Secure Domain setup

Replace [your-hostname] with your hostname.

  1. Prosody configuration: enable anonymous login for guests

    Open file,

    Add this block after the VirtualHost "[your-hostname]" block:

     VirtualHost ""
     authentication = "anonymous"
     c2s_require_encryption = false
  2. Jitsi Meet configuration
    Add the anonymousdomain option to the hosts section of the file below:

     var config = {
         hosts: {
             domain: '',
             anonymousdomain: '',
         },
         // ... rest of the existing configuration is unchanged
     };
  3. Jicofo configuration
    Open file,

    Add the authentication section:

     jicofo {
         authentication: {
             enabled: true
             type: XMPP
         }
     }
  4. Create users in Prosody
    sudo prosodyctl register <username> <password>

LDAP authentication

  1. Install the following packages
    apt install sasl2-bin libsasl2-modules-ldap lua-cyrussasl

  2. Prosody config
    Open file,

    Inside the VirtualHost "" block, make the changes below

    1. Change the authentication method to cyrus
      authentication = "cyrus"
    2. Add "auth_cyrus" to modules_enabled
    3. Also add the following lines
      cyrus_application_name = "xmpp"
      allow_unencrypted_plain_auth = true
  3. Configure saslauthd
    1. Create the file /etc/sasl/xmpp.conf.

      If the /etc/sasl directory does not exist, create it first. Put the following lines in the file:
      pwcheck_method: saslauthd
      mech_list: PLAIN

    2. Create /etc/saslauthd.conf and add the following
       ldap_servers: ldap://
       ldap_bind_dn: cn=Administrator,cn=Users,dc=foo,dc=bar
       ldap_bind_pw: PassW0rd
       ldap_search_base: dc=my,dc=search,dc=base
       ldap_filter: (sAMAccountName=%u)
       ldap_version: 3
       ldap_auth_method: bind

      Replace the IP with yours, as well as the search base and the bind user/password.

    3. The example above has no TLS enabled. To enable TLS, add the following as well:
       ldap_tls_key: /config/certs/
       ldap_tls_cert: /config/certs/
       ldap_tls_check_peer: yes
       ldap_tls_cacert_file: /etc/ssl/certs/ca-certificates.crt
       ldap_tls_cacert_dir: /etc/ssl/certs
    4. Adapt the paths to your setup, and change the URL scheme in ldap_servers from ldap:// to ldaps://. You may also need to set ldap_tls_ciphers: and ldap_port:.

    5. To match on an attribute other than sAMAccountName, change ldap_filter. A few filter examples:
      1. ldap_filter: (sAMAccountName=%u) searches the username field.
      2. ldap_filter: (mail=%u) would allow users to enter an email address.
      3. Use ldap_filter: (mail=%u*) instead (note the * directly after the %u!), and tell your users to enter the portion of their mail address before the @ sign.
    6. Open file,

      Make the following changes

        Change START to yes
        Change MECHANISMS to ldap
        Change MECH_OPTIONS to /etc/saslauthd.conf
    7. Restart services
      sudo systemctl restart saslauthd
      sudo systemctl restart prosody

    8. Run the commands below
      chmod 777 /var/run/saslauthd/
      usermod -aG sasl prosody

      Note that chmod 777 makes the saslauthd socket directory world-writable. The usermod line, which adds the prosody user to the sasl group, is what actually grants Prosody access to the socket, so prefer the group membership and check whether the chmod is needed at all.
  4. Log file for debugging
    tail -f /var/log/auth.log
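As an added check, not part of the original guide, the script below lints an /etc/saslauthd.conf for the plaintext-LDAP and peer-verification settings discussed in steps 2 and 3 above, and wraps testsaslauthd so you can confirm saslauthd accepts a credential before pointing Prosody at it. The Debian socket path /var/run/saslauthd/mux, the 192.0.2.10 sample server and the embedded sample config are assumptions.

```shell
#!/bin/sh
# Added example (not from the original guide): lint saslauthd.conf for the weak
# LDAP settings discussed above, then optionally exercise the saslauthd socket.

# conf_value FILE KEY -> first "KEY: value" in FILE (empty if absent)
conf_value() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1
}

# check_saslauthd_conf FILE -> 0 if LDAP traffic is encrypted with peer
# verification and auth uses a bind; otherwise 1, with reasons on stderr.
check_saslauthd_conf() {
    f=$1; rc=0
    servers=$(conf_value "$f" ldap_servers)
    starttls=$(conf_value "$f" ldap_start_tls)
    peer=$(conf_value "$f" ldap_tls_check_peer)
    method=$(conf_value "$f" ldap_auth_method)
    filter=$(conf_value "$f" ldap_filter)
    case "$servers" in
        ldaps://*) ;;                                 # TLS from the first byte
        ldap://*)  [ "$starttls" = "yes" ] ||
                   { echo "WARN: $servers sends the bind password in clear" >&2; rc=1; } ;;
        *)         echo "WARN: ldap_servers missing or malformed" >&2; rc=1 ;;
    esac
    [ "$peer" = "yes" ]    || { echo "WARN: ldap_tls_check_peer is not yes" >&2; rc=1; }
    [ "$method" = "bind" ] || { echo "WARN: ldap_auth_method should be bind" >&2; rc=1; }
    case "$filter" in
        *"%u*)"*) echo "NOTE: '$filter' is a prefix match, not an exact one" >&2 ;;
    esac
    return $rc
}

# auth_smoke_test USER PASS -> asks the running saslauthd (Debian socket path
# assumed) to verify a credential, the same way Prosody's auth_cyrus will.
auth_smoke_test() {
    command -v testsaslauthd >/dev/null || { echo "testsaslauthd not installed" >&2; return 2; }
    testsaslauthd -u "$1" -p "$2" -f /var/run/saslauthd/mux
}

# Demo on a constructed config mirroring the guide's plaintext example.
sample=$(mktemp)
cat >"$sample" <<'EOF'
ldap_servers: ldap://192.0.2.10
ldap_bind_dn: cn=Administrator,cn=Users,dc=foo,dc=bar
ldap_filter: (mail=%u*)
ldap_auth_method: bind
EOF
check_saslauthd_conf "$sample" || echo "fix the settings above before enabling auth_cyrus"
rm -f "$sample"
```

Run auth_smoke_test with a test account after restarting saslauthd; a failure here means the LDAP side is wrong, not Prosody.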
