devture / matrix-corporal

Matrix Corporal: reconciliator and gateway for a managed Matrix server
GNU Affero General Public License v3.0

Authorisation in LDAP #3

Closed amelentjev closed 4 years ago

amelentjev commented 4 years ago

Is there a possibility to combine this product with mxisd and authorise users in LDAP instead of using the password from the config file?

spantaleev commented 4 years ago

I have never tested this, but you should be able to use External authentication via REST API calls and point it to mxisd's authentication endpoint (/_matrix-internal/identity/v1/check_credentials?).

mxisd would then query LDAP and return a response.

I'm not sure if this endpoint is documented anywhere in the mxisd docs (I couldn't find it), but reading the README for matrix-synapse-rest-password-provider suggests that mxisd does (or could) provide such an endpoint.

matrix-corporal and matrix-synapse-rest-password-provider are compatible when it comes to such an authentication endpoint.


In any case, matrix-corporal requires that you periodically list all users and dump them to a matrix-corporal policy file. So, while authentication will ultimately be happening via mxisd+LDAP, all users would still need to be manually passed along to matrix-corporal.
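As an added illustration of the exchange described above (this is not code from this thread, from matrix-corporal, or from mxisd), the following Go program plays both sides: a mock identity server that answers check_credentials by consulting a constructed in-memory directory standing in for LDAP, and a gateway-side client that posts a login attempt and accepts only an explicit success. The JSON field names follow my reading of the matrix-synapse-rest-password-provider README and are an assumption here; verify them against that README and against mxisd's own endpoint before relying on them.

```go
package main

import (
	"bytes"
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Request/response shapes. ASSUMPTION: taken from my reading of the
// matrix-synapse-rest-password-provider README; check the field names there.
type checkRequest struct {
	User struct {
		ID       string `json:"id"`
		Password string `json:"password"`
	} `json:"user"`
}

type checkResponse struct {
	Auth struct {
		Success bool   `json:"success"`
		MXID    string `json:"mxid,omitempty"`
	} `json:"auth"`
}

// directory is a constructed stand-in for the LDAP tree mxisd would bind
// against. A real identity server never holds passwords like this; it
// performs an LDAP bind and lets the directory decide.
var directory = map[string]string{
	"@alice:example.com": "correct horse battery staple",
}

// authHandler plays the identity server's check_credentials endpoint.
func authHandler(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	var req checkRequest
	body := http.MaxBytesReader(w, r.Body, 4096) // bound the request body
	if err := json.NewDecoder(body).Decode(&req); err != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	var resp checkResponse
	// Bad credentials still get HTTP 200 with success=false, so the caller can
	// tell "rejected" apart from "identity server unreachable".
	if pw, ok := directory[req.User.ID]; ok &&
		subtle.ConstantTimeCompare([]byte(pw), []byte(req.User.Password)) == 1 {
		resp.Auth.Success = true
		resp.Auth.MXID = req.User.ID
	}
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(resp)
}

// newAuthServer starts the mock identity server on a loopback port.
func newAuthServer() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/_matrix-internal/identity/v1/check_credentials", authHandler)
	return httptest.NewServer(mux)
}

// checkCredentials is the gateway side: POST the login attempt and accept only
// an explicit success for the same MXID. Transport errors, non-200 replies and
// malformed bodies all fail closed.
func checkCredentials(endpoint, mxid, password string) (bool, error) {
	var req checkRequest
	req.User.ID = mxid
	req.User.Password = password
	payload, err := json.Marshal(req)
	if err != nil {
		return false, err
	}
	resp, err := http.Post(endpoint, "application/json", bytes.NewReader(payload))
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return false, fmt.Errorf("identity server returned HTTP %d", resp.StatusCode)
	}
	var out checkResponse
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return false, err
	}
	return out.Auth.Success && out.Auth.MXID == mxid, nil
}

func main() {
	srv := newAuthServer()
	defer srv.Close()
	endpoint := srv.URL + "/_matrix-internal/identity/v1/check_credentials"
	for _, pw := range []string{"correct horse battery staple", "wrong"} {
		ok, err := checkCredentials(endpoint, "@alice:example.com", pw)
		fmt.Printf("password %q -> accepted=%v err=%v\n", pw, ok, err)
	}
}
```

The point worth keeping from this sketch is the fail-closed shape of the client: a network error, a 404 from a misconfigured endpoint URL, or a reply naming a different MXID all end in a rejected login rather than an accepted one.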

amelentjev commented 4 years ago

I've tried with the latest Synapse Matrix server and Riot web client. Reconciliation works well, but the user cannot log in: according to the debug log it stops at matrix.DetermineFullUserId(payload.User, me.homeserverDomainName). In payload.User, user is empty. It seems something has changed in the login process.

amelentjev commented 4 years ago

I've just thought: what if I pass all requests to /_matrix/client/r0/login directly to mxisd, as it was before? Will all remaining functionality work?

spantaleev commented 4 years ago

Make sure you're on the latest version of Corporal, or authentication may fail with such an error (payload.User user is empty). Things have changed spec-wise and riot-web is sending the username in another parameter now. Newer versions of Corporal (>=1.7.0) have been made to handle it.

I guess you could try passing all login requests to mxisd as well. Not sure what mxisd does internally and if it could work.

amelentjev commented 4 years ago

I've tried both variants (with REST authentication in the policy going to mxisd, and with all requests for /login going to mxisd); they all work. Thanks for your help. One more thing: when proxying requests through matrix-corporal, there are many similar lines in nginx error.log: upstream prematurely closed connection while reading response header from upstream, request: "GET /_matrix/client/r0/sync?filter=0&timeout=30000&since=s12264_865078_7562_9145_5117_35_212_363_72 (the since parameter varies). Is this correct behaviour?

spantaleev commented 4 years ago

I can observe the same on one of my servers as well, but it's not happening every time, so it looks a bit hard to figure out why.

Make sure your TimeoutMilliseconds configuration value is set to something large (at least 45000, which is the default). If the Synapse server is overloaded, an even higher value may be necessary.

Basically, the request goes to nginx, then to Corporal, then to Synapse. Due to &timeout=30000 (it is rather standard for clients to send such a large timeout), Synapse is instructed to keep the request open for some 30ish seconds. Corporal is supposed to wait that long as well (because TimeoutMilliseconds defaults to 45000 / 45 seconds). But if Synapse is too slow and exceeds those 45 seconds (even though it was instructed to return a response after some 30ish seconds), the connection will be closed and we may see the behavior you've mentioned.

There might also be other reasons for seeing this behavior. We should probably try to figure it out.
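To make the nginx -> Corporal -> Synapse timing chain from the comment above concrete, here is an added Go example (not code from this thread or from matrix-corporal). It models the three hops with loopback test servers: a stand-in for Synapse that holds a /sync open for a while, and a stand-in gateway that gives up after a budget and then drops the client connection without writing headers, which is exactly what the hop in front of it reports as "upstream prematurely closed connection while reading response header". A small helper also parses the timeout=... value out of a logged /sync request line and checks whether a given TimeoutMilliseconds covers it with some margin. The timings are scaled down from seconds to milliseconds so the program finishes quickly; the server names, the budgetCovers helper and the sample sync body are all my own constructions.

```go
package main

import (
	"context"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strconv"
	"time"
)

// newSlowSync stands in for Synapse serving /sync: it holds the request open
// for holdFor (the long-poll) before replying, unless the caller hangs up.
func newSlowSync(holdFor time.Duration) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		select {
		case <-time.After(holdFor):
			w.Header().Set("Content-Type", "application/json")
			io.WriteString(w, `{"next_batch":"s2"}`) // constructed sample body
		case <-r.Context().Done(): // the gateway gave up first; nothing to send
		}
	}))
}

// newGateway models the middle hop with a TimeoutMilliseconds-style budget.
// If upstream has not answered within budget, the gateway closes the client
// connection with no status line or headers; the hop above it (nginx) logs
// that as "upstream prematurely closed connection while reading response header".
func newGateway(upstream string, budget time.Duration) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ctx, cancel := context.WithTimeout(r.Context(), budget)
		defer cancel()
		req, err := http.NewRequestWithContext(ctx, r.Method, upstream+r.URL.RequestURI(), nil)
		if err != nil {
			http.Error(w, err.Error(), http.StatusInternalServerError)
			return
		}
		resp, err := http.DefaultClient.Do(req)
		if err != nil {
			if hj, ok := w.(http.Hijacker); ok {
				if conn, _, herr := hj.Hijack(); herr == nil {
					conn.Close() // premature close: nothing was written
					return
				}
			}
			http.Error(w, "gateway timeout", http.StatusGatewayTimeout)
			return
		}
		defer resp.Body.Close()
		w.WriteHeader(resp.StatusCode)
		io.Copy(w, resp.Body)
	}))
}

// syncThrough sends one /sync through gateway -> upstream and returns the
// status, or an error when the gateway dropped the connection early.
func syncThrough(holdFor, budget time.Duration) (int, error) {
	up := newSlowSync(holdFor)
	defer up.Close()
	gw := newGateway(up.URL, budget)
	defer gw.Close()
	resp, err := http.Get(gw.URL + "/_matrix/client/r0/sync?timeout=30000&since=s1")
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// budgetCovers reads timeout=... from a logged /sync request URI and checks
// that the gateway budget exceeds it by marginMs: the configuration check
// worth doing before suspecting anything else.
func budgetCovers(requestURI string, budgetMs, marginMs int) (bool, error) {
	u, err := url.ParseRequestURI(requestURI)
	if err != nil {
		return false, err
	}
	raw := u.Query().Get("timeout")
	if raw == "" {
		return true, nil // no long-poll requested, nothing to cover
	}
	clientMs, err := strconv.Atoi(raw)
	if err != nil {
		return false, fmt.Errorf("timeout %q is not an integer", raw)
	}
	return budgetMs >= clientMs+marginMs, nil
}

func main() {
	// Scaled down: the client's 30 s becomes 300 ms, the 45 s budget 450 ms.
	fmt.Println(syncThrough(300*time.Millisecond, 450*time.Millisecond)) // 200 <nil>
	fmt.Println(syncThrough(600*time.Millisecond, 450*time.Millisecond)) // 0 plus an EOF error
	fmt.Println(budgetCovers("/_matrix/client/r0/sync?filter=0&timeout=30000&since=s1", 45000, 5000))
}
```

Two things fall out of running it: the error only appears when upstream overruns the gateway budget, never when the client's long-poll completes inside it, and raising the budget above the largest timeout= your clients send (plus margin for a busy Synapse) is the knob that removes the premature-close class of log lines; whatever is left after that has a different cause.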

sents commented 4 years ago

I can confirm LDAP authentication to work with ma1sd, matrix-corporal 1.5.0 and Synapse 1.11.

cmuller commented 4 years ago

I also confirm that it works with: ma1uta/ma1sd:2.3.0, matrixdotorg/synapse:v1.12.3, devture/matrix-corporal:1.9.0. Maybe you can close this issue(?)

spantaleev commented 4 years ago

Thanks for confirming! Closing :)