Closed nkoester closed 3 years ago
Hi,
Thank you for your interest in the Mattermost-LDAP project and for your detailed description.
I read it diagonally and your setup seems complete and well designed, but a bit complex. I'd like to dig into this issue with you; I think the demo in this repository could be extended with an OpenLDAP server. This would make it possible to perform more generic validation tests and make users' PoCs easier.
However, I have no free time this week; I don't think I can work on this before the weekend.
Let me know if you advance on this subject,
Regards
I was finally able to follow up on this. Sorry for the long delay. I managed to get some basics working, i.e.:
Congratulation you are authenticated !
However:
ldap_base_dn = "ou=people,dc=example,dc=com"
ldap_filter = "(objectClass=inetOrgPerson)"
but in my openldap server there exists a cn=chat within an ou=groups. Not sure how to filter this.
https://oauth.example.com/oauth/resource.php?response_type=code&client_id=XXXX&redirect_uri=https%3A%2F%2Fchat.example.com%2Fsignup%2Fgitlab%2Fcomplete&state=YYYY%3D%3D
and the browser shows a 401 error.
The logs simply say:
mattermost-ldap_1 | 172.29.0.2 - - [14/Jan/2021:15:07:17 +0000] "GET /oauth/resource.php?response_type=code&client_id=XXXX&redirect_uri=https%3A%2F%2Fchat.example.com%2Fsignup%2Fgitlab%2Fcomplete&state=YYYY%3D%3D HTTP/1.1" 401 236 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36"
mattermost-ldap_1 | [Thu Jan 14 15:14:06.869010 2021] [autoindex:error] [pid 17] [client 172.29.0.2:36678] AH01276: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.php,index.html) found, and server-generated directory index forbidden by Options directive, referer: http://oauth.example.com
Should I add some specific settings to my nginx? Not sure what is going wrong here. Any pointers?
Turns out I mixed up the endpoints :see_no_evil: and after deleting the database everything works. Additionally, I found the proper way to use group filters via memberOf.
Hi,
Thank you for your update. I am happy that you finally came to a solution.
Your comment on Thursday gave me the motivation to continue my work on integrating an OpenLDAP server in the demo, to create a standalone demonstration that makes it easy to test and try Mattermost-LDAP. This is working now; I just need to complete the documentation :)
I saw your pull request; I will review it this week and merge it as soon as possible. I really want to thank you for your contribution :)
I hope you will enjoy using Mattermost-LDAP
Regards
Describe the bug
I am unable to get mattermost-ldap working within an existing infrastructure making use of the following containers:
Individually, the named containers work; however, trying to include mattermost-ldap fails. I am unsure where my configuration is bugged.
The setup looks as follows:
Other things:
https://oauth.example.com/oauth/index.php
(I cannot auth here, the error says "Password has incorrect format ... Please try again"?)
The "Sign in with:" button gives me a 503, redirecting me to oauth.example.com/oauth/resource.php?response_type=code&client_id=XXXX&redirect_uri=https%3A%2F%2Fchat.example.com%2Fsignup%2Fgitlab%2Fcomplete&state=YYYY%3D%3D
To Reproduce
.env content (xxx1-xxx5 are all different openssl rand -hex 32 values)
docker-compose.yaml content
log of mattermost-ldap (tried auth with github link and direct auth via https://oauth.example.com/oauth/index.php):
I'd love to allow access for all users of the chat group (groupOfUniqueNames).
Expected behavior
Well ... for it to work ¯\_(ツ)_/¯
Screenshots
Will add if anything is unclear.
Project (please complete the following information):
Desktop
Smartphone: None used
Additional context
Any help is highly appreciated! I left out many of the config files involved as they would be way too much. Let me know if you need anything else or if anything is unclear.
Eventually, this type of configuration can be beneficial for users in similar surroundings. If I get it working I'd love to document my findings for other lost travelers.
Sidenote: Thanks for this great workaround :) It really fits the needs of the small NGO I am involved in. Managing all users among the platforms separately would be so much hassle!
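The thread resolves the group question with a memberOf filter, and the issue itself asks how to restrict login to members of the chat group (a groupOfUniqueNames under ou=groups). The block below is an added example, not Mattermost-LDAP's own code or configuration: it builds that kind of filter from the ldap_base_dn / ldap_filter values quoted above, escapes the user-supplied uid per RFC 4515 so a login name like "*" cannot become a wildcard, evaluates the filter against a small constructed in-memory directory, and shows the uniqueMember fallback for servers where the memberOf overlay is not enabled. All DNs, user names and directory contents are invented for the example.

```python
# Added example, not Mattermost-LDAP's code. Builds the "member of cn=chat"
# login filter and evaluates it offline against a constructed directory.
# Assumption: the memberOf attribute only exists if the OpenLDAP memberOf
# overlay is enabled; otherwise consult the group's uniqueMember list.

BASE_DN = "dc=example,dc=com"
PEOPLE_DN = "ou=people," + BASE_DN
CHAT_GROUP_DN = "cn=chat,ou=groups," + BASE_DN

# Constructed sample directory: two users, one group; only alice is in cn=chat.
ALICE_DN = "uid=alice," + PEOPLE_DN
BOB_DN = "uid=bob," + PEOPLE_DN
DIRECTORY = {
    ALICE_DN: {"objectClass": ["inetOrgPerson"], "uid": ["alice"],
               "memberOf": [CHAT_GROUP_DN]},
    BOB_DN: {"objectClass": ["inetOrgPerson"], "uid": ["bob"]},
    CHAT_GROUP_DN: {"objectClass": ["groupOfUniqueNames"], "cn": ["chat"],
                    "uniqueMember": [ALICE_DN]},
}


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515 section 3).
    Without this, a submitted login name such as '*' acts as a wildcard."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def login_filter(uid, group_dn=CHAT_GROUP_DN):
    """An inetOrgPerson with this uid that is a member of the chat group.
    The group DN is escaped as well, since DNs may legally contain '*' or parens."""
    return "(&(objectClass=inetOrgPerson)(uid=%s)(memberOf=%s))" % (
        escape_filter_value(uid), escape_filter_value(group_dn))


def unsafe_login_filter(uid, group_dn=CHAT_GROUP_DN):
    """Same filter with raw string interpolation, kept only to show the difference."""
    return "(&(objectClass=inetOrgPerson)(uid=%s)(memberOf=%s))" % (uid, group_dn)


# --- minimal RFC 4515 evaluator: &, |, !, equality and presence (attr=*) ---

def _unescape(value):
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\":                     # \XX hex escape
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def _parse(s, i=0):
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|":
        op, i, parts = s[i], i + 1, []
        while s[i] == "(":
            node, i = _parse(s, i)
            parts.append(node)
        return (op, parts), i + 1
    if s[i] == "!":
        node, i = _parse(s, i + 1)
        return ("!", [node]), i + 1
    j = s.index(")", i)          # a raw ')' cannot occur inside an escaped value
    attr, value = s[i:j].split("=", 1)
    if value == "*":
        return ("present", attr), j + 1
    return ("=", attr, _unescape(value)), j + 1


def _matches(node, entry):
    kind = node[0]
    if kind == "&":
        return all(_matches(n, entry) for n in node[1])
    if kind == "|":
        return any(_matches(n, entry) for n in node[1])
    if kind == "!":
        return not _matches(node[1][0], entry)
    if kind == "present":
        return bool(entry.get(node[1]))
    # equality: case-insensitive, as caseIgnoreMatch / distinguishedNameMatch behave
    return any(v.lower() == node[2].lower() for v in entry.get(node[1], []))


def search(base_dn, filter_str, directory=DIRECTORY):
    """Return the DNs under base_dn (subtree scope) that match filter_str."""
    node, end = _parse(filter_str)
    if end != len(filter_str):
        raise ValueError("trailing data after filter")   # reject appended clauses
    suffix = "," + base_dn.lower()
    return [dn for dn, entry in directory.items()
            if (dn.lower() == base_dn.lower() or dn.lower().endswith(suffix))
            and _matches(node, entry)]


def is_chat_member_via_group(user_dn, directory=DIRECTORY):
    """Fallback without the memberOf overlay: check the group's uniqueMember list."""
    group = directory.get(CHAT_GROUP_DN, {})
    return any(m.lower() == user_dn.lower() for m in group.get("uniqueMember", []))


if __name__ == "__main__":
    print(search(PEOPLE_DN, login_filter("alice")))        # alice only
    print(search(PEOPLE_DN, login_filter("bob")))          # [] : not in cn=chat
    print(search(PEOPLE_DN, login_filter("*")))            # [] : '*' escaped, literal uid
    print(search(PEOPLE_DN, unsafe_login_filter("*")))     # alice : wildcard matched
    print(is_chat_member_via_group(BOB_DN))                # False
```

The difference between `login_filter("*")` and `unsafe_login_filter("*")` is the practitioner's caveat: anything taken from the login form must be escaped before it is spliced into ldap_filter, and the filter itself should be pinned to the group DN rather than to a display name, since an attacker who can create entries elsewhere in the tree could otherwise reuse a cn.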