filhocf

Jitsi LDAP authentication

Oct 24th, 2016
Lua 7.30 KB | None | 0 0
  1. # cat /etc/prosody/conf.d/ldap.cfg.lua
  2. -- Authentication configuration --
     -- Settings for the 'ldap2' authentication provider selected on the next line.
  3. authentication = 'ldap2' -- Indicate that we want to use LDAP for authentication
  4. ldap = {
  5.     hostname      = 'ldap.example.com', -- LDAP server location
  6.     -- use_tls       = true,
         -- NOTE(review): use_tls is left commented out, so the service bind and the users'
         -- passwords presumably travel to ldap.example.com unencrypted. Enable it unless the
         -- link to the directory is protected some other way -- confirm.
  7.     bind_dn       = 'uid=ldapuser,ou=Users,o=Builtin,dc=example,dc=com', -- Bind DN for LDAP authentication (optional if anonymous bind is supported)
  8.     bind_password = 'passldapuser', -- Bind password (optional if anonymous bind is supported)
         -- NOTE(review): the bind password sits in this file in clear text. Keep the file
         -- readable only by the account Prosody runs as, and give the bind account
         -- read-only access to the directory.
  9. 
  10.     user = {
  11.       basedn        = 'dc=example,dc=com',
          -- The filter below names active prevPerson entries in o=example; presumably only
          -- entries matching it can authenticate -- verify against the ldap2 module.
  12.       filter        = '(&(objectClass=prevPerson)(accountStatus=active)(|(o=example)))',
  13.       usernamefield = 'uid',
  14.       namefield     = 'cn',
  15.     },
  16. }
  17.  
  18. -----
  19. # cat /etc/prosody/conf.d/example.com.cfg.lua
  20. -- Plugins path gets uncommented during jitsi-meet-tokens package install - that's where token plugin is located
  21. --plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }
  22. 
      -- Main host: users of example.com authenticate through the ldap2 provider.
  23. VirtualHost "example.com"
  24.         -- enabled = false -- Remove this line to enable this host
  25.         -- authentication = "anonymous"
  26.         authentication = "ldap2"
  27.         -- Properties below are modified by jitsi-meet-tokens package config
  28.         -- and authentication above is switched to "token"
  29.         --app_id="example_app_id"
  30.         --app_secret="example_app_secret"
  31.         -- Assign this host a certificate for TLS, otherwise it would use the one
  32.         -- set in the global section (if any).
  33.         -- Note that old-style SSL on port 5223 only supports one certificate, and will always
  34.         -- use the global one.
  35.         ssl = {
                  -- NOTE(review): the private key file should be readable only by the
                  -- account Prosody runs as.
  36.                 key = "/etc/prosody/certs/example.com.key";
  37.                 certificate = "/etc/prosody/certs/example.com.crt";
  38.         }
  39.         -- we need bosh
              -- NOTE(review): BOSH carries the XMPP login over HTTP, so with ldap2 the users'
              -- directory passwords presumably pass through this endpoint. Make sure it is
              -- reachable only over HTTPS -- confirm how /http-bind is exposed.
  40.         modules_enabled = {
  41.             "bosh";
  42.             "pubsub";
  43.             "ping"; -- Enable mod_ping
  44.         }
  45.  
  46. VirtualHost "guest.example.com"
          -- NOTE(review): this host accepts logins without credentials, independently of the
          -- LDAP-backed host. Remove it if guest access is not intended.
  47.     authentication = "anonymous"
  48. 
  49. Component "conference.example.com" "muc"
  50.     --modules_enabled = { "token_verification" }
      -- Although not indented, admins follows the Component line above and so applies to the
      -- conference component: the focus account is its administrator.
  51. admins = { "focus@auth.example.com" }
  52. 
  53. Component "jitsi-videobridge.example.com"
          -- NOTE(review): shared secret used by the videobridge component. The value below
          -- appears in a public paste, so treat it as a sample: generate a fresh random
          -- secret per deployment and keep this file non-world-readable.
  54.     component_secret = "TXdIqDxC"
  55. 
  56. VirtualHost "auth.example.com"
          -- NOTE(review): internal_plain keeps account passwords in clear text in Prosody's
          -- data store. internal_hashed is the hashed alternative -- confirm the focus
          -- account still authenticates before switching.
  57.     authentication = "internal_plain"
  58. 
  59. Component "focus.example.com"
          -- NOTE(review): same caveat as the videobridge secret: sample value from a public
          -- paste, replace with a freshly generated one.
  60.     component_secret = "Z5FA8dV0"
  61.  
  62. -----
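  63. # Added the line "consider_bosh_secure = true" to /etc/prosody/prosody.cfg.lua, so that Prosody treats BOSH sessions as secure (appropriate only when a front-end web server terminates HTTPS for /http-bind and Prosody's own HTTP port is not exposed)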
  64.  
  65. -----
  66. # cat /etc/jitsi/meet/example.com-config.js
  67. /* jshint maxlen:false */
  68.  
  69. var config = { // eslint-disable-line no-unused-vars
      // Client-side settings object for the Jitsi Meet web app on example.com.
      // Everything in this file is delivered to the browser, so it must not hold secrets.
  70. //    configLocation: './config.json', // see ./modules/HttpConfigFetch.js
  71.     hosts: {
  72.         domain: 'example.com',
              // NOTE(review): anonymousdomain is commented out, so this client presumably does
              // not offer guest login; whether guests can still reach the XMPP server depends on
              // the server-side host configuration -- confirm.
  73.         //anonymousdomain: 'guest.example.com',
  74.         //authdomain: 'example.com',  // defaults to <domain>
  75.         muc: 'conference.example.com', // FIXME: use XEP-0030
  76.         //jirecon: 'jirecon.example.com',
  77.         //call_control: 'callcontrol.example.com',
  78.         //focus: 'focus.example.com', // defaults to 'focus.example.com'
  79.     },
  80. //  getroomnode: function (path) { return 'someprefixpossiblybasedonpath'; },
  81. //  useStunTurn: true, // use XEP-0215 to fetch STUN and TURN server
  82. //  useIPv6: true, // ipv6 support. use at your own risk
  83.     useNicks: false,
          // NOTE(review): protocol-relative URL, so BOSH uses the scheme of the page that loads
          // this file. Serve the page over HTTPS only; login credentials presumably travel over
          // this endpoint.
  84.     bosh: '//example.com/http-bind', // FIXME: use xep-0156 for that
  85.     clientNode: 'http://jitsi.org/jitsimeet', // The name of client node advertised in XEP-0115 'c' stanza
  86.     //focusUserJid: 'focus@auth.example.com', // The real JID of focus participant - can be overridden here
  87.     //defaultSipNumber: '', // Default SIP number
  88. 
  89.     // Desktop sharing method. Can be set to 'ext', 'webrtc' or false to disable.
  90.     desktopSharingChromeMethod: 'ext',
  91.     // The ID of the jidesha extension for Chrome.
  92.     desktopSharingChromeExtId: 'diibjkoicjeejcmhdnailmkgecihlobk',
  93.     // The media sources to use when using screen sharing with the Chrome
  94.     // extension.
  95.     desktopSharingChromeSources: ['screen', 'window'],
  96.     // Required version of Chrome extension
  97.     desktopSharingChromeMinExtVersion: '0.1',
  98. 
  99.     // The ID of the jidesha extension for Firefox. If null, we assume that no
  100.     // extension is required.
  101.     desktopSharingFirefoxExtId: null,
  102.     // Whether desktop sharing should be disabled on Firefox.
  103.     desktopSharingFirefoxDisabled: true,
  104.     // The maximum version of Firefox which requires a jidesha extension.
  105.     // Example: if set to 41, we will require the extension for Firefox versions
  106.     // up to and including 41. On Firefox 42 and higher, we will run without the
  107.     // extension.
  108.     // If set to -1, an extension will be required for all versions of Firefox.
  109.     desktopSharingFirefoxMaxVersionExtRequired: -1,
  110.     // The URL to the Firefox extension for desktop sharing.
  111.     desktopSharingFirefoxExtensionURL: null,
  112. 
  113.     // Disables ICE/UDP by filtering out local and remote UDP candidates in signalling.
  114.     webrtcIceUdpDisable: false,
  115.     // Disables ICE/TCP by filtering out local and remote TCP candidates in signalling.
  116.     webrtcIceTcpDisable: false,
  117. 
  118.     openSctp: true, // Toggle to enable/disable SCTP channels
  119.     disableStats: false,
  120.     disableAudioLevels: false,
  121.     channelLastN: -1, // The default value of the channel attribute last-n.
  122.     adaptiveLastN: false,
  123.     //disableAdaptiveSimulcast: false,
  124.     enableRecording: false,
  125.     enableWelcomePage: true,
  126.     //enableClosePage: false, // enabling the close page will ignore the welcome
  127.                               // page redirection when call is hangup
  128.     disableSimulcast: false,
  129.     logStats: false, // Enable logging of PeerConnection stats via the focus
  130. //    requireDisplayName: true, // Forces participants who don't have a display name to enter one when they enter the room.
  131. //    startAudioMuted: 10, // every participant after the Nth will start audio muted
  132. //    startVideoMuted: 10, // every participant after the Nth will start video muted
  133. //    defaultLanguage: "en",
  134. // To enable sending statistics to callstats.io you should provide Application ID and Secret.
  135. //    callStatsID: "", // Application ID for callstats.io API
  136. //    callStatsSecret: "", // Secret for callstats.io API
  137.    /*noticeMessage: 'Service update is scheduled for 16th March 2015. ' +
  138.    'During that time service will not be available. ' +
  139.    'Apologise for inconvenience.',*/
         // NOTE(review): false presumably leaves requests to third-party services enabled;
         // set to true if participant browsers should not contact external hosts -- confirm
         // which requests this build makes.
  140.    disableThirdPartyRequests: false,
  141.    minHDHeight: 540,
  142.    // If true - all users without token will be considered guests and all users
  143.    // with token will be considered non-guests. Only guests will be allowed to
  144.    // edit their profile.
  145.    enableUserRolesBasedOnToken: false
  146. };