
LDAP Auth: Filtering for group membership + Bind user #1797

Open
le-firehawk opened this issue May 1, 2024 · 12 comments

Comments

@le-firehawk

Hello,
I have recently been attempting to set up LDAP authentication for my Jitsi Meet instance with mild success.
I am running the stable branch for all docker images:
[image]

I am connecting to a FreeIPA instance (v4.11.1)

The configuration I have confirmed as working is the following (extracted from .env)
LDAP_URL=ldap://ipa01.my.domain
LDAP_BASE=CN=accounts,DC=my,DC=domain
LDAP_FILTER='(uid=%u)'
LDAP_VERSION=3
LDAP_USE_TLS=1

In the above case, all other LDAP related values are commented out, and authentication works globally.
I however want to only allow login from users of group 'fs-jitsi'. I have attempted this by doing the following:

  • Setting LDAP_BASE to CN=fs-jitsi,CN=accounts,DC=my,DC=domain
  • Setting LDAP_FILTER to LDAP_FILTER='(&(memberOf=CN=fs-jitsi,CN=groups,CN=accounts,DC=my,DC=domain)(uid=%u))' <- This was mimicking the functional LDAP filter I use in Nextcloud

Perhaps I was missing something in the docs, or this feature is not supported via docker env?

Error Message:
[image]

I get a similar message when defining a bind user for LDAP lookup, which makes me think I may be using an incorrect schema value somewhere:
LDAP_BINDDN=UID=jitsigroup,CN=users,CN=accounts,DC=my,DC=domain LDAP_BINDPW=password

This is my first time posting an issue, so please let me know if there's any additional info I need to provide.

@aaronkvanmeerten (Member)

This looks more like an LDAP issue than a docker-jitsi-meet issue. Can you try also posting this question on the community forums? https://community.jitsi.org/ has a lot of helpful folks.

@damencho (Member)

damencho commented May 1, 2024

Try logging in with test-user@my.domain, not just the username, but add the correct domain.

@le-firehawk (Author)

This looks more like an LDAP issue than a docker-jitsi-meet issue. Can you try also posting this question on the community forums? https://community.jitsi.org/ has a lot of helpful folks.

In cyrus-sasl docs, the value I'm looking for appears, however I cannot find a corresponding docker environment variable: https://github.com/winlibs/cyrus-sasl/blob/d933c030ce12ec0668469d79ab8378e347a1b3ba/saslauthd/LDAP_SASLAUTHD#L144

@le-firehawk (Author)

le-firehawk commented May 1, 2024

Try logging in with test-user@my.domain, not just the username, but add the correct domain.

This is the result I got (I didn't actually use my.domain):
[image]

To clarify, if I run LDAP without the group membership check or bind user, it works as expected.

@aaronkvanmeerten (Member)

aaronkvanmeerten commented May 1, 2024

https://github.com/winlibs/cyrus-sasl/blob/d933c030ce12ec0668469d79ab8378e347a1b3ba/saslauthd/LDAP_SASLAUTHD#L144

Yes I concur: we would welcome a PR to address this. Here's the file you'd want to start with:

In addition, you'll want to add any new environment variables you define to the docker-compose.yml to ensure it gets passed to the prosody container.

To test changes to the defaults/saslauthd.conf you can open a shell to a running prosody container, and then edit /defaults/saslauthd.conf, then run:
tpl /defaults/saslauthd.conf

@le-firehawk (Author)

https://github.com/winlibs/cyrus-sasl/blob/d933c030ce12ec0668469d79ab8378e347a1b3ba/saslauthd/LDAP_SASLAUTHD#L144

Yes I concur: we would welcome a PR to address this. Here's the file you'd want to start with:

In addition, you'll want to add any new environment variables you define to the docker-compose.yml to ensure it gets passed to the prosody container.

To test changes to the defaults/saslauthd.conf you can open a shell to a running prosody container, and then edit /defaults/saslauthd.conf, then run: tpl /defaults/saslauthd.conf

I'll see what I can do.

@aaronkvanmeerten (Member)

I'll see what I can do.

No pressure, if you end up stuck just reach out and one of us will try to move it along too. We don't have an example LDAP deployment to work with so we'll need your help to know what success looks like :)

@le-firehawk (Author)

le-firehawk commented May 3, 2024

Update:
I have translated the various LDAP-related parameters into the .../rootfs/defaults/saslauthd.conf file and verified saslauthd accepts those parameters.

When it comes to the values of those parameters, my success comes to an end. As mentioned initially, a blanket LDAP yes/no works with a basic configuration, however I could not get saslauthd to respect any filter, group DN, or group filter (hundreds of trials). This is despite verifying the syntax of my queries with ldapsearch:

ldapsearch -WH ldap://ipa01.my.domain -b 'CN=accounts,DC=my,DC=domain' -D 'uid=jitsisystemuser,cn=users,cn=accounts,dc=my,dc=domain' '(&(uid=test-user)(memberOf=CN=fs-jitsi,CN=groups,CN=accounts,DC=my,DC=domain))' memberOf

Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <CN=accounts,DC=my,DC=domain> with scope subtree
# filter: (&(uid=test-user)(memberOf=CN=fs-jitsi,CN=groups,CN=accounts,DC=my,DC=domain))
# requesting: memberOf 
#
<... output omitted ...>

memberOf: cn=fs-jitsi,cn=groups,cn=accounts,dc=my,dc=domain
memberOf: cn=fs-<...>

# search result
search: 2
result: 0 Success <-- 0 = Exit code

# numResponses: 2
# numEntries: 1

When applying in .env:

LDAP_BASE='CN=accounts,DC=my,DC=domain'
LDAP_BINDDN=uid=jitsisystemuser,cn=users,cn=accounts,dc=my,dc=domain
LDAP_BINDPW=password
LDAP_FILTER='(&(uid=%u)(memberOf=CN=fs-jitsi,CN=groups,CN=accounts,DC=my,DC=domain))'

Still, the same error is returned. Even with the new parameters:
LDAP_GROUP_DN=cn=fs-jitsi,dc=my,dc=domain

I think the next step is to reach out to the saslauthd team and ask them to verify the above values, and hopefully offer insight into the correct definitions for basic LDAP and FreeIPA, the latter being much less frequently referenced.

@aaronkvanmeerten (Member)

Is there perhaps a debug mode in your LDAP server or the saslauthd module where you could see the incoming query format, to determine whether your configuration settings match your expectation?

@le-firehawk (Author)

On the jitsi-docker end, the saslauthd process is already launched in debug mode (see prosody/rootfs/etc/services.d/10-saslauthd/run), and its output is entirely unhelpful. I may try to capture some logs on the FreeIPA side as you suggested, but that's for tomorrow...

@le-firehawk (Author)

Apologies for the delay in update, I've been caught up in other things.

@le-firehawk (Author)

le-firehawk commented May 24, 2024

It seems cyrus saslauthd does not want to play with any form of LDAP filter.

Here are the filters I have tried:

LDAP_FILTER=(&(uid=%u)) # Works
#LDAP_FILTER=(&(uid=%u)(|(objectclass=inetOrgPerson))(|(memberof=cn=fs-jitsi,cn=groups,cn=accounts,dc=my,dc=domain))) # Unknown error
#LDAP_FILTER='(&(uid=%u)(memberOf=CN=fs-jitsi,CN=groups,CN=accounts,DC=my,DC=domain))' # Unknown error
#LDAP_FILTER='(&(memberOf=cn=fs-jitsi,cn=groups,cn=accounts,dc=my,dc=domain)(uid=%u))' # Unknown error

I also experimented with the additional options from my pull request, applying any one of them would stop authentication from working:

#LDAP_GROUP_ATTR=memberOf
#LDAP_GROUP_DN=CN=fs-jitsi,DC=my,DC=domain
#LDAP_GROUP_DN=cn=fs-jitsi,dc=my,dc=domain
#LDAP_GROUP_DN='dc=my,dc=domain'
#LDAP_GROUP_DN='cn=fs-jitsi,cn=groups,cn=accounts,dc=my,dc=domain'

#LDAP_GROUP_MATCH_METHOD=filter
#LDAP_GROUP_FILTER=(|(cn=fs-jitsi))
#,cn=groups,cn=accounts,dc=my,dc=domain

#LDAP_GROUP_SEARCH_BASE=CN=fs-jitsi,CN=accounts,CN=groups,DC=my,DC=domain

I will try to get a second opinion from my senpai on what I may be doing wrong.
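As an added example (not code from docker-jitsi-meet, cyrus-sasl or anyone in this thread), a small Python preflight for the two things the May 3 and May 24 posts wrestle with: expanding an LDAP_FILTER template the way saslauthd would, with the login name escaped per RFC 4515 and a parenthesis check, and comparing the memberOf values that ldapsearch returned against the group DN as written in .env. The token meanings (%u, %U, %d, %r, %%) are an assumption taken from the LDAP_SASLAUTHD document linked above, and the sample DN and memberOf values are constructed from the thread.

```python
import re
# RFC 4515 escaping for values substituted into a filter, so that a login name
# such as 'a)(uid=*' (constructed) cannot widen the search.
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPE.get(ch, ch) for ch in value)

def expand_filter(template: str, user: str, realm: str = "") -> str:
    """Substitute saslauthd-style tokens into an LDAP_FILTER template.
    Token meanings are an assumption taken from the LDAP_SASLAUTHD document:
    %u user as sent, %U part before '@', %d part after '@' (else realm),
    %r realm, %% literal percent."""
    local, _, domain = user.partition("@")
    tokens = {"u": user, "U": local, "d": domain or realm, "r": realm, "%": "%"}

    def sub(match):
        key = match.group(1)
        if key not in tokens:
            raise ValueError(f"unknown token %{key} in filter template")
        return "%" if key == "%" else escape_filter_value(tokens[key])
    return re.sub(r"%(.)", sub, template)

def is_balanced(filt: str) -> bool:
    """Cheap syntax check: parentheses balanced and never going negative."""
    depth = 0
    for ch in filt:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0 and filt.startswith("(") and filt.endswith(")")

def normalize_dn(dn: str) -> str:
    """DN comparison key: FreeIPA returns memberOf lower-cased while the .env
    spells the group DN in upper case; LDAP DN matching ignores that."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def in_group(member_of: list[str], group_dn: str) -> bool:
    """Emulate a memberOf-attribute group check on a fetched entry."""
    want = normalize_dn(group_dn)
    return any(normalize_dn(value) == want for value in member_of)

# Constructed sample values mirroring the thread's filter and ldapsearch output.
GROUP_DN = "CN=fs-jitsi,CN=groups,CN=accounts,DC=my,DC=domain"
TEMPLATE = "(&(uid=%u)(memberOf=" + GROUP_DN + "))"
SAMPLE_MEMBER_OF = ["cn=fs-jitsi,cn=groups,cn=accounts,dc=my,dc=domain"]
```

If a filter expands cleanly and the lower-cased memberOf value still matches the group DN, the filter text itself is not what saslauthd is rejecting, and the question moves to what it actually sends, which is where the debug logging discussed above comes in.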
