Jitsi-meet with LDAP authentication does not work if user name is a full email address

See original GitHub issue

I spent two days trying to figure this out. Jitsi-meet worked fine for anonymous users. testsaslauthd worked successfully in the prosody docker container. There were no any errors in the docker-compose logs. The only thing I found by the end of my investigation is an error in the browser console - “Strophe: Server did not offer a supported authentication mechanism” and then “Unauthorized to start the conference” with textContent “not authorized user domain”.

It happens that my LDAP server identifies users by their email addresses. But such IDs are silently rejected along the way to prosody.

For now, my instance of Jitsi-meet authenticates users with LDAP_FILTER=(mail=%u@my.domain1) configuration and users omit @my.domain1 part at login. However, not clear what I should do now with users in my.domain2, etc.

Issue Analytics

  • State:closed
  • Created 4 years ago
  • Reactions:1
  • Comments:19 (9 by maintainers)

github_iconTop GitHub Comments

4reactions
joker-xcommented, Apr 2, 2020

A workaround:

You can change the function toJid https://github.com/jitsi/jitsi-meet/blob/7684b2bf98a9b7f9fe719f8ffe86e968370ec523/react/features/base/connection/functions.js#L132 from:

export function toJid(id: string, { authdomain, domain }: Object): string {
    return id.indexOf('@') >= 0 ? id : `${id}@${authdomain || domain}`;
}

to:

export function toJid(id: string, { authdomain, domain }: Object): string {
    return `${id.split('@').join('.at.')}@${authdomain || domain}`;
}

Later, in /usr/lib/prosody/modules/mod_auth_ldap2/mod_auth_ldap2.lua change from:

function provider.test_password(username, password)
    return ldap.bind(username, password);
end

to:

function provider.test_password(username, password)
    local username = string.gsub(username, '.at.', '@');
    return ldap.bind(username, password);
end

And restart prosody.

Now in website can be login with email in LDAP and with the official mobile clients have to replace @ for .at.

1reaction
sooslacacommented, May 7, 2020

@joker-x By any chance would you know what you needs to be patched for fix prosody auth for saslauthd?

Read more comments on GitHub >

github_iconTop Results From Across the Web

[IMPORTANT] [HELP] LDAP integration with docker-jitsi-meet
Jitsi-meet with LDAP authentication does not work if user name is a full email address. I spent two days trying to figure this...
Read more >
Jitsi, Authentication against local AD server not working
As far as I can tell, this confirms the 'ldapservice' user is authenticated. But I cannot tell what query is run against the...
Read more >
5. Configuration of BSCW Servers
To access this personal view on the BSCW system every user needs to authenticate with an individual user name or an email address...
Read more >
Setting up TURN | Jitsi Meet - GitHub Pages
This technique doesn't require any special configuration on the XMPP server, but it exposes the credentials to your TURN server and other people...
Read more >
10 Jitsi Meet Best Practices - CLIMB
By enabling authentication for Jitsi Meet, users are required to provide credentials such as an email address or username and password ...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found