jitsi / docker-jitsi-meet

Jitsi Meet on Docker
https://hub.docker.com/u/jitsi/
Apache License 2.0

Cannot configure authentication with LDAP #459

Closed ClaudioSousa14 closed 4 years ago

ClaudioSousa14 commented 4 years ago

Hi guys,

I had jitsi running with no problems. Then I activated internal authentication and it worked great.

But now I'm trying to configure LDAP with no success at all. I already tested everything.

So I cannot see any traffic between my docker machine and my LDAP server. How can I see any logs? I already searched for them with no success.

Here is my .env file. All the comments were already commented and uncommented, with no difference at all:

# Enable authentication.
ENABLE_AUTH=1

# Enable guest access.
ENABLE_GUESTS=1

# Select authentication type: internal, jwt or ldap
AUTH_TYPE=ldap

# LDAP authentication (for more information see the Cyrus SASL saslauthd.conf man page)
#

# LDAP url for connection.
#LDAP_URL=diva.intranet.digitalsign.pt
#LDAP_URL=diva.intranet.digitalsign.pt:389

# LDAP base DN. Can be empty
#LDAP_BASE=CN=Users,DC=intranet,DC=digitalsign,DC=pt

# LDAP user DN. Do not specify this parameter for the anonymous bind.
#LDAP_BINDDN=jitsi@intranet.digitalsign.pt

# LDAP user password. Do not specify this parameter for the anonymous bind.
#LDAP_BINDPW=Bu6jhgvLK

# LDAP filter. Tokens example:
# %1-9 - if the input key is user@mail.domain.com, then %1 is com, %2 is domain and %3 is mail.
# %s - %s is replaced by the complete service string.
# %r - %r is replaced by the complete realm string.
#LDAP_FILTER=(sAMAccountName=%u)

# LDAP authentication method
#LDAP_AUTH_METHOD=bind

# LDAP version
#LDAP_VERSION=2

# LDAP TLS using
#LDAP_USE_TLS=0

# List of SSL/TLS ciphers to allow.
#LDAP_TLS_CIPHERS=SECURE256:SECURE128:!AES-128-CBC:!ARCFOUR-128:!CAMELLIA-128-CBC:!3DES-CBC:!CAMELLIA-128-CBC

# Require and verify server certificate
#LDAP_TLS_CHECK_PEER=0

# Path to CA cert file. Used when server certificate verify is enabled.
#LDAP_TLS_CACERT_FILE=/etc/ssl/certs/ca-certificates.crt

# Path to CA certs directory. Used when server certificate verify is enabled.
#LDAP_TLS_CACERT_DIR=/etc/ssl/certs

Thank you all.

saghul commented 4 years ago

Have you wiped the config volume before creating the containers again?

ClaudioSousa14 commented 4 years ago

Have you wiped the config volume before creating the containers again?

Every time I change the .env file I do:

# sudo rm -rf /root/.jitsi-meet-cfg
# sudo /usr/local/bin/docker-compose up -d

duynk318 commented 4 years ago

Maybe your ldap config is wrong somehow. Here is my example config for ldap based on your information.

LDAP_URL=ldap://diva.intranet.digitalsign.pt:389
LDAP_BASE=DC=intranet,DC=digitalsign,DC=pt
LDAP_BINDDN=CN=jitsi,DC=intranet,DC=digitalsign,DC=pt
LDAP_BINDPW=Bu6jhgvLK
LDAP_FILTER=(sAMAccountName=%u)
LDAP_AUTH_METHOD=bind
LDAP_VERSION=3

ClaudioSousa14 commented 4 years ago

Maybe your ldap config is wrong somehow. Here is my example config for ldap based on your information.

LDAP_URL=ldap://diva.intranet.digitalsign.pt:389
LDAP_BASE=DC=intranet,DC=digitalsign,DC=pt
LDAP_BINDDN=CN=jitsi,DC=intranet,DC=digitalsign,DC=pt
LDAP_BINDPW=Bu6jhgvLK
LDAP_FILTER=(sAMAccountName=%u)
LDAP_AUTH_METHOD=bind
LDAP_VERSION=3

Thank you for the reply. I tested with that configuration and it is the same. What I think is stranger is that whatever configuration I put, I don't see any traffic between my docker host and the LDAP server.

ClaudioSousa14 commented 4 years ago

I already made some small advances. When I configured ldap before, all pages were completely grey, with no options. Now I fixed it. So the problem is that if I change between "internal" and "ldap" the page stays grey. To solve that I need to:

  1. Change the .env file and comment all the lines:

#ENABLE_AUTH=1

# Enable guest access.
#ENABLE_GUESTS=1

# Select authentication type: internal, jwt or ldap
#AUTH_TYPE=ldap

  2. Delete the folder ".jitsi-meet-cfg";
  3. Compose docker;
  4. Change the .env file and uncomment the previous lines;
  5. Delete the folder ".jitsi-meet-cfg";
  6. Compose docker;

Now the page works and asks for authentication.
If I insert the user "jitsi" and the password I get the error "Incorrect username or password".
If I insert the user "intranet\jitsi" and the password I get the error "Incorrect username or password".
If I insert the user "jitsi@intranet.digitalsign.pt" and the password it keeps saying "Connecting" forever.

In all the cases explained I cannot see any traffic between my docker host and my LDAP server.
Does anybody know where I can see any logs?
Thank you all.

FacundoAcevedo commented 4 years ago

I think this commit https://github.com/jitsi/docker-jitsi-meet/commit/7aa2d8114c0da8ab0a2a8c5ec07e576eb4d887d7 helped, now the replacement is getting done

ClaudioSousa14 commented 4 years ago

I think this commit 7aa2d81 helped, now the replacement is getting done

Sorry, but what should that do differently? It is all the same.

netaskd commented 4 years ago

@ClaudioSousa14

  1. Try to debug this config with a username like "jitsi". Later you will need changes in LDAP_FILTER to use a different one.
  2. If your ldap url is set properly, there must be traffic to the ldap server. If not, try to debug your network connection with netcat from inside the prosody container.
  3. You can switch the prosody log to debug level to get more info inside the container.

ClaudioSousa14 commented 4 years ago

@ClaudioSousa14

  1. Try to debug this config with a username like "jitsi". Later you will need changes in LDAP_FILTER to use a different one.
  2. If your ldap url is set properly, there must be traffic to the ldap server. If not, try to debug your network connection with netcat from inside the prosody container.
  3. You can switch the prosody log to debug level to get more info inside the container.

So now I can already see traffic between the docker host and the LDAP server. My .env file is:

LDAP_URL=ldap://diva.intranet.digitalsign.pt/
LDAP_BASE=DC=intranet,DC=digitalsign,DC=pt
LDAP_BINDDN=CN=jitsi,DC=intranet,DC=digitalsign,DC=pt
LDAP_BINDPW=Bu8DpLK
LDAP_FILTER=(sAMAccountName=%u)
LDAP_AUTH_METHOD=bind
LDAP_VERSION=3
LDAP_USE_TLS=1
LDAP_TLS_CIPHERS=SECURE256:SECURE128
LDAP_TLS_CHECK_PEER=1
LDAP_TLS_CACERT_FILE=/etc/ssl/certs/ca-certificates.crt
LDAP_TLS_CACERT_DIR=/etc/ssl/certs
LDAP_START_TLS=0

Every time I received the message "Incorrect username or password". I already tried with different filters. Any idea? Really thank you.

netaskd commented 4 years ago

First of all, look at LDAP_URL=ldap://: it needs the ldaps scheme if you have LDAP_USE_TLS=1. Did you try to read the prosody log file? A command like docker-compose logs -f --tail=100 prosody usually shows where the problem is. Also, try to leave the LDAP_TLS_* parameters at their defaults for debugging.

ClaudioSousa14 commented 4 years ago

First of all, look at LDAP_URL=ldap://: it needs the ldaps scheme if you have LDAP_USE_TLS=1. Did you try to read the prosody log file? A command like docker-compose logs -f --tail=100 prosody usually shows where the problem is. Also, try to leave the LDAP_TLS_* parameters at their defaults for debugging.

So I changed what you suggested:

LDAP_URL=ldaps://diva.intranet.digitalsign.pt/
LDAP_USE_TLS=1
LDAP_TLS_CIPHERS=SECURE256:SECURE128:!AES-128-CBC:!ARCFOUR-128:!CAMELLIA-128-CBC:!3DES-CBC:!CAMELLIA-128-CBC
LDAP_START_TLS=1

And I checked the logs, but unfortunately without any luck:

prosody_1  | boshaecd6803-e4e3-49b7-b9c8-39176bcc4780  info     Authenticated as 7_98ftimw0ejpvpp@guest.meet.jitsi
prosody_1  | mod_bosh                                  info     New BOSH session, assigned it sid '50d3189e-5b98-458f-a1e3-6e595e4de4fc'
prosody_1  | saslauthd[270] :released accept lock
prosody_1  | saslauthd[273] :acquired accept lock
prosody_1  | saslauthd[270] :attempting a read lock on slot: 632
prosody_1  | saslauthd[270] :[login=jitsi] [service=xmpp] [realm=meet.jitsi]: not found, update pending
prosody_1  | saslauthd[270] :attempting to release lock on slot: 632
prosody_1  | saslauthd[270] :auth failure: [user=jitsi] [service=xmpp] [realm=meet.jitsi] [mech=ldap] [reason=Unknown]
prosody_1  | saslauthd[270] :response: NO

Any ideas? Really thank you for the help @netaskd

netaskd commented 4 years ago

My first guess: LDAP_START_TLS=1 -> LDAP_START_TLS=0

ClaudioSousa14 commented 4 years ago

So I changed to LDAP_START_TLS=0

And the log:

prosody_1  | mod_bosh                                  info     New BOSH session, assigned it sid '3e8b69dc-6820-47b8-8346-27379c7ad357'
prosody_1  | saslauthd[273] :released accept lock
prosody_1  | saslauthd[276] :acquired accept lock
prosody_1  | saslauthd[273] :attempting a read lock on slot: 632
prosody_1  | saslauthd[273] :[login=jitsi] [service=xmpp] [realm=meet.jitsi]: not found, update pending
prosody_1  | saslauthd[273] :attempting to release lock on slot: 632
prosody_1  | saslauthd[273] :auth failure: [user=jitsi] [service=xmpp] [realm=meet.jitsi] [mech=ldap] [reason=Unknown]
prosody_1  | saslauthd[273] :response: NO
prosody_1  | mod_bosh                                  info     New BOSH session, assigned it sid '2ad63114-d5d6-4b09-87ec-f1c01aa3319f'
prosody_1  | saslauthd[276] :released accept lock
prosody_1  | saslauthd[273] :acquired accept lock
prosody_1  | saslauthd[276] :attempting a read lock on slot: 235
prosody_1  | saslauthd[276] :[login=intranet\jitsi] [service=xmpp] [realm=meet.jitsi]: not found, update pending
prosody_1  | saslauthd[276] :attempting to release lock on slot: 235
prosody_1  | saslauthd[276] :auth failure: [user=intranet\jitsi] [service=xmpp] [realm=meet.jitsi] [mech=ldap] [reason=Unknown]
prosody_1  | saslauthd[276] :response: NO

On the prosody container:

[csousa@docker jitsi-meet]$ sudo /usr/local/bin/docker-compose exec prosody /bin/bash
[sudo] password for csousa:
root@22320e63fe13:/# testsaslauthd -u jitsi -p Bu8DpLK
0: NO "authentication failed"
root@22320e63fe13:/# testsaslauthd -u jitsi@intranet.digitalsign.pt -p Bu8DpLK
0: NO "authentication failed"
root@22320e63fe13:/# testsaslauthd -u "intranet\jitsi" -p Bu8DpLK
0: NO "authentication failed"
root@22320e63fe13:/# testsaslauthd -u "intranet/jitsi" -p Bu8DpLK
0: NO "authentication failed"
root@22320e63fe13:/# testsaslauthd -u "intranet.digitalsign.pt\jitsi" -p Bu8DpLK
0: NO "authentication failed"

How can I increase the log level?

netaskd commented 4 years ago

try to run strace testsaslauthd -u jitsi -p Bu8DpLK

ClaudioSousa14 commented 4 years ago

Sorry but it seems that the command does not exist on the container:

[csousa@docker jitsi-meet]$ sudo /usr/local/bin/docker-compose exec prosody /bin/bash
root@1171a9b4fd6f:/# strace testsaslauthd -u jitsi -p Bu8DpLK
bash: strace: command not found

netaskd commented 4 years ago

just install it and try again

phuocnguyenit96 commented 4 years ago

Hi @ClaudioSousa14, you use OpenLDAP, right? Have you fixed this issue?

ClaudioSousa14 commented 4 years ago

just install it and try again

Sorry for the delay, but work was a worry in the last days. I already ran strace, but unfortunately I cannot see any relevant information.

ClaudioSousa14 commented 4 years ago

Hi @ClaudioSousa14, you use OpenLDAP, right? Have you fixed this issue?

@phuocnguyenit96 No, I have a Windows Server with the domain controller running LDAP. And unfortunately I haven't fixed this issue yet.

phuocnguyenit96 commented 4 years ago

Hi @ClaudioSousa14, you use OpenLDAP, right? Have you fixed this issue?

@phuocnguyenit96 No, I have a Windows Server with the domain controller running LDAP. And unfortunately I haven't fixed this issue yet.

On the first installation I had the same issue; afterwards I resolved it, but I'm using "OpenLdap". This is my config:

ENABLE_AUTH=1
ENABLE_GUESTS=0
AUTH_TYPE=ldap
LDAP_URL=ldaps://ip-ldap:636
LDAP_BINDDN=uid=yourldapuser,OU=People,DC=yourDC,DC=yourDC
LDAP_BINDPW=
LDAP_FILTER=(uid=%u)
LDAP_AUTH_METHOD=bind
LDAP_USE_TLS=1

I hope it helps you

Doc-Saintly commented 4 years ago

Hi @ClaudioSousa14, you use OpenLDAP, right? Have you fixed this issue?

@phuocnguyenit96 No, I have a Windows Server with the domain controller running LDAP. And unfortunately I haven't fixed this issue yet.

On the first installation I had the same issue; afterwards I resolved it, but I'm using "OpenLdap". This is my config:

ENABLE_AUTH=1
ENABLE_GUESTS=0
AUTH_TYPE=ldap
LDAP_URL=ldaps://ip-ldap:636
LDAP_BINDDN=uid=yourldapuser,OU=People,DC=yourDC,DC=yourDC
LDAP_BINDPW=
LDAP_FILTER=(uid=%u)
LDAP_AUTH_METHOD=bind
LDAP_USE_TLS=1

I hope it helps you

This worked for me. I was doing a similar thing, and the only difference between my config and this one is the ldaps and USE_TLS=1. But the interesting thing is that my LDAP server still shows the request coming through on port 389, so it seems there's a misconfiguration in the prosody module.

ClaudioSousa14 commented 4 years ago

Hi guys,

Really thank you @phuocnguyenit96 and @Doc-Saintly

Now I can finally get this working. The only differences in my configuration:

LDAP_BASE=DC=intranet,DC=digitalsign,DC=pt
LDAP_BINDDN=CN=jitsi,CN=Users,DC=intranet,DC=digitalsign,DC=pt
LDAP_FILTER=(sAMAccountName=%u)

tusharsonawanes commented 4 years ago

Hello @ClaudioSousa14 @phuocnguyenit96 @Doc-Saintly, I need some help. Somehow the above thing doesn't work for me. Can you guys help me with this?

For my LDAP, I am referring to this setup: https://github.com/osixia/docker-openldap

Commands that I run:

docker run -p 389:389 -p 636:636 --name my-openldap-container --detach osixia/openldap:1.4.0
docker exec my-openldap-container ldapsearch -x -H ldap://localhost -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin

OUTPUT:

# extended LDIF
#
# LDAPv3
# base <dc=example,dc=org> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# example.org
dn: dc=example,dc=org
objectClass: top
objectClass: dcObject
objectClass: organization
o: Example Inc.
dc: example

# admin, example.org
dn: cn=admin,dc=example,dc=org
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9c3RKaFZOVHlTNjhrb1FxVTN2QTltY25pRzlTRndnSEU=

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

My .env for LDAP looks something like this:

ENABLE_AUTH=1
ENABLE_GUESTS=1
AUTH_TYPE=ldap
LDAP_URL=ldap://<system-ip>:389/
LDAP_BASE=dc=example,dc=org
LDAP_BINDDN=cn=admin,dc=example,dc=org
LDAP_BINDPW=e1NTSEF9c3RKaFZOVHlTNjhrb1FxVTN2QTltY25pRzlTRndnSEU=
LDAP_FILTER=(sAMAccountName=%u)
LDAP_AUTH_METHOD=bind
LDAP_VERSION=3
LDAP_USE_TLS=1

Please help me!!!

[ UPDATE ]

  1. I deleted the .jitsi-meet-cfg folder and when I docker-compose up again, it gives me the "If you are the host" dialog box, and when I enter the ID and password, which are admin and e1NTSEF9c3RKaFZOVHlTNjhrb1FxVTN2QTltY25pRzlTRndnSEU=, it gets stuck at Connecting
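The configuration mistakes this thread turns up (ldap:// combined with LDAP_USE_TLS=1, LDAP_START_TLS=1 on an ldaps:// URL, a bind DN missing the CN=Users container the account lives in, a filter attribute the directory type does not have, and the base64 userPassword hash from ldapsearch pasted as LDAP_BINDPW) can be caught before the containers are recreated. The lint below is an added example, not docker-jitsi-meet's own code; the per-directory login-attribute table and the sample host and DN are assumptions.

```python
import base64
import re

# Login-name attributes per directory type (assumption drawn from the configs in this thread).
LOGIN_ATTRS = {"ad": {"sAMAccountName", "userPrincipalName"}, "openldap": {"uid", "cn"}}


def parse_env(text):
    """Parse KEY=VALUE lines of a .env file, skipping blanks and # comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip()
    return env


def looks_like_password_hash(value):
    """True if LDAP_BINDPW is a userPassword hash (raw or as ldapsearch's base64) instead of the secret."""
    if value.startswith("{"):  # OpenLDAP hashes carry a scheme tag such as {SSHA}
        return True
    try:
        return base64.b64decode(value, validate=True).startswith(b"{")
    except ValueError:  # not base64 at all (binascii.Error is a ValueError), so a plain password
        return False


def lint_ldap_env(env, directory="ad"):
    """Return {finding_code: explanation} for the LDAP_* variables of a parsed .env."""
    findings = {}
    url, use_tls = env.get("LDAP_URL", ""), env.get("LDAP_USE_TLS", "0") == "1"
    if use_tls and url.startswith("ldap://"):
        findings["SCHEME"] = "LDAP_USE_TLS=1 but LDAP_URL uses ldap://; it needs the ldaps:// scheme"
    if env.get("LDAP_START_TLS", "0") == "1" and url.startswith("ldaps://"):
        findings["STARTTLS"] = "LDAP_START_TLS=1 on an ldaps:// URL; StartTLS on an already encrypted connection fails"
    if use_tls and env.get("LDAP_TLS_CHECK_PEER", "0") != "1":
        findings["CHECK_PEER"] = "TLS is on but LDAP_TLS_CHECK_PEER is not 1, so the server certificate is never verified"
    if looks_like_password_hash(env.get("LDAP_BINDPW", "")):
        findings["BINDPW_HASH"] = "LDAP_BINDPW looks like a userPassword hash copied from ldapsearch, not the bind password"
    m = re.fullmatch(r"\((\w+)=%u\)", env.get("LDAP_FILTER", ""))
    if m and m.group(1) not in LOGIN_ATTRS[directory]:
        findings["FILTER_ATTR"] = f"LDAP_FILTER matches on {m.group(1)}, which is not a login attribute on {directory}"
    rdns = [p.partition("=")[0].strip().upper() for p in env.get("LDAP_BINDDN", "").split(",")]
    if directory == "ad" and rdns[0] == "CN" and len(rdns) > 1 and all(r == "DC" for r in rdns[1:]):
        findings["BINDDN"] = "LDAP_BINDDN sits directly under the domain root; the account probably lives in CN=Users or an OU"
    return findings


if __name__ == "__main__":
    # Constructed sample reproducing the mistakes reported in the thread (placeholder host and DN).
    SAMPLE = ("LDAP_URL=ldap://ldap.example.test:389/\nLDAP_BINDDN=CN=svc-jitsi,DC=example,DC=test\n"
              "LDAP_BINDPW=e1NTSEF9c3RKaFZOVHlTNjhrb1FxVTN2QTltY25pRzlTRndnSEU=\nLDAP_FILTER=(sAMAccountName=%u)\nLDAP_USE_TLS=1\n")
    for code, msg in lint_ldap_env(parse_env(SAMPLE)).items():
        print(f"{code}: {msg}")
```

Run it against the .env before `docker-compose up`; an empty result for the Windows AD configuration at the end of this thread and the listed findings for the failing attempts above are what to expect.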

phuocnguyenit96 commented 4 years ago

Hi @tusharsonawanes, I'm using docker-compose to install jitsi. Have you tried my config? And what's the error log?

tusharsonawanes commented 4 years ago

@phuocnguyenit96 thank you so much for the quick reply

  1. So I changed these in my previous configuration file (the .env file) after referring to your config:

ENABLE_GUEST=0
LDAP_URL=ldaps://192.168.1.11:636
LDAP_FILTER=(cn=%u)

  2. I deleted that .jitsi-meet-config folder and did docker-compose up again.
  3. Still the same error exists.
  4. Can you guide me on which container's logs I should check?

phuocnguyenit96 commented 4 years ago

@phuocnguyenit96 thank you so much for the quick reply

  1. So I changed these in my previous configuration file (the .env file) after referring to your config:

ENABLE_GUEST=0
LDAP_URL=ldaps://192.168.1.11:636
LDAP_FILTER=(cn=%u)

  2. I deleted that .jitsi-meet-config folder and did docker-compose up again.
  3. Still the same error exists.
  4. Can you guide me on which container's logs I should check?

Sorry bro, I reply late. My suggestions:

  1. Monitor the LDAP logs
  2. Monitor the docker logs: docker logs -f my-openldap-container
  3. Try this config:

LDAP_BINDDN=uid=yourldapuser,OU=People,DC=yourDC,DC=yourDC
LDAP_FILTER=(uid=%u)

And show me the results (screenshot of docker logs if you can ^^).

ClaudioSousa14 commented 4 years ago

@phuocnguyenit96 thank you so much for the quick reply

  1. So I changed these in my previous configuration file (the .env file) after referring to your config:

ENABLE_GUEST=0
LDAP_URL=ldaps://192.168.1.11:636
LDAP_FILTER=(cn=%u)

  2. I deleted that .jitsi-meet-config folder and did docker-compose up again.
  3. Still the same error exists.
  4. Can you guide me on which container's logs I should check?

Hi @phuocnguyenit96,

Haven't you fixed the problem yet? The only way I could figure out my problem was using Wireshark to check what was sent to the LDAP server and to see the response from the LDAP server.

So use LDAP communication instead of LDAPS and use Wireshark to analyse the traffic on port 389. You will see that the errors will be very clear.

Hope it helps.

phuocnguyenit96 commented 4 years ago

@phuocnguyenit96 thank you so much for the quick reply

  1. So I changed these in my previous configuration file (the .env file) after referring to your config:

ENABLE_GUEST=0
LDAP_URL=ldaps://192.168.1.11:636
LDAP_FILTER=(cn=%u)

  2. I deleted that .jitsi-meet-config folder and did docker-compose up again.
  3. Still the same error exists.
  4. Can you guide me on which container's logs I should check?

Sorry bro, I reply late. My suggestions:

  1. Monitor the LDAP logs
  2. Monitor the docker logs: docker logs -f my-openldap-container
  3. Try this config:

LDAP_BINDDN=uid=yourldapuser,OU=People,DC=yourDC,DC=yourDC
LDAP_FILTER=(uid=%u)

And show me the results (screenshot of docker logs if you can ^^).

Have you resolved your issue? @tusharsonawanes

tusharsonawanes commented 4 years ago

@phuocnguyenit96 not really. Need to work on this

wanghaoqd commented 5 months ago

Thanks to all the comments above! I have a Windows AD domain which is on functional level "2008 R2". And this is the working .env configuration for me:

ENABLE_AUTH=1
ENABLE_GUESTS=0
AUTH_TYPE=ldap
LDAP_URL=ldap://192.168.6.10:389
LDAP_BASE=DC=company,DC=com
LDAP_BINDDN=CN=jitsimeetuser,OU=devices,DC=company,DC=com
LDAP_BINDPW=password-for-jitsimeetuser
LDAP_FILTER=(sAMAccountName=%u)
LDAP_AUTH_METHOD=bind
LDAP_VERSION=3
LDAP_USE_TLS=0