spantaleev / matrix-docker-ansible-deploy

🐳 Matrix (An open network for secure, decentralized communication) server setup using Ansible and Docker
GNU Affero General Public License v3.0

LDAP settings #272

Closed illuminated closed 4 years ago

illuminated commented 4 years ago

Hi everyone,

Has anyone been able to correctly set the LDAP authentication mechanism?

I have initially tried the built-in Synapse implementation of LDAP, but have moved to mxisd. What I couldn't do with it was map LDAP fields to Matrix. I want to have users log in with their LDAP email address and password.

Adding extra fields in matrix_mxisd_configuration_extension_yaml causes the deployment process to stop with errors:

  ldap:
    attribute:        ## this is my addition to the standard configuration
      uid: mail       ## this is my addition to the standard configuration
      email: mail   ## this is my addition to the standard configuration
      name: cn     ## this is my addition to the standard configuration
    enabled: true
    connection:
      host: mail.mydomain.com
      tls: false
      port: 389
      baseDNs: ['ou=People,dc=mydomain,dc=com']
      bindDn: uid=kolab-service,ou=Special Users,dc=mydomain,dc=com
      bindPassword: myPassword

Also, using these variables in vars.yml gives a deprecation error and also halts the process:

matrix_mxisd_ldap_attribute_uid_type: uid
matrix_mxisd_ldap_attribute_uid_value: mail
matrix_mxisd_ldap_attribute_name: cn
matrix_mxisd_ldap_attribute_threepid_email: mail
matrix_mxisd_ldap_identity_medium: mail

Is there a way to map fields? For a brief time I was able to login with LDAP uid and password, but now it is not possible again (I have probably changed something in the config that I can't find again): the log says that the user cannot be found in LDAP... (I'll figure that out).

Anyway, I would love it if someone with this kind of authentication working (LDAP with email/password authentication in Riot) could share the experience.

On the LDAP side I have an instance of Kolab Groupware (kolab.org) and I already have external services using it for authentication without an issue. Thanks!

danptr commented 4 years ago

I am having the same issue. Only, I wasn't even able to get to the mxisd logs. How were you able to retrieve them? The official documentation suggests using docker logs but that wasn't working for me.

And also, what errors do you get during the deployment process?

illuminated commented 4 years ago

I have a terminal window running sudo journalctl -f -u matrix-synapse so I'm checking it in real time. Couldn't find the logs myself anywhere... I'll see what I can do later today/tonight with this. It's been almost a week of sleepless nights to make it work. If I don't find a solution, it's time to move on. My hands are tied in solving this, my attempts are done blindly, cannot check most of the things.

Re. errors, I was writing above about the errors I get when I add the attributes section, in the matrix_mxisd_configuration_extension_yaml. The mxisd server wouldn't want to run at all. Don't remember the actual output of those errors. What I do have as a constant error is the matrix-dimension server. I'll kill it probably while solving this...

illuminated commented 4 years ago

The way to have LDAP login enabled is to disable mxisd's LDAP. Have Synapse deal with it and it will work. Any combination of Synapse settings with mxisd's LDAP won't work. There are a few issues with that:

spantaleev commented 4 years ago

Since we start one-off containers from systemd services and systemd already logs all their output via journald by default, we disable the default Docker logging functionality (with --log-driver=none). We disable Docker's logging to prevent logging to 2 different systems. Docker's own logging also creates huge non-rotating log files in /var/lib/docker/.. for long-running containers.

So, you can check logs for mxisd by doing journalctl -fu matrix-mxisd.

As for LDAP integration, I can't help since I haven't used it. Generally, I've heard that mxisd is much better at that than using the matrix-synapse-ldap3 password provider.

Adding new playbook variables to help with matrix-synapse-ldap3, etc., is also possible if you let me know what they should be or submit a pull request.

fnoah commented 4 years ago

@illuminated Have you tried doing it like this? According to this page the email attribute needs to be part of threepid. Also, for the uid you apparently need to define a type.

ldap:
  attribute:
    threepid:
      email:
        - 'mail'
    uid:
      type: uid
      value: mail
    name: cn
  enabled: true
  connection:
    host: mail.mydomain.com
    tls: false
    port: 389
    baseDNs: ['ou=People,dc=mydomain,dc=com']
    bindDn: uid=kolab-service,ou=Special Users,dc=mydomain,dc=com
    bindPassword: myPassword

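
The shape constraints discussed in this comment (email listed under threepid, uid given as a type/value mapping) are easy to get wrong when indenting by hand: a YAML loader silently turns an `email:` key indented to the same depth as `threepid:` into an empty `threepid` plus a stray top-level `email`. The checker below is an added example, not code from the playbook or from mxisd; the accepted `uid.type` values and the rules it enforces are assumptions drawn from the configs in this thread, and the three inputs are constructed to mirror them.

```python
"""Structural check for the `ldap.attribute` block of an mxisd/ma1sd config.

Added example, not code from the playbook or from mxisd. The accepted
uid.type values and the rules below are assumptions drawn from the thread.
"""

# Assumption: uid.type is either 'uid' (local part) or 'mxid' (full Matrix ID).
ACCEPTED_UID_TYPES = {"uid", "mxid"}
THREEPID_MEDIA = ("email", "msisdn")


def check_ldap_attribute(attribute):
    """Return a list of problems in an `attribute:` mapping; empty means ok."""
    problems = []
    uid = attribute.get("uid")
    if not isinstance(uid, dict):
        problems.append("uid must be a mapping with 'type' and 'value'")
    else:
        if uid.get("type") not in ACCEPTED_UID_TYPES:
            problems.append("uid.type must be one of %s" % sorted(ACCEPTED_UID_TYPES))
        if not isinstance(uid.get("value"), str) or not uid["value"]:
            problems.append("uid.value must name an LDAP attribute")
    # 3PID attributes live under threepid; a bare email:/msisdn: key means the
    # block was indented one level too shallow.
    for medium in THREEPID_MEDIA:
        if medium in attribute:
            problems.append("%s belongs under attribute.threepid" % medium)
    threepid = attribute.get("threepid")
    if isinstance(threepid, dict):
        for medium, attrs in threepid.items():
            if not isinstance(attrs, list) or not all(isinstance(a, str) for a in attrs):
                problems.append("threepid.%s must be a list of LDAP attributes" % medium)
    elif threepid is not None:
        problems.append("threepid must be a mapping of medium -> attribute list")
    if "name" in attribute and not isinstance(attribute["name"], str):
        problems.append("name must be a single LDAP attribute")
    return problems


# Constructed inputs, shaped as a YAML loader would return them.
# email: indented at the same depth as threepid: leaves threepid empty.
MISNESTED = {"threepid": None, "email": ["mail"],
             "uid": {"type": "uid", "value": "mail"}, "name": "cn"}
# The same mapping with email nested under threepid.
NESTED = {"threepid": {"email": ["mail"]},
          "uid": {"type": "uid", "value": "mail"}, "name": "cn"}
# Flat uid/email/name strings, the shape from the first attempt in this thread.
FLAT = {"uid": "mail", "email": "mail", "name": "cn"}
```

Run `check_ldap_attribute` on the `attribute` mapping after loading the YAML; an empty list means the block has the shape the thread converged on.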
illuminated commented 4 years ago

No... I've purged the entire Ansible installation and installed everything manually, and LDAP works now. Dimension was also a bit easier to set up that way. I'll write up the settings that have mattered to my LDAP setup so that they can be added here as well; it might help someone else.

fnoah commented 4 years ago

I'd appreciate it if you showed me your mxisd configuration for LDAP. While I am able to run the ansible playbook with the configuration I posted above, I am still having trouble getting LDAP login to work.

illuminated commented 4 years ago

I will later, not at my computer atm.

illuminated commented 4 years ago

Here are the mxisd settings I have put and homeserver.yaml (I've just noticed that I still have there the LDAP password provider... but my LDAP authentication works and I won't be touching it :) ). I'm using OpenLDAP provided by Kolab Groupware.

/etc/mxisd/mxisd.yaml

...
ldap:
  enabled: true
  connection:
    host: '<my LDAP host>'
    port: 389
    bindDn: 'uid=kolab-service,ou=Special Users,dc=<second level domain>,dc=com'
    bindPassword: '<password>'
    baseDNs:
      - 'ou=People,dc=<second level domain>,dc=com'
  filter: '(objectclass=kolabinetorgperson)'
  attribute:
    uid:
      type: 'uid'
      value: 'uid'
    name: 'cn'
    threepid:
      email:
        - 'mail'
        - 'alias'
  directory:
    attribute:
      other:
        - 'uid'
        - 'mail'
        - 'alias'

dns:
  overwrite:
    homeserver:
      client:
        - name: '<url to matrix>'
          value: 'http://127.0.0.1:8008'

register:
  allowed: true
  invite: true
  policy:
    threepid:
      email:
        domain:
          whitelist:
            - '*<second level domain>.com'
            - '*<alias of the second level domain>.com'
...

/etc/matrix-synapse/homeserver.yaml

...
password_providers:
    - module: "ldap_auth_provider.LdapAuthProvider"
      config:
        enabled: true
        uri: "ldap://<my LDAP domain>:389"
        start_tls: false
        base: "ou=People,dc=<second level domain>,dc=com"
        attributes:
           uid: "uid"
           mail: "mail"
           name: "cn"
        bind_dn: "uid=kolab-service,ou=Special Users,dc=<second level domain>,dc=com"
        bind_password: "<password>"
        filter: "(objectclass=kolabinetorgperson)"
...

The only issue I have is that users' attributes are not automatically mapped from LDAP to Riot, except for the uid, despite the settings above. I'll see if I can do something about that.

fnoah commented 4 years ago

Thanks for your configuration. I think I figured out how to use an mxisd LDAP identity store for authentication while still using this playbook. Here's my relevant configuration (/inventory/host_vars/matrix.DOMAIN/vars.yml) in case anyone else stumbles over this issue:

matrix_synapse_ext_password_provider_rest_auth_enabled: true
matrix_synapse_ext_password_provider_rest_auth_endpoint: "http://matrix-mxisd:8090"

matrix_mxisd_configuration_extension_yaml: |
  ldap:
    enabled: true
    connection:
      host: mail.mydomain.com
      tls: false
      port: 389
      baseDNs: ['ou=People,dc=mydomain,dc=com']
      bindDn: uid=kolab-service,ou=Special Users,dc=mydomain,dc=com
      bindPassword: myPassword
    attribute:
      name: gecos
      uid:
        type: uid
        value: cn

@spantaleev should I go ahead and try to improve the documentation for configuring LDAP (or other identity stores) for authentication over mxisd?

spantaleev commented 4 years ago

If you've got an idea about how to improve the documentation, please go ahead.

Please note that the REST Auth password provider does not necessarily need to be used with mxisd, etc. I've done a few integrations where I hook it to some other external system (not to mxisd and not to anything LDAP-based). So use-cases for the password provider may vary.

pgera commented 4 years ago

I have this sort of working with an ldap store using the config similar to the one in https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/272#issuecomment-544882726. For the last section of attribute mapping, this is what my config looks like:

attribute:
  name: cn
  uid:
    type: 'uid'
    value: 'uid'

There are a couple of issues. One is that even if Riot's login says username, it also authenticates with email. Does anyone know how to disable this behaviour? It seems like a bug to me. Second, is it possible to disable authentication methods other than username? The main reason for this is that uniqueness of other attributes like email is generally not enforced at the LDAP end. Only uid is guaranteed to be unique. And finally, is it possible to make Matrix's store read-only? For example, right now you can reset the password in Riot, and then you can log in with both your LDAP password and the new password you reset in Riot.

illuminated commented 4 years ago

I know I wanted badly to make the authentication work with email/password, as I have all services relying on LDAP using the same authentication method. It was easier and more convenient for my case. I'll look into these settings later and see if I can suggest something for you.

Metzlmane commented 4 years ago

mxisd is no longer developed and I switched to ma1sd, which is a fork of it. This works pretty well:

ldap:
  enabled: true
  connection:
    host: 'ldap.de'
    port: 636
    tls: true
    bindDn: 'uid=hehe,ou=1,dc=2,dc=3,dc=de'
    bindPassword: 'yesofcourse'
    baseDNs:
      - 'ou=1,dc=2,dc=3,dc=de'
  attribute:
    uid:
      type: 'uid'
      value: 'uid'
    name: 'cn'
    threepid:
      email:
        - 'mail'
      msisdn:
        - 'telephoneNumber'
      name:
        - 'cn'

If I want to start a new conversation, all people get listed by their names and emails. Hope this helps.

pgera commented 4 years ago

That was already working even with mxisd. The issue was that instead of username, you can also log in with email. I don't think there is any change to that, right? I.e. there are two distinct issues. 1) Bug: In Riot, instead of username, email works (without toggling the field from username to email). 2) Missing feature: No way to disable email-based authentication.

spantaleev commented 4 years ago

I don't see anything actionable we can do here, so I'll close this issue.