Closed: illuminated closed this issue 4 years ago
I am having the same issue. Only, I wasn't even able to get to the mxisd logs. How were you able to retrieve them? The official documentation suggests using `docker logs`, but that wasn't working for me.
And also, what errors do you get during the deployment process?
I have a terminal window running `sudo journalctl -f -u matrix-synapse`, so I'm checking it in real time. Couldn't find the logs myself anywhere...
I'll see what I can do later today/tonight with this. It's been almost a week of sleepless nights to make it work. If I don't find a solution, it's time to move on. My hands are tied in solving this; my attempts are done blindly, and I cannot check most of the things.
Re. errors, I was writing above about the errors I get when I add the `attributes` section in `matrix_mxisd_configuration_extension_yaml`. The mxisd server wouldn't run at all. I don't remember the actual output of those errors.
What I do have as a constant error is the matrix-dimension server. I'll probably kill it while solving this...
The way to have LDAP login enabled is to disable mxisd's LDAP. Have Synapse deal with it and it will work. Any combination of Synapse settings with mxisd's LDAP won't work. There are a few issues with that:

```yaml
mode: search
```

in `/matrix/synapse/config/homeserver.yaml`, and restarting the servers won't make it do it.
Would be nice to add a new key, `matrix_synapse_ext_password_provider_ldap_attributes_mode`, but I couldn't confirm it works.
So, I surrender.
I really wanted to make all this work.

Since we start one-off containers from systemd services and systemd already logs all their output via journald by default, we disable the default Docker logging functionality (with `--log-driver=none`). We disable Docker's logging to prevent logging to 2 different systems. Docker's own logging also creates huge non-rotating log files in `/var/lib/docker/..` for long-running containers.
So, you can check logs for mxisd by doing `journalctl -fu matrix-mxisd`.
As for LDAP integration, I can't help since I haven't used it. Generally, I've heard that mxisd is much better at that than using the matrix-synapse-ldap3 password provider.
Adding new playbook variables to help with matrix-synapse-ldap3, etc., is also possible if you let me know what they should be or submit a pull request.
@illuminated Have you tried doing it like this? According to this page the email attribute needs to be part of `threepid`. Also, for the `uid` you apparently need to define a type.

```yaml
ldap:
  attribute:
    threepid:
      email:
        - 'mail'
    uid:
      type: uid
      value: mail
    name: cn
  enabled: true
  connection:
    host: mail.mydomain.com
    tls: false
    port: 389
    baseDNs: ['ou=People,dc=mydomain,dc=com']
    bindDn: uid=kolab-service,ou=Special Users,dc=mydomain,dc=com
    bindPassword: myPassword
```
No... I've purged the entire ansible installation and installed everything manually, and LDAP works now. Dimension was also a bit easier to set up that way. I'll write down the settings that have mattered to my LDAP setup so that they can be added here too; it might help someone else.
I'd appreciate it if you showed me your mxisd configuration for LDAP. While I am able to run the ansible playbook with the configuration I posted above, I am still having trouble getting LDAP login to work.
I will later, not at my computer atm.
Here are the mxisd settings I have put in, and my homeserver.yaml (I've just noticed that I still have the LDAP password provider in there... but my LDAP authentication works and I won't be touching it :) ). I'm using OpenLDAP provided by Kolab Groupware.

`/etc/mxisd/mxisd.yaml`

```yaml
...
ldap:
  enabled: true
  connection:
    host: '<my LDAP host>'
    port: 389
    bindDn: 'uid=kolab-service,ou=Special Users,dc=<second level domain>,dc=com'
    bindPassword: '<password>'
    baseDNs:
      - 'ou=People,dc=<second level domain>,dc=com'
  filter: '(objectclass=kolabinetorgperson)'
  attribute:
    uid:
      type: 'uid'
      value: 'uid'
    name: 'cn'
    threepid:
      email:
        - 'mail'
        - 'alias'
  directory:
    attribute:
      other:
        - 'uid'
        - 'mail'
        - 'alias'
dns:
  overwrite:
    homeserver:
      client:
        - name: '<url to matrix>'
          value: 'http://127.0.0.1:8008'
register:
  allowed: true
  invite: true
  policy:
    threepid:
      email:
        domain:
          whitelist:
            - '*<second level domain>.com'
            - '*<alias of the second level domain>.com'
...
```

`/etc/matrix-synapse/homeserver.yaml`

```yaml
...
password_providers:
  - module: "ldap_auth_provider.LdapAuthProvider"
    config:
      enabled: true
      uri: "ldap://<my LDAP domain>:389"
      start_tls: false
      base: "ou=People,dc=<second level domain>,dc=com"
      attributes:
        uid: "uid"
        mail: "mail"
        name: "cn"
      bind_dn: "uid=kolab-service,ou=Special Users,dc=<second level domain>,dc=com"
      bind_password: "<password>"
      filter: "(objectclass=kolabinetorgperson)"
...
```
The only issue I have is that users' attributes are not automatically mapped from LDAP to Riot, except for the uid, despite the settings above. I'll see if I can do something about that.
Thanks for your configuration. I think I figured out how to use an mxisd LDAP identity store for authentication while still using this playbook. Here's my relevant configuration (`/inventory/host_vars/matrix.DOMAIN/vars.yml`) in case anyone else stumbles over this issue:

```yaml
matrix_synapse_ext_password_provider_rest_auth_enabled: true
matrix_synapse_ext_password_provider_rest_auth_endpoint: "http://matrix-mxisd:8090"
matrix_mxisd_configuration_extension_yaml: |
  ldap:
    enabled: true
    connection:
      host: mail.mydomain.com
      tls: false
      port: 389
      baseDNs: ['ou=People,dc=mydomain,dc=com']
      bindDn: uid=kolab-service,ou=Special Users,dc=mydomain,dc=com
      bindPassword: myPassword
    attribute:
      name: gecos
      uid:
        type: uid
        value: cn
```

@spantaleev should I go ahead and try to improve the documentation for configuring LDAP (or other identity stores) for authentication over mxisd?
If you've got an idea about how to improve the documentation, please go ahead.
Please note that the REST Auth password provider does not necessarily need to be used with mxisd, etc. I've done a few integrations where I hook it to some other external system (not to mxisd and not to anything LDAP-based).. So use-cases for the password provider may vary.
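To make the point above concrete, here is an added example (not code from the playbook, mxisd or ma1sd) of what "some other external system" behind `matrix_synapse_ext_password_provider_rest_auth_endpoint` has to implement: a small HTTP backend answering the REST password provider's `check_credentials` call. The path `/_matrix-internal/identity/v1/check_credentials` and the `user.id` / `user.password` request and `auth.success` / `auth.mxid` / `auth.profile` reply shape follow the provider's documented exchange as I understand it; verify them against the provider's README, since the thread itself does not state them. The server name `mydomain.com`, the in-memory directory standing in for LDAP, the users, passwords and salt are all constructed values. The backend resolves logins by uid only and rejects an e-mail address in the id field, which is one way to sidestep the non-unique-mail concern raised later in this thread.

```python
"""Constructed backend for Synapse's REST auth password provider (added example).

The directory below is an in-memory stand-in for LDAP; entries are keyed by uid,
the one attribute that is guaranteed unique, so a login is never resolved by mail.
"""
import hashlib
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

SERVER_NAME = "mydomain.com"  # assumption: the homeserver's Matrix server_name
AUTH_PATH = "/_matrix-internal/identity/v1/check_credentials"  # assumed provider path
_SALT = b"constructed-static-salt"  # constructed; a real store keeps one salt per entry


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256 of the password; only used to seed and check the fake directory."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed directory: uid -> password hash, display name (cn) and mail addresses.
DIRECTORY = {
    "alice": {
        "pw": hash_password("correct horse", _SALT),
        "cn": "Alice Example",
        "mail": ["alice@mydomain.com", "a.example@mydomain.com"],
    },
    "bob": {
        "pw": hash_password("battery staple", _SALT),
        "cn": "Bob Example",
        "mail": ["bob@mydomain.com"],
    },
}

FAIL = {"auth": {"success": False}}


def check_credentials(body) -> dict:
    """Handle one check_credentials request body and return the reply document.

    Request:  {"user": {"id": "@alice:mydomain.com", "password": "..."}}
    Reply:    {"auth": {"success": true, "mxid": "...", "profile": {...}}} or FAIL
    """
    user = body.get("user") if isinstance(body, dict) else None
    if not isinstance(user, dict):
        return FAIL
    mxid, password = user.get("id"), user.get("password")
    if not isinstance(mxid, str) or not isinstance(password, str):
        return FAIL
    if not mxid.startswith("@") or ":" not in mxid:
        return FAIL
    localpart, _, server = mxid[1:].partition(":")
    # Only our own server is served, and an e-mail address in the id field is
    # rejected outright rather than looked up, so a duplicated mail attribute
    # can never select the wrong entry.
    if server != SERVER_NAME or "@" in localpart:
        return FAIL
    entry = DIRECTORY.get(localpart)
    # Always hash and compare, even for unknown uids, so response time does not
    # reveal which accounts exist.
    expected = entry["pw"] if entry else hash_password("", _SALT)
    ok = hmac.compare_digest(expected, hash_password(password, _SALT))
    if entry is None or not ok:
        return FAIL
    return {
        "auth": {
            "success": True,
            "mxid": mxid,
            "profile": {
                "display_name": entry["cn"],
                "three_pids": [{"medium": "email", "address": a} for a in entry["mail"]],
            },
        }
    }


class Handler(BaseHTTPRequestHandler):
    """Serves the single POST endpoint the REST password provider talks to."""

    def do_POST(self):
        if self.path != AUTH_PATH:
            self.send_error(404)
            return
        length = int(self.headers.get("Content-Length", "0"))
        try:
            body = json.loads(self.rfile.read(length))
        except ValueError:
            body = None
        reply = json.dumps(check_credentials(body)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(reply)))
        self.end_headers()
        self.wfile.write(reply)


if __name__ == "__main__":
    # Listen where the vars.yml above points the provider (port 8090 is assumed).
    HTTPServer(("127.0.0.1", 8090), Handler).serve_forever()
```

Run it, point `matrix_synapse_ext_password_provider_rest_auth_endpoint` at it instead of mxisd, and every Synapse password login becomes one POST to this process; the profile block is what lets the provider populate display name and e-mail 3PIDs on first login.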
I have this sort of working with an LDAP store using a config similar to the one in https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/272#issuecomment-544882726. For the last section of attribute mapping, this is what my config looks like:

```yaml
attribute:
  name: cn
  uid:
    type: 'uid'
    value: 'uid'
```

There are a couple of issues. One is that even if Riot's login says username, it also authenticates with email. Does anyone know how to disable this behaviour? It seems like a bug to me. Second, is it possible to disable authentication methods other than username? The main reason for this is that uniqueness of other attributes like email is generally not enforced at the LDAP end. Only uid is guaranteed to be unique. And finally, is it possible to make Matrix's store read-only? For example, right now you can reset the password in Riot, and then you can log in with both your LDAP password and the new password you reset in Riot.
I know I wanted badly to make the authentication work with email/password.. as I have all services relying on LDAP using the same authentication method. It was easier and more convenient for my case. I'll look into these settings later and see if I can suggest something for you.
mxisd is no longer developed and I switched to ma1sd, which is a fork of it. This works pretty well:

```yaml
ldap:
  enabled: true
  connection:
    host: 'ldap.de'
    port: 636
    tls: true
    bindDn: 'uid=hehe,ou=1,dc=2,dc=3,dc=de'
    bindPassword: 'yesofcourse'
    baseDNs:
      - 'ou=1,dc=2,dc=3,dc=de'
  attribute:
    uid:
      type: 'uid'
      value: 'uid'
    name: 'cn'
    threepid:
      email:
        - 'mail'
      msisdn:
        - 'telephoneNumber'
      name:
        - 'cn'
```

If I want to start a new conversation, all people get listed by their names and emails. Hope this helps.
That was already working even with mxisd. The issue was that instead of the username, you can also log in with email. I don't think there is any change to that, right? I.e. there are two distinct issues. 1) Bug: in Riot, instead of the username, email works (without toggling the field from username to email). 2) Missing feature: no way to disable email-based authentication.
I don't see anything actionable we can do here, so I'll close this issue.
Hi everyone,
Has anyone been able to correctly set the LDAP authentication mechanism?
I initially tried the built-in Synapse implementation of LDAP, but have moved to mxisd. What I couldn't do with it was map LDAP fields to Matrix. I want to have users log in with their LDAP email address and password.
Adding extra fields in `matrix_mxisd_configuration_extension_yaml` causes the deployment process to stop with errors:

Also, using these variables in `vars.yml` gives the deprecated error and halts the process too:

Is there a way to map fields? For a brief time I was able to log in with LDAP uid and password, but now it is not possible again (I have probably changed something in the config that I can't find again): the log says that the user cannot be found in LDAP... (I'll figure that out).
Anyway, I would love it if someone with this kind of authentication working (LDAP with email/password authentication in Riot) could share their experience.
On the LDAP side I have an instance of Kolab Groupware (kolab.org) and I already have external services using it for authentication without an issue. Thanks!