YunoHost-Apps / synapse_ynh

Matrix server (synapse) package for YunoHost
https://matrix.org/
GNU General Public License v3.0

New users can't login (register?) #453

Closed Thatoo closed 2 months ago

Thatoo commented 2 months ago

Describe the bug

Old users can connect to synapse through the Element app and CAS. A newly created user can't login through CAS.

Context

Steps to reproduce

Create a new user. Connect to SSO with this user. Go to app.element.io. Choose our synapse server address. Click on "Continue with CAS". Reach the SSO screen.

Expected behavior

Be redirected to a URL like /_matrix/client/r0/login/cas/ticket?redirectUrl= as is the case for old accounts that have already used the synapse server in the past.

Logs

In the logs, I can see this when I attempt to login with a new account:

2024-04-20 10:43:52,656 - synapse.rest.client.login - 677 - INFO - GET-10- Redirecting to https://matrix.DOMAINE.NAME/_matrix/cas_server.php/login?service=https%3A%2F%2Fmatrix.DOMAINE.NAME%2F_matrix%2Fclient%2Fr0%2Flogin%2Fcas%2Fticket%3FredirectUrl%3Dhttps%253A%252F%252Fapp.element.io%252F
2024-04-20 10:43:52,656 - synapse.access.http.8008 - 472 - INFO - GET-10- 10.0.242.87 - 8008 - {None} Processed request: 0.001sec/-0.000sec (0.000sec, 0.000sec) (0.000sec/0.000sec/0) 0B 302 "GET /_matrix/client/v3/login/sso/redirect/cas?redirectUrl=https%3A%2F%2Fapp.element.io%2F&org.matrix.msc3824.action=login HTTP/1.0" "Mozilla/5.0 (X11; Linux x86_64; rv:124.0) Gecko/20100101 Firefox/124.0" [0 dbevts]
2024-04-20 10:43:57,005 - synapse.federation.sender - 1019 - INFO - wake_destinations_needing_catchup-2- Destination public.cat has outstanding catch-up, waking up.
2024-04-20 10:44:02,007 - synapse.federation.sender - 1019 - INFO - wake_destinations_needing_catchup-2- Destination public.cat has outstanding catch-up, waking up.
2024-04-20 10:44:07,008 - synapse.federation.sender - 1019 - INFO - wake_destinations_needing_catchup-2- Destination public.cat has outstanding catch-up, waking up.

and this when I login with an old account:

2024-04-20 10:46:39,604 - synapse.rest.client.login - 677 - INFO - GET-21- Redirecting to https://matrix.DOMAINE.NAME/_matrix/cas_server.php/login?service=https%3A%2F%2Fmatrix.DOMAINE.NAME%2F_matrix%2Fclient%2Fr0%2Flogin%2Fcas%2Fticket%3FredirectUrl%3Dhttps%253A%252F%252Fapp.element.io%252F
2024-04-20 10:46:39,605 - synapse.access.http.8008 - 472 - INFO - GET-21- 10.0.242.87 - 8008 - {None} Processed request: 0.001sec/-0.000sec (0.000sec, 0.000sec) (0.000sec/0.000sec/0) 0B 302 "GET /_matrix/client/v3/login/sso/redirect/cas?redirectUrl=https%3A%2F%2Fapp.element.io%2F&org.matrix.msc3824.action=login HTTP/1.0" "Mozilla/5.0 (X11; Linux x86_64; rv:124.0) Gecko/20100101 Firefox/124.0" [0 dbevts]
2024-04-20 10:46:46,469 - synapse.http.client - 426 - INFO - GET-22- Received response to GET https://matrix.DOMAINE.NAME/_matrix/cas_server.php/proxyValidate?ticket=4a39ce2bde831b79060d6bf50682a8ed2cdf9d0d3a12aeb9aba01066821d474bba3b1572be160a6d5ed2a1a59e72a4980c79&service=https%3A%2F%2Fmatrix.DOMAINE.NAME%2F_matrix%2Fclient%2Fr0%2Flogin%2Fcas%2Fticket%3FredirectUrl%3Dhttps%253A%252F%252Fapp.element.io%252F: 200
2024-04-20 10:46:46,473 - synapse.handlers.sso - 374 - INFO - GET-22- Found existing mapping for IdP 'cas' and remote_user_id 'USER': @USER:DOMAINE.NAME
2024-04-20 10:46:46,492 - synapse.access.http.8008 - 472 - INFO - GET-22- 10.0.242.87 - 8008 - {None} Processed request: 0.047sec/-0.000sec (0.017sec, 0.002sec) (0.002sec/0.009sec/4) 13948B 200 "GET /_matrix/client/r0/login/cas/ticket?redirectUrl=https://app.element.io/&ticket=4a39ce2bde831b79060d6bf50682a8ed2cdf9d0d3a12aeb9aba01066821d474bba3b1572be160a6d5ed2a1a59e72a4980c79 HTTP/1.0" "Mozilla/5.0 (X11; Linux x86_64; rv:124.0) Gecko/20100101 Firefox/124.0" [0 dbevts]
2024-04-20 10:46:46,622 - synapse.access.http.8008 - 472 - INFO - GET-23- 10.0.242.87 - 8008 - {None} Processed request: 0.007sec/-0.000sec (0.001sec, 0.001sec) (0.001sec/0.003sec/2) 2834B 200 "GET /_matrix/media/v1/thumbnail/DOMAINE.NAME/ZFwtqLGXOCBezgCJpwvEEcnd?width=64&height=64&method=crop HTTP/1.0" "Mozilla/5.0 (X11; Linux x86_64; rv:124.0) Gecko/20100101 Firefox/124.0" [0 dbevts]
2024-04-20 10:46:46,895 - synapse.storage.databases.main.event_push_actions - 1321 - INFO - rotate_notifs-9- Rotating notifications
2024-04-20 10:46:46,898 - synapse.storage.databases.main.event_push_actions - 1525 - INFO - rotate_notifs-9- Rotating notifications up to: 44483
2024-04-20 10:46:46,902 - synapse.storage.databases.main.event_push_actions - 1611 - INFO - rotate_notifs-9- Rotating notifications, handling 0 rows
2024-04-20 10:46:46,910 - synapse.storage.databases.main.event_push_actions - 1696 - INFO - rotate_notifs-9- Rotating notifications, deleted 0 push actions
2024-04-20 10:46:47,003 - synapse.federation.sender - 1019 - INFO - wake_destinations_needing_catchup-5- Destination public.cat has outstanding catch-up, waking up.
2024-04-20 10:46:47,007 - synapse.handlers.presence - 913 - INFO - persist_presence_changes-3- Persisting 1 unpersisted presence updates
2024-04-20 10:46:47,057 - synapse.util.caches.lrucache - 218 - INFO - LruCache._expire_old_entries-9- Dropped 0 items from caches
2024-04-20 10:46:47,096 - synapse.storage.databases.main.metrics - 399 - INFO - generate_user_daily_visits-0- Calling _generate_user_daily_visits
Josue-T commented 2 months ago

Thanks for reporting the issue. I can't reproduce the issue on my side, so it's a bit more complex.

What is the result of grep '# LDAP Filter anonymous user Applied' /opt/yunohost/matrix-synapse/lib/python3.9/site-packages/ldap_auth_provider.py ?

Thatoo commented 2 months ago
:~ $ sudo grep -A 10 '# LDAP Filter anonymous user Applied' /opt/yunohost/matrix-synapse/lib/python3.9/site-packages/ldap_auth_provider.py
        # LDAP Filter anonymous user Applied
        ldap_config = _LdapConfig(
            enabled=config.get("enabled", False),
            mode=LDAPMode.SEARCH
            if config.get("mode", "simple") == "search"
            else LDAPMode.SIMPLE,
            uri=config["uri"],
            start_tls=config.get("start_tls", False),
            tls_options=config.get("tls_options"),
            validate_cert=config.get("validate_cert", True),
            base=config["base"],
Josue-T commented 2 months ago

And grep _matrix/cas_server.php /var/log/nginx/*-access.log ?

Thatoo commented 2 months ago
:~ $ sudo grep _matrix/cas_server.php /var/log/nginx/matrix.DOMAIN.NAME-access.log
XXX.XXX.XXX.XXX - - [20/Apr/2024:10:04:15 +0200] "GET /_matrix/cas_server.php/login?service=https%3A%2F%2Fmatrix.DOMAIN.NAME%2F_matrix%2Fclient%2Fr0%2Flogin%2Fcas%2Fticket%3FredirectUrl%3Dhttps%253A%252F%252Fapp.element.io%252F HTTP/2.0" 302 138 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:124.0) Gecko/20100101 Firefox/124.0"
XXX.XXX.XXX.XXX - - [20/Apr/2024:10:14:43 +0200] "GET /_matrix/cas_server.php/login?service=https%3A%2F%2Fmatrix.DOMAIN.NAME%2F_matrix%2Fclient%2Fr0%2Flogin%2Fcas%2Fticket%3FredirectUrl%3Dhttps%253A%252F%252Fapp.element.io%252F HTTP/2.0" 302 138 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:124.0) Gecko/20100101 Firefox/124.0"
XXX.XXX.XXX.XXX - USER1 [20/Apr/2024:10:15:39 +0200] "GET /_matrix/cas_server.php/login?service=https%3A%2F%2Fmatrix.DOMAIN.NAME%2F_matrix%2Fclient%2Fr0%2Flogin%2Fcas%2Fticket%3FredirectUrl%3Dhttps%253A%252F%252Fapp.element.io%252F HTTP/2.0" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:124.0) Gecko/20100101 Firefox/124.0"
::1 - - [20/Apr/2024:10:15:39 +0200] "GET /_matrix/cas_server.php/proxyValidate?ticket=a898e7d0578f35172474d240c15602bfac9c4c3b861249d373dbc2e02223f8d4d24bd01e3faeedc84321c722743dc774088b&service=https%3A%2F%2Fmatrix.DOMAIN.NAME%2F_matrix%2Fclient%2Fr0%2Flogin%2Fcas%2Fticket%3FredirectUrl%3Dhttps%253A%252F%252Fapp.element.io%252F HTTP/1.1" 200 375 "-" "Synapse/1.104.0"
XXX.XXX.XXX.XXX - USER1 [20/Apr/2024:10:17:20 +0200] "GET /_matrix/cas_server.php/login?service=https%3A%2F%2Fmatrix.DOMAIN.NAME%2F_matrix%2Fclient%2Fr0%2Flogin%2Fcas%2Fticket%3FredirectUrl%3Dhttps%253A%252F%252Fapp.element.io%252F HTTP/2.0" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:124.0) Gecko/20100101 Firefox/124.0"
::1 - - [20/Apr/2024:10:17:20 +0200] "GET /_matrix/cas_server.php/proxyValidate?ticket=483073aa23bd5c88683cb566da434565db741e3c961489e1b5aa2cfa7c1623864ce9bf0bd870cf489909c404e9edd9f8c9b2&service=https%3A%2F%2Fmatrix.DOMAIN.NAME%2F_matrix%2Fclient%2Fr0%2Flogin%2Fcas%2Fticket%3FredirectUrl%3Dhttps%253A%252F%252Fapp.element.io%252F HTTP/1.1" 200 375 "-" "Synapse/1.104.0"
XXX.XXX.XXX.XXX - USER2 [20/Apr/2024:10:22:12 +0200] "GET /_matrix/cas_server.php/login?service=https%3A%2F%2Fmatrix.DOMAIN.NAME%2F_matrix%2Fclient%2Fr0%2Flogin%2Fcas%2Fticket%3FredirectUrl%3Dhttps%253A%252F%252Fapp.element.io%252F HTTP/2.0" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:124.0) Gecko/20100101 Firefox/124.0"
::1 - - [20/Apr/2024:10:22:13 +0200] "GET /_matrix/cas_server.php/proxyValidate?ticket=9c6bd4a9fe9751113a6d926abc2f1b3d2c12df484ae6b830d325bbe0f0fee50755c44da86df59edf3064b02c3d8bad91e264&service=https%3A%2F%2Fmatrix.DOMAIN.NAME%2F_matrix%2Fclient%2Fr0%2Flogin%2Fcas%2Fticket%3FredirectUrl%3Dhttps%253A%252F%252Fapp.element.io%252F HTTP/1.1" 200 385 "-" "Synapse/1.104.0"
XXX.XXX.XXX.XXX - - [20/Apr/2024:10:23:28 +0200] "GET /_matrix/cas_server.php/login?service=https%3A%2F%2Fmatrix.DOMAIN.NAME%2F_matrix%2Fclient%2Fr0%2Flogin%2Fcas%2Fticket%3FredirectUrl%3Dhttps%253A%252F%252Fapp.element.io%252F HTTP/2.0" 302 138 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:124.0) Gecko/20100101 Firefox/124.0"
XXX.XXX.XXX.XXX - - [20/Apr/2024:10:33:05 +0200] "GET /_matrix/cas_server.php/login?service=https%3A%2F%2Fmatrix.DOMAIN.NAME%2F_matrix%2Fclient%2Fr0%2Flogin%2Fcas%2Fticket%3FredirectUrl%3Dhttps%253A%252F%252Fapp.element.io%252F HTTP/2.0" 302 138 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:124.0) Gecko/20100101 Firefox/124.0"
XXX.XXX.XXX.XXX - - [20/Apr/2024:10:33:13 +0200] "GET /_matrix/cas_server.php/login?service=https://matrix.DOMAIN.NAME/_matrix/client/r0/login/cas/ticket?redirectUrl=https%3A%2F%2Fapp.element.io%2F&sso_login=7DE8288312186CFA8B14CBEFE292CD2F9EF3E4CADF4407816A9F987AB8A3EF8C516620A5CBA4705B4FE5DB05EE7CC7578F3E04EC94A1BECB0AB85DBF59753878 HTTP/2.0" 302 138 "https://DOMAIN.NAME/" "Mozilla/5.0 (X11; Linux x86_64; rv:124.0) Gecko/20100101 Firefox/124.0"
XXX.XXX.XXX.XXX - - [20/Apr/2024:10:33:13 +0200] "GET /_matrix/cas_server.php/login?service=https://matrix.DOMAIN.NAME/_matrix/client/r0/login/cas/ticket?redirectUrl=https://app.element.io/ HTTP/2.0" 302 138 "https://DOMAIN.NAME/" "Mozilla/5.0 (X11; Linux x86_64; rv:124.0) Gecko/20100101 Firefox/124.0"
XXX.XXX.XXX.XXX - - [20/Apr/2024:10:33:40 +0200] "GET /_matrix/cas_server.php/login?service=https://matrix.DOMAIN.NAME/_matrix/client/r0/login/cas/ticket?redirectUrl=https%3A%2F%2Fapp.element.io%2F&sso_login=25CD14A13F77241A40551D2FD71CCEF9947971E50CCC2F67C79729E17E661D61EFAA3C5A2385EE3BAF0947F19C1848AC37EAE7AADD8BC88483E973D43A59C3C9 HTTP/2.0" 302 138 "https://DOMAIN.NAME/" "Mozilla/5.0 (X11; Linux x86_64; rv:124.0) Gecko/20100101 Firefox/124.0"
XXX.XXX.XXX.XXX - USER1 [20/Apr/2024:10:33:40 +0200] "GET /_matrix/cas_server.php/login?service=https://matrix.DOMAIN.NAME/_matrix/client/r0/login/cas/ticket?redirectUrl=https://app.element.io/ HTTP/2.0" 302 0 "https://DOMAIN.NAME/" "Mozilla/5.0 (X11; Linux x86_64; rv:124.0) Gecko/20100101 Firefox/124.0"
::1 - - [20/Apr/2024:10:33:40 +0200] "GET /_matrix/cas_server.php/proxyValidate?ticket=def69e70e129a6dedb10d0f6dd8c73d281ad254cf6bdb4c0695694a38600194a773546ac02357a6dd898a6fc7ec47e491adc&service=https%3A%2F%2Fmatrix.DOMAIN.NAME%2F_matrix%2Fclient%2Fr0%2Flogin%2Fcas%2Fticket%3FredirectUrl%3Dhttps%253A%252F%252Fapp.element.io%252F HTTP/1.1" 200 375 "-" "Synapse/1.104.0"
XXX.XXX.XXX.XXX - - [20/Apr/2024:10:43:52 +0200] "GET /_matrix/cas_server.php/login?service=https%3A%2F%2Fmatrix.DOMAIN.NAME%2F_matrix%2Fclient%2Fr0%2Flogin%2Fcas%2Fticket%3FredirectUrl%3Dhttps%253A%252F%252Fapp.element.io%252F HTTP/2.0" 302 138 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:124.0) Gecko/20100101 Firefox/124.0"
XXX.XXX.XXX.XXX - - [20/Apr/2024:10:44:03 +0200] "GET /_matrix/cas_server.php/login?service=https://matrix.DOMAIN.NAME/_matrix/client/r0/login/cas/ticket?redirectUrl=https%3A%2F%2Fapp.element.io%2F&sso_login=6B0BB36C2CE59B45CB2F3531FF8898F3763CA5705F6827550DAF1AAEB5661204A87E365C2DEBF08DA940C8070710B72465E9577EA8EBBC14F4F49810A8657F93 HTTP/2.0" 302 138 "https://DOMAIN.NAME/" "Mozilla/5.0 (X11; Linux x86_64; rv:124.0) Gecko/20100101 Firefox/124.0"
XXX.XXX.XXX.XXX - - [20/Apr/2024:10:44:03 +0200] "GET /_matrix/cas_server.php/login?service=https://matrix.DOMAIN.NAME/_matrix/client/r0/login/cas/ticket?redirectUrl=https://app.element.io/ HTTP/2.0" 302 138 "https://DOMAIN.NAME/" "Mozilla/5.0 (X11; Linux x86_64; rv:124.0) Gecko/20100101 Firefox/124.0"
XXX.XXX.XXX.XXX - - [20/Apr/2024:10:46:39 +0200] "GET /_matrix/cas_server.php/login?service=https%3A%2F%2Fmatrix.DOMAIN.NAME%2F_matrix%2Fclient%2Fr0%2Flogin%2Fcas%2Fticket%3FredirectUrl%3Dhttps%253A%252F%252Fapp.element.io%252F HTTP/2.0" 302 138 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:124.0) Gecko/20100101 Firefox/124.0"
XXX.XXX.XXX.XXX - - [20/Apr/2024:10:46:46 +0200] "GET /_matrix/cas_server.php/login?service=https://matrix.DOMAIN.NAME/_matrix/client/r0/login/cas/ticket?redirectUrl=https%3A%2F%2Fapp.element.io%2F&sso_login=5326C463A78D479089D4668536C9ADEAA730B4D97C3C6E427113FBE78B631D0F33527D322F706658C0C44B9C9C621624EB1734062851D38651FA85E1CAD6AE63 HTTP/2.0" 302 138 "https://DOMAIN.NAME/" "Mozilla/5.0 (X11; Linux x86_64; rv:124.0) Gecko/20100101 Firefox/124.0"
XXX.XXX.XXX.XXX - USER1 [20/Apr/2024:10:46:46 +0200] "GET /_matrix/cas_server.php/login?service=https://matrix.DOMAIN.NAME/_matrix/client/r0/login/cas/ticket?redirectUrl=https://app.element.io/ HTTP/2.0" 302 0 "https://DOMAIN.NAME/" "Mozilla/5.0 (X11; Linux x86_64; rv:124.0) Gecko/20100101 Firefox/124.0"
::1 - - [20/Apr/2024:10:46:46 +0200] "GET /_matrix/cas_server.php/proxyValidate?ticket=4a39ce2bde831b79060d6bf50682a8ed2cdf9d0d3a12aeb9aba01066821d474bba3b1572be160a6d5ed2a1a59e72a4980c79&service=https%3A%2F%2Fmatrix.DOMAIN.NAME%2F_matrix%2Fclient%2Fr0%2Flogin%2Fcas%2Fticket%3FredirectUrl%3Dhttps%253A%252F%252Fapp.element.io%252F HTTP/1.1" 200 375 "-" "Synapse/1.104.0"
YYY.YYY.YYY.YYY - - [20/Apr/2024:11:58:46 +0200] "GET /_matrix/cas_server.php/login?service=https%3A%2F%2Fmatrix.DOMAIN.NAME%2F_matrix%2Fclient%2Fr0%2Flogin%2Fcas%2Fticket%3FredirectUrl%3Dhttps%253A%252F%252Fapp.element.io%252F HTTP/2.0" 302 138 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"
YYY.YYY.YYY.YYY - - [20/Apr/2024:11:59:46 +0200] "GET /_matrix/cas_server.php/login?service=https://matrix.DOMAIN.NAME/_matrix/client/r0/login/cas/ticket?redirectUrl=https%3A%2F%2Fapp.element.io%2F&sso_login=E5BC654E73B8670C9D0E7D023E66292B321A01B7FDB28164ACB346BB84EC3149980A37469C84E90A2C058E9306E1D1D9A03A589E5F775A14A3B0F9B4E3DB3705 HTTP/2.0" 302 138 "https://DOMAIN.NAME/" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"
YYY.YYY.YYY.YYY - USER1 [20/Apr/2024:11:59:47 +0200] "GET /_matrix/cas_server.php/login?service=https://matrix.DOMAIN.NAME/_matrix/client/r0/login/cas/ticket?redirectUrl=https://app.element.io/ HTTP/2.0" 302 0 "https://DOMAIN.NAME/" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"
::1 - - [20/Apr/2024:11:59:48 +0200] "GET /_matrix/cas_server.php/proxyValidate?ticket=ed8867f98ee6664f0f52fb4b59ad1039eb95ab6b4cdedb27d8d98393fe263cdb018eb970f6cd927ae79e029529d681680ff8&service=https%3A%2F%2Fmatrix.DOMAIN.NAME%2F_matrix%2Fclient%2Fr0%2Flogin%2Fcas%2Fticket%3FredirectUrl%3Dhttps%253A%252F%252Fapp.element.io%252F HTTP/1.1" 200 375 "-" "Synapse/1.104.0"
YYY.YYY.YYY.YYY - USER1 [20/Apr/2024:12:18:11 +0200] "GET /_matrix/cas_server.php/login?service=https%3A%2F%2Fmatrix.DOMAIN.NAME%2F_matrix%2Fclient%2Fr0%2Flogin%2Fcas%2Fticket%3FredirectUrl%3Dhttps%253A%252F%252Fapp.element.io%252F HTTP/2.0" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"
::1 - - [20/Apr/2024:12:18:11 +0200] "GET /_matrix/cas_server.php/proxyValidate?ticket=c583d2b530125b19e380a721503645da94ed5863ea53336f330fed78f9a8974b24f27c300ff36b3af0ee0b7f63c471dc5535&service=https%3A%2F%2Fmatrix.DOMAIN.NAME%2F_matrix%2Fclient%2Fr0%2Flogin%2Fcas%2Fticket%3FredirectUrl%3Dhttps%253A%252F%252Fapp.element.io%252F HTTP/1.1" 200 375 "-" "Synapse/1.104.0"

USER1 and USER2 are two old users who have had a matrix account since before the update. I could not find any username of a new user (post-update).

Josue-T commented 2 months ago

"Reach the SSO screen"

Do you mean on domain.tld/yunohost/sso ?

Thatoo commented 2 months ago

Exactly. An old user is redirected, as expected, to domain.tld/_matrix/client/r0/login/cas/ticket?redirectUrl=xxxxxxxx. A new user is redirected to domain.tld/yunohost/sso.

Josue-T commented 2 months ago

Are you sure that the user has the permission to access synapse (check with yunohost user permission list synapse)?

(Note: we can discuss this on matrix, it might be easier.)

Thatoo commented 2 months ago
~ $ sudo yunohost user permission list synapse
permissions: 
  synapse.admin_api: 
    allowed: 
      - admins
      - visitors
  synapse.main: 
    allowed: all_users
  synapse.server_api: 
    allowed: visitors
  synapse.server_client_infos: 
    allowed: visitors
Josue-T commented 2 months ago

If you try https://domain.tld/_matrix/cas_server.php as the new user, what is the result? And what nginx log do you have related to this request?

Thatoo commented 2 months ago

https://domain.tld/_matrix/cas_server.php redirects the new user to https://domain.tld/yunohost/sso

Well, actually it's the same for old users also.

The log I mentioned wasn't the nginx log but tail -f /var/log/matrix-synapse/homeserver.log

Josue-T commented 2 months ago

Well, I think if there is a redirection to the yunohost SSO it's more an issue on the nginx/SSO side than on synapse; that's why I would like the nginx log, to understand why there is this redirection. Can you also share with me the content of /etc/ssowat/conf.json and /etc/ssowat/conf.json.persistent.

Thatoo commented 2 months ago
sudo cat /etc/ssowat/conf.json
{
    "additional_headers": {
        "Auth-User": "uid",
        "Email": "mail",
        "Name": "cn",
        "Remote-User": "uid"
    },
    "domains": [
        "domain2.tld",
        "domain.tld",
        "USER1.domain.tld",
        "USER2.domain.tld",
        "gdev.domain.tld",
        "matrix.domain.tld",
        "admin.matrix.domain.tld",
        "domain3.tld",
        "borgserver.domain3.tld"
    ],
    "permissions": {
        "core_skipped": {
            "auth_header": false,
            "label": "Core permissions - skipped",
            "public": true,
            "show_tile": false,
            "uris": [
                "domain2.tld/yunohost/admin",
                "domain.tld/yunohost/admin",
                "USER1.domain.tld/yunohost/admin",
                "USER2.domain.tld/yunohost/admin",
                "gdev.domain.tld/yunohost/admin",
                "matrix.domain.tld/yunohost/admin",
                "admin.matrix.domain.tld/yunohost/admin",
                "domain3.tld/yunohost/admin",
                "borgserver.domain3.tld/yunohost/admin",
                "domain2.tld/yunohost/api",
                "domain.tld/yunohost/api",
                "USER1.domain.tld/yunohost/api",
                "USER2.domain.tld/yunohost/api",
                "gdev.domain.tld/yunohost/api",
                "matrix.domain.tld/yunohost/api",
                "admin.matrix.domain.tld/yunohost/api",
                "domain3.tld/yunohost/api",
                "borgserver.domain3.tld/yunohost/api",
                "re:^[^/]/502%.html$",
                "re:^[^/]*/%.well%-known/ynh%-diagnosis/.*$",
                "re:^[^/]*/%.well%-known/acme%-challenge/.*$",
                "re:^[^/]*/%.well%-known/autoconfig/mail/config%-v1%.1%.xml.*$"
            ],
            "users": []
        },
        "my_webapp__2.main": {
            "auth_header": true,
            "label": "Site de USER1",
            "public": true,
            "show_tile": true,
            "uris": [
                "USER1.domain.tld"
            ],
            "use_remote_user_var_in_nginx_conf": true,
            "users": [
                "USER3",
                "USER4",
                "USER5",
                "USER6",
                "NEWUSER2",
                "USER8",
                "USER9",
                "USER10",
                "USER11",
                "ADMIN1",
                "USER12",
                "USER13",
                "USER2",
                "NEWUSER1",
                "USER7"
            ]
        },
        "piwigo.main": {
            "auth_header": true,
            "label": "Galerie de USER2",
            "public": true,
            "show_tile": true,
            "uris": [
                "USER2.domain.tld"
            ],
            "use_remote_user_var_in_nginx_conf": true,
            "users": [
                "USER3",
                "USER4",
                "USER5",
                "USER6",
                "NEWUSER2",
                "USER8",
                "USER9",
                "USER10",
                "USER11",
                "ADMIN1",
                "USER12",
                "USER13",
                "USER2",
                "NEWUSER1",
                "USER7"
            ]
        },
        "synapse-admin.main": {
            "auth_header": true,
            "label": "Synapse Admin",
            "public": false,
            "show_tile": true,
            "uris": [
                "admin.matrix.domain.tld"
            ],
            "use_remote_user_var_in_nginx_conf": false,
            "users": [
                "ADMIN1"
            ]
        },
        "synapse.admin_api": {
            "auth_header": false,
            "label": "Synapse (Server administration API.)",
            "public": true,
            "show_tile": false,
            "uris": [
                "matrix.domain.tld/_synapse"
            ],
            "use_remote_user_var_in_nginx_conf": true,
            "users": [
                "ADMIN1"
            ]
        },
        "synapse.main": {
            "auth_header": true,
            "label": "Synapse",
            "public": false,
            "show_tile": false,
            "uris": [
                "matrix.domain.tld",
                "matrix.domain.tld/_matrix/cas_server.php/login"
            ],
            "use_remote_user_var_in_nginx_conf": true,
            "users": [
                "USER3",
                "USER4",
                "USER5",
                "USER6",
                "NEWUSER2",
                "USER8",
                "USER9",
                "USER10",
                "USER11",
                "ADMIN1",
                "USER12",
                "USER13",
                "USER2",
                "NEWUSER1",
                "USER7"
            ]
        },
        "synapse.server_api": {
            "auth_header": false,
            "label": "Synapse (Server access for client apps.)",
            "public": true,
            "show_tile": false,
            "uris": [
                "matrix.domain.tld/_matrix"
            ],
            "use_remote_user_var_in_nginx_conf": true,
            "users": []
        },
        "synapse.server_client_infos": {
            "auth_header": false,
            "label": "Synapse (Server info for clients. (well-known))",
            "public": true,
            "show_tile": false,
            "uris": [
                "domain.tld/.well-known/matrix"
            ],
            "use_remote_user_var_in_nginx_conf": true,
            "users": []
        }
    },
    "portal_domain": "domain.tld",
    "portal_path": "/yunohost/sso/",
    "redirected_regex": {
        "domain.tld/yunohost[\\/]?$": "https://domain.tld/yunohost/sso/"
    },
    "redirected_urls": {},
    "theme": "default"
}

sudo cat /etc/ssowat/conf.json.persistent
{
    "permissions": {
        "custom_protected": {
            "auth_header": true, 
            "label": "Custom permissions - protected", 
            "public": false, 
            "show_tile": false, 
            "uris": [
                "matrix.domain.tld/_matrix/cas_server.php/login"
            ], 
            "users": [
                "USER1", 
                "ADMIN1", 
                "USER2", 
                "USER4",
                "USER5",
                "USER5",
                "USER6",
                "USER7"
            ]
        }, 
        "custom_skipped": {
            "auth_header": false, 
            "label": "Custom permissions - skipped", 
            "public": true, 
            "show_tile": false, 
            "uris": [
                "matrix.domain.tld/_matrix", 
                "domain.tld/.well-known/matrix/"
            ], 
            "users": []
        }
    }, 
    "redirected_urls": {
    }
}

I notice that NEWUSER1 and NEWUSER2 are not listed in /etc/ssowat/conf.json.persistent

"permissions": {
        "custom_protected": {
            "users": [
            ]
        }, 
}

and also some old users aren't listed either. Maybe I'll try (if I can) whether those old user accounts can connect or not.

Thatoo commented 2 months ago

Indeed, if I try to login in app.element.io with CAS on matrix.domain.tld with one of the old user accounts not listed in /etc/ssowat/conf.json.persistent under:

"permissions": {
        "custom_protected": {
            "users": [
            ]
        }, 
}

it doesn't work either.

I'd also like to add that in /etc/ssowat/conf.json.persistent, under:

{
    "permissions": {
    "redirected_urls": {
    }
}

two very old redirections, unused today, are actually listed (I removed them before copy/paste).

So it sounds like /etc/ssowat/conf.json.persistent is very much not up to date.

Josue-T commented 2 months ago

Well, it depends. For a long time synapse hasn't managed this file. So either you have a really old install and there are still some dirty things linked to its history, or you did a customization.

Thatoo commented 2 months ago

I have a very old installation I guess but no customization.

What should I do?

Can I delete /etc/ssowat/conf.json.persistent and ask yunohost to recreate one?

Well actually, if synapse doesn't manage it anymore, I guess yunohost won't generate one, as everything in it is related to synapse except

{
    "permissions": {
    "redirected_urls": {
    }
}

which are also very old redirections, unused today anyway.

So it sounds like an unnecessary leftover.

Josue-T commented 2 months ago

No, the /etc/ssowat/conf.json.persistent config file is explicitly made for customization, so yunohost won't manage it. The only reason this file was modified by synapse is that before permissions existed there was no way to do what we needed, so we used this file, but it was like a hack. But for a long time now it's not managed by anything.

If you don't need any customization you can just put {} in this file; it will be enough.
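Before blanking the persistent file, an admin may want to see exactly which users a stale "custom_protected" override is locking out. The script below is an added example, not code from synapse_ynh or SSOwat: it compares the users a conf.json permission grants on a URI against the users a non-public persistent permission still allows on that same URI. The JSON inside it is a constructed, shortened sample modelled on the files posted above; the function names are the example's own.

```python
"""Find users locked out by a stale /etc/ssowat/conf.json.persistent override.

Added example (not part of synapse_ynh or SSOwat). SSOwat applies the
persistent permissions on top of conf.json, so a non-public persistent
permission on a URI with an explicit user list shadows whatever conf.json
grants on that URI. This is what kept NEWUSER1/NEWUSER2 on the SSO portal.
"""
import json

# Constructed sample of conf.json, shortened to the permissions that matter.
CONF_JSON = """
{
  "permissions": {
    "synapse.main": {
      "public": false,
      "uris": ["matrix.domain.tld",
               "matrix.domain.tld/_matrix/cas_server.php/login"],
      "users": ["USER2", "USER4", "NEWUSER1", "NEWUSER2", "ADMIN1"]
    },
    "synapse.server_api": {
      "public": true,
      "uris": ["matrix.domain.tld/_matrix"],
      "users": []
    }
  }
}
"""

# Constructed sample of conf.json.persistent with a stale user list.
CONF_PERSISTENT = """
{
  "permissions": {
    "custom_protected": {
      "public": false,
      "uris": ["matrix.domain.tld/_matrix/cas_server.php/login"],
      "users": ["USER1", "ADMIN1", "USER2", "USER4", "USER4"]
    }
  }
}
"""


def stale_overrides(conf: dict, persistent: dict) -> dict:
    """Map each URI guarded by a non-public persistent permission to the
    users conf.json grants on that URI but the persistent list omits."""
    result = {}
    for perm in persistent.get("permissions", {}).values():
        if perm.get("public", False):
            continue  # a public override locks nobody out
        still_allowed = set(perm.get("users", []))
        for uri in perm.get("uris", []):
            granted = set()
            for main_perm in conf.get("permissions", {}).values():
                if uri in main_perm.get("uris", []):
                    granted.update(main_perm.get("users", []))
            missing = sorted(granted - still_allowed)
            if missing:
                result[uri] = missing
    return result


def analyze(conf_text: str = CONF_JSON, persistent_text: str = CONF_PERSISTENT) -> dict:
    """Parse both files and return the stale-override report."""
    return stale_overrides(json.loads(conf_text), json.loads(persistent_text))


def is_effectively_empty(persistent_text: str) -> bool:
    """True when the persistent file changes nothing, i.e. it could be {}."""
    data = json.loads(persistent_text)
    return not any(data.get(k) for k in ("permissions", "redirected_urls", "redirected_regex"))


if __name__ == "__main__":
    for uri, users in analyze().items():
        print(f"{uri}: locked out by persistent override -> {', '.join(users)}")
    print("persistent file is a no-op:", is_effectively_empty(CONF_PERSISTENT))
```

Run it against the real files by passing their contents to analyze(); an empty report plus is_effectively_empty() returning True means replacing the file with {} changes nothing.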

Thatoo commented 2 months ago

Thank you @Josue-T. I did that and it solved this issue!