
jicofo doesn't handle dynamic or multiple "login-url"s #1179

Open
berolinux opened this issue Oct 16, 2024 · 3 comments


berolinux commented Oct 16, 2024

Description

I'm trying to get my self-hosted jitsi-installation to allow authenticating users from 2 subdomains using LDAP. In Prosody, this works:

VirtualHost "subdomain1.example.com"
  authentication = "ldap";
  ldap_server = "ldap.subdomain1.example.com:389";
  ldap_base = "dc=example,dc=com";
  ldap_filter = "(uid=$user)";
  [...]

VirtualHost "subdomain2.example.com"
  authentication = "ldap";
  ldap_server = "ldap.subdomain2.example.com:389";
  [...]

Everything is handled correctly here, I see the ldap query ending up on the right ldap server.

But it becomes a problem as soon as jicofo enters the picture:
If it is configured as

jicofo {
  authentication {
    enabled = true
    type = XMPP
    login-url = "subdomain1.example.com"
    allowed-domains = [
      "subdomain1.example.com",
      "subdomain2.example.com"
    ]
[...]

it works for users from subdomain1.example.com, but not for users from subdomain2.example.com (who are authenticated correctly, but then rejected as "not authorized user domain").

If I change login-url to "subdomain2.example.com", it works for users from subdomain2.example.com, but not users from subdomain1.example.com.

It would be extremely useful if jicofo had a setting to allow picking the right one - either a login-url = "${domain}" (the domain is obviously known at that time...), or a method to specify multiple options (login-url = [ "subdomain1.example.com", "subdomain2.example.com" ]).


Current behavior

Prosody accepts the multiple subdomain configuration, but jicofo can (apparently) handle only one.

Expected Behavior

Multiple subdomain configuration works across all components

Possible Solution

Probably the best option would be to expand variables in the jicofo { authentication { login-url } } setting.

Steps to reproduce

Create a setup with multiple subdomains as given in the example in the description, try to log in with users from both subdomains

Environment details

jitsi/prosody:stable-9646 and jitsi/jicofo:stable-9646 docker containers

@damencho (Member)

We have plans to drop any authentication code from jicofo. You better rely on prosody for anything that is authentication related.

berolinux (Author) commented Oct 16, 2024

Thanks for the quick reply, dropping the duplicated authentication does seem to be the best way forward. But it isn't clear to me how to enforce authentication for moderators using only Prosody -- if I set authentication enabled=false in jicofo, unauthenticated users can become moderators.
Prosody's authentication works, but - other than using jicofo - I can't find a way to force a user trying to become moderator to authenticate. (authentication="anonymous" is in my Prosody config only for the guest.* VirtualHosts).
Any pointers?

@damencho (Member)

You can add your custom prosody module that handles setting participants from the authenticated virtualhost to be moderators, and the guest domain will stay non moderator.
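The approach suggested in the comment above, as an added illustration that is not part of this thread and not a module shipped by Jitsi or Prosody: a small Prosody plugin that grants the "owner" (moderator) affiliation only to occupants whose real JID belongs to one of the authenticated VirtualHosts, so users from the anonymous guest domain keep the default affiliation and never become moderators. The module name `muc_moderators_by_domain` and the option name `muc_moderator_domains` are assumptions of this example; `util.jid`, `module:get_option_set`, the `muc-occupant-joined` event and `room:set_affiliation` are standard Prosody APIs.

```lua
-- mod_muc_moderators_by_domain.lua (example module, name is an assumption)
--
-- Enable it on the MUC component and list the authenticated hosts, e.g.:
--   Component "conference.example.com" "muc"
--       modules_enabled = { "muc_moderators_by_domain" }
--       muc_moderator_domains = { "subdomain1.example.com", "subdomain2.example.com" }
-- The guest VirtualHosts (authentication = "anonymous") are simply not listed.

local jid = require "util.jid";

-- Set of XMPP hosts whose (LDAP-authenticated) users may moderate rooms.
-- Option name is an assumption of this example.
local moderator_domains = module:get_option_set("muc_moderator_domains", {});

module:hook("muc-occupant-joined", function (event)
    local room, occupant = event.room, event.occupant;

    -- occupant.bare_jid is the real user@host behind the MUC nickname,
    -- i.e. the VirtualHost that actually authenticated this session.
    local host = jid.host(occupant.bare_jid);
    if host == nil then
        return;
    end

    if moderator_domains:contains(host) then
        -- Actor "true" tells the MUC code to skip the usual permission
        -- check, so the module itself can hand out the owner affiliation.
        room:set_affiliation(true, occupant.bare_jid, "owner");
        module:log("debug", "%s joined %s from authenticated host %s: granted owner",
            occupant.bare_jid, room.jid, host);
    else
        -- Anything else (guest.* hosts, unknown hosts) stays non-moderator.
        module:log("debug", "%s joined %s from host %s: no moderator rights",
            occupant.bare_jid, room.jid, host);
    end
end);
```

The decision is keyed on the host part of the authenticated JID rather than on a single configured login domain, which is exactly what jicofo's one-valued `login-url` cannot express; adding a second authenticated VirtualHost only requires listing it in the option. Because the affiliation is assigned server-side on join, a client cannot claim moderator status by choosing a nickname or by connecting through the guest host.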
