jicofo doesn't handle dynamic or multiple "login-url"s

[berolinux]

Description

I'm trying to get my self-hosted jitsi-installation to allow authenticating users from 2 subdomains using LDAP. In Prosody, this works:

VirtualHost "subdomain1.example.com"
  authentication = "ldap";
  ldap_server = "ldap.subdomain1.example.com:389";
  ldap_base = "dc=example,dc=com";
  ldap_filter = "(uid=$user)";
  [...]

VirtualHost "subdomain2.example.com"
  authentication = "ldap";
  ldap_server = "ldap.subdomain2.example.com:389";
  [...]

Everything is handled correctly here, I see the ldap query ending up on the right ldap server.

But it becomes a problem as soon as jicofo enters the picture:
If it is configured as

jicofo {
  authentication {
    enabled = true
    type = XMPP
    login-url = "subdomain1.example.com"
    allowed-domains = [
      "subdomain1.example.com",
      "subdomain2.example.com"
    ]
[...]

it works for users from subdomain1.example.com, but not users from subdomain2.example.com (who are authenticated correctly, but then rejected as "not authorized user domain".

If I change login-url to "subdomain2.example.com", it works for users from subdomain2.example.com, but not users from subdomain1.example.com.

It would be extremely useful if jicofo had a setting to allow picking the right one - either a login-url = "${domain}" (the domain is obviously known at that time...), or a method to specify multiple options (login-url = [ "subdomain1.example.com", "subdomain2.example.com" ]).

---

Current behavior

Prosody accepts the multiple subdomain configuration, but jicofo can (apparently) handle only one.

Expected Behavior

Multiple subdomain configuration works across all components

Possible Solution

Probably the best option would be to expand variables in the jicofo { authentication { login-url } } setting.

Steps to reproduce

Create a setup with multiple subdomains as given in the example in the description, try to log in with users from both subdomains

Environment details

jitsi/prosody:stable-9646 and jitsi/jicofo:stable-9646 docker containers

[damencho]

We have plans to drop any authentication code from jicofo. You better rely on prosody for anything that is authentication related.

[berolinux]

Thanks for the quick reply, dropping the duplicated authentication does seem to be the best way forward. But it isn't clear to me how to enforce authentication for moderators using only Prosody -- if I set authentication enabled=false in jicofo, unauthenticated users can become moderators.
Prosody's authentication works, but - other than using jicofo - I can't find a way to force a user trying to become moderator to authenticate. (authentication="anonymous" is in my Prosody config only for the guest.* VirtualHosts).
Any pointers?

[damencho]

You can add your custom prosody module that handles setting participants from the authenticated virtualhost to be moderators, and the guest domain will stay non moderator.