Connecting Jitsi Meet to Active Directory: A Complete Guide to Configuration and Troubleshooting

Published on 2025-11-06


Jitsi Meet is an open videoconferencing platform that easily integrates with Active Directory (AD). Such integration allows using corporate accounts for login, simplifying administration and improving security. In this guide we’ll go through how to connect Jitsi Meet (in Docker) to AD based on Windows Server 2016, and show proven debugging methods that help avoid common errors.

Important: using LDAP without encryption is insecure. For testing this is acceptable, but in production you must use LDAPS (port 636) with valid certificates.


Preparing Active Directory

For integration we need a separate bind account through which Prosody will search for users and verify passwords.

1. Create the bind account

  1. In the Active Directory Users and Computers console create a new user, for example:

    • Name = bind
    • SamAccountName = binduser
  2. Set a strong password (for example, "YourStrongPassword!") and clear the "User must change password at next logon" flag.

  3. In the Delegation section grant “Read all user information” rights for the required OU.

2. Get the user’s DN

On the domain controller run the PowerShell command:

(Get-ADUser -Identity "binduser").DistinguishedName

Example output:

CN=bind,CN=Users,DC=example,DC=local

This DistinguishedName value is used when configuring Jitsi.

3. Relax the bind policy (for testing)

If the error Strong auth required appears, temporarily allow a looser mode:

Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" -Name "LDAPServerIntegrity" -Value 1
Restart-Service NTDS -Force

Value 1 enables “Negotiate signing” mode. After testing, it is important to set the value back to 2 and switch to LDAPS.


Configuring Jitsi Meet in Docker

In the root of the docker-jitsi-meet project edit the .env file, setting the LDAP parameters:

ENABLE_AUTH=1
AUTH_TYPE=ldap
LDAP_URL=ldap://your-dc.example.com:389/
LDAP_BASE=DC=example,DC=local
LDAP_BINDDN=CN=bind,CN=Users,DC=example,DC=local
LDAP_BINDPW=YourBindPassword
LDAP_FILTER=(sAMAccountName=%u)
LDAP_AUTH_METHOD=bind
LDAP_VERSION=3
LDAP_USE_TLS=0
LDAP_TLS_CHECK_PEER=0
ENABLE_GUESTS=0

To let users log in with an address of the form user@domain.local, change the filter to:

LDAP_FILTER=(userPrincipalName=%u)
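
The test values above (ldap://, LDAP_USE_TLS=0, LDAP_TLS_CHECK_PEER=0) must not reach production, and that can be checked mechanically. The shell function below is an added example, not part of docker-jitsi-meet or of the original guide; it reads the three variables shown in the .env above and treats ldaps://, LDAP_USE_TLS=1 and LDAP_TLS_CHECK_PEER=1 as the production baseline (an assumption). The names env_get and audit_ldap_env are hypothetical, and the sample file is constructed.

```shell
#!/usr/bin/env bash
# Added example (not from docker-jitsi-meet): audit the LDAP block of a .env file.
# Assumed production baseline: ldaps:// URL, LDAP_USE_TLS=1, LDAP_TLS_CHECK_PEER=1.

# env_get FILE KEY: print the last uncommented value assigned to KEY.
env_get() {
  sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d '\r'
}

# audit_ldap_env FILE: one finding per line; exit status = number of findings.
audit_ldap_env() {
  local file="$1" count=0 url port
  url=$(env_get "$file" LDAP_URL)
  case $url in
    ldaps://*)
      # An explicit port in ldaps://host:port/ should not be the cleartext port.
      port=$(printf '%s' "$url" | sed -n 's#^ldaps://[^/:]*:\([0-9]*\).*#\1#p')
      if [ "$port" = 389 ]; then
        echo "LDAP_URL: ldaps:// scheme on port 389; LDAPS uses 636"
        count=$((count + 1))
      fi ;;
    *)
      echo "LDAP_URL: '$url' is not ldaps://; passwords are sent unencrypted"
      count=$((count + 1)) ;;
  esac
  if [ "$(env_get "$file" LDAP_USE_TLS)" != 1 ]; then
    echo "LDAP_USE_TLS: expected 1 for production"
    count=$((count + 1))
  fi
  if [ "$(env_get "$file" LDAP_TLS_CHECK_PEER)" != 1 ]; then
    echo "LDAP_TLS_CHECK_PEER: expected 1 so the DC certificate is verified"
    count=$((count + 1))
  fi
  return "$count"
}

# Constructed sample: the test-only values used in this guide.
sample=$(mktemp)
cat > "$sample" <<'EOF'
LDAP_URL=ldap://your-dc.example.com:389/
LDAP_USE_TLS=0
LDAP_TLS_CHECK_PEER=0
EOF
audit_ldap_env "$sample" || echo "findings: $?"
rm -f "$sample"
```

Because the exit status is the number of findings, the function can gate a deployment script: a clean file returns 0.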

Configuring DNS via extra_hosts

Sometimes the prosody container cannot see the domain controller if Docker uses public DNS. To avoid this issue, specify the DC’s IP address manually via extra_hosts in docker-compose.yaml.

Example section:

services:
  prosody:
    image: jitsi/prosody:latest
    extra_hosts:
      - "your-dc.example.com:192.168.1.10"

After that restart the stack:

docker compose down
docker compose up -d

Checking Prosody Configuration

To make sure the settings have applied, enter the prosody container and open the file:

docker compose exec prosody bash
cat /etc/saslauthd.conf

The parameters should match the variables from .env.


Testing and Debugging

Before enabling authentication you need to ensure LDAP and SASL work correctly.

1. Install tools

apt-get update
apt-get install -y ldap-utils 

2. Check the bind account

ldapsearch -x -H ldap://your-dc.example.com:389 \
  -D "CN=bind,CN=Users,DC=example,DC=local" \
  -w 'YourBindPassword' \
  -b "DC=example,DC=local" "(sAMAccountName=user)"

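If the command returns the user entry, the connection is established successfully. Note that -w leaves the bind password in the shell history and the process list; ldapsearch's -W option prompts for it instead.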

3. Check user authentication

testsaslauthd -u user -p 'UserPassword' -s xmpp -r meet.jitsi

Expected result:

0: OK "Success."

Verifying Login via Web Interface

After configuration open https://your-jitsi.com and log in with an AD account. If everything is set up correctly, login succeeds and the user can create conferences.


Debugging and Diagnostics

To avoid wasting time guessing, perform debugging step-by-step.

Check network connection and AD availability

| Check | Command | Expected result | Possible cause of error |
|---|---|---|---|
| Ping DC | ping your-dc.example.com | Reply from DC | DNS issue; add extra_hosts. |
| Bind as binduser | ldapsearch ... | AD objects output | Wrong DN or password. |
| Search for user | (sAMAccountName=user) | Entry found | Filter or OU mistake. |
| Bind as user | ldapsearch -x -H ... -D "user@example.local" -w 'Pass' | Success | LDAPServerIntegrity restrictions. |

View Prosody logs

docker compose logs prosody | grep -i "auth\|ldap\|failure"

For more detailed diagnostics enable debug mode for saslauthd:

killall saslauthd
saslauthd -d -a ldap -O /etc/saslauthd.conf -n 5

Then run the check:

testsaslauthd -u user -p 'Password' -s xmpp -r meet.jitsi

Common errors:

  • Unknown — incorrect DN or filter.
  • Invalid credentials — wrong binduser password.
  • Bind failed — TLS issue or AD security policy.

Check account status in Active Directory

On the domain controller you can check the account status:

Get-ADUser user -Properties LockedOut, BadLogonCount, DistinguishedName
Unlock-ADAccount -Identity user

Failed login attempts are shown in Event Viewer → Windows Logs → Security (event 4625). If there are no such entries, Jitsi is not connecting to AD.


Common Problems and Solutions

| Error | Cause | Solution |
|---|---|---|
| authentication failed | Incorrect user password | Reset the password in AD. |
| Unknown | Incorrect DN or filter | Verify DN using Get-ADUser. |
| Strong auth required | Strict AD policy | For testing, set LDAPServerIntegrity=1; for production, use LDAPS. |
| User not found | Filter error | For AD use (sAMAccountName=%u). |
| TLS error | Missing certificate | Configure LDAPS and add a trusted certificate. |

Conclusion

Integrating Jitsi Meet with Active Directory centralizes authentication, making it secure and convenient. The main points are to correctly specify the DN and LDAP filters, and thoroughly check the connection using ldapsearch and testsaslauthd. After a successful setup it’s important to enable LDAPS and restore strict security policies on the domain controller.
