Secure Domain setup

Replace jitsi-meet.example.com with your hostname.

  1. Prosody configuration : enable authentication on the main domain and anonymous login for guests

    Open file,
    /etc/prosody/conf.avail/[your-hostname].cfg.lua

    In the existing VirtualHost "jitsi-meet.example.com" block, change the authentication
    provider from "anonymous" (or "jitsi-anonymous") to "internal_hashed". Without this
    change the main domain keeps accepting unauthenticated users and the accounts created
    in step 4 are never required.

    Then add this block after the VirtualHost "jitsi-meet.example.com" block

     VirtualHost "guest.jitsi-meet.example.com"
         authentication = "anonymous"
         c2s_require_encryption = false

  2. Jitsi Meet configuration
    Add the anonymousdomain option to the hosts section of the file below,
    /etc/jitsi/meet/[your-hostname]-config.js

     var config = {
         hosts: {
             domain: 'jitsi-meet.example.com',
             anonymousdomain: 'guest.jitsi-meet.example.com',
             ...
         },
         ...
     }

  3. Jicofo configuration
    Open file,
    /etc/jitsi/jicofo/jicofo.conf

    Add the authentication section inside the jicofo block. Despite its name, login-url
    holds the main (authenticated) XMPP domain, not a web URL.

     jicofo {
         authentication: {
             enabled: true
             type: XMPP
             login-url: jitsi-meet.example.com
         }
         ...

  4. Create users in Prosody
    sudo prosodyctl register <username> jitsi-meet.example.com <password>

    A password given on the command line lands in the shell history and is visible in the
    process list while the command runs; prosodyctl adduser <username>@jitsi-meet.example.com
    prompts for it instead. Restart prosody and jicofo afterwards so the new settings take effect.
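The three files edited above have to agree with each other: the guest domain in Prosody must be the anonymousdomain in config.js, the main VirtualHost must no longer be anonymous, and jicofo's login-url must be the main domain. The script below is an added check written for this page, not code from the Jitsi project; it parses constructed copies of the three files (simplified regex parsing, so it assumes the files look like the snippets above) and lists every mismatch. Point it at the real files by passing their three paths as arguments.

```python
import re

# Constructed sample files mirroring the three edits above (not copied from a live host).
PROSODY_CFG = '''
VirtualHost "jitsi-meet.example.com"
    authentication = "internal_hashed"
    c2s_require_encryption = false

VirtualHost "guest.jitsi-meet.example.com"
    authentication = "anonymous"
    c2s_require_encryption = false
'''

MEET_CONFIG_JS = '''
var config = {
    hosts: {
        domain: 'jitsi-meet.example.com',
        anonymousdomain: 'guest.jitsi-meet.example.com',
    },
};
'''

JICOFO_CONF = '''
jicofo {
  authentication: {
    enabled: true
    type: XMPP
    login-url: jitsi-meet.example.com
  }
}
'''


def prosody_vhosts(text):
    """Map each VirtualHost to its authentication provider (None if none is set)."""
    hosts, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r'VirtualHost\s+"([^"]+)"', line)
        if m:
            current = m.group(1)
            hosts[current] = None
            continue
        m = re.match(r'authentication\s*=\s*"([^"]+)"', line)
        if m and current:
            hosts[current] = m.group(1)
    return hosts


def meet_hosts(text):
    """Return (domain, anonymousdomain) from config.js; a missing key yields None."""
    dom = re.search(r"\bdomain:\s*'([^']+)'", text)
    anon = re.search(r"\banonymousdomain:\s*'([^']+)'", text)
    return (dom.group(1) if dom else None, anon.group(1) if anon else None)


def jicofo_auth(text):
    """Pull enabled/type/login-url out of the authentication block of jicofo.conf (HOCON, regex-parsed)."""
    block = re.search(r'authentication\s*[:=]?\s*\{([^}]*)\}', text)
    body = block.group(1) if block else ''

    def grab(key):
        m = re.search(r'\b' + re.escape(key) + r'\s*[:=]\s*"?([^\s",}]+)', body)
        return m.group(1) if m else None

    return {'enabled': grab('enabled'), 'type': grab('type'), 'login-url': grab('login-url')}


def check_secure_domain(prosody_cfg, meet_config_js, jicofo_conf):
    """Return a list of problems; an empty list means the three files agree."""
    problems = []
    vhosts = prosody_vhosts(prosody_cfg)
    domain, anon = meet_hosts(meet_config_js)
    auth = jicofo_auth(jicofo_conf)
    if domain not in vhosts:
        problems.append(f'no VirtualHost for main domain {domain!r} in Prosody')
    elif vhosts[domain] in (None, 'anonymous', 'jitsi-anonymous'):
        # The classic mistake: guests still get in because the main domain never required a login.
        problems.append(f'main domain {domain!r} still allows anonymous login; set authentication = "internal_hashed"')
    if anon is None:
        problems.append('config.js has no anonymousdomain; guests will be asked to log in')
    elif vhosts.get(anon) != 'anonymous':
        problems.append(f'guest domain {anon!r} is not a VirtualHost with authentication = "anonymous"')
    if auth['enabled'] != 'true' or auth['type'] != 'XMPP':
        problems.append('jicofo authentication is not enabled with type XMPP')
    if auth['login-url'] != domain:
        problems.append(f"jicofo login-url {auth['login-url']!r} does not match main domain {domain!r}")
    return problems


if __name__ == '__main__':
    import sys
    if len(sys.argv) == 4:  # prosody cfg, config.js, jicofo.conf
        texts = [open(p, encoding='utf-8').read() for p in sys.argv[1:]]
    else:
        texts = [PROSODY_CFG, MEET_CONFIG_JS, JICOFO_CONF]
    for line in check_secure_domain(*texts) or ['OK: the three files agree']:
        print(line)
```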

LDAP authentication

  1. install the following packages
    apt install sasl2-bin libsasl2-modules-ldap lua-cyrussasl

  2. Prosody config
    Open file,
    /etc/prosody/conf.avail/[your-hostname].cfg.lua

    Inside VirtualHost "jitsi-meet.example.com" make the changes below (the guest VirtualHost
    from the secure domain setup stays anonymous)

    1. Change the authentication provider to cyrus
      authentication = "cyrus"
    2. Add "auth_cyrus" to modules_enabled
    3. Add these lines as well
      cyrus_application_name = "xmpp"
      allow_unencrypted_plain_auth = true

    allow_unencrypted_plain_auth = true makes Prosody offer PLAIN (the only mechanism
    saslauthd is configured with below) even on a stream it does not consider encrypted.
    The password is then only as protected as the transport, so keep clients on the
    HTTPS-terminating proxy and do not expose the plain XMPP client port (5222) outside the host.
  3. Configure saslauthd
    1. Create the file /etc/sasl/xmpp.conf (the name matches the cyrus_application_name set in Prosody).

      If the folder sasl does not exist, create it. Add these lines:
      pwcheck_method: saslauthd
      mech_list: PLAIN

    2. Create /etc/saslauthd.conf and add the following
       ldap_servers: ldap://10.0.0.1
       ldap_bind_dn: cn=Administrator,cn=Users,dc=foo,dc=bar
       ldap_bind_pw: PassW0rd
       ldap_search_base: dc=my,dc=search,dc=base
       ldap_filter: (sAMAccountName=%u)
       ldap_version: 3
       ldap_auth_method: bind

      Replace the IP with yours, as well as the search base and the bind user/password.
      The file holds the bind password in clear text, so keep it owned by root with mode 0600,
      and prefer a read-only directory account for the bind DN over an administrator.

    3. The example above has NO TLS enabled: passwords travel to the directory in clear text.
      To enable TLS, add the following in addition
       ldap_tls_key: /config/certs/meet.jit.si.key
       ldap_tls_cert: /config/certs/meet.jit.si.crt
       ldap_tls_check_peer: yes
       ldap_tls_cacert_file: /etc/ssl/certs/ca-certificates.crt
       ldap_tls_cacert_dir: /etc/ssl/certs

      ldap_tls_check_peer: yes together with a trusted CA bundle is what verifies the directory
      server's certificate. ldap_tls_key and ldap_tls_cert are a client certificate and only
      matter if the server requires one.

    4. Adapt the paths to your own certificates and change the URL scheme in ldap_servers from
       ldap:// to ldaps://. Depending on the server you may also need ldap_port: and ldap_tls_ciphers:.

    5. To look users up by an attribute other than sAMAccountName, change the filter. A few examples:
      1. ldap_filter: (sAMAccountName=%u) matches the Windows logon name the user types.
      2. ldap_filter: (mail=%u) lets users log in with their full e-mail address.
      3. ldap_filter: (mail=%u*) (note the * directly after the %u) lets users enter only the part
         before the @ sign of their mail address. The * is a prefix wildcard, so if one local part is
         a prefix of another (alice and alicia) the lookup is ambiguous; prefer an exact match where you can.
    6. Open file,
      /etc/default/saslauthd

      Make below changes

        Change START to yes
        Change MECHANISMS to ldap
        Change MECH_OPTIONS to /etc/saslauthd.conf

    7. Give Prosody access to the saslauthd socket
      usermod -aG sasl prosody

      On Debian/Ubuntu the socket directory /var/run/saslauthd/ is created owned by root:sasl
      with mode 710, so membership in the sasl group is all Prosody needs. Do not loosen it
      with chmod 777 /var/run/saslauthd/: that makes the directory world-writable for no gain.

    8. Restart services (Prosody has to be restarted after the group change for it to take effect)
      sudo systemctl restart saslauthd
      sudo systemctl restart prosody
  4. Log file for debugging
    tail -f /var/log/auth.log

    saslauthd logs every authentication attempt here. To test a login without involving
    Prosody, run testsaslauthd (shipped in sasl2-bin) with -u <username>, -p <password> and
    -s xmpp, the same service name Prosody uses.
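The ldap_filter examples in step 5 rely on saslauthd substituting the typed username for %u. The snippet below is an added illustration written for this page, not saslauthd's code: it models that substitution and evaluates the resulting filter against a constructed in-memory directory, so you can see why (mail=%u*) is ambiguous for alice and alicia and why a username of * must be escaped per RFC 4515 rather than inserted verbatim. The directory entries, the escaping helper and the simple matcher are all assumptions made for the demonstration; only single (attr=value) filters are modelled.

```python
import re

# Constructed directory entries standing in for the LDAP search base (not real accounts).
DIRECTORY = [
    {'dn': 'cn=Alice,cn=Users,dc=foo,dc=bar', 'sAMAccountName': 'alice', 'mail': 'alice@foo.bar'},
    {'dn': 'cn=Alicia,cn=Users,dc=foo,dc=bar', 'sAMAccountName': 'alicia', 'mail': 'alicia@foo.bar'},
    {'dn': 'cn=Bob,cn=Users,dc=foo,dc=bar', 'sAMAccountName': 'bob', 'mail': 'bob@foo.bar'},
]

# RFC 4515 escapes: these characters must never reach the filter as syntax.
_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}


def escape_filter_value(value):
    """Escape a user-supplied value so it is matched literally inside an LDAP filter."""
    return ''.join(_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template, username, escape=True):
    """Substitute %u as the ldap_filter option does (a model of that behaviour, not saslauthd's code)."""
    return template.replace('%u', escape_filter_value(username) if escape else username)


def _value_to_regex(value):
    """Turn an assertion value into a regex: bare * is a wildcard, \\XX hex escapes are literals."""
    out, i = '', 0
    while i < len(value):
        ch = value[i]
        if ch == '\\' and i + 2 < len(value):
            out += re.escape(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        elif ch == '*':
            out += '.*'
            i += 1
        else:
            out += re.escape(ch)
            i += 1
    return '^' + out + '$'


def search(filter_str, directory=DIRECTORY):
    """Evaluate one (attr=value) filter against the in-memory directory; returns matching DNs."""
    m = re.fullmatch(r'\((\w+)=(.*)\)', filter_str)
    if not m:
        raise ValueError('only simple (attr=value) filters are modelled: ' + filter_str)
    attr = m.group(1)
    pattern = re.compile(_value_to_regex(m.group(2)), re.IGNORECASE)  # AD attributes match case-insensitively
    return [e['dn'] for e in directory if attr in e and pattern.match(e[attr])]


def demo():
    """The four situations the filter examples above raise, as search results."""
    return {
        'exact': search(render_filter('(sAMAccountName=%u)', 'alice')),
        # A typed '*' escaped to \2a matches nobody ...
        'wildcard_escaped': search(render_filter('(sAMAccountName=%u)', '*')),
        # ... but substituted raw it matches every account in the search base.
        'wildcard_raw': search(render_filter('(sAMAccountName=%u)', '*', escape=False)),
        # The prefix filter from example 3 returns two entries for 'ali'.
        'prefix_ambiguous': search(render_filter('(mail=%u*)', 'ali')),
    }


if __name__ == '__main__':
    for case, dns in demo().items():
        print(f'{case}: {len(dns)} match(es) {dns}')
```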



