Authenticating Windows Active Directory users through LDAP to Jitsi Meet

Active Directory is Microsoft's directory service. It runs on Windows Server and provides authentication and authorization for the computers, users and groups of a domain, which is how security policy is enforced across the Windows machines that join it.

The Lightweight Directory Access Protocol (LDAP) is the protocol through which other systems talk to Active Directory. An LDAP client (here, the Prosody XMPP server that Jitsi Meet uses) connects to a domain controller, binds with a set of credentials and, if the bind succeeds, can search the directory. Authenticating a user therefore comes down to finding the user's entry in the directory and asking Active Directory to verify the password the user supplied. The diagram below shows how a login flows between the user, the Jitsi Meet server and Active Directory.

[image1: authentication flow between the user, the Jitsi Meet server and Active Directory]

  1. Login request to Jitsi Meet - the client sends its request together with the user's credentials
  2. Forward for authentication - the Jitsi Meet server passes the user's credentials to the LDAP server
  3. LDAP authentication - the LDAP server checks the submitted credentials against the user's identity in Active Directory (the account must exist and the password must be accepted)
  4. Access granted - if the credentials match, the user is logged in
  5. Access denied - if the credentials do not match, the client is refused

image2

LDAP authentication configuration on Jitsi Meet

  1. Install the Prosody community modules and the lua-ldap package they need
    sudo apt-get install prosody-modules lua-ldap
  2. Manually install LuaRocks for Lua 5.2 (luarocks-5.2)
  3. Install the OpenSSL 1.0 development headers, then the Lua rocks
    apt-get install libssl1.0-dev
    luarocks-5.2 install lualdap && luarocks-5.2 install luacrypto && luarocks-5.2 install jwt-jitsi
    (libssl1.0-dev only exists on older Debian/Ubuntu releases. The LDAP module itself needs only lualdap, which the lua-ldap package from step 1 already provides; luacrypto and jwt-jitsi are used by Jitsi's JWT token authentication, not by LDAP.)

  4. Configure the LDAP module in /etc/prosody/conf.avail/ldap.cfg.lua: the domain controller's host name, the bind DN and password of a read-only service account used to look up users, the base DN under which users are searched, and the attribute that holds the login name (sAMAccountName for Active Directory). Because the file contains a password, make it readable only by root and the prosody user.
  5. Link the configuration into the config directory
    ln -sf /etc/prosody/conf.avail/ldap.cfg.lua /etc/prosody/conf.d/

  6. Add the following line to /etc/prosody/prosody.cfg.lua so that Prosody accepts BOSH connections as secure, even though the BOSH leg itself is unencrypted, when encryption is required. This is only safe because TLS terminates at the web server in front of Prosody (the /http-bind proxy); if that proxy is not serving HTTPS, user passwords would cross the network in clear text.
    consider_bosh_secure = true

  7. Enable LDAP authentication
    edit /etc/prosody/conf.avail/jitsi.example.com.cfg.lua and, in the main
    VirtualHost (the one named after your domain), change the authentication to ldap2:
    authentication = "ldap2"
    Leave the auth.jitsi.example.com VirtualHost on internal_hashed; Jicofo and the videobridge log in through it.

  8. Finally, restart Prosody so the new configuration takes effect
    sudo service prosody restart
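Steps 1 and 4 to 8 of the procedure above as one idempotent script. This is an added example, not code from the original page or from the Jitsi project. The ldap.cfg.lua it writes follows the configuration keys of Prosody's mod_auth_ldap2 (mod_lib_ldap); the host names, the service-account DN, the base DN and the group are assumed placeholders to replace for your domain. The LuaRocks steps (2 and 3) are left to the text above. Two practitioner details the page does not spell out are built in: the AD filter excludes computer objects and disabled accounts, and only the main VirtualHost is switched to ldap2, so the auth. host that Jicofo uses keeps its internal_hashed setting.

```shell
#!/bin/sh
# Added example (not from the original page or the Jitsi project).
# All names below are ASSUMED placeholders; override them via the environment.
set -eu

PROSODY_DIR="${PROSODY_DIR:-/etc/prosody}"
JITSI_HOST="${JITSI_HOST:-jitsi.example.com}"                                # assumed
LDAP_HOST="${LDAP_HOST:-dc1.corp.example}"                                   # assumed domain controller
BIND_DN="${BIND_DN:-CN=svc-jitsi,OU=Service Accounts,DC=corp,DC=example}"   # assumed read-only service account
BIND_PW="${BIND_PW:-change-me}"
USER_BASEDN="${USER_BASEDN:-OU=Users,DC=corp,DC=example}"                    # assumed

# Steps 4 and 5: write conf.avail/ldap.cfg.lua for mod_auth_ldap2 and link it into conf.d.
write_ldap_config() {
  dir="$1"; ldap_host="$2"; bind_dn="$3"; bind_pw="$4"; basedn="$5"
  mkdir -p "$dir/conf.avail" "$dir/conf.d"
  cat > "$dir/conf.avail/ldap.cfg.lua" <<EOF
ldap = {
    hostname = '$ldap_host',
    use_tls = true,           -- STARTTLS to the domain controller; never bind in clear text
    bind_dn = '$bind_dn',     -- low-privilege account used only to search for the user entry
    bind_password = '$bind_pw',
    user = {
        basedn = '$basedn',
        -- AD user objects only: no computer accounts and no account with the
        -- ACCOUNTDISABLE bit (2) set in userAccountControl (bitwise-AND rule)
        filter = '(&(objectClass=user)(!(objectClass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))',
        usernamefield = 'sAMAccountName',
        namefield = 'cn',
    },
}
EOF
  # The file holds a bind password: root and the prosody user only (chown root:prosody when run as root).
  chmod 640 "$dir/conf.avail/ldap.cfg.lua"
  ln -sf "$dir/conf.avail/ldap.cfg.lua" "$dir/conf.d/ldap.cfg.lua"
}

# Step 7: set authentication = "<method>" only inside the block of VirtualHost "<host>",
# leaving every other VirtualHost (guest., auth.) untouched.
set_authentication() {
  cfg="$1"; host="$2"; method="$3"
  awk -v host="$host" -v method="$method" '
    /^VirtualHost[ \t]/ || /^Component[ \t]/ { inblock = (index($0, "\"" host "\"") > 0) }
    inblock && /^[ \t]*authentication[ \t]*=/ { sub(/authentication[ \t]*=.*/, "authentication = \"" method "\"") }
    { print }
  ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Read back the authentication method of one VirtualHost (used to verify the edit).
get_authentication() {
  awk -v host="$2" '
    /^VirtualHost[ \t]/ || /^Component[ \t]/ { inblock = (index($0, "\"" host "\"") > 0) }
    inblock && /^[ \t]*authentication[ \t]*=/ { split($0, parts, "\""); print parts[2]; exit }
  ' "$1"
}

main() {
  apt-get install -y prosody-modules lua-ldap                                       # step 1
  write_ldap_config "$PROSODY_DIR" "$LDAP_HOST" "$BIND_DN" "$BIND_PW" "$USER_BASEDN"
  grep -q '^consider_bosh_secure = true' "$PROSODY_DIR/prosody.cfg.lua" ||           # step 6
    echo 'consider_bosh_secure = true' >> "$PROSODY_DIR/prosody.cfg.lua"
  set_authentication "$PROSODY_DIR/conf.avail/$JITSI_HOST.cfg.lua" "$JITSI_HOST" ldap2
  prosodyctl check config                                                            # refuse to restart on a broken config
  systemctl restart prosody                                                          # step 8
}

# Run as: sudo ./setup-ldap2.sh apply   (without "apply" the functions are only defined)
if [ "${1:-}" = "apply" ]; then main; fi
```

Running it with a wrong bind password or an unreachable domain controller does not fail the script itself; check `prosodyctl check config` output and the Prosody log after the restart, and test a login with a disabled AD account to confirm the filter rejects it.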
