matrix-org / matrix-synapse-ldap3

An LDAP3 auth provider for Synapse
Apache License 2.0

email and displayname are not updated on matrix side when they are changed on LDAP server #117

Open masscream opened 3 years ago

masscream commented 3 years ago

When I log in through an LDAP account, the cn and mail attributes are linked to name and e-mail in my matrix profile. If I then change them in the LDAP account, the attributes are not updated on the matrix server.

To Reproduce

Steps to reproduce the behavior:

  1. Log in as an LDAP user for the first time to the server
  2. Change your cn and mail attributes on the LDAP side
  3. Log in to your matrix profile again
  4. No change is passed from your LDAP server (clearing the cache did not help)

Expected behavior

The linked attributes shall be passed from the LDAP server any time.

Server (please complete the following information):

richvdh commented 3 years ago

I think this is a dup of #109

masscream commented 3 years ago

> I think this is a dup of #109

I'm sorry, but this is not a dup of #109; as I read it, the point is a little bit different. While I agree with @azmeuk that

> That would be great if other attributes could be read too, such as telephone, avatar (inetOrgPerson has a photo attribute), preferred language.

I'm having a different problem, which is that all the extension works with from the database all the time is just the username and password. While it also pretends that the name (cn) and mail attributes are important too, it copies them only the first time, during the first login, and then it completely stops caring about them, no matter if a user wants to change his/her name or e-mail, which is common. It saves these values to the synapse shadow database, stored probably inside its sql file, and does not allow any easy way to change them. IMHO that is not the way it should work, or it shall not even copy these values from the database during the synapse profile creation; then what @azmeuk mentions would come into play. Please reopen the thread. Thank you.

richvdh commented 3 years ago

ok sorry, your description was very long and wasn't very easy to follow. I've edited the description - hopefully it is correct now?

(you also mention that password changes in Element are not reflected back on the LDAP server, for which see https://github.com/matrix-org/matrix-synapse-ldap3/issues/50)

masscream commented 3 years ago

Np, yes it can be. Actually the previous one from @clokep was correct as well. They are not updated in both directions because when synapse creates its own profile, it touches only these entries in the database, and that is the problem. I don't care about the way synapse => LDAP because I use the database for more apps and therefore I find this concept better: administer the database and every app should update theirs, instead of every app touching the database, each in its own way, which calls for a conflict sooner or later. So I disabled any updates directly in the synapse conf; however, synapse also doesn't care about the way LDAP => itself, which makes the problem. Thanks

behrmann commented 2 years ago

With matrix-org/synapse#12195 it should be possible to implement this.

behrmann commented 2 years ago

Maybe I was too optimistic. I thought the change might be as simple as

mail = response["attributes"].get("mail", [None])
mail = mail[0] if len(mail) == 1 else None
if self.conf.update_profile_information and mail:
    await self.account_handler.store_remote_3pid_association(
        user_id, "email", mail, "???"
    )

but I'm unsure about what the correct choice for the id_server argument of store_remote_3pid_association would be.
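
An added sketch, not part of the thread and not code from matrix-synapse-ldap3 or Synapse: the comparison a per-login sync would need before writing anything, using the same single-value rule as the snippet above. The stored-profile dictionary shape, the function names and the sample values are assumptions; applying the planned changes through Synapse's module API is left out.

```python
from typing import Optional

def single_value(attributes: dict, name: str) -> Optional[str]:
    """Return the attribute only when LDAP holds exactly one non-empty value.

    Multi-valued or missing attributes yield None, so an ambiguous
    directory entry never overwrites what the homeserver already has.
    """
    values = attributes.get(name) or []
    if isinstance(values, str):  # tolerate a scalar instead of a list
        values = [values]
    return values[0] if len(values) == 1 and values[0] else None

def plan_profile_updates(ldap_attributes: dict, stored_profile: dict,
                         name_attr: str = "cn", mail_attr: str = "mail") -> dict:
    """Compare LDAP attributes with the values copied at first login.

    stored_profile is a hypothetical view of the homeserver side:
    {"displayname": str, "emails": [str, ...]}.
    Returns only the changes that would have to be applied.
    """
    changes = {}
    name = single_value(ldap_attributes, name_attr)
    if name and name != stored_profile.get("displayname"):
        changes["displayname"] = name

    mail = single_value(ldap_attributes, mail_attr)
    stored = {m.lower() for m in stored_profile.get("emails", [])}
    if mail and mail.lower() not in stored:
        changes["add_email"] = mail.lower()
        # Addresses still bound on the homeserver but no longer in LDAP.
        # Whether to unbind them is a policy decision, so only report them.
        changes["emails_not_in_ldap"] = sorted(stored)
    return changes

# Constructed sample data: the directory entry after the user changed
# cn and mail, and the profile as it was stored at first login.
LDAP_AFTER_CHANGE = {"cn": ["Alice Newname"], "mail": ["alice.new@example.org"]}
STORED_AT_FIRST_LOGIN = {"displayname": "Alice Oldname",
                         "emails": ["alice.old@example.org"]}

if __name__ == "__main__":
    print(plan_profile_updates(LDAP_AFTER_CHANGE, STORED_AT_FIRST_LOGIN))
```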