Authentication support?

BrutalBirdie

@ocelotsloth ldap integration is comming in the near future.

rmdes

@ocelotsloth a temporary "fix" would be to add a basic auth with .htpasswd authentication
in the nginx conf file of your jitsi app /etc/nginx/applications/

find the name of your nginx conf file with

step 2 and step 3 from here https://www.cyberciti.biz/faq/nginx-password-protect-directory-with-nginx-htpasswd-authentication/ should do the work

beware you're modifying a cloudron generated file that could change later and remove your changes.

chetbaker

@rmdes just a clarification question about that temporary "fix": will that mean you are password protecting the subdomain of your self-hosted jitsi homepage or just anyone willing to join a created meeting will need a password to log in?

rmdes

@chetbaker both
You can use this approach to create several users/pass allowing other people to join
but the moment you put this in place, you can't access the jitsi without a user/pass

chetbaker

@rmdes thanks! I was digging in some of the jitsi documentation and there's something called secure domain that in the handbook seems to be different than LDAP. Would that work?

rmdes

@chetbaker I don't think so, better wait for LDAP support cos it will bring you authentication and a closed jitsi server in one shot

chetbaker

@rmdes oh no, for sure! I was thinking more on something like this while we wait for LDAP

rmdes

@chetbaker This could be a path to explore outside of a cloudron context, but within cloudron I'm not sure I have the know-how to talk about this, maybe @nebulon can chime in?

nebulon

Package version 0.2.0 now has LDAP integration. This allows authentication of users but also enables the guest mode as outlined in https://jitsi.github.io/handbook/docs/devops-guide/secure-domain#enable-anonymous-login-for-guests

imc67

@nebulon very good news!!

How do we disable anonymous access so only LDAP?

hakunamatata

@nebulon
I just installed the update but now the app is stuck starting. Log excerpt:

Mar 02 22:57:04 => Ensure directories
Mar 02 22:57:04 => Create configs
Mar 02 22:57:04 ==> Configuring static assets
Mar 02 22:57:04 ==> Configuring SASLauthd for LDAP
Mar 02 22:57:04 /app/code/start.sh: line 17: CLOUDRON_LDAP_URL: unbound variable
Mar 02 22:57:05 => Ensure directories
Mar 02 22:57:05 => Create configs
Mar 02 22:57:05 ==> Configuring static assets
Mar 02 22:57:05 ==> Configuring SASLauthd for LDAP
Mar 02 22:57:05 /app/code/start.sh: line 17: CLOUDRON_LDAP_URL: unbound variable
Mar 02 22:57:06 => Ensure directories
Mar 02 22:57:06 => Create configs
Mar 02 22:57:06 ==> Configuring static assets
Mar 02 22:57:06 ==> Configuring SASLauthd for LDAP
Mar 02 22:57:06 /app/code/start.sh: line 17: CLOUDRON_LDAP_URL: unbound variable
Mar 02 22:57:07 => Ensure directories
Mar 02 22:57:07 => Create configs
Mar 02 22:57:07 ==> Configuring static assets
Mar 02 22:57:07 ==> Configuring SASLauthd for LDAP
Mar 02 22:57:07 /app/code/start.sh: line 17: CLOUDRON_LDAP_URL: unbound variable
Mar 02 22:57:09 => Ensure directories
Mar 02 22:57:09 => Create configs
Mar 02 22:57:09 ==> Configuring static assets
Mar 02 22:57:09 ==> Configuring SASLauthd for LDAP
Mar 02 22:57:09 /app/code/start.sh: line 17: CLOUDRON_LDAP_URL: unbound variable
Mar 02 22:57:11 => Ensure directories
Mar 02 22:57:11 => Create configs
Mar 02 22:57:11 ==> Configuring static assets
Mar 02 22:57:11 ==> Configuring SASLauthd for LDAP
Mar 02 22:57:11 /app/code/start.sh: line 17: CLOUDRON_LDAP_URL: unbound variable

Running Cloudron v7.1.2 on Ubuntu 20.04.3 LTS. Reverted to Jitsi package v0.1.0 for now.

avatar1024

@hakunamatata Same here

girish

@nebulon I guess the package should have optionalSso flag set?

nebulon

As this is still an app marked as unstable, update issues are to be expected. Since the current package relies on LDAP and does not yet support optionalSso, existing instances have to be reintsalled. Since jitsi is mostly stateless though, this shouldn't be an issue. Sorry for not mentioning this upfront.

luckow

@nebulon My expected behavior is: starting a new conference/meeting brings a pop-up ("if you are the moderator, please sign in"). But this does not work with the new package (yes, fresh install) at first. It feels like the public jitsi from the first package. Am I missing any configuration?

jdaviescoates

@nebulon I just installed a fresh install to see/ test LDAP support but when installing it just talks about "Dahboard visibility" not "User management" like other LDAP enabled apps:

jdaviescoates

@nebulon and when going to https://meet.uniteddiversity.coop/ any anonymous user can still create a room and be granted moderator rights on the room they create. Looks like something isn't quite right.

I'm still on Cloudron 7.0.4 is LDAP Jitsi only available on 7.1 or something?

nebulon

@jdaviescoates you are right, the jitsi app package version 0.2.0 is only available for Cloudrons running 7.1.2

luckow

@nebulon Interesting phenomenon: there is a folder in Prosody that cannot be accessed via the Web Filemanger. In the terminal, this is not a problem.

nebulon

@luckow that seems to be a filemanager client side bug. Thanks for reporting.

Regardless of that, I do wonder if that folder needs to be there in the first place. There is nothing which should be changed or touched by the admin without risking breaking, so I think I will move most of that, if not all to /run