Docker-jitsi-meet: Jitsi-meet with LDAP authentication does not work if user name is a full email address

Created on 23 Jan 2020  路  17Comments  路  Source: jitsi/docker-jitsi-meet

I spent two days trying to figure this out. Jitsi-meet worked fine for anonymous users. testsaslauthd worked successfully in the prosody docker container. There were no any errors in the docker-compose logs. The only thing I found by the end of my investigation is an error in the browser console - "Strophe: Server did not offer a supported authentication mechanism" and then "Unauthorized to start the conference" with textContent "not authorized user domain".

It happens that my LDAP server identifies users by their email addresses. But such IDs are silently rejected along the way to prosody.

For now, my instance of Jitsi-meet authenticates users with LDAP_FILTER=(mail=%[email protected]) configuration and users omit @my.domain1 part at login. However, not clear what I should do now with users in my.domain2, etc.

Most helpful comment

A workaround:

You can change the function toJid https://github.com/jitsi/jitsi-meet/blob/7684b2bf98a9b7f9fe719f8ffe86e968370ec523/react/features/base/connection/functions.js#L132 from:

export function toJid(id: string, { authdomain, domain }: Object): string {
    return id.indexOf('@') >= 0 ? id : `${id}@${authdomain || domain}`;
}

to:

export function toJid(id: string, { authdomain, domain }: Object): string {
    return `${id.split('@').join('.at.')}@${authdomain || domain}`;
}

Later, in /usr/lib/prosody/modules/mod_auth_ldap2/mod_auth_ldap2.lua change from:

function provider.test_password(username, password)
    return ldap.bind(username, password);
end

to:

function provider.test_password(username, password)
    local username = string.gsub(username, '.at.', '@');
    return ldap.bind(username, password);
end

And restart prosody.

Now in website can be login with email in LDAP and with the official mobile clients have to replace @ for .at.

All 17 comments

@netaskd any ideas?

Hard to say without looking into configuration. If testsaslauthd works, ldap requests works properly.
I guess the error "not authorized user domain" about XMPP domain that were configured in XMPP_AUTH_DOMAIN, XMPP_AUTH_DOMAIN and so on.

For filtering users in different domains try to use LDAP_FILTER=(|(mail=%[email protected])(mail=%[email protected]))
about ldap syntax you can read here: http://www.ldapexplorer.com/en/manual/109010000-ldap-filter-syntax.htm

Here is my .env file.

Thanks for the hint about LDAP_FILTER. It works.

Well, now I better understand the issue and I want to record this, so people may benefit from it.

LDAP authentication with LDAP_FILTER=(mail=%u) doesn't work if the user's email address is not in the same domain as XMPP_DOMAIN. Or vise versa if XMPP_DOMAIN is external.fqdn and user's email looks like [email protected] then authentication with full email address works, otherwise better use only user1 part as login name and LDAP_FILTER must be a bit more complicated as suggested by @netaskd.

Ok, that is quite sad, because we especially want external users to be able to login via email, so they don't have to memorize a username.

So what is the actual value of %u? Is it not what the user entered in the username field? That would be highly surprising to me. Where does additional stuff get added to this?

As recorded in the .env file above the LDAP_FILTER is (mail=%[email protected]). So, %u is indeed what user entered and in LDAP_FILTER the rest is added.

Ok, so logging in with Email is just broken at the moment and you worked around it by adding @tld in your ldap filter?

That's not going to work for us, as we'd especially like the email login for external users so they don't have to remember a username.

All our internal users us usernames anyways as it's less to type

@MaxNoe try to use filter like (mail=%U@%d)
More info here https://blog.sys4.de/cyrus-sasl-saslauthdconf-man-page-en.html
I think LDAP_FILTER=(sAMAccountName=%U) also might work.

@netaskd Tried that, still not working. I think the Problem is with this #303, it never even reaches the saslauth stack

@netaskd I tried with testsaslauth in the container, that works. But not through the webinterface:

$ testsaslauthd -u <email> -p $(read -s pwd; echo $pwd)

A workaround:

You can change the function toJid https://github.com/jitsi/jitsi-meet/blob/7684b2bf98a9b7f9fe719f8ffe86e968370ec523/react/features/base/connection/functions.js#L132 from:

export function toJid(id: string, { authdomain, domain }: Object): string {
    return id.indexOf('@') >= 0 ? id : `${id}@${authdomain || domain}`;
}

to:

export function toJid(id: string, { authdomain, domain }: Object): string {
    return `${id.split('@').join('.at.')}@${authdomain || domain}`;
}

Later, in /usr/lib/prosody/modules/mod_auth_ldap2/mod_auth_ldap2.lua change from:

function provider.test_password(username, password)
    return ldap.bind(username, password);
end

to:

function provider.test_password(username, password)
    local username = string.gsub(username, '.at.', '@');
    return ldap.bind(username, password);
end

And restart prosody.

Now in website can be login with email in LDAP and with the official mobile clients have to replace @ for .at.

@joker-x By any chance would you know what you needs to be patched for fix prosody auth for saslauthd?

@sooslaca you can set the XMPP_DOMAIN to the same domain as you try to use for the email to login.

In my case we only have 1 email domain so this is possible. But if there are multiple domains it will not work.

Example:

XMPP_DOMAIN = domain1.com

Now I can login with: [email protected]
Also with: foo
But __not__ with [email protected]

Gotcha, thx, unfortunately I鈥檇 love to use multiple domains

@johan-smits where can I find the XMPP_DOMAIN config

@Allen-yan It is in the documentation: https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-docker#advanced-configuration

Was this page helpful?
0 / 5 - 0 ratings

Related issues

mrWodoo picture mrWodoo  路  5Comments

tapionx picture tapionx  路  5Comments

ErrorInPersona picture ErrorInPersona  路  3Comments

bkempe picture bkempe  路  12Comments

chovy picture chovy  路  11Comments