UCS jitsi Docker ldap

Hello,

im trying to setup jitsi Docker with ldap Authentification. But i cant get it working… Im no pro with ldap but im out of ideas atm. I cant find any usefull log entrys except the prosody log:

saslauthd[256] :auth failure: [user=USERNAME] [service=xmpp] [realm=meet.jitsi] [mech=ldap] [reason=Unknown]

Jitsi-meet is starting and i can visit the website. When i try to join a room login appers but username+passwort are always incorrect.

Relevant .env Settings

#
# Authentication configuration (see README for details)
#

# Enable authentication.
ENABLE_AUTH=1

# Enable guest access.
#ENABLE_GUESTS=1

# Select authentication type: internal, jwt or ldap
AUTH_TYPE=ldap
[...]
# LDAP authentication (for more information see the Cyrus SASL saslauthd.conf man page)
#

# LDAP url for connection.
LDAP_URL=ldap://FQDNServer:7389

# LDAP base DN. Can be empty
LDAP_BASE=DC=XXXX,DC=de

# LDAP user DN. Do not specify this parameter for the anonymous bind.
LDAP_BINDDN=uid=opsildapsearch,CN=users,DC=XXXX,DC=de

# LDAP user password. Do not specify this parameter for the anonymous bind.
LDAP_BINDPW=PASSWORT

# LDAP filter. Tokens example:
# %1-9 - if the input key is user@mail.domain.com, then %1 is com, %2 is domain and %3 is mail.
# %s - %s is replaced by the complete service string.
# %r - %r is replaced by the complete realm string.
LDAP_FILTER=(sAMAccountName=%u)

# LDAP authentication method
LDAP_AUTH_METHOD=bind

# LDAP version
#LDAP_VERSION=3

# LDAP TLS using
#LDAP_USE_TLS=1

# List of SSL/TLS ciphers to allow.
#LDAP_TLS_CIPHERS=SECURE256:SECURE128:!AES-128-CBC:!ARCFOUR-128:!CAMELLIA-128-CBC:!3DES-CBC:!CAMELLIA-128-CBC

# Require and verify server certificate
#LDAP_TLS_CHECK_PEER=0

# Path to CA cert file. Used when server sertificate verify is enabled.
#LDAP_TLS_CACERT_FILE=/etc/ssl/certs/ca-certificates.crt

# Path to CA certs directory. Used when server sertificate verify is enabled.
#LDAP_TLS_CACERT_DIR=/etc/ssl/certs

# Wether to use starttls, implies LDAPv3 and requires ldap:// instead of ldaps://
#LDAP_START_TLS=1

Any help/suggestions or ideas are appreciated.

env.txt (7.9 KB)

Maybe it would be a great Idea to create an App or cool Solution for it. I think a lot of people would love to use something like this with all the shutdowns happening.

Please check the logs if there are any LDAP connections at all:

ucr set ldap/debug/level=stats
service slapd restart
tail -f /var/log/syslog

Then try a login and check the logs.

To reset the loglevel:

ucr set ldap/debug/level=none
service slapd restart

Looks like its working. Maybe the ldap query/filter is wrong?

Mar 22 16:42:53 verwaltung slapd[28861]: conn=1021 fd=23 ACCEPT from IP=10.3.100.15:58512 (IP=0.0.0.0:7389)
Mar 22 16:42:53 verwaltung slapd[28861]: conn=1021 op=0 BIND dn="uid=opsildapsearch,cn=users,dc=XXXX,dc=de" method=128
Mar 22 16:42:53 verwaltung slapd[28861]: conn=1021 op=0 BIND dn="uid=opsildapsearch,cn=users,dc=XXXX,dc=de" mech=SIMPLE ssf=0
Mar 22 16:42:53 verwaltung slapd[28861]: conn=1021 op=0 RESULT tag=97 err=0 text=
Mar 22 16:42:53 verwaltung slapd[28861]: conn=1021 op=1 SRCH base="dc=XXXX,dc=de" scope=2 deref=0 filter="(?sAMAccountName=f.admin)"
Mar 22 16:42:53 verwaltung slapd[28861]: conn=1021 op=1 SRCH attr=dn
Mar 22 16:42:53 verwaltung slapd[28861]: conn=1021 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Mar 22 16:42:53 verwaltung slapd[28861]: conn=1000 op=207 SRCH base="dc=XXXX,dc=de" scope=0 deref=0 filter="(objectClass=*)"
Mar 22 16:42:53 verwaltung slapd[28861]: conn=1000 op=207 SEARCH RESULT tag=101 err=0 nentries=1 text=

Edit:
Solution single post

Fixed it with

LDAP_FILTER=(&(rocketchatActivated=TRUE)(uid=%u))

also only rocketchat Users are allowed to use jitsi.

Thanks for the hint

Great!
I think sAMAccountName is for connecting to a MS AD.

Hello,

in the meantime, there has been released a Jitsi app in the App Center. It comes with LDAP integration pre-configured.

Best regards,
Nico