kamax-matrix / mxisd

Federated Matrix Identity Server
GNU Affero General Public License v3.0

Riot+Synapse+Mxisd+LDAP. Not connecting #39

Closed arpsyapathy closed 6 years ago

arpsyapathy commented 6 years ago

Hello! I can't connect to Riot through LDAP =( What am I doing wrong?

I did:

  1. Install Synapse on Ubuntu 16 from debian repo. Install with server name "matrix_server"
  2. Install Mxisd from .deb. Rename default conf to mxisd.yaml and set matrix.domain to "matrix_server"
  3. Install Authenticator module for synapse (https://github.com/kamax-io/matrix-synapse-rest-auth) and add to homeserver.yaml: password_providers:
  4. Add to mxisd.yaml LDAP:
ldap.enabled: true
ldap.connection.host: 'server.matrix.local'
ldap.connection.bindDn: 'CN=service_user,OU=Users,DC=Matrix,DC=Local'
ldap.connection.bindPassword: '***********'
ldap.connection.baseDn: 'OU=Users,DC=Matrix,DC=Local'
ldap.attribute.uid.type: 'uid'
ldap.attribute.uid.value: 'uid'
ldap.attribute.name: 'cn'
  5. Saved. Restarted services. matrix-synapse and mxisd started and listen on 8008 and 8090.
  6. Trying to connect from Riot:
    login: service_user
    password: **********
    Homeserver URL: http://matrix_server:8008
    Identity server URL: http://matrix_server:8090
  7. No connection. "Invalid username and/or password." But login and password are 100% correct!
  8. In logs: homeserver:
    2017-11-27 11:41:56,746 - synapse.access.http.8008 - 59 - INFO - POST-14- 192.168.0.2 - 8008 - Received request: POST /_matrix/client/r0/login?
    2017-11-27 11:41:56,747 - synapse.rest.client.v1.login - 177 - INFO - POST-14- Got login request with identifier: {'type': 'm.id.user', 'user': 'service_user'}, medium: None, address: None, user: 'service_user'
    2017-11-27 11:41:56,781 - synapse.handlers.auth - 479 - WARNING - POST-14- Attempted to login as @service_user:matrix_server but they do not exist
    2017-11-27 11:41:56,782 - synapse.http.server - 123 - INFO - POST-14- <SynapseRequest at 0x7fb5e2fa7dd0 method=POST uri=/_matrix/client/r0/login? clientproto=HTTP/1.1 site=8008> SynapseError: 403 - Invalid password

mxisd:

Nov 27 11:41:56 matrix_server mxisd[5224]: .759  INFO [nio-8090-exec-7]       i.k.m.b.ldap.LdapAuthProvider : Performing auth for @service_user:matrix_server
Nov 27 11:41:56 matrix_server mxisd[5224]: .776  INFO [nio-8090-exec-7]       i.k.m.b.ldap.LdapAuthProvider : No match were found for @service_user:matrix_server

P.S. 1: service_user is the CN attribute of the AD user. CN and sAMAccountName are available attributes for this user. Maybe there is a mistake in my mxisd.yaml?

P.S. 2: My LDAP is Active Directory.

Please tell me what I could be doing wrong.

Thank you in advance!

maxidorius commented 6 years ago

Remove the ldap.attribute configuration items, those are needed if you use native LDAP, NOT Active Directory as explained in the documentation.

Madic- commented 6 years ago

Having the exact same problem and error messages. No solution so far for me. User and password are definitely correct.

mxisd.log

i.k.m.c.auth.v1.AuthController : Requested to check credentials for @USER:matrix.SERVER.de
i.k.m.b.ldap.LdapAuthProvider : Performing auth for @USER:matrix.SERVER.de
i.k.m.b.ldap.LdapAuthProvider : No match were found for @USER:matrix.SERVER.de

homeserver.log

synapse.access.http.8008 - 59 - INFO - POST-26- 127.0.0.1 - 8008 - Received request: POST /_matrix/client/api/v1/login
synapse.rest.client.v1.login - 177 - INFO - POST-26- Got login request with identifier: None, medium: None, address: None, user: 'user'
synapse.handlers.auth - 479 - WARNING - POST-26- Attempted to login as @user:matrix.SERVER.de but they do not exist
synapse.http.server - 123 - INFO - POST-26- <SynapseRequest at 0x7f7325b034d0 method=POST uri=/_matrix/client/api/v1/login clientproto=HTTP/1.0 site=8008> SynapseError: 403 - Invalid password
synapse.access.http.8008 - 91 - INFO - POST-26- 127.0.0.1 - 8008 - {None} Processed request: 15ms (4ms, 0ms) (0ms/1) 68B 403 "POST /_matrix/client/api/v1/login HTTP/1.0" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36"

mxisd.yml

matrix.domain: 'matrix.SERVER.de'
server.name: 'matrix.SERVER.de'

dns.overwrite.homeserver.client:
  - name: 'matrix.SERVER.de'
    value: 'http://127.0.0.1:8008'

ldap:
  enabled: true
  connection:
    host: 'AD-SERVER'
    bindDn: 'DISTINGUISHED_NAME'
    bindPassword: 'PASSWORD'
    tls: false
    port: 389

homeserver.yml

password_providers:
    - module: "rest_auth_provider.RestAuthProvider"
      config:
        endpoint: "http://127.0.0.1:8090"

nginx proxy_pass config

location /_matrix/identity/ {
        proxy_pass       http://127.0.0.1:8090/_matrix/identity/;
}
location /_matrix/client/r0/user_directory/ {
        proxy_pass       http://127.0.0.1:8090/_matrix/client/r0/user_directory/;
}
location / {
        proxy_pass       http://127.0.0.1:8008/;
}

maxidorius commented 6 years ago

@Madic- case was solved with the following:

ldap:
  attribute:
    uid:
      type: 'uid'
      value: 'sAMAccountName'
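Both answers in this thread come down to the same thing: the identity server takes the localpart of the Matrix ID and looks it up in the directory by whatever attribute `ldap.attribute.uid.value` names, and an Active Directory account has `sAMAccountName` but normally no `uid` attribute, so a `uid` mapping finds nothing and the homeserver reports "Invalid password". The following is an added, self-contained illustration of that lookup, written for this thread; it is not mxisd's own code, the in-memory directory entries are constructed here, and the filter-building and matching logic is a simplification that makes no claim about mxisd's real defaults or filters. It reproduces the "No match were found" outcome with the original mapping and the successful match with the `sAMAccountName` mapping from the last comment.

```python
"""Illustrative MXID -> directory lookup (constructed example, not mxisd code)."""
import re
from typing import Dict, List, Optional

# Constructed sample of what an AD "Users" OU might hold: accounts carry
# cn and sAMAccountName, but no "uid" attribute.
AD_ENTRIES: List[Dict[str, str]] = [
    {"dn": "CN=service_user,OU=Users,DC=Matrix,DC=Local",
     "cn": "service_user", "sAMAccountName": "service_user"},
    {"dn": "CN=Jane Doe,OU=Users,DC=Matrix,DC=Local",
     "cn": "Jane Doe", "sAMAccountName": "jdoe"},
]

# Constructed sample of a native (OpenLDAP-style) tree that does use uid.
OPENLDAP_ENTRIES: List[Dict[str, str]] = [
    {"dn": "uid=service_user,ou=Users,dc=matrix,dc=local",
     "uid": "service_user", "cn": "Service User"},
]

MXID_RE = re.compile(r"^@([^:]+):(.+)$")


def localpart(mxid: str, expected_domain: str) -> Optional[str]:
    """Return the localpart of @local:domain, or None if the domain differs."""
    m = MXID_RE.match(mxid)
    if not m or m.group(2) != expected_domain:
        return None
    return m.group(1)


def uid_attribute(ldap_cfg: dict, default_attr: str) -> str:
    """Read ldap.attribute.uid.value from an mxisd-style config dict.

    default_attr is a hypothetical stand-in for whatever the server applies
    when the key is absent; this example does not know mxisd's real default.
    """
    return ldap_cfg.get("attribute", {}).get("uid", {}).get("value") or default_attr


def build_filter(attr: str, value: str) -> str:
    """Build an LDAP equality filter, escaping RFC 4515 special characters
    so a localpart containing '*', '(' or ')' cannot change the filter."""
    escaped = (value.replace("\\", r"\5c").replace("*", r"\2a")
               .replace("(", r"\28").replace(")", r"\29").replace("\0", r"\00"))
    return f"({attr}={escaped})"


def find_user(entries: List[Dict[str, str]], attr: str, value: str) -> Optional[str]:
    """Case-insensitive match on attribute name and value, like AD's
    default equality rules for these attributes. Returns the entry DN."""
    for entry in entries:
        for key, stored in entry.items():
            if key.lower() == attr.lower() and stored.lower() == value.lower():
                return entry["dn"]
    return None


def resolve(mxid: str, domain: str, ldap_cfg: dict,
            entries: List[Dict[str, str]], default_attr: str = "uid") -> dict:
    """Full lookup: MXID -> localpart -> filter -> matching DN (or None)."""
    lp = localpart(mxid, domain)
    if lp is None:
        return {"filter": None, "dn": None}
    attr = uid_attribute(ldap_cfg, default_attr)
    return {"filter": build_filter(attr, lp), "dn": find_user(entries, attr, lp)}


if __name__ == "__main__":
    original = {"attribute": {"uid": {"type": "uid", "value": "uid"}}}
    fixed = {"attribute": {"uid": {"type": "uid", "value": "sAMAccountName"}}}
    for label, cfg in (("original", original), ("fixed", fixed)):
        print(label, resolve("@service_user:matrix_server", "matrix_server", cfg, AD_ENTRIES))
```

Against the constructed AD entries the `uid` mapping yields no DN (the "No match were found" line in the mxisd log), while the `sAMAccountName` mapping resolves `@service_user:matrix_server` to its entry; the same `uid` mapping does match the OpenLDAP-style entries, which is why the attribute settings differ between native LDAP and AD.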