Configuring Jitsi to use Google Secure LDAP

An example that I couldn’t find elsewhere on the internet: Configuring Jitsi Meet to use Google Secure LDAP for authentication.

You can read about my experience trying to debug this configuration and ultimately using Claude to get to an answer.

I won’t repeat the Jitsi documentation or Google’s documentation. Here are the key bits you need to know:

You need ldap_use_sasl: yes together with ldap_sasl_mech: EXTERNAL: saslauthd then authenticates to Google with the client certificate and key over TLS, so you don’t need ldap_bind_dn and ldap_bind_pw.

These configurations work on Ubuntu 22.04, assuming you followed all the other steps Jitsi and Google provided.

/etc/saslauthd.conf

  • Replace dc=example,dc=com with your domain in Distinguished Name (DN) format.
  • Replace /path/to/Google_xyz.crt and /path/to/Google_xyz.key with the paths where you uploaded the certificate and key Google provided when you created your LDAP client.
  • Make sure your certificate and key files are owned by root and accessible to the prosody user (or match your configuration).
  • This file is case sensitive in both keys and values.

# /etc/saslauthd.conf
ldap_servers: ldaps://ldap.google.com:636
ldap_search_base: dc=example,dc=com
ldap_filter: (mail=%u)
ldap_use_sasl: yes
ldap_sasl_mech: EXTERNAL
ldap_start_tls: no
ldap_tls_cert: /path/to/Google_xyz.crt
ldap_tls_key: /path/to/Google_xyz.key
ldap_tls_check_peer: yes
ldap_tls_cacert_file: /etc/ssl/certs/ca-certificates.crt
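A pre-flight check for the file above, as an added example that is not part of the original post or of the Jitsi or Google documentation: it reads an saslauthd.conf with exact-case matching (the caveat noted above), flags a leftover ldap_bind_dn or ldap_bind_pw that SASL EXTERNAL does not use, and confirms that the certificate and key Google issued belong to each other. The /path/to/Google_xyz.* paths, user@example.com and the password are placeholders.

```sh
#!/bin/sh
# Added example (not from the post, Jitsi, or Google): sanity-check an
# saslauthd.conf for Google Secure LDAP before restarting saslauthd.
# Paths such as /path/to/Google_xyz.crt are placeholders.

# Print the value of key $2 from file $1. Matching is exact-case on purpose,
# because saslauthd treats keys and values case-sensitively.
conf_get() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1
}

# Check the settings that SASL EXTERNAL against ldap.google.com needs.
# Prints one line per problem and returns non-zero if any were found.
check_saslauthd_conf() {
    conf="$1"; rc=0
    [ "$(conf_get "$conf" ldap_use_sasl)" = "yes" ] \
        || { echo "ldap_use_sasl must be exactly 'yes'"; rc=1; }
    [ "$(conf_get "$conf" ldap_sasl_mech)" = "EXTERNAL" ] \
        || { echo "ldap_sasl_mech must be exactly 'EXTERNAL'"; rc=1; }
    [ "$(conf_get "$conf" ldap_servers)" = "ldaps://ldap.google.com:636" ] \
        || { echo "ldap_servers should be ldaps://ldap.google.com:636"; rc=1; }
    [ "$(conf_get "$conf" ldap_tls_check_peer)" = "yes" ] \
        || { echo "ldap_tls_check_peer should be 'yes' so Google's server cert is verified"; rc=1; }
    # The client certificate replaces a bind DN/password; a leftover is a
    # sign the file was copied from a password-bind setup.
    for k in ldap_bind_dn ldap_bind_pw; do
        [ -z "$(conf_get "$conf" "$k")" ] \
            || { echo "$k is not used with SASL EXTERNAL; remove it"; rc=1; }
    done
    for k in ldap_tls_cert ldap_tls_key; do
        [ -n "$(conf_get "$conf" "$k")" ] || { echo "$k is missing"; rc=1; }
    done
    return "$rc"
}

# Confirm the certificate and key Google issued belong together; a mismatch
# otherwise surfaces only as an opaque TLS handshake failure in the logs.
check_client_cert() {
    cert="$1"; key="$2"
    [ -r "$cert" ] && [ -r "$key" ] \
        || { echo "certificate or key not readable"; return 1; }
    [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
        || { echo "certificate and key do not match"; return 1; }
}

# Typical use on the server (run as root, since the key is root-owned):
#   check_saslauthd_conf /etc/saslauthd.conf &&
#   check_client_cert /path/to/Google_xyz.crt /path/to/Google_xyz.key &&
#   systemctl restart saslauthd &&
#   testsaslauthd -u user@example.com -p 'password'   # end-to-end login test
```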

/etc/default/saslauthd

The key edits to this file are:

  • Add START=yes
  • Set MECHANISMS="ldap"
  • Set MECH_OPTIONS="/etc/saslauthd.conf"

This file is case sensitive in both keys and values.

START=yes

#
# Settings for saslauthd daemon
# Please read /usr/share/doc/sasl2-bin/README.Debian for details.
#

# Description of this saslauthd instance. Recommended.
# (suggestion: SASL Authentication Daemon)
DESC="SASL Authentication Daemon"

# Short name of this saslauthd instance. Strongly recommended.
# (suggestion: saslauthd)
NAME="saslauthd"

# Which authentication mechanisms should saslauthd use? (default: pam)
#
# Available options in this Debian package:
# getpwent  -- use the getpwent() library function
# kerberos5 -- use Kerberos 5
# pam       -- use PAM
# rimap     -- use a remote IMAP server
# shadow    -- use the local shadow password file
# sasldb    -- use the local sasldb database file
# ldap      -- use LDAP (configuration is in /etc/saslauthd.conf)
#
# Only one option may be used at a time. See the saslauthd man page
# for more information.
#
# Example: MECHANISMS="ldap"
MECHANISMS="ldap"

# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.
MECH_OPTIONS="/etc/saslauthd.conf"

# How many saslauthd processes should we run? (default: 5)
# A value of 0 will fork a new process for each connection.
THREADS=5

# Other options (default: -c -m /var/run/saslauthd)
# Note: You MUST specify the -m option or saslauthd won't run!
#
# WARNING: DO NOT SPECIFY THE -d OPTION.
# The -d option will cause saslauthd to run in the foreground instead of as
# a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
# to run saslauthd in debug mode, please run it by hand to be safe.
#
# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
# See the saslauthd man page and the output of 'saslauthd -h' for general
# information about these options.
#
# Example for chroot Postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
# Example for non-chroot Postfix users: "-c -m /var/run/saslauthd"
#
# To know if your Postfix is running chroot, check /etc/postfix/master.cf.
# If it has the line "smtp inet n - y - - smtpd" or "smtp inet n - - - - smtpd"
# then your Postfix is running in a chroot.
# If it has the line "smtp inet n - n - - smtpd" then your Postfix is NOT
# running in a chroot.
OPTIONS="-c -m /var/run/saslauthd"