prosody: introduce AUTH_TYPE

It simplifies selecting the desired authentication type, instead of
having a boolean for each.
pull/104/head
Saúl Ibarra Corretgé 6 years ago
parent 9ff3ce295c
commit 8da61612e9
  1. 36
      README.md
  2. 3
      docker-compose.yml
  3. 9
      env.example
  4. 20
      prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua
  5. 2
      prosody/rootfs/defaults/saslauthd.conf

@ -130,9 +130,27 @@ Variable | Description | Example
--- | --- | --- --- | --- | ---
`ENABLE_AUTH` | Enable authentication | 1 `ENABLE_AUTH` | Enable authentication | 1
`ENABLE_GUESTS` | Enable guest access | 1 `ENABLE_GUESTS` | Enable guest access | 1
`ENABLE_LDAP_AUTH` | Enable authentication via LDAP. Depends on `ENABLE_AUTH` | 1 `AUTH_TYPE` | Select authentication type (internal, jwt or ldap) | internal
Variables that might be configured if the `ENABLE_LDAP_AUTH` is set: #### Internal authentication
The default authentication mode (`internal`) uses XMPP credentials to authenticate users.
To enable it you have to enable authentication with `ENABLE_AUTH` and set `AUTH_TYPE` to `internal`,
then configure the settings you can see below.
Internal users must be created with the ``prosodyctl`` utility in the ``prosody`` container.
In order to do that, first execute a shell in the corresponding container:
``docker-compose exec prosody /bin/bash``
Once in the container, run the following command to create a user:
``prosodyctl --config /config/prosody.cfg.lua register user meet.jitsi password``
#### Authentication using LDAP
You can use LDAP to authenticate users. To enable it you have to enable authentication with `ENABLE_AUTH` and
set `AUTH_TYPE` to `ldap`, then configure the settings you can see below.
Variable | Description | Example Variable | Description | Example
--- | --- | --- --- | --- | ---
@ -149,23 +167,13 @@ Variable | Description | Example
`LDAP_TLS_CACERT_FILE` | Path to CA cert file. Used when server sertificate verify is enabled | /etc/ssl/certs/ca-certificates.crt `LDAP_TLS_CACERT_FILE` | Path to CA cert file. Used when server sertificate verify is enabled | /etc/ssl/certs/ca-certificates.crt
`LDAP_TLS_CACERT_DIR` | Path to CA certs directory. Used when server sertificate verify is enabled. | /etc/ssl/certs `LDAP_TLS_CACERT_DIR` | Path to CA certs directory. Used when server sertificate verify is enabled. | /etc/ssl/certs
Internal users must be created with the ``prosodyctl`` utility in the ``prosody`` container.
In order to do that, first execute a shell in the corresponding container:
``docker-compose exec prosody /bin/bash``
Once in the container, run the following command to create a user:
``prosodyctl --config /config/prosody.cfg.lua register user meet.jitsi password``
#### Authentication using JWT tokens #### Authentication using JWT tokens
You can also use JWT tokens to authenticate users. To enable it you have to enable authentication via both You can use JWT tokens to authenticate users. To enable it you have to enable authentication with `ENABLE_AUTH` and
`ENABLE_AUTH` & `JWT_ENABLE_TOKEN_AUTH` environment variables and configure the settings you can see below. set `AUTH_TYPE` to `jwt`, then configure the settings you can see below.
Variable | Description | Example Variable | Description | Example
--- | --- | --- --- | --- | ---
`JWT_ENABLE_TOKEN_AUTH` | Enable authentication via JWT tokens | 1
`JWT_APP_ID` | Application identifier | my_jitsi_app_id `JWT_APP_ID` | Application identifier | my_jitsi_app_id
`JWT_APP_SECRET` | Application secret known only to your token | my_jitsi_app_secret `JWT_APP_SECRET` | Application secret known only to your token | my_jitsi_app_secret
`JWT_ACCEPTED_ISSUERS` | (Optional) Set asap_accepted_issuers as a comma separated list | my_web_client,my_app_client `JWT_ACCEPTED_ISSUERS` | (Optional) Set asap_accepted_issuers as a comma separated list | my_web_client,my_app_client

@ -38,9 +38,9 @@ services:
volumes: volumes:
- ${CONFIG}/prosody:/config - ${CONFIG}/prosody:/config
environment: environment:
- AUTH_TYPE
- ENABLE_AUTH - ENABLE_AUTH
- ENABLE_GUESTS - ENABLE_GUESTS
- ENABLE_LDAP_AUTH
- LDAP_URL - LDAP_URL
- LDAP_BASE - LDAP_BASE
- LDAP_BINDDN - LDAP_BINDDN
@ -68,7 +68,6 @@ services:
- JVB_AUTH_PASSWORD - JVB_AUTH_PASSWORD
- JIGASI_XMPP_USER - JIGASI_XMPP_USER
- JIGASI_XMPP_PASSWORD - JIGASI_XMPP_PASSWORD
- JWT_ENABLE_TOKEN_AUTH
- JWT_APP_ID - JWT_APP_ID
- JWT_APP_SECRET - JWT_APP_SECRET
- JWT_ACCEPTED_ISSUERS - JWT_ACCEPTED_ISSUERS

@ -62,13 +62,12 @@ TZ=Europe/Amsterdam
# Enable guest access. # Enable guest access.
#ENABLE_GUESTS=1 #ENABLE_GUESTS=1
# Select authentication type: internal, jwt or ldap
#AUTH_TYPE=internal
# JWT auuthentication # JWT auuthentication
# #
# Enable authentication via JWT tokens.
#JWT_ENABLE_TOKEN_AUTH=1
# Application identifier. # Application identifier.
#JWT_APP_ID=my_jitsi_app_id #JWT_APP_ID=my_jitsi_app_id
@ -85,10 +84,6 @@ TZ=Europe/Amsterdam
# LDAP authentication (for more information see the Cyrus SASL saslauthd.conf man page) # LDAP authentication (for more information see the Cyrus SASL saslauthd.conf man page)
# #
# Enable LDAP authentication in prosody via SASL mechanism.
# Note: turn on ENABLE_AUTH for get it work.
#ENABLE_LDAP_AUTH=1
# LDAP url for connection. # LDAP url for connection.
#LDAP_URL=ldaps://ldap.domain.com/ #LDAP_URL=ldaps://ldap.domain.com/
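Review bot: The new `# Select authentication type: internal, jwt or ldap` comment loses the dependency that the removed `# Note: turn on ENABLE_AUTH for get it work.` line documented; in the prosody template the AUTH_TYPE choice appears to take effect only when ENABLE_AUTH is true, and env.example is the file operators actually edit. Suggest `# Select authentication type: internal, jwt or ldap (only used when ENABLE_AUTH=1)` so the relationship is not lost with the old boolean.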

@ -2,26 +2,29 @@ admins = { "{{ .Env.JICOFO_AUTH_USER }}@{{ .Env.XMPP_AUTH_DOMAIN }}" }
plugin_paths = { "/prosody-plugins/", "/prosody-plugins-custom" } plugin_paths = { "/prosody-plugins/", "/prosody-plugins-custom" }
http_default_host = "{{ .Env.XMPP_DOMAIN }}" http_default_host = "{{ .Env.XMPP_DOMAIN }}"
{{ if and (.Env.ENABLE_AUTH | default "0" | toBool) (.Env.JWT_ENABLE_TOKEN_AUTH | default "0" | toBool) .Env.JWT_ACCEPTED_ISSUERS }} {{ $ENABLE_AUTH := .Env.ENABLE_AUTH | default "0" | toBool }}
{{ $AUTH_TYPE := .Env.AUTH_TYPE | default "internal" }}
{{ if and $ENABLE_AUTH (eq $AUTH_TYPE "jwt") .Env.JWT_ACCEPTED_ISSUERS }}
asap_accepted_issuers = { "{{ join "\",\"" (splitList "," .Env.JWT_ACCEPTED_ISSUERS) }}" } asap_accepted_issuers = { "{{ join "\",\"" (splitList "," .Env.JWT_ACCEPTED_ISSUERS) }}" }
{{ end }} {{ end }}
{{ if and (.Env.ENABLE_AUTH | default "0" | toBool) (.Env.JWT_ENABLE_TOKEN_AUTH | default "0" | toBool) .Env.JWT_ACCEPTED_AUDIENCES }} {{ if and $ENABLE_AUTH (eq $AUTH_TYPE "jwt") .Env.JWT_ACCEPTED_AUDIENCES }}
asap_accepted_audiences = { "{{ join "\",\"" (splitList "," .Env.JWT_ACCEPTED_AUDIENCES) }}" } asap_accepted_audiences = { "{{ join "\",\"" (splitList "," .Env.JWT_ACCEPTED_AUDIENCES) }}" }
{{ end }} {{ end }}
VirtualHost "{{ .Env.XMPP_DOMAIN }}" VirtualHost "{{ .Env.XMPP_DOMAIN }}"
{{ if .Env.ENABLE_AUTH | default "0" | toBool }} {{ if $ENABLE_AUTH }}
{{ if .Env.JWT_ENABLE_TOKEN_AUTH | default "0" | toBool }} {{ if eq $AUTH_TYPE "jwt" }}
authentication = "token" authentication = "token"
app_id = "{{ .Env.JWT_APP_ID }}" app_id = "{{ .Env.JWT_APP_ID }}"
app_secret = "{{ .Env.JWT_APP_SECRET }}" app_secret = "{{ .Env.JWT_APP_SECRET }}"
allow_empty_token = false allow_empty_token = false
{{ else if .Env.ENABLE_LDAP_AUTH | default "0" | toBool }} {{ else if eq $AUTH_TYPE "ldap" }}
authentication = "cyrus" authentication = "cyrus"
cyrus_application_name = "xmpp" cyrus_application_name = "xmpp"
allow_unencrypted_plain_auth = true allow_unencrypted_plain_auth = true
{{ else }} {{ else if eq $AUTH_TYPE "internal" }}
authentication = "internal_plain" authentication = "internal_plain"
{{ end }} {{ end }}
{{ else }} {{ else }}
@ -38,14 +41,14 @@ VirtualHost "{{ .Env.XMPP_DOMAIN }}"
{{ if .Env.XMPP_MODULES }} {{ if .Env.XMPP_MODULES }}
"{{ join "\";\n\"" (splitList "," .Env.XMPP_MODULES) }}"; "{{ join "\";\n\"" (splitList "," .Env.XMPP_MODULES) }}";
{{ end }} {{ end }}
{{ if .Env.ENABLE_LDAP_AUTH | default "0" | toBool }} {{ if and $ENABLE_AUTH (eq $AUTH_TYPE "ldap") }}
"auth_cyrus"; "auth_cyrus";
{{end}} {{end}}
} }
c2s_require_encryption = false c2s_require_encryption = false
{{ if and (.Env.ENABLE_AUTH | default "0" | toBool) (.Env.ENABLE_GUESTS | default "0" | toBool) }} {{ if and $ENABLE_AUTH (.Env.ENABLE_GUESTS | default "0" | toBool) }}
VirtualHost "{{ .Env.XMPP_GUEST_DOMAIN }}" VirtualHost "{{ .Env.XMPP_GUEST_DOMAIN }}"
authentication = "anonymous" authentication = "anonymous"
c2s_require_encryption = false c2s_require_encryption = false
@ -81,3 +84,4 @@ Component "{{ .Env.XMPP_MUC_DOMAIN }}" "muc"
Component "focus.{{ .Env.XMPP_DOMAIN }}" Component "focus.{{ .Env.XMPP_DOMAIN }}"
component_secret = "{{ .Env.JICOFO_COMPONENT_SECRET }}" component_secret = "{{ .Env.JICOFO_COMPONENT_SECRET }}"
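Review bot: Replacing the unconditional `{{ else }}` with `{{ else if eq $AUTH_TYPE "internal" }}` as the last branch means an unrecognized AUTH_TYPE value (a typo, or a different casing such as `LDAP`) renders the VirtualHost with authentication enabled but no `authentication =` line at all, so the host silently falls back to whatever Prosody's global default provider is rather than the explicit `internal_plain` the old template produced. Since `$AUTH_TYPE` is taken from the environment unnormalised on the `{{ $AUTH_TYPE := .Env.AUTH_TYPE | default "internal" }}` line, this is easy to hit and hard to notice. Either keep `{{ else }}` as the final branch so `authentication = "internal_plain"` stays the explicit fallback, or add a trailing `{{ else }}` branch that aborts rendering on an unknown value so the misconfiguration surfaces at startup instead of at login time. The VirtualHost block continues past the end of the hunk.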

@ -1,4 +1,4 @@
{{ if .Env.ENABLE_LDAP_AUTH | default "0" | toBool }} {{ if eq (.Env.AUTH_TYPE | default "internal") "ldap" }}
ldap_servers: {{ .Env.LDAP_URL }} ldap_servers: {{ .Env.LDAP_URL }}
ldap_search_base: {{ .Env.LDAP_BASE }} ldap_search_base: {{ .Env.LDAP_BASE }}
ldap_bind_dn: {{ .Env.LDAP_BINDDN }} ldap_bind_dn: {{ .Env.LDAP_BINDDN }}
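Review bot: The new condition `{{ if eq (.Env.AUTH_TYPE | default "internal") "ldap" }}` keys on AUTH_TYPE alone, whereas jitsi-meet.cfg.lua now loads `auth_cyrus` only under `and $ENABLE_AUTH (eq $AUTH_TYPE "ldap")`; with ENABLE_AUTH unset and AUTH_TYPE=ldap the LDAP bind settings are still written into saslauthd.conf even though prosody never consults it. If that asymmetry is intentional a one-line comment saying so would help; otherwise gating here as well, e.g. `{{ if and (.Env.ENABLE_AUTH | default "0" | toBool) (eq (.Env.AUTH_TYPE | default "internal") "ldap") }}`, keeps the two templates in step. The `{{ if }}` block closes outside the hunk.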
