Crivaledaz / Mattermost-LDAP

This module provides an external LDAP authentication in Mattermost for the Team Edition (free).
MIT License

error: The system admin has turned off OAuth2 Service Provider #25

Closed Philipp1909 closed 5 years ago

Philipp1909 commented 6 years ago

I have tested it with the following setup:

    • Mattermost version 5.1.0 with a MySQL database
    • Mattermost version 5.0.2 with a PostgreSQL database

user api

When I am trying to „sign in with GitLab“, I always get these errors. First error: The system admin has turned off OAuth2 Service Provider.

Then I tried to enable mattermost['service_enable_oauth_service_provider'] = true, and it gave me a different error. Second error: Invalid client id

Someone here with the same problem and maybe with a solution?

Thank you for your help!

Crivaledaz commented 6 years ago

Hi,

I have not yet tested Mattermost versions superior to 5.0.1, but it is possible Mattermost and GitLab have changed the data exchanged during the SSO session. When I get some free time, I will try to update my Mattermost version and see what is going on.

Thank you for your feedback,

khronosschoty commented 6 years ago

I might be suffering from this same issue but I am unsure.

leosimony commented 5 years ago

I am facing the same issue too. Mattermost version "5.2.1". I read your reply that you haven't tested on the superior versions. I will try with the old versions then. I would appreciate your precious time on making this work on the newer versions as well.

Crivaledaz commented 5 years ago

Hi,

I use Mattermost version 5.5.0 (with PostgreSQL) in a Kubernetes cluster and Mattermost-LDAP module works well. I have never faced a similar error.

Can you provide more information about your configuration and the Mattermost logs with the error?

leosimony commented 5 years ago

Thank you for your reply.

It's my bad that I mentioned the version wrong. It's 5.7.0. I am running a VMware virtual machine. We have the 5.2.1 production version running; I have cloned it and upgraded to 5.7.0.

As per the installation procedure, I have tried updating the User API endpoint and the other two settings in System console > Gitlab, but I am unable to edit the auto-generated values. When I enter the Gitlab Site URL, the other three are generated automatically and are not editable. I tried editing the config.json, but that's not helping either.

Crivaledaz commented 5 years ago

Actually, Mattermost has had these three fields disabled for several versions, so you can't edit them in the admin panel.

There are two possible solutions to bypass this limitation:

  1. Until version 5.5.0 (at least, I have never used Mattermost 5.7.0), you can change these values directly in the config.json file. You must restart Mattermost after editing the configuration to apply the new configuration. Nevertheless, your custom URL will not appear in System console > Gitlab because this is hard coded and not read from config.json. If you do not edit and save the Gitlab page, your configuration should not change in config.json. If Mattermost-LDAP is well configured and Mattermost can communicate with it, you should succeed in connecting to Mattermost with LDAP credentials.

  2. You can configure your Oauth server to act as a reverse proxy. If you use Nginx or Apache to serve Mattermost-LDAP, this should not be difficult; you just need to bind:

    • /api/v4/user to /oauth/resource.php
    • /oauth/authorize to /oauth/authorize.php
    • /oauth/token to /oauth/token.php

     This should be transparent for Mattermost and you should succeed in logging in to Mattermost via LDAP.

I note that you use https on the Oauth server. This is a good point, but you need to ensure your certificate is trusted by the Mattermost server, otherwise Mattermost will fail to communicate with Mattermost-LDAP.

I hope these two tricks are still working with Mattermost 5.7.0. Try these and please keep me updated.

Regards,
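One way to express the three bindings from solution 2 in Nginx, as an added example that is not part of the original comment or the Mattermost-LDAP project. The hostname, certificate paths, document root and PHP-FPM socket are assumptions; only the three URL-to-script mappings come from the comment above.

```nginx
# Added example: internal rewrites on the host that serves Mattermost-LDAP.
# Assumed values are marked; adjust them to your deployment.
server {
    listen 443 ssl;
    server_name oauth.example.org;                      # assumed hostname

    # The certificate must chain to a CA the Mattermost server trusts,
    # otherwise the token and user API calls from Mattermost will fail.
    ssl_certificate     /etc/ssl/certs/oauth.example.org.pem;    # assumed path
    ssl_certificate_key /etc/ssl/private/oauth.example.org.key;  # assumed path

    root /var/www/html;                                 # assumed: contains oauth/

    # Exact-match locations so only the three GitLab-style paths that
    # Mattermost requests are mapped. "rewrite ... last" keeps the query
    # string (client_id, redirect_uri, state, ...) and re-runs location
    # matching, so the request ends up in the PHP block below.
    location = /api/v4/user     { rewrite ^ /oauth/resource.php  last; }
    location = /oauth/authorize { rewrite ^ /oauth/authorize.php last; }
    location = /oauth/token     { rewrite ^ /oauth/token.php     last; }

    # Hand PHP scripts to PHP-FPM.
    location ~ \.php$ {
        include       fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass  unix:/run/php/php-fpm.sock;       # assumed socket path
    }
}
```

With the GitLab Site URL in Mattermost set to this host, the three auto-generated endpoints resolve to the Mattermost-LDAP scripts without editing config.json.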

leosimony commented 5 years ago

Hello Denis,

Thank you for the steps and suggestion about reverse proxy.

I had to enable

System Console > Customer Integrations > Enable OAuth 2.0 Service Provider

Then reverse proxy those URLs as you suggested, and that did all the magic and LDAP integration works fine.

Crivaledaz commented 5 years ago

Hi,

So if I understand correctly, Mattermost has made some changes in Oauth integration after version 5.5. I will take a look when I have some free time.

Thank you for your feedback. I am closing the issue, but feel free to reopen it if there is still a problem.

Regards