LDAP authentification

Hi all,

I installer Jitsi-Meet using the latest components:
- Docker-CE_20.10.6 (2021-04-12),
- Docker-Compose-1.29,1
- Portainer-2.1.1 (with security)
- Jitsi Meet- 2.0.5765 (21-04-15)

From: jitsi_meet [NethServer Wiki]

basically the default network for docker images does not allow access to our Nethserver for security reasons. There is a special aqua network that will be set up with our Docker install that will allow docker images to access local ports on our Nethserver. That is how we will let Jitsi use our existing LDAP.

How can I create this special aqua network sot that I can add it to the prosody container.

I tried:

db dockrules set jitsiLdap aqua TCPPorts 389,636 status enabled
signal-event firewall-adjust

but the prosody container doesn’t see it in Portainer.

Michel-André

Cc @LayLow

Perhaps @djx can help here too.

What does it look like in portainer? Perhaps there was some change and aqua is not created by default, or are you trying to pre-configure everything before setting it up in Portainer?

docker network ls

aqua is there for sure

Hi all,

Thank you all for the replies.

After I did those two commands, nothing is shown in Portainer.

Test connectivity

In Portainer Settings → Authentication, I cannot Test connectivity to LDAP no matter how I try with all kind of parameters.

Connecting to the VM:

image1409×716 63 KB

I can Test connectivity to LDAP to my main NS server directly connected to the Inernet.

image1425×719 66.4 KB

iptables

On a VM following the wiki page, I see quite a lot of iptables rules.
- I do not know what created them: Docker, the above commands, the containers…

• The ouput of iptables -L is 419 lines long.
• On my main NS server it is 221 lines long.

On the VM with the latest components

# db dockrules set jitsiLdap aqua TCPPorts 389,636 status enabled
# signal-event firewall-adjust


# docker network list
NETWORK ID     NAME              DRIVER    SCOPE
a74772c44300   bridge            bridge    local
e8db272dc262   host              host      local
2340948149e5   meet_meet.jitsi   bridge    local
0fdf9e731055   none              null      local


# shutdown -r now

# docker-compose down && rm -rf .jitsi-meet-cfg/ && docker-compose up -d
Stopping meet_web_1     ... done
Stopping meet_jicofo_1  ... done
Stopping meet_prosody_1 ... done
Stopping meet_jvb_1     ... done
Removing meet_web_1     ... done
Removing meet_jicofo_1  ... done
Removing meet_prosody_1 ... done
Removing meet_jvb_1     ... done
Removing network meet_meet.jitsi
Creating network "meet_meet.jitsi" with the default driver
Creating meet_web_1     ... done
Creating meet_prosody_1 ... done
Creating meet_jicofo_1  ... done
Creating meet_jvb_1     ... done


# docker ps -a
CONTAINER ID   IMAGE                         COMMAND                  CREATED          STATUS          PORTS                                                                                      NAMES
140e0fe28628   jitsi/jvb:stable-5765-1       "/init"                  26 seconds ago   Up 10 seconds   0.0.0.0:4443->4443/tcp, :::4443->4443/tcp, 0.0.0.0:10000->10000/udp, :::10000->10000/udp   meet_jvb_1
0a057738e563   jitsi/jicofo:stable-5765-1    "/init"                  26 seconds ago   Up 11 seconds                                                                                              meet_jicofo_1
f1b132fdac9c   jitsi/web:stable-5765-1       "/init"                  38 seconds ago   Up 25 seconds   0.0.0.0:8000->80/tcp, :::8000->80/tcp, 0.0.0.0:8443->443/tcp, :::8443->443/tcp             meet_web_1
4bab8393ad3c   jitsi/prosody:stable-5765-1   "/init"                  38 seconds ago   Up 26 seconds   5222/tcp, 5280/tcp, 5347/tcp                                                               meet_prosody_1
834d207eff80   portainer/portainer-ce        "/portainer --ssl --…"   9 days ago       Up 2 minutes    8000/tcp, 0.0.0.0:9000->9000/tcp, :::9000->9000/tcp                                        portainer


# docker network list
NETWORK ID     NAME              DRIVER    SCOPE
05f945e91be0   bridge            bridge    local
e8db272dc262   host              host      local
e49b3bbb8bbe   meet_meet.jitsi   bridge    local
0fdf9e731055   none              null      local

New VM with latest components

On a fresh intallation, in Portainer, I will try to create a network with the same parameters as Aqua and see what will happen:

image1419×695 52.7 KB

Michel-André

It’s possible their default docker container has changed (significantly) since I wrote the guide. I’ve been meaning to update my instance. I’ll give it a try this weekend and report back if I find anything special.

Hi @djx

Thank you for your valuable time.

If I can make a suggestion, could you adjust for Portainer CE version 2.1.1.

Thank you,

Michel-André

Hi @michelandre,

As you know I’ve been trying out jitsi-meet as well. As pointed out by @stephdl the aqua network is already present. To the end of the wiki post is a paragraph ‘Adding the Docker to the aqua network’ describing how you can join the aqua network from portainer.

I found that adding the following to the /opt/jitsi/docker-jitsi-meet/docker-compose.yml will add the network interface when composing.

At the end of the settings for prosody (immediately above # Focus component
) add the line

            ns-aqua:

It should read:

        networks:
            meet.jitsi:
                aliases:
                    - ${XMPP_SERVER}
            ns-aqua:

At the bottom of the file add:

    ns-aqua:
       external:
         name: aqua

I was planning to add this to the wiki when I had it all sorted out on a live server (instead of on my VM), but I’m still not ready for that.

Hope this helps.

René

Salut @Reheer

Thank you for this hint.

I am not using nethserver-docker but all the latest components. In the latest Docker CE i.e. 20.10.6, there is no aqua network so I have to create it.

Also, if you run docker-compose down && rm -rf .jitsi-meet-cfg/ && docker-compose up -d you have to re-attach aqua to prosody again (not sure about that but with your above modifications, I think it should resolve that).

I am creating a new VM to test the creation of an aqua network based on the same parameters as the one from nethserver-docker.
I googled a lot about the creation of a network in Docker and it is not so clear how to do it but I think I have to make a “bridged” one which is what aqua on nethserver-docker looks like.

It looks like the reason for the aqua network is for security reasons to not let containers fool around the NS LDAP, but Jitsi Meet reads LDAP for authentication and not for the creation of a user. I am confused about that reason.

It tooks me three months to resolve Matrix installation, so I am ready to put the same time for Jitsi Meet.

Michel-André

Hi @Reheer

Salut René,

I confirm, your solution is working.
Those added lines in /opt/jitsi/jitsidocker-compose.yml, will keep aqua network joined to jitsi_prosody_1 container after a reboot or after a docker-compose up -d.

● Identation is important, using no [TAB], only [SPACE].
● # Focus component is 4 [SPACE] from left margin.
● ns-aqua is 12 [SPACE] from left margin.

...
    # Focus component
    ##### Insert start
            ns-aqua:
        networks:
            meet.jitsi:
                aliases:
                    - ${XMPP_SERVER}
            ns-aqua:
    ##### Insert end
...
networks:
    meet.jitsi:

    ##### Insert start
    ns-aqua:
       external:
         name: aqua
    ##### Insert end

I completely started over using netserver-docker.

Since I’m using a VM, I still can’t connect to the local LDAP, only to the main server LDAP and even then, I had to require a new Let’s Encrypt certificate and add the CNAME of the LOCAL domain name to the new cert of the main NS server.

I had to use the FQDN of the main server, or the one from the LOCAL server, but I had to use only the LDAP main server credential to connect.

● With all that, the authentification still doesn’t work.

With DockerCE-20.10.6 and no aqua network, I was able to connect to main server LDAP without the need of a new Let’s Encrypt cert on the main server

Also, when VirtualBox VM starts, my webcam disappears, on both Win-8.1 (always) and Ubuntu-20.04.02 (sometime)…

Tomorrow is another day and another challenge.

Michel-André

Salut @Reheer,

From Jitsi, Authentication against local AD server not working.

From: Portainer → Containers → jitsi_prosody_1 → Console:

root@d6878aab57cb:/# apt-get update

root@d6878aab57cb:/# apt-get install ldap-utils

root@d6878aab57cb:/# ldapsearch -H ldaps://toto-dev.org:636  -x -D cn=ldapservice,dc=directory,dc=nh -w ABCDEF1234567890 -b dc=directory,dc=nh
...
# michelandre, People, directory.nh
dn: uid=michelandre,ou=People,dc=directory,dc=nh  
uidNumber: 1001
gidNumber: 1000
uid: michelandre
...
root@d6878aab57cb:/#

I modified /opt/jitsi/.env

ENABLE_GUESTS=0
ENABLE_AUTH=1
AUTH_TYPE=ldap
ENABLE_WELCOME_PAGE=1

AUTH_TYPE=ldap
LDAP_URL=ldaps://toto-dev.org:636
LDAP_BASE=dc=directory,dc=nh
LDAP_BINDDN=cn=ldapservice,dc=directory,dc=nh	
LDAP_BINDPW=ABCDEF1234567890
LDAP_FILTER=(uid=%u)
LDAP_AUTH_METHOD=bind
LDAP_USE_TLS=1

I then relaunched docker-compose:

# cd /opt/jitsi ; docker-compose down && rm -rf .jitsi-meet-cfg/ ; docker-compose up -d

THEN THE MIRACLE HAPPENS

https://meet.toto-dev.org:8443/.

image1428×708 107 KB

Thank you so much for that tip on making aqua persistent and mainly for the one to install ldapsearch with apt-get install ldap-utils. The latter allowed me to confirm, unlike Portainer, that prosody could connect to LOCAL LDAP.

Two posts and two problems resolved, I put you on my list of The Greatests.

You didn’t make my day, but my full month…

Michel-André

P.S. I think that Portainer has a bug for testing the connection to LDAP ???

Thank you!

I don’t know about that. I did find out that Prosody/saslauthd seems to be quite picky about the certificate. But… it works now, so no need to worry about a possible bug you’re no longer running into

Have a great day!
René

Salut @Reheer,

I think that the problem is because Jitsi is on a LOCAL VM.

When the container make a DNS query, it ends up that it is asking the router (my main server) for the FQDN’s IP of the LOCAL LDAP server.

It is normal that the router uses its own certificate instead of using the one from the redirection as it establishes a SSL communication chanel before analysing the request from the container.

In the .env file, I should use
→ LDAP_URL=ldaps://IP-ADDRESS
instead of
→ LDAP_URL=ldaps://toto.org
so the container won’t have to make a DNS request before connecting to the LOCAL LDAP.

I will have to test that…

Michel-André

Salut @Reheer,

RESULT

Failure
LDAP Result Code 200 “Network Error”: TLS handshake failed (x509: cannot validate certificate for 192.168.1.75 because it doesn’t contain any IP SANs)

I also tried witth:
→ LDAP_URL=ldaps://IP-ADDRESS:636
→ LDAP_URL=ldaps://IP-ADDRESS:389

Back to the drawing board,

Michel-André

P.S. Installing Jitsi is the best way to test my skill…

Have a look at: https://serverfault.com/questions/611120/failed-tls-handshake-does-not-contain-any-ip-sans
I think the correct file to edit should be /etc/pki/tls/openssl.cnf.
Note: I did not test this…

Salut @Reheer,

[ v3_ca ]
subjectAltName = IP:192.168.1.75

Request for a TEST certificate is working

Request for a PRODUCTION certificate failed:

[lun. mai 10 12:33:32 EDT 2021] Getting domain auth token for each domain
[lun. mai 10 12:33:32 EDT 2021] Getting webroot for domain='micronator-dev.org'
[lun. mai 10 12:33:32 EDT 2021] Getting new-authz for domain='micronator-dev.org'
[lun. mai 10 12:33:36 EDT 2021] Could not get nonce, let's try again.
[lun. mai 10 12:33:40 EDT 2021] Could not get nonce, let's try again.
...
[lun. mai 10 12:34:49 EDT 2021] Could not get nonce, let's try again.
[lun. mai 10 12:34:53 EDT 2021] Could not get nonce, let's try again.
[lun. mai 10 12:34:56 EDT 2021] Giving up sending to CA server after 20 retries.
[lun. mai 10 12:34:56 EDT 2021] Can not get domain new authz.
[lun. mai 10 12:34:56 EDT 2021] Please add '--debug' or '--log' to check more details.
[lun. mai 10 12:34:56 EDT 2021] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh

Michel-André