Categorygithub.com/jech/galene-ldap
modulepackage
0.0.0-20250115222047-6de51be51aed
Repository: https://github.com/jech/galene-ldap.git
Documentation: pkg.go.dev
Overview
Versions
1
Dependencies
25
Dependents
0
Files
543 SLOC

# README

Galene-ldap: LDAP integration for the Galene videoconferencing server.

For more information about Galene, please see https://galene.org.

  1. Build galene-ldap

    CGO_ENABLED=0 go build -ldflags='-s -w'

  2. Create galene-ldap.json

There are two ways to perform client authentication using LDAP: using the BIND request or matching passwords on the client side. Using BIND is recommended.

In order to use BIND, your galene-ldap.json should look like this:

{
  "httpAddress": ":8444",
  "ldapServer": "ldap://localhost:389",
  "ldapBase": "ou=users,dc=yunohost,dc=org",
  "key": {"alg":"HS256","k":"xxx","key_ops":["sign","verify"],"kty":"oct"},
  "groups": ["test-auth"],
}

The field groups indicates the set of Galene groups that galene-ldap will authorise; you will also need to configure these groups on the Galene side (see below).

The field key should be a (private or shared) key in JWK format; You can generate a shared key using:

jose jwk gen -i '{"kty":"oct","alg":"HS256"}' -o shared.jwk

and a private/public keypair using

jose jwk gen -i '{"kty":"EC","alg":"ES256"}' -o private.jwk
jose jwk pub -i private.jwk -o public.jwk

In order to use client-side matching, set the field ldapClientSideValidate to true, and define a privileged user with access to the passwords using the fields ldapAuthDN and ldapAuthPassword:

{
  "httpAddress": ":8444",
  "ldapServer": "ldap://localhost:389",
  "ldapBase": "ou=users,dc=yunohost,dc=org",
  "ldapClientSideValidate": true,
  "ldapAuthDN": "cn=admin,dc=yunohost,dc=org",
  "ldapAuthPassword": "xxx",
  "key": {"alg":"HS256","k":"xxx","key_ops":["sign","verify"],"kty":"oct"},
  "groups": ["test-auth"],
}

3. Provide a TLS server certificate

cp /etc/letsencrypt/live/example.org/privkey.pem key.pem
cp /etc/letsencrypt/live/example.org/fullchain.pem cert.pem

4. Run galene-ldap

nohup ./galene-ldap -debug &

5. Configure a group in Galene

Create a file groups/test-auth.json with the following contents:

{
    "authServer": "https://galene-ldap.example.org:8444",
    "authKeys": [
      {"alg":"HS256","k":"xxx","key_ops":["sign","verify"],"kty":"oct"}
    ]
}

The authServer field is the URL at which you instance of galene-ldap is publicly accessible (it is okay to put it behind a reverse proxy). The authKeys field is a list of keys, and must include the key used by galene-ldap (or at least its public part, if you're using asymmetric keying).

Configuration file reference

The galene-ldap.json file may contain the following fields:

  • groups, the set of groups we will validate; requests for groups outside this set will cause the client to fail login or to fallback to password authentication, depending on passwordFallback;
  • passwordFallback, if true, then the client will be instructed to fallback to password authentication if the group or user is not found; by default, we instruct the client fail logins for unknown users, which avoids leaking passwords to the server;
  • httpAddress, the address on which the HTTPS server listens, in the format host:port;
  • insecure, if true we run HTTP instead of HTTPS; this is only suitable when running behind a reverse proxy that terminates TLS;
  • key, the key used for signing tokens, in JWK format;
  • ldapServer, the URL of the LDAP server (ldap:// or ldaps://);
  • ldapBase, the base DN used for user searches;
  • ldapAuthDN and ldapAuthPassword, the DN and password we will bind as before performing a search; it not specified, we perform an anonymous BIND;
  • ldapClientSideValidate, if true, then we validate passwords in the client; by default, we validate passwords by attempting a BIND.
  • defaultPermissions: the permissions to give to users. If not set, it defaults to ["present", "message"].

-- Juliusz Chroboczek