An example that I couldn’t find elsewhere on the internet: Configuring Jitsi Meet to use Google Secure LDAP for authentication.
You can read about my experience trying to debug this configuration and ultimately using Claude to get to an answer.
I won’t repeat the Jitsi documentation or Google’s documentation. Here’s the key bits you need to know:
You need
ldap_use_sasl: yes
. You don’t needldap_bind_dn
andldap_bind_pw
.
These configurations work on Ubuntu 22.04, assuming you followed all the other steps Jitsi and Google provided.
/etc/saslauthd.conf
- Replace
dc=example,dc=com
with your domain name using Distinguished Names format - Replace
/path/to/Google_xyz.crt
and/path/to/Google_xyz.key
with wherever you uploaded the certificates Google provided when you created your LDAP client. - Make sure your certificate and key files are owned by
root
and accessible to theprosody
user (or match your configuration). - This file is case sensitive in both keys and values.
# /etc/saslauthd.conf
ldap_servers: ldaps://ldap.google.com:636
ldap_search_base: dc=example,dc=com
ldap_filter: (mail=%u)
ldap_use_sasl: yes
ldap_sasl_mech: EXTERNAL
ldap_start_tls: no
ldap_tls_cert: /path/to/Google_xyz.crt
ldap_tls_key: /path/to/Google_xyz.key
ldap_tls_check_peer: yes
ldap_tls_cacert_file: /etc/ssl/certs/ca-certificates.crt
/etc/default/saslauthd
The key edits to this file are:
- Add
START=yes
- Set
MECHANISMS="ldap"
- Set
MECH_OPTIONS="/etc/saslauthd.conf"
This file is case sensitive in both keys and values.
START=yes
#
# Settings for saslauthd daemon
# Please read /usr/share/doc/sasl2-bin/README.Debian for details.
#
# Description of this saslauthd instance. Recommended.
# (suggestion: SASL Authentication Daemon)
DESC="SASL Authentication Daemon"
# Short name of this saslauthd instance. Strongly recommended.
# (suggestion: saslauthd)
NAME="saslauthd"
# Which authentication mechanisms should saslauthd use? (default: pam)
#
# Available options in this Debian package:
# getpwent -- use the getpwent() library function
# kerberos5 -- use Kerberos 5
# pam -- use PAM
# rimap -- use a remote IMAP server
# shadow -- use the local shadow password file
# sasldb -- use the local sasldb database file
# ldap -- use LDAP (configuration is in /etc/saslauthd.conf)
#
# Only one option may be used at a time. See the saslauthd man page
# for more information.
#
# Example: MECHANISMS="ldap"
MECHANISMS="ldap"
# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.
MECH_OPTIONS="/etc/saslauthd.conf"
# How many saslauthd processes should we run? (default: 5)
# A value of 0 will fork a new process for each connection.
THREADS=5
# Other options (default: -c -m /var/run/saslauthd)
# Note: You MUST specify the -m option or saslauthd won't run!
#
# WARNING: DO NOT SPECIFY THE -d OPTION.
# The -d option will cause saslauthd to run in the foreground instead of as
# a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
# to run saslauthd in debug mode, please run it by hand to be safe.
#
# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
# See the saslauthd man page and the output of 'saslauthd -h' for general
# information about these options.
#
# Example for chroot Postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
# Example for non-chroot Postfix users: "-c -m /var/run/saslauthd"
#
# To know if your Postfix is running chroot, check /etc/postfix/master.cf.
# If it has the line "smtp inet n - y - - smtpd" or "smtp inet n - - - - smtpd"
# then your Postfix is running in a chroot.
# If it has the line "smtp inet n - n - - smtpd" then your Postfix is NOT
# running in a chroot.
OPTIONS="-c -m /var/run/saslauthd"