-- Authentication configuration --
-- https://modules.prosody.im/mod_lib_ldap.html
-- https://prosody.im/doc/modules/mod_auth_ldap
authentication = 'ldap'
ldap_server = os.getenv("LDAP_URL")
ldap_tls = true
ldap_rootdn = os.getenv("LDAP_BINDDN")
ldap_password = os.getenv("LDAP_BINDPW")
ldap_base = os.getenv("LDAP_BASE")
ldap_filter = os.getenv("LDAP_FILTER")
EOF
- configure ldap.conf
$ mkdir -p prosody/rootfs/etc/ldap/
$ cat <<EOF> prosody/rootfs/etc/ldap/ldap.conf
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
URI $LDAP_URL
BASE $LDAP_BASE
SASL_MECH GSSAPI
EOF
- rebuild the image
docker build --build-arg BASE_TAG=stable-6726-1 --tag jitsi/prosody:stable-6726-1 .
Thanks for your help.
- the prosody/Dockerfile needs to install the prosody-modules dependencies?
IIRC that's a dependency of Prosody, isn't it? Or do you mean that you got it working by installing that package?
To get the LDAP components from Prosody, you have to add these dependencies. Indeed this package is missing. Nevertheless I haven't yet found how to get it working. I also started with the PAM module, but the corresponding Lua module is not provided by the package manager and this module is 9 years old. My goal is to link the Prosody auth mechanism to our FreeIPA server through LDAP or PAM.
LDAP support is community maintained, I don't even have the necessary setup to debug it (I could give it a try if someone would share a simple LDAP setup). So please let us know if you find a fix.
@bioinfornatics I've successfully connected Jitsi Docker version 6726-2 to a FreeIPA server version 4.9.6 using only the variables below. Also, my FreeIPA server has a valid certificate, but it works with self-signed certificates if you put 0 for LDAP_TLS_CHECK_PEER. Double check your LDAP_FILTER.
- ENABLE_AUTH=1
- AUTH_TYPE=ldap
- LDAP_URL=ldap://ipa.example.com
- LDAP_BASE=cn=users,cn=accounts,dc=example,dc=com
- LDAP_FILTER=(uid=%u)
- LDAP_VERSION=3
- LDAP_TLS_CHECK_PEER=1
- LDAP_START_TLS=1
Wow, thanks @alireza73uk, I will give it a try :pray:
Have a good day :-)
@alireza73uk I just noticed that you use the ldap protocol instead of ldaps. Did you try with ldaps?
@bioinfornatics I use ldap with StartTLS as it is more secure than ldaps. I tried out ldaps and it's working fine with the configuration below:
- LDAP_URL=ldaps://ipa.example.com
- LDAP_FILTER=(uid=%u)
- LDAP_VERSION=3
- LDAP_TLS_CHECK_PEER=1
Did you have to install any extra dependencies?
@alireza73uk In addition to @saghul's question, did you have to copy the /etc/ipa/ca.crt file into the container, or do something else to register the certificate?
Thanks, that looks promising :-)
@saghul No, I didn't install anything. I'm just using versions 6726-1 and 6726-2 right out of the box. @bioinfornatics No, I didn't do that. My FreeIPA certificate is from Let's Encrypt, maybe it's already registered. In my tests I figured out that my configuration doesn't work on version 6826 unless I comment out LDAP_TLS_CHECK_PEER.
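The thread ends up with two things worth checking before rebuilding images: whether the LDAP_* variables are internally consistent (the ldap:// plus LDAP_START_TLS versus ldaps:// point, LDAP_TLS_CHECK_PEER, a filter with %u), and whether the in-container ldapsearch / testsaslauthd steps from the first post agree. The script below is an added example written for this thread, not docker-jitsi-meet's own code. It assumes that the LDAP_* variables end up as the saslauthd LDAP backend options from cyrus-sasl's LDAP_SASLAUTHD documentation (ldap_servers, ldap_search_base, ldap_filter, ldap_start_tls, ldap_tls_check_peer, ...); the rendering in render_saslauthd_conf is my own mapping, not the project's template, and ipa.example.com, the base DN and the bind account are constructed sample values.

```shell
#!/bin/sh
# Added example, not docker-jitsi-meet code. Offline sanity checks for the
# LDAP_* variables used in this thread, plus a rendering of the saslauthd.conf
# that saslauthd (what the prosody container's Cyrus auth talks to) reads.
# ASSUMPTION: the LDAP_* -> saslauthd key mapping is mine, built from the
# option names in cyrus-sasl's LDAP_SASLAUTHD document, not the project's template.

# ldap_check URL BASE FILTER START_TLS CHECK_PEER CACERT_FILE
# Prints ERROR/WARNING/OK lines; returns 1 if any ERROR was found, else 0.
ldap_check() {
  url=$1; base=$2; filter=$3; start_tls=$4; check_peer=$5; cacert=$6
  rc=0
  case "$url" in
    ldap://*)  scheme=ldap ;;
    ldaps://*) scheme=ldaps ;;
    *) echo "ERROR: LDAP_URL must start with ldap:// or ldaps:// (got '$url')"; scheme=none; rc=1 ;;
  esac
  [ -n "$base" ] || { echo "ERROR: LDAP_BASE is empty"; rc=1; }
  # saslauthd substitutes %u with the login name; without it the filter can
  # never select the user who is authenticating (cf. "double check LDAP_FILTER").
  case "$filter" in
    *%u*) : ;;
    *) echo "ERROR: LDAP_FILTER '$filter' has no %u placeholder"; rc=1 ;;
  esac
  # StartTLS upgrades a cleartext ldap:// session; on an ldaps:// port the
  # session is already TLS and the StartTLS extended operation fails.
  if [ "$scheme" = ldaps ] && [ "$start_tls" = 1 ]; then
    echo "ERROR: LDAP_START_TLS=1 cannot be combined with an ldaps:// URL"; rc=1
  fi
  if [ "$scheme" = ldap ] && [ "$start_tls" != 1 ]; then
    echo "WARNING: cleartext LDAP: bind password and user passwords cross the wire unencrypted"
  fi
  if [ "$scheme" = ldaps ] || [ "$start_tls" = 1 ]; then
    if [ "$check_peer" != 1 ]; then
      echo "WARNING: LDAP_TLS_CHECK_PEER is not 1: the server certificate is not verified (MITM possible)"
    elif [ -n "$cacert" ] && [ ! -r "$cacert" ]; then
      echo "ERROR: LDAP_TLS_CACERT_FILE '$cacert' is not readable"; rc=1
    elif [ -z "$cacert" ]; then
      echo "OK: peer verified against the container's default CA bundle (fine for a public CA such as Let's Encrypt; set LDAP_TLS_CACERT_FILE, e.g. /etc/ipa/ca.crt, for a private CA)"
    fi
  fi
  [ "$rc" -eq 0 ] && echo "OK: no configuration errors"
  return "$rc"
}

# render_saslauthd_conf URL BASE FILTER VERSION START_TLS CHECK_PEER CACERT_FILE BINDDN BINDPW
# Writes a saslauthd.conf to stdout (assumed mapping, see header comment).
render_saslauthd_conf() {
  printf 'ldap_servers: %s\n'     "$1"
  printf 'ldap_search_base: %s\n' "$2"
  printf 'ldap_filter: %s\n'      "$3"
  printf 'ldap_version: %s\n'     "${4:-3}"
  printf 'ldap_auth_method: bind\n'   # find the user's DN, then bind as the user
  if [ "$5" = 1 ]; then printf 'ldap_start_tls: yes\n'; else printf 'ldap_start_tls: no\n'; fi
  if [ "$6" = 1 ]; then printf 'ldap_tls_check_peer: yes\n'; else printf 'ldap_tls_check_peer: no\n'; fi
  [ -n "$7" ] && printf 'ldap_tls_cacert_file: %s\n' "$7"
  # Bind DN/password are only needed when the directory refuses anonymous search.
  [ -n "$8" ] && printf 'ldap_bind_dn: %s\n' "$8"
  [ -n "$9" ] && printf 'ldap_bind_pw: %s\n' "$9"
  return 0
}

# ldap_live_check USER PASSWORD: the online part of the thread's procedure, to be
# run inside the prosody container (ldap-utils installed, LDAP_* in the env).
ldap_live_check() {
  user=$1; pass=$2
  user_filter=$(printf '%s' "$LDAP_FILTER" | sed "s/%u/$user/g")
  tls_opt=""
  [ "$LDAP_START_TLS" = 1 ] && tls_opt="-ZZ"      # -ZZ: fail unless StartTLS succeeds
  # libldap honours LDAPTLS_CACERT; point it at the private CA when one is configured.
  [ -n "$LDAP_TLS_CACERT_FILE" ] && export LDAPTLS_CACERT="$LDAP_TLS_CACERT_FILE"
  # 1. Can the bind account reach the server over TLS and find the user's DN?
  #    (-w puts the password in the process list; -y passwdfile is the quieter choice.)
  ldapsearch -x $tls_opt -H "$LDAP_URL" -D "$LDAP_BINDDN" -w "$LDAP_BINDPW" \
    -b "$LDAP_BASE" -LLL "$user_filter" dn
  # 2. Does saslauthd accept the user's own password? Same check as the first post.
  testsaslauthd -u "$user" -p "$pass"
}
```

To use it against a real .env, export the variables first (`set -a; . ./.env; set +a`), run `ldap_check "$LDAP_URL" "$LDAP_BASE" "$LDAP_FILTER" "$LDAP_START_TLS" "$LDAP_TLS_CHECK_PEER" "$LDAP_TLS_CACERT_FILE"` on the host, and only then exec into the prosody container for `ldap_live_check someone isasecret`. The point of the offline checks is that the two working configurations from the thread (ldap:// with LDAP_START_TLS=1, or ldaps:// without it, both with LDAP_TLS_CHECK_PEER=1) pass cleanly, while setting LDAP_TLS_CHECK_PEER=0 to make a self-signed certificate work is flagged as a warning rather than silently accepted.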