ct-Open-Source/team-container

How to set up LDAP configuration for video

Wallenstein61 opened this issue · 0 comments

Hello,

In the c't article about the LDAP configuration for jitsi the author mentioned that under the short link ct.de7yfk7 there is an explanation of how to set up ldap. Although I did not find any documentation I gave it a try; however, it took me some time to find out that the deployment description for the prosody pod was incomplete. At least I did not get an ldap connection until I extended the file team-video/templates/deploy_prosody.yaml by the appropriate LDAP variables.

With the following version of team-video/templates/deploy_prosody.yaml the saslauthd.conf file is set up correctly in the prosody pod for ldap support.

kind: Deployment
apiVersion: apps/v1
metadata:
  namespace: default
  name: {{ include "team-video.fullname" . }}-prosody
  labels:
    app: {{ include "team-video.fullname" . }}-prosody
spec:
  replicas: 1
  selector:
    matchLabels:
      app: {{ include "team-video.fullname" . }}-prosody
  template:
    metadata:
      labels:
        app: {{ include "team-video.fullname" . }}-prosody
      annotations:
        timestamp: "{{ now | unixEpoch }}"
    spec:
      containers:
       - name: prosody
         ports:
          - containerPort: 5222
          - containerPort: 5280
          - containerPort: 5347
         resources: {}
#         restartPolicy: Always
         {{ if eq .Values.auth.type "internal" }}
         lifecycle:
           postStart:
             exec:
               command: ["/bin/bash", "-c", "sleep 60; prosodyctl --config /config/prosody.cfg.lua register {{ .Values.auth.admin.user }} {{ .Values.app.name }}.{{ .Values.app.domain }} {{ .Values.auth.admin.password }}"]
         {{end}}
         image: jitsi/prosody
         imagePullPolicy: {{ .Values.app.pullpolicy }}
         env:
          {{ if .Values.auth.enabled}}
          - name: ENABLE_AUTH
            value: "true"
            {{ if .Values.auth.guests}}
          - name: ENABLE_GUESTS
            value: "true"
            {{end}}
          - name: AUTH_TYPE
            value: {{ .Values.auth.type }}
            # Container env values must be strings; "| quote" keeps Helm from
            # rendering booleans/numbers (e.g. ldapusetls: 1) as YAML types.
            {{ if .Values.auth.ldapauthmethod}}
          - name: LDAP_AUTH_METHOD
            value: {{ .Values.auth.ldapauthmethod | quote }}
            {{end}}
            {{ if .Values.auth.ldapurl }}
          - name: LDAP_URL
            value: {{ .Values.auth.ldapurl | quote }}
            {{end}}
            {{ if .Values.auth.ldapusetls }}
          - name: LDAP_USE_TLS
            value: {{ .Values.auth.ldapusetls | quote }}
            {{end}}
            {{ if .Values.auth.ldapstarttls }}
          - name: LDAP_START_TLS
            value: {{ .Values.auth.ldapstarttls | quote }}
            {{end}}
            {{ if .Values.auth.ldaptlscacertfile }}
          - name: LDAP_TLS_CACERT_FILE
            value: {{ .Values.auth.ldaptlscacertfile | quote }}
            {{end}}
            {{ if .Values.auth.ldaptlscacertdir }}
          - name: LDAP_TLS_CACERT_DIR
            value: {{ .Values.auth.ldaptlscacertdir | quote }}
            {{end}}
            {{ if .Values.auth.ldapcheckpeer }}
          - name: LDAP_TLS_CHECK_PEER
            value: {{ .Values.auth.ldapcheckpeer | quote }}
            {{end}}
            {{ if .Values.auth.ldapbase }}
          - name: LDAP_BASE
            value: {{ .Values.auth.ldapbase | quote }}
            {{end}}
            {{ if .Values.auth.ldapbinddn }}
          - name: LDAP_BINDDN
            value: {{ .Values.auth.ldapbinddn | quote }}
            {{end}}
            {{ if .Values.auth.ldapbindpw }}
          - name: LDAP_BINDPW
            value: {{ .Values.auth.ldapbindpw | quote }}
            {{end}}
            {{ if .Values.auth.ldapfilter }}
          - name: LDAP_FILTER
            value: {{ .Values.auth.ldapfilter | quote }}
            {{end}}
            {{ if .Values.auth.ldapversion }}
          - name: LDAP_VERSION
            value: {{ .Values.auth.ldapversion | quote }}
            {{end}}
          {{end}}
          - name: XMPP_DOMAIN
            value: {{ .Values.app.name }}.{{ .Values.app.domain }}
            {{ if .Values.auth.guests}}
          - name: XMPP_GUEST_DOMAIN
            value: guest.{{ .Values.app.name }}.{{ .Values.app.domain }}
            {{end}}
          - name: XMPP_AUTH_DOMAIN
            value: auth.{{ .Values.app.name }}.{{ .Values.app.domain }}
          - name: XMPP_MUC_DOMAIN
            value: muc.{{ .Values.app.name }}.{{ .Values.app.domain }}
          - name: JICOFO_COMPONENT_SECRET
            value: {{ .Values.secrets.jicofo.component }}
          - name: JVB_COMPONENT_SECRET
            value: {{ .Values.secrets.jvb.component }}
          - name: JICOFO_AUTH_USER
            value: focus
          - name: JICOFO_AUTH_PASSWORD
            value: {{ .Values.secrets.jicofo.auth }}
          - name: JVB_AUTH_USER
            value: jvb
          - name: JVB_AUTH_PASSWORD
            value: {{ .Values.secrets.jvb.auth }}
          - name: LOG_LEVEL
            value: {{ .Values.logLevel }}
          - name: XMPP_INTERNAL_MUC_DOMAIN
            value: internal-muc.{{ .Values.app.name }}.{{ .Values.app.domain }}
          - name: TZ
            value: Europe/Paris

Also the line
#ldapfilter: (&(&(|(objectclass=person)))(|(samaccountname=%uid)(|(mailPrimaryAddress=%uid)(mail=%uid)))
in values-video.yaml seems misleading. To get it to work you should use %u as the variable, not %uid. My version (also slightly simplified by omitting superfluous operations) is
ldapfilter: (&(objectclass=person)(|(uid=%u)(|(mailPrimaryAddress=%u)(mail=%u))))

Hope this helps others

Wallenstein
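The following is an added example, not code from the issue above or from the ct-Open-Source chart. It reimplements, in Python, how saslauthd expands an `ldap_filter` template so the `%uid` versus `%u` difference can be reproduced without an LDAP server. Assumptions (mine): saslauthd's tokens are exactly two characters (`%u` the login name, `%U` the part before `@`, `%d` the part after `@`, `%%` a literal percent), so `%uid` is read as `%u` followed by the literal text `id`, and the substituted value is escaped as RFC 4515 requires so that a crafted login name cannot change the filter's structure. The checker also flags the commented-out line quoted from values-video.yaml, which is two filters placed side by side rather than one filter.

```python
"""Reimplementation of saslauthd-style LDAP filter expansion (added example,
not part of the ct-Open-Source chart; token semantics are an assumption)."""
import re

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

# Constructed inputs: the line quoted from values-video.yaml and the fixed one.
OLD_FILTER = ("(&(&(|(objectclass=person)))"
              "(|(samaccountname=%uid)(|(mailPrimaryAddress=%uid)(mail=%uid)))")
GOOD_FILTER = "(&(objectclass=person)(|(uid=%u)(|(mailPrimaryAddress=%u)(mail=%u))))"


def escape_value(value: str) -> str:
    """Escape a user-controlled value so it cannot inject filter syntax."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def expand_filter(template: str, login: str) -> str:
    """Expand two-character tokens the way saslauthd does (assumed behaviour).

    '%uid' is not a token of its own: it is '%u' followed by the literal 'id',
    which is why a filter written with %uid never matches a real account.
    """
    user, _, domain = login.partition("@")
    tokens = {
        "%u": escape_value(login),
        "%U": escape_value(user),
        "%d": escape_value(domain),
        "%%": "%",
    }
    return re.sub(r"%.", lambda m: tokens.get(m.group(0), m.group(0)), template)


def is_balanced(ldap_filter: str) -> bool:
    """True when parentheses nest properly and there is exactly one top-level filter."""
    depth = 0
    top_level = 0
    for ch in ldap_filter:
        if ch == "(":
            if depth == 0:
                top_level += 1
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0 and top_level == 1


if __name__ == "__main__":
    for name, tmpl in (("old", OLD_FILTER), ("good", GOOD_FILTER)):
        print(f"{name}: balanced={is_balanced(tmpl)}")
        print("  alice      ->", expand_filter(tmpl, "alice"))
        # A hostile login name stays inside the assertion value after escaping.
        print("  injection  ->", expand_filter(tmpl, "*)(uid=*"))
```

Run it as a script to see both expansions; the "old" template yields `samaccountname=aliceid` and is reported as unbalanced, while the corrected one yields `uid=alice` with a single well-formed top-level `&`.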