LDAP Authentication for jitsi meet using cyrus/saslauthd

Secure Domain setup

Replace jitsi-meet.example.com with your hostname.

1. Prosody configuration : Enable anonymous login for guests

   Open file,
   /etc/prosody/conf.avail/[your-hostname].cfg.lua
   

   Add this block after the VirtualHost "[your-hostname]" block

    VirtualHost "guest.jitsi-meet.example.com"
    authentication = "anonymous"
    c2s_require_encryption = false
   

2. Jitsi Meet configuration
   Add anonymousdomain option in below file,
   /etc/jitsi/meet/[your-hostname]-config.js
   

    var config = {
    hosts: {
            domain: 'jitsi-meet.example.com',
            anonymousdomain: 'guest.jitsi-meet.example.com',
            ...
        },
        ...
    }
   

3. Jicofo configuration
   Open file,
   /etc/jitsi/jicofo/jicofo.conf
   

   Add authentication section,

    jicofo {
    authentication: {
    enabled: true
    type: XMPP
    login-url: jitsi-meet.example.com
    }
    ...
   

4. Create users in Prosody
   sudo prosodyctl register <username> jitsi-meet.example.com <password>

LDAP authentication

1. install the following packages
   apt install sasl2-bin libsasl2-modules-ldap lua-cyrussasl

2. Prosody config
   Open file,
   /etc/prosody/conf.avail/[your-hostname].cfg.lua

   Inside VirtualHost "jitsi-meet.example.com" make below changes

   1. Change the authentication to cyrus
      authentication = "cyrus"
   2. Add the "auth_cyrus" to modules_enabled
   3. Add below lines also
      cyrus_application_name = "xmpp"
allow_unencrypted_plain_auth = true
3. Configure saslauthd

   1. Create the file /etc/sasl/xmpp.conf.

      If the folder sasl does not exist, create it and add below lines.
      pwcheck_method: saslauthd
mech_list: PLAIN
      

   2. Create /etc/saslauthd.conf and add the following
      

       ldap_servers: ldap://10.0.0.1
       ldap_bind_dn: cn=Administrator,cn=Users,dc=foo,dc=bar
       ldap_bind_pw: PassW0rd
       ldap_search_base: dc=my,dc=search,dc=base
       ldap_filter: (sAMAccountName=%u)
       ldap_version: 3
       ldap_auth_method: bind
      

      
      Replace the IP with yours, as well as the search base and the Bind user/password

   3. The example above has NO TLS enabled. If you want TLS enabled, add the following in addition
      

       ldap_tls_key: /config/certs/meet.jit.si.key
       ldap_tls_cert: /config/certs/meet.jit.si.crt
       ldap_tls_check_peer: yes
       ldap_tls_cacert_file: /etc/ssl/certs/ca-certificates.crt
       ldap_tls_cacert_dir: /etc/ssl/certs
      

   4. Adapt to your needs. Also, change the URL scheme from ldap:// to ldaps://. Maybe you have to add ldap_tls_ciphers: , ldap_port: as well.

   5. Use another attribute than sAMAccountNam. A few filter examples:
      
      1. ldap_filter: (sAMAccountName=%u) searches inside the username field
         
      2. ldap_filter: (mail=%u) would allow you to eneter a email.
         
      3. Use ldap_filter: (mail=%u*) instead (note the * direct after the %u!), and tell your users to enter the portion before the @ sign of their mail address.
         

   6. Open file,
      /etc/default/saslauthd
      

      Make below changes

        Change START to yes
        Change MECHANISMS to ldap
        Change MECH_OPTIONS to /etc/saslauthd.conf
      

   7. Restart services
      sudo systemctl restart saslauthd
sudo systemctl restart prosody

   8. Run below command
      chmod 777 /var/run/saslauthd/
usermod -aG sasl prosody
4. Log file for debugging
   tail -f /var/log/auth.log

Next :

Setup JWT authentication for Jitsi meet
How encryption works on Jitsi meet