
Comments (12)

paweldomas commented on July 24, 2024

Hey,

Can you provide step-by-step instructions or a link to some tutorial for a basic config for a working Prosody + LDAP setup? This will make it easier to reproduce and fix.

from jicofo.

jbonachera commented on July 24, 2024

Sure, however, I don't think this problem is related to LDAP: if I set MECHANISMS="pam" in saslauthd.conf, I run into the same issue (and my XMPP client can open a session, so authentication is working).
It might be easier to reproduce using PAM, as it won't require an LDAP server!

Prosody SASL LDAP Configuration

You have to install ldap bindings for SASL, and sasl bindings for lua. On Debian:

apt-get install lua-cyrussasl libsasl2-modules-ldap  sasl2-bin

In the prosody vhost declaration, set

VirtualHost "jitsi.mydomain.com"
    authentication = "cyrus"
    cyrus_application_name = "xmpp"
    modules_enabled = {
            "bosh";
            "pubsub";
      }

-- These were added during Jitsi Meet installation

VirtualHost "guest.jitsi.mydomain.com"
     authentication = "anonymous"

Component "conference.jitsi.mydomain.com" "muc"

Component "jitsi-videobridge.jitsi.mydomain.com"
    component_secret = "verysecret"

VirtualHost "auth.jitsi.mydomain.com"
        authentication = "internal_plain"

Component "focus.jitsi.mydomain.com"
    component_secret = "moarsecret"

In /etc/sasl/xmpp.conf (I'm running Debian, so Cyrus SASL library configuration is in /etc/sasl):

pwcheck_method: saslauthd
mech_list: PLAIN

In /etc/default/saslauthd:

START=yes
DESC="SASL Authentication Daemon"
NAME="saslauthd"
MECHANISMS="ldap"
MECH_OPTIONS="/etc/saslauthd.conf"
OPTIONS="-c -m /var/run/saslauthd"

In /etc/saslauthd.conf:

ldap_servers: ldap://<your LDAP server>:389/
ldap_search_base: ou=People,dc=your,dc=basedn

(Our LDAP configuration is quite simple)

You need to add the user running prosody to the group owning /var/run/saslauthd, so, on Debian:

gpasswd -a prosody sasl

And then restart prosody and saslauthd:

service saslauthd restart
service prosody restart

You should now be able to test SASL authentication via the "testsaslauthd" command line tool:

root@jitsimeet ~ > testsaslauthd -u user -p password -s xmpp
0: OK "Success."

You should also be able to authenticate from an XMPP client.

from jicofo.

mwegrzynek commented on July 24, 2024

Hi! I would like to confirm @jbonachera's issue: Jitsi Meet works as advertised with authentication = "internal_plain", with authentication = "cyrus" it is stuck on "Connecting" message box.

In jicofo.log at that moment there are just repeating entries with

org.jitsi.jicofo.xmpp.FocusComponent.handleConferenceIq().382 Focus request xxx

without the usual

org.jitsi.jicofo.FocusManager.createConference().276 Created new focus

afterwards.

Also, recording and SIP connection stop working after setting authentication to internal_plain.

from jicofo.

mathiasfriman commented on July 24, 2024

The same happens also when using Prosody LDAP module: http://modules.prosody.im/mod_auth_ldap.html

from jicofo.

maxmad666 commented on July 24, 2024

Hi,
it works for me with pretty much the same configuration mentioned above...
maybe the jicofo config is missing...

/etc/jitsi/jicofo/sip-communicator.properties

org.jitsi.jicofo.auth.URL=XMPP:jitsi.mydomain.com

from jicofo.

mathiasfriman commented on July 24, 2024

That line is there in my config too :)

org.jitsi.jicofo.auth.URL=XMPP:videokonf.domain.com

I tested changing my /etc/prosody/conf.avail/videokonf.domain.com.cfg.lua to use internal_plain authentication. My file:

VirtualHost "videokonf.domain.com"
        authentication = "internal_plain"
        ssl = {
                key = "/etc/prosody/certs/videokonf.domain.com.key";
                certificate = "/etc/prosody/certs/videokonf.domain.com.crt";
        }
        -- we need bosh
        modules_enabled = {
            "bosh";
            "pubsub";
            "ping"; -- Enable mod_ping
        }

Component "conference.videokonf.domain.com" "muc"
admins = { "[email protected]" }

Component "jitsi-videobridge.videokonf.domain.com"
    component_secret = "password"

VirtualHost "auth.videokonf.domain.com"
        authentication = "internal_plain"

VirtualHost "guest.videokonf.domain.com"
        authentication = "anonymous"

Component "focus.videokonf.domain.com"
    component_secret = "password"

I then created a user with prosodyctl adduser [email protected] and tried to login. That worked flawlessly.

This is how jicofo.log looks then:

Sep 27, 2015 2:55:44 PM net.java.sip.communicator.util.Logger info
INFO: Focus request for room: [email protected] 
Sep 27, 2015 2:55:44 PM net.java.sip.communicator.util.Logger info
INFO: Focus request for room: [email protected] 
Sep 27, 2015 2:55:49 PM net.java.sip.communicator.util.Logger info
INFO: Focus request for room: [email protected]
Sep 27, 2015 2:55:49 PM net.java.sip.communicator.util.Logger info
INFO: Authentication session created for [email protected] SID: ced6ba4a-6e0b-4bc9-a658-dd628ef59040
Sep 27, 2015 2:55:49 PM net.java.sip.communicator.util.Logger info
INFO: Authenticated jid: [email protected]/b002db2e-e1d6-45cb-9b63-c07eedcba1d0 with session: AuthSession[[email protected], [email protected]/b002db2e-e1d6-45cb-9b63-c07eedcba1d0, SID=ced6ba4a-6e0b-4bc9-a658-dd628ef59040, MUID=dada63fa2635840017fbacef1df503ca, LIFE_TM_SEC=0, [email protected]]@1190029155
Sep 27, 2015 2:55:49 PM net.java.sip.communicator.util.Logger info
INFO: Jid [email protected]/b002db2e-e1d6-45cb-9b63-c07eedcba1d0 authenticated as: [email protected]
Sep 27, 2015 2:55:49 PM net.java.sip.communicator.util.Logger info
INFO: Created new focus for [email protected]@auth.videokonf.domain.com conferences count: 1 options:
    channelLastN: -1
    adaptiveLastN: false
    simulcastMode: rewriting
    adaptiveSimulcast: false
    bridge: jitsi-videobridge.videokonf.domain.com
    openSctp: true
Sep 27, 2015 2:55:49 PM net.java.sip.communicator.util.Logger info
INFO: Joining the room: [email protected]
Sep 27, 2015 2:55:49 PM net.java.sip.communicator.util.Logger info
INFO: Auto owner feature enabled
Sep 27, 2015 2:55:49 PM net.java.sip.communicator.util.Logger info
INFO: Focus role: OWNER init: true
Sep 27, 2015 2:55:49 PM net.java.sip.communicator.util.Logger info
INFO: Chat room event ChatRoomMemberPresenceChangeEvent[type=MemberJoined sourceRoom=org.jitsi.impl.protocol.xmpp.ChatRoomImpl@ae9bd16 member=org.jitsi.impl.protocol.xmpp.ChatMemberImpl@777cf4f2]
Sep 27, 2015 2:55:49 PM net.java.sip.communicator.util.Logger info
INFO: Member [email protected]/focus joined.
Sep 27, 2015 2:55:49 PM net.java.sip.communicator.util.Logger info
INFO: Focus role: OWNER init: false
Sep 27, 2015 2:55:49 PM net.java.sip.communicator.util.Logger info
INFO: Focus request for room: [email protected]
Sep 27, 2015 2:55:49 PM net.java.sip.communicator.util.Logger info
INFO: Authenticated jid: [email protected]/42a789f2-5868-4cd4-99c3-435ce0252a27 with session: AuthSession[[email protected], JID=a6b934f3-6d0c-4771-a038-7608b62975d4@guest.videokonf.domain.com/42a789f2-5868-4cd4-99c3-435ce0252a27, SID=ced6ba4a-6e0b-4bc9-a658-dd628ef59040, MUID=dada63fa2635840017fbacef1df503ca, LIFE_TM_SEC=0, [email protected]]@1190029155
Sep 27, 2015 2:55:49 PM net.java.sip.communicator.util.Logger info
INFO: Jid [email protected]/42a789f2-5868-4cd4-99c3-435ce0252a27 authenticated as: [email protected]
Sep 27, 2015 2:55:49 PM net.java.sip.communicator.util.Logger info
INFO: Focus request for room: [email protected]
Sep 27, 2015 2:55:49 PM net.java.sip.communicator.util.Logger info
INFO: Authenticated jid: [email protected]/42a789f2-5868-4cd4-99c3-435ce0252a27 with session: AuthSession[[email protected], JID=a6b934f3-6d0c-4771-a038-7608b62975d4@guest.videokonf.domain.com/42a789f2-5868-4cd4-99c3-435ce0252a27, SID=ced6ba4a-6e0b-4bc9-a658-dd628ef59040, MUID=dada63fa2635840017fbacef1df503ca, LIFE_TM_SEC=0, [email protected]]@1190029155
Sep 27, 2015 2:55:49 PM net.java.sip.communicator.util.Logger info
INFO: Jid [email protected]/42a789f2-5868-4cd4-99c3-435ce0252a27 authenticated as: [email protected]
Sep 27, 2015 2:55:49 PM net.java.sip.communicator.util.Logger info
INFO: Chat room event ChatRoomMemberPresenceChangeEvent[type=MemberJoined sourceRoom=org.jitsi.impl.protocol.xmpp.ChatRoomImpl@ae9bd16 member=org.jitsi.impl.protocol.xmpp.ChatMemberImpl@3e25065f]
Sep 27, 2015 2:55:49 PM net.java.sip.communicator.util.Logger info
INFO: Grant owner to [email protected]/42a789f2-5868-4cd4-99c3-435ce0252a27
Sep 27, 2015 2:55:49 PM net.java.sip.communicator.util.Logger info
INFO: Member [email protected]/a6b934f3 joined.
Sep 27, 2015 2:55:54 PM net.java.sip.communicator.util.Logger error
SEVERE: Ping timeout for ID: GoY7U-731

I then changed the videokonf.domain.com.cfg.lua to use LDAP for authentication. It looks like this:

VirtualHost "videokonf.domain.com"
        authentication = "ldap"
        ldap_base="dc=domain,dc=com"
        ldap_server="10.1.1.170:3268"
        ldap_rootdn="[email protected]" -- Also tried cn=jitsi,ou=blaha,dc=domain,dc=com and it does not work either.
        ldap_password="password"
        ldap_filter="sAMAccountName=$user"
        ldap_scope="subtree"
        ldap_tls="false"
        ldap_mode="bind"
        ssl = {
                key = "/etc/prosody/certs/videokonf.domain.com.key";
                certificate = "/etc/prosody/certs/videokonf.domain.com.crt";
        }
        -- we need bosh
        modules_enabled = {
            "bosh";
            "pubsub";
            "ping"; -- Enable mod_ping
        }

Component "conference.videokonf.domain.com" "muc"
admins = { "[email protected]" }

Component "jitsi-videobridge.videokonf.domain.com"
    component_secret = "password"

VirtualHost "auth.videokonf.domain.com"
        authentication = "internal_plain"

VirtualHost "guest.videokonf.domain.com"
        authentication = "anonymous"

Component "focus.videokonf.domain.com"
    component_secret = "password"

The LDAP config works from the jitsi-meet server using ldapsearch -D '[email protected]' l -x -W -H ldap://10.1.1.170:3268 -b 'dc=domain,dc=com' 'sAMAccountName=*'

The LDAP login works from Jitsi client, Empathy and Pidgin. When logging in with an XMPP client, the prosody log looks like this:

Sep 27 15:10:31 videokonf.domain.com:auth_ldap    debug    get_user("osdmatfri")
Sep 27 15:10:31 c2s10d9750    info    Authenticated as [email protected]
Sep 27 15:10:31 rostermanager    debug    load_roster: asked for: [email protected]
Sep 27 15:10:31 rostermanager    debug    load_roster: loading for new user: [email protected]
Sep 27 15:10:31 c2s10d9750    debug    Resource bound: [email protected]/85fbfde6
Sep 27 15:10:31 c2s10d9750    debug    Received[c2s]: <iq id='232003757585' type='get' to='[email protected]'>
Sep 27 15:10:31 videokonf.domain.com:presence    debug    outbound presence probe from [email protected] for [email protected]
Sep 27 15:10:31 videokonf.domain.com:presence    debug    inbound presence probe from [email protected] for [email protected]
Sep 27 15:10:31 videokonf.domain.com:presence    debug    broadcasted presence of 0 resources from [email protected] to [email protected]/85fbfde6
Sep 27 15:10:31 videokonf.domain.com:presence    debug    outbound presence probe from [email protected] for [email protected]
Sep 27 15:10:31 videokonf.domain.com:presence    debug    inbound presence probe from [email protected] for [email protected]
Sep 27 15:10:31 videokonf.domain.com:presence    debug    broadcasted presence of 1 resources from [email protected] to [email protected]/85fbfde6
Sep 27 15:10:31 datamanager    debug    Assuming empty offline storage ('cannot open /var/lib/prosody/videokonf%2edomain%2ecom/offline/osdmatfri.list: No such file or directory') for user: [email protected]
Sep 27 15:10:31 c2s10d9750    debug    Received[c2s]: <iq id='240204764539' type='get' to='[email protected]'>
Sep 27 15:10:31 c2s10d9750    debug    Received[c2s]: <iq id='disco' type='result' to='[email protected]' from='[email protected]/85fbfde6'>
Sep 27 15:10:31 c2s10d9750    debug    Received[c2s]: <iq id='237581766226' type='get' to='[email protected]'>
Sep 27 15:10:31 c2s10d9750    debug    Received[c2s]: <iq id='237650766294' type='get' to='[email protected]'>
Sep 27 15:10:31 jcpfcae40    debug    Received[component]: <iq id='239825768460' type='result' to='[email protected]/85fbfde6' from='jitsi-videobridge.videokonf.domain.com'>
Sep 27 15:10:31 c2s10d9750    debug    Received[c2s]: <iq id='245780770067' type='get' to='[email protected]'>
Sep 27 15:10:31 c2s10d9750    debug    Received[c2s]: <iq id='245785770078' type='get' to='[email protected]'>
Sep 27 15:10:31 c2s10d9750    debug    Received[c2s]: <iq id='245786770086' type='get' to='[email protected]'>
Sep 27 15:10:31 jcp111ba70    debug    Received[component]: <iq id='240212768588' type='result' to='[email protected]/85fbfde6' from='focus.videokonf.domain.com'>

When logging in from Jitsi-Meet, the prosody.log looks like this:

Sep 28 10:24:37 mod_bosh    info    New BOSH session, assigned it sid '2b7e24c8-044c-4cff-8209-ddf04b6352dc'
Sep 28 10:24:37 bosh2b7e24c8-044c-4cff-8209-ddf04b6352dc    info    Authenticated as aef3bab9-6e82-4f1e-b58b-4f2f84a1aafb@guest.videokonf.ostersund.se
Sep 28 10:24:54 mod_bosh    info    New BOSH session, assigned it sid '9faf363a-e2e5-423e-9108-9d2a0c147ef2'

Debug log here: https://paste.debian.net/plain/313618

The jicofo.log looks like this:

Sep 28, 2015 10:03:29 AM net.java.sip.communicator.util.Logger info
INFO: Focus request for room: [email protected]
Sep 28, 2015 10:03:29 AM net.java.sip.communicator.util.Logger info 
INFO: Focus request for room: [email protected]
Sep 28, 2015 10:03:30 AM net.java.sip.communicator.util.Logger info
INFO: Focus request for room: [email protected]
Sep 28, 2015 10:03:31 AM net.java.sip.communicator.util.Logger info
INFO: Focus request for room: [email protected]
Sep 28, 2015 10:03:35 AM net.java.sip.communicator.util.Logger info
INFO: Focus request for room: [email protected]

Endlessly.

My /etc/prosody/prosody.cfg.lua looks like this:

-- Prosody Configuration File

admins = { }

modules_enabled = {

    -- Generally required
    "roster"; -- Allow users to have a roster. Recommended ;)
    "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
    "tls"; -- Add support for secure TLS on c2s/s2s connections
    "dialback"; -- s2s dialback support
    "disco"; -- Service discovery

-- Not essential, but recommended
    "private"; -- Private XML storage (for room bookmarks, etc.)
    "vcard"; -- Allow users to set vCards

-- Nice to have
    "version"; -- Replies to server version requests
    "uptime"; -- Report how long server has been running
    "time"; -- Let others know the time here on this server
    "ping"; -- Replies to XMPP pings with pongs
    "pep"; -- Enables users to publish their mood, activity, playing music and more
    "register"; -- Allow users to register on this server using a client and change passwords

-- Admin interfaces
    "admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands

-- Other specific functionality
    "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
};

allow_registration = false;

consider_bosh_secure = true

daemonize = true;

pidfile = "/var/run/prosody/prosody.pid";

ssl = {
key = "/etc/prosody/certs/localhost.key";
certificate = "/etc/prosody/certs/localhost.crt";
}

c2s_require_encryption = false

s2s_secure_auth = false

authentication = "internal_plain"

log = {
-- Log files (change 'info' to 'debug' for debug logs):
info = "/var/log/prosody/prosody.log";
error = "/var/log/prosody/prosody.err";
-- Syslog:
{ levels = { "error" }; to = "syslog";  };
}

VirtualHost "example.com"
enabled = false -- Remove this line to enable this host

ssl = {
    key = "/etc/prosody/certs/example.com.key";
    certificate = "/etc/prosody/certs/example.com.crt";
}

Include "conf.d/*.cfg.lua"

My /etc/jitsi/meet/videokonf.domain.com-config.js looks like this:

/* jshint -W101 */
var config = {
//    configLocation: './config.json', // see ./modules/HttpConfigFetch.js
    hosts: {
        domain: 'videokonf.domain.com',
        anonymousdomain: 'guest.videokonf.domain.com',
        muc: 'conference.videokonf.domain.com', // FIXME: use XEP-0030
        bridge: 'jitsi-videobridge.videokonf.domain.com', // FIXME: use XEP-0030
        //jirecon: 'jirecon.videokonf.domain.com',
        //call_control: 'callcontrol.videokonf.domain.com',
        //focus: 'focus.videokonf.domain.com' - defaults to 'focus.videokonf.domain.com'
    },
//  getroomnode: function (path) { return 'someprefixpossiblybasedonpath'; },
//  useStunTurn: true, // use XEP-0215 to fetch STUN and TURN server
//  useIPv6: true, // ipv6 support. use at your own risk
    useNicks: false,
    bosh: '//videokonf.domain.com/http-bind', // FIXME: use xep-0156 for that
    etherpad_base: 'https://videokonf.domain.com/etherpad/p/',
    clientNode: 'http://jitsi.org/jitsimeet', // The name of client node advertised in XEP-0115 'c' stanza
    //focusUserJid: '[email protected]', // The real JID of focus participant - can be overridden here
    //defaultSipNumber: '', // Default SIP number

    // Desktop sharing method. Can be set to 'ext', 'webrtc' or false to disable.
    desktopSharingChromeMethod: 'ext',
    // The ID of the jidesha extension for Chrome.
    desktopSharingChromeExtId: 'jle[..]kfa',
    // The media sources to use when using screen sharing with the Chrome
    // extension.
    desktopSharingChromeSources: ['screen', 'window'],
    // Required version of Chrome extension
    desktopSharingChromeMinExtVersion: '0.1',

    // The ID of the jidesha extension for Firefox. If null, we assume that no
    // extension is required.
    desktopSharingFirefoxExtId: null,
    // Whether desktop sharing should be disabled on Firefox.
    desktopSharingFirefoxDisabled: true,
    // The maximum version of Firefox which requires a jidesha extension.
    // Example: if set to 41, we will require the extension for Firefox versions
    // up to and including 41. On Firefox 42 and higher, we will run without the
    // extension.
    // If set to -1, an extension will be required for all versions of Firefox.
    desktopSharingFirefoxMaxVersionExtRequired: -1,
    // The URL to the Firefox extension for desktop sharing.
    desktopSharingFirefoxExtensionURL: null,

    openSctp: true, // Toggle to enable/disable SCTP channels
    disableStats: false,
    disableAudioLevels: false,
    channelLastN: -1, // The default value of the channel attribute last-n.
    adaptiveLastN: false,
    adaptiveSimulcast: false,
    enableRecording: false,
    enableWelcomePage: true,
    enableSimulcast: false, // blocks FF support
    logStats: false, // Enable logging of PeerConnection stats via the focus
//    requireDisplayName: true,//Forces the participants that doesn't have display name to enter it when they enter the room.
//    startAudioMuted: 10, //every participant after the Nth will start audio muted
//    startVideoMuted: 10, //every participant after the Nth will start video muted
//    defaultLanguage: "en",
// To enable sending statistics to callstats.io you should provide Application ID and Secret.
//    callStatsID: "",//Application ID for callstats.io API
//    callStatsSecret: ""//Secret for callstats.io API 
    /*noticeMessage: 'Service update is scheduled for 16th March 2015. ' +
    'During that time service will not be available. ' +
    'Apologise for inconvenience.'*/ 
};

My /etc/jitsi/jicofo/sip-communicator.properties looks like this:

org.jitsi.impl.neomedia.transform.srtp.SRTPCryptoContext.checkReplay=false 
org.jitsi.videobridge.NAT_HARVESTER_LOCAL_ADDRESS=192.168.0.15
org.jitsi.videobridge.NAT_HARVESTER_PUBLIC_ADDRESS=xxx.xxx.xxx.xxx
org.jitsi.jicofo.auth.URL=XMPP:videokonf.domain.com

My /etc/jitsi/jicofo/config file:

# Jitsi Conference Focus settings
# sets the host name of the XMPP server
JICOFO_HOST=localhost

# sets the XMPP domain (default: none)
JICOFO_HOSTNAME=videokonf.domain.com

# sets the secret used to authenticate as an XMPP component
JICOFO_SECRET=password

# sets the port to use for the XMPP component connection
JICOFO_PORT=5347

# sets the XMPP domain name to use for XMPP user logins
JICOFO_AUTH_DOMAIN=auth.videokonf.domain.com

# sets the username to use for XMPP user logins
JICOFO_AUTH_USER=focus

# sets the password to use for XMPP user logins
JICOFO_AUTH_PASSWORD=password

# extra options to pass to the jicofo daemon
JICOFO_OPTS=""

Somewhere the communication falters. So, the tl;dr summary:

  • internal_plain authentication with Jitsi-Meet/jicofo works.
  • LDAP-authentication using XMPP client works.
  • LDAP-authentication with Jitsi-Meet/jicofo does not work.

from jicofo.

mathiasfriman commented on July 24, 2024

Chrome Developer Console gives me this when trying to login using internal_plain:

This appears to be Chrome, ver: 44
Synchronous XMLHttpRequest on the main thread is deprecated because of its detrimental effects to the end user's experience. For more help, check http://xhr.spec.whatwg.org/.
Using Chrome extension for desktop sharing
Get media constraints Object {audio: Object, video: Object}
Strophe status changed to CONNECTING null
Extension version is: 0.1.5
Chrome extension installed: true updateRequired: false
onUserMediaSuccess
got MediaStream {} 1 1
'webkitURL' is deprecated. Please use 'URL' instead.
Peer video type changed:  null camera
Strophe status changed to CONNECTED null
My Jabber ID: [email protected]/2d1b0fe6-7ca8-4c01-a386-4f80ac7f7e3b
Focus jid set to: undefined
Session ID: null machine UID: 35579784d57d6d0af862ae92c0d7f764
XMPP pings will be sent every 20000 ms
Unauthorized to start the conference <iq xmlns="jabber:client" type="error" to="403b2932-695e-   [email protected]/2d1b0fe6-7ca8-4c01-a386-4f80ac7f7e3b" from="focus.videokonf.domain.com" id="2:sendIQ">…</iq>
[..]
Focus jid set to: undefined
Session ID: null machine UID: 35579784d57d6d0af862ae92c0d7f764
Unauthorized to start the conference <iq xmlns="jabber:client" type="error" to="403b2932-695e-   [email protected]/2d1b0fe6-7ca8-4c01-a386-4f80ac7f7e3b" from="focus.videokonf.domain.com" id="8:sendIQ"><conference xmlns="http://jitsi.org/protocol/focus" room="[email protected]" machine-uid="35579784d57d6d0af862ae92c0d7f764">…</conference><error code="401" type="AUTH">…</error></iq>
Session ID: null machine UID: 35579784d57d6d0af862ae92c0d7f764
Received sessionId: 881599a0-8b13-4ccb-bb5e-0e4b44642ed4
Focus jid set to: undefined
Session ID: 881599a0-8b13-4ccb-bb5e-0e4b44642ed4 machine UID: 35579784d57d6d0af862ae92c0d7f764
Focus jid set to: [email protected]
Authentication enabled: true
External authentication enabled: false
Received sessionId: 881599a0-8b13-4ccb-bb5e-0e4b44642ed4
Sip gateway enabled: false
Joined MUC as [email protected]/403b2932
entered [email protected]/focus Object {show: "", status: "", affiliation: "owner", role: "moderator", jid: "[email protected]/focus11158088545"…}
Ignore focus: [email protected]/focus, real JID: [email protected]/focus11158088545
Peer video type changed:  403b2932 camera
My role changed, new role: participant
hover in 403b2932, video:  LocalVideo {videoSpanId: "localVideoContainer", container: span#localVideoContainer.videocontainer, VideoLayout: Object, flipX: true, isLocal: true…}
selected endpoint changed:  403b2932
My role changed, new role: moderator
UI enable dominant speaker Mathias (<span data-i18n="me">me</span>) 403b2932 true

And it gives me this when trying Prosody authentication using the ldap module:

This appears to be Chrome, ver: 44
Synchronous XMLHttpRequest on the main thread is deprecated because of its detrimental effects to the end user's experience. For more help, check http://xhr.spec.whatwg.org/.
Using Chrome extension for desktop sharing
Get media constraints Object
Strophe status changed to CONNECTING null
Extension version is: 0.1.5
Chrome extension installed: true updateRequired: false
Failed to get access to local media. Error  NavigatorUserMediaError Object
failed to obtain audio/video stream - trying audio only NavigatorUserMediaError
Get media constraints Object
Failed to get access to local media. Error  NavigatorUserMediaError Object
failed to obtain audio/video stream - stop NavigatorUserMediaError
'webkitURL' is deprecated. Please use 'URL' instead.
Peer video type changed:  null camera
Strophe status changed to CONNECTED null
My Jabber ID: 95d97c48-4643-464f-8ad1-7f76c2b2e8ff@guest.videokonf.ostersund.se/1a9d03ac-4a41-4dc0-bd66-0aea3370d731
Focus jid set to: undefined
Session ID: null machine UID: 35579784d57d6d0af862ae92c0d7f764
XMPP pings will be sent every 20000 ms
Unauthorized to start the conference <iq xmlns="jabber:client" type="error" to="95d97c48-4643-464f-8ad1-7f76c2b2e8ff@guest.videokonf.ostersund.se/1a9d03ac-4a41-4dc0-bd66-0aea3370d731" from="focus.videokonf.ostersund.se" id="2:sendIQ">…</iq>
Focus jid set to: undefined
Session ID: null machine UID: 35579784d57d6d0af862ae92c0d7f764
Unauthorized to start the conference <iq xmlns="jabber:client" type="error" to="95d97c48-4643-464f-8ad1-7f76c2b2e8ff@guest.videokonf.ostersund.se/1a9d03ac-4a41-4dc0-bd66-0aea3370d731" from="focus.videokonf.ostersund.se" id="3:sendIQ">…</iq>
[..]
Focus jid set to: undefined
Session ID: null machine UID: 35579784d57d6d0af862ae92c0d7f764
Unauthorized to start the conference <iq xmlns="jabber:client" type="error" to="95d97c48-4643-464f-8ad1-7f76c2b2e8ff@guest.videokonf.ostersund.se/1a9d03ac-4a41-4dc0-bd66-0aea3370d731" from="focus.videokonf.ostersund.se" id="18:sendIQ">…</iq>

from jicofo.

mathiasfriman commented on July 24, 2024

I've found a possible problem in the /var/log/prosody/prosody.log debug-log above:

Sep 28 10:03:46 boshed479f56-6a3b-420c-b330-00c1b4ea4bc6    debug   Received[c2s_unauthed]: <auth mechanism='PLAIN' xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
Sep 28 10:03:46 sasl    debug   Username or password violates SASLprep.
Sep 28 10:03:46 videokonf.domain.com:saslauth   debug   sasl reply: <failure xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><malformed-request/><text>Invalid username or password.</text></failure>

This is when using LDAP in prosody. It seems that it has to do with encoding Unicode strings. For me Jitsi-Meet failed when I used a password containing the letter ö (that is &ouml; in HTML-speak).

Testing another LDAP-account with a less complex password, it worked.

from jicofo.

xnyhps commented on July 24, 2024

The underlying problem appears to be that strophe.js fails to base64-encode non-ASCII UTF8:

strophe/strophejs#136

strophe/strophejs#147

from jicofo.
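
The encoding failure named in the comment above, as an added JavaScript (Node.js) example that is not part of the thread and is not code from strophe.js, Jitsi Meet or Prosody: it builds a SASL PLAIN response for a password containing ö with a one-byte-per-character encoder and with a UTF-8 encoder, then runs both through a simplified server-side check. The encoder model, the `decodePlain` and `nonAsciiChars` helpers and the account `alice` / `lösenord` are assumptions constructed for the illustration; the real server also applies SASLprep, which is not reproduced here.

```javascript
// Added illustration; not code from strophe.js, Jitsi Meet or Prosody.
// SASL PLAIN (RFC 4616) sends base64( [authzid] NUL authcid NUL passwd ),
// and all three fields must be UTF-8 on the wire.

function plainMessage(authcid, passwd, authzid = "") {
  return authzid + "\u0000" + authcid + "\u0000" + passwd;
}

// Assumed model of the failure: one byte per UTF-16 code unit. This is
// only correct while every character is ASCII.
function encodeNaive(msg) {
  const bytes = Buffer.alloc(msg.length);
  for (let i = 0; i < msg.length; i++) {
    bytes[i] = msg.charCodeAt(i) & 0xff;
  }
  return bytes.toString("base64");
}

// Corrected client side: convert to UTF-8 bytes first, then base64.
function encodeUtf8(msg) {
  return Buffer.from(msg, "utf8").toString("base64");
}

// Hypothetical, simplified stand-in for the server-side check: the payload
// must be valid UTF-8 and split into exactly three NUL-separated fields.
function decodePlain(b64) {
  const bytes = Buffer.from(b64, "base64");
  const text = bytes.toString("utf8"); // invalid sequences become U+FFFD
  if (!Buffer.from(text, "utf8").equals(bytes)) {
    return { ok: false, reason: "not valid UTF-8" };
  }
  const parts = text.split("\u0000");
  if (parts.length !== 3 || parts[1] === "" || parts[2] === "") {
    return { ok: false, reason: "malformed PLAIN message" };
  }
  return { ok: true, authzid: parts[0], authcid: parts[1], passwd: parts[2] };
}

// Lists the characters that make a credential sensitive to the encoding bug.
function nonAsciiChars(s) {
  return Array.from(s).filter((ch) => ch.codePointAt(0) > 0x7f);
}

// Runs one credential pair through both encoders and the server check.
function compare(authcid, passwd) {
  const msg = plainMessage(authcid, passwd);
  return {
    affected: nonAsciiChars(authcid + passwd),
    naive: decodePlain(encodeNaive(msg)),
    utf8: decodePlain(encodeUtf8(msg)),
  };
}

// Constructed sample credentials.
console.log(compare("alice", "l\u00f6senord")); // naive encoding is rejected
console.log(compare("alice", "password"));      // ASCII: both encodings agree
```

An ASCII-only password produces identical bytes from both encoders, which is why the fault only appears for accounts whose username or password contains characters such as å, ä or ö.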

mathiasfriman commented on July 24, 2024

I can confirm that this patch ( strophe/strophejs#136 ) allows Jitsi-Meet to authenticate with LDAP using SASL with a username or password that contains non-ASCII characters like (in my case) Swedish åäö and/or ÅÄÖ, which was previously not possible.

For now, I've modified a local copy of strophe.js and renamed it to strophe.min.js, which seems to do the trick for Jitsi-Meet; I don't have the knowledge yet to minify the js file.

from jicofo.

leonidas-o commented on July 24, 2024

@mathiasfriman I saw you are/were using mod_auth_ldap. I would like to write you a private message rather than spamming around in here; I've got some questions. How can I get in touch with you?

from jicofo.

bgrozev commented on July 24, 2024

Outdated

from jicofo.
