LDAP Auth: Filtering for group membership + Bind user #1797
Comments
This looks more like an LDAP issue than a docker-jitsi-meet issue. Can you try also posting this question on the community forums? https://community.jitsi.org/ has a lot of helpful folks.
Try logging in with [email protected], not just the username, but add the correct domain.
In cyrus-sasl docs, the value I'm looking for appears, however I cannot find a corresponding docker environment variable: https://github.com/winlibs/cyrus-sasl/blob/d933c030ce12ec0668469d79ab8378e347a1b3ba/saslauthd/LDAP_SASLAUTHD#L144
This is the result I got (I didn't actually use my.domain): To clarify, if I run LDAP without the group membership check or bind user, it works as expected.
Yes I concur: we would welcome a PR to address this. Here's the file you'd want to start with: In addition, you'll want to add any new environment variables you define to the docker-compose.yml to ensure it gets passed to the prosody container. To test changes to the defaults/saslauthd.conf you can open a shell to a running prosody container, and then edit /defaults/saslauthd.conf, then run:
I'll see what I can do.
No pressure, if you end up stuck just reach out and one of us will try to move it along too. We don't have an example LDAP deployment to work with so we'll need your help to know what success looks like :)
Update: When it comes to the values of those parameters, my success comes to an end. As mentioned initially, a blanket LDAP yes/no works with a basic configuration, however I could not get saslauthd to respect any filter, group DN, or group filter (Hundreds of trials). This is despite verifying the syntax of my queries with ldapsearch...
When applying in .env:
Still, the same error is returned. Even with the new parameters: I think the next step is to reach out to the saslauthd team and ask them to verify the above values, and hopefully offer insight into the correct definitions for basic LDAP and FreeIPA, the latter being much less frequently referenced.
Is there perhaps a debug mode in your ldap server or the saslauth module where you could see the incoming query format to determine whether your settings of configuration match your expectation?
On the jitsi-docker end, the saslauthd process is already launched in debug mode (see prosody/rootfs/etc/services.d/10-saslauthd/run), and its output is entirely unhelpful. I may try to capture some logs on the FreeIPA side as you suggested, but that's for tomorrow...
Apologies for the delay in update, I've been caught up in other things.
It seems cyrus saslauthd does not want to play with any form of LDAP filter. Here are the filters I have tried:
LDAP_FILTER=(&(uid=%u)) # Works
I also experimented with the additional options from my pull request; applying any one of them would stop authentication from working:
#LDAP_GROUP_ATTR=memberOf
#LDAP_GROUP_MATCH_METHOD=filter
#LDAP_GROUP_SEARCH_BASE=CN=fs-jitsi,CN=accounts,CN=groups,DC=my,DC=domain
I will try to get a second opinion from my senpai on what I may be doing wrong.
I'm also facing a similar issue. I'm not able to find a pattern that is recognised by cyrus to take into account the group filter. PS: I finally found a way! (Just a few minutes after posting my first message...). Here is my configuration:
@duburcqa Great work! Just for clarity, that snippet is of /etc/saslauthd.conf as seen by the container? Could you kindly try to recreate this configuration via the docker env variables I set in the pull request #1798? I will also do the same with mine. To do this:
Add to prosody container
Define the following additional environment variables
Create ${VOLUMES_ROOT_PATH}/saslauthd.conf
Unfortunately I could not get cyrus to work whenever the filter isn't simply (&(uid=%u)), or whenever a bind_dn is defined. Here is my config with filters that does not work:
Hum, strange. Are you sure that you need
I am also running FreeIPA (v4.11.1). Regardless of that field, I have been tackling this group membership issue with a variety of suggested configurations. For context, omitting all group membership control (i.e. setting ldap_filter to (&(uid=%U))) and disabling the bind user (anonymous bind) allow LDAP to work without issue.
Strange, apparently our configuration is pretty similar yet we are observing different behaviours... Are you sure you can check group membership using anonymous bind? My knowledge about LDAP is pretty limited. Have you checked that it works using
After checking the documentation here, I'm not sure that you can expect the same result using anonymous bind versus classical bind. Update: I did some trials on my side, I get the same behaviour as you if I disable 'bind' authentication mode. It works without group check but not with group check. So this is the key!
You are correct that I get different results when I authenticate (see below). Authentication itself however is still giving me issues, I shall attack from that angle. (With authentication)
Here is my working config that is the closest to yours. I hope this helps!
Thanks for that.
Finally managed to break through the issue, it was indeed a problem with the credentials for the service account. Either the password was too long, or mismatched. Filters above work as required. I will switch my focus to annotating my findings in the env.example. Thanks again!
Perfect! Yes, adding more details would be beneficial to many I think. Being able to apply a group filter does not sound very uncommon. FYI regarding password length, personally I'm using 24 characters and it works just great.
I was using 128, went to 64 :)) If you get a chance to check out my changes at https://github.com/jitsi/docker-jitsi-meet/pull/1798/files and provide any feedback there, that'd be great.
I am satisfied this has been resolved, the significant findings have been captured in the env.example as part of my pull request. @aaronkvanmeerten I'll close this issue now.
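The thread's conclusion is that a saslauthd group-membership filter only works with a real bind user whose credentials are correct. The following is an added example, not code from the issue or from docker-jitsi-meet: it parses a saslauthd.conf in the key: value format, flags the misconfigurations discussed above, and shows how a %u/%U/%d filter expands for a given login name. The sample configuration is constructed; the key names (ldap_bind_dn, ldap_group_filter, ...) are those of the cyrus-sasl LDAP_SASLAUTHD documentation.

```python
import re

# Constructed sample: group filter plus ldap_group_* options but no bind user,
# which is the combination that failed throughout the thread.
SAMPLE_CONF = """\
ldap_servers: ldap://ipa01.my.domain
ldap_search_base: CN=accounts,DC=my,DC=domain
ldap_filter: (&(memberOf=CN=fs-jitsi,CN=groups,CN=accounts,DC=my,DC=domain)(uid=%u))
ldap_auth_method: bind
ldap_group_attr: memberOf
ldap_group_match_method: filter
"""

def parse_saslauthd_conf(text):
    """saslauthd.conf is one 'key: value' per line; '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")   # first colon only: values may contain ':'
        conf[key.strip().lower()] = value.strip()
    return conf

def lint_group_auth(conf):
    """Return a list of the problems this thread ran into (empty means none found)."""
    problems = []
    filt = conf.get("ldap_filter", "")
    if not re.search(r"%[uU]", filt):
        problems.append("ldap_filter does not reference %u/%U, so it cannot select the login user")
    group_keys = [k for k in conf if k.startswith("ldap_group_")]
    if (group_keys or "memberof=" in filt.lower()) and not conf.get("ldap_bind_dn"):
        problems.append("group membership check without ldap_bind_dn: in the thread "
                        "the group check only worked with a bind user, not anonymous bind")
    if conf.get("ldap_bind_dn") and not conf.get("ldap_bind_pw"):
        problems.append("ldap_bind_dn set but ldap_bind_pw missing")
    if conf.get("ldap_group_match_method") == "filter" and not conf.get("ldap_group_filter"):
        problems.append("ldap_group_match_method is filter but ldap_group_filter is not set")
    return problems

def expand_filter(filt, user):
    """Expand %u (login name), %U (part before '@') and %d (part after '@') as
    saslauthd's filter substitution does, escaping per RFC 4515 so a crafted
    login name cannot change the structure of the search filter."""
    local, _, domain = user.partition("@")
    def esc(s):
        return "".join(c if c not in "*()\\\x00" else "\\%02x" % ord(c) for c in s)
    return re.sub(r"%([uUd])", lambda m: esc({"u": user, "U": local, "d": domain}[m.group(1)]), filt)
```

Run lint_group_auth on the parsed /etc/saslauthd.conf from the prosody container before testing logins; an empty list means the thread's known pitfalls are absent, not that the credentials are right.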
Hello,
I have recently been attempting to set up LDAP authentication for my Jitsi Meet instance with mild success.
I am running the stable branch for all docker images:
I am connecting to a FreeIPA instance (v4.11.1)
The configuration I have confirmed as working is the following (extracted from .env)
LDAP_URL=ldap://ipa01.my.domain LDAP_BASE=CN=accounts,DC=my,DC=domain LDAP_FILTER='(uid=%u)' LDAP_VERSION=3 LDAP_USE_TLS=1
In the above case, all other LDAP related values are commented out, and authentication works globally.
I however want to only allow login from users of group 'fs-jitsi'. I have attempted this by doing the following:
LDAP_BASE to CN=fs-jitsi,CN=accounts,DC=my,DC=domain
LDAP_FILTER to LDAP_FILTER='(&(memberOf=CN=fs-jitsi,CN=groups,CN=accounts,DC=my,DC=domain)(uid=%u))' <- This was mimicking the functional LDAP filter I use in Nextcloud
Perhaps I was missing something in the docs, or this feature is not supported via docker env?
Error Message:
I get a similar message when defining a bind user for LDAP lookup, which makes me think I may be using an incorrect schema value somewhere
LDAP_BINDDN=UID=jitsigroup,CN=users,CN=accounts,DC=my,DC=domain LDAP_BINDPW=password
This is my first time posting an issue, so please let me know if there's any additional info I need to provide.