Special configuration

Enabling guest users for Meeting rooms

Available starting with Kopano Meet 0.18.0.

Kopano Meet supports the possibility to invite external users (which do not have a user account of their own and therefore connat llgin through Konnect) into dedicated Meeting rooms. These rooms can be identified by their url.

The following components need to be available and configured to allow external users:

  • Kopano Konnect (minimal required version >=0.20.0)
  • Kopano Kwmserver (minimal required version >=0.15.1)
  • Kopano Meet (minimal required version >=0.18.0)

Configuring Konnect for guest users

For the guest mode to work the administrator has to register Meet as a client inside of Kopano Konnect. This registration is neccesary since guests require additional scopes as well has a JSON Web Key (JWK) so that Konnect can perform the actual login for the guests.

Generating Keys

Before adding the key to the client registy a new ECDSA key needs to be generated.

$ openssl ecparam -name prime256v1 -genkey -noout -out ecparam.pem
$ openssl ec -in ecparam.pem -out meet-kwmserver.pem

The pem encoded EC PRIVATE KEY part from meet-kwmserver.pem now needs to be converted into a JSON Web Key (JWK). For convenience a helper utility is included for this within Kopano Konnect.

$ kopano-konnectd utils jwk-from-pem --yaml meet-kwmserver.pem
crv: P-256
d: mr9hsFCC8q4v4I4Yv1HHSUoU2ax4X_vRKm60CkLb8XE
kid: meet-kwmserver
kty: EC
use: sig
x: 3h9BEMjO0CSP1vILZrT8ALN1XLp3B4F9q26HKghiqns
"y": pBnvjxvEFIymNB82xeQFNkpo01jxEprEPmxxdx1DS74

Konnect Client Registry

In below example registration file (expected location for this file is /etc/kopano/konnectd-identifier-registration.yaml, does not exist by default) the value kopano.dev needs to be replaced with the actual FQDN. Additionally the value below keys: needs to be replaced with the locally generated JWK.

clients:
- id: kpop-https://kopano.dev/meet/
  name: Kopano Meet
  application_type: web
  trusted: true
  redirect_uris:
  - https://kopano.dev/meet/
  trusted_scopes:
  - konnect/guestok
  - kopano/kwm
  jwks:
    keys:
    - kty: EC
      use: sig
      crv: P-256
      d: mr9hsFCC8q4v4I4Yv1HHSUoU2ax4X_vRKm60CkLb8XE
      kid: meet-kwmserver
      x: 3h9BEMjO0CSP1vILZrT8ALN1XLp3B4F9q26HKghiqns
      y: pBnvjxvEFIymNB82xeQFNkpo01jxEprEPmxxdx1DS74
  request_object_signing_alg: ES256

Konnect configuration

Now that we have generated our client registry we can configure Konnect to use it, as well as make the other required changes for the guest mode.

The following values need to be adapted in /etc/kopano/konnectd.cfg:

  • Uncomment identifier_registration_conf and make sure it points to the registry created above, e.g.: - identifier_registration_conf = /etc/kopano/konnectd-identifier-registration.yaml
  • uncomment and switch allow_client_guests to yes - allow_client_guests = yes

On restart of Konnect the following log line will indicate that Konnect is now configured to enable guest users for Meet:

time="2019-03-28T09:29:14Z" level=info msg="identity guest manager set up"

Configuring Kwmserver for guest users

Kwmserver also needs to be made aware the guest mode and Meet as a registered client. Luckily the same file already configured in Konnect can simply be reused in Kwmserver.

The following values need to be adapted in /etc/kopano/kwmserverd.cfg:

  • uncomment and switch enable_guest_api to yes: - enable_guest_api = yes
  • uncomment registration_conf and point it to the same file as previously done in Konnect: - registration_conf = /etc/kopano/konnectd-identifier-registration.yaml
  • uncomment and configure the name prefix for guest channels. The below setting will make all rooms starting with group/public rooms that guests can join: - public_guest_access_regexp = ^group/public/.*

Configuring Meet for guest users

Last but not least we need to make Meet aware of the guest functionality as well. This is done in /usr/share/kopano-kweb/www/config/kopano/meet.json.

After copying the file from the example directory (e.g. /usr/share/doc/kopano-meet-webapp/config.json.in) open it and modify the below block so that it reads "enabled": "true":

..
  "guests": {
    "enabled": "true"
  },
..

Using the guest mode

With the above configuration users can now create rooms where external users can join existing calls. To create such a room the user has to:

  • click on the “new call button”
  • in the dialogue followed by this click on “new public group”
  • choose a name that starts with “public/”, like for example “public/customer-a”
  • after the groups has been entered, click on “share group”.
  • before sharing the link the user currently needs to add #guest=1 to the end of the url

Enabling screensharing

Available starting with Kopano Meet 0.19.0.

Screensharing is automatically enabled once a browser with support for the “Screen Capture API” is detected.

Supported browsers include:

  • Google Chrome >=72
  • Mozilla Firefox >= 66
  • Kopano DeskApp >=2.2.3