From 9cf9a1ec549cf6ab280f8974b41dbd2ce11c523d Mon Sep 17 00:00:00 2001
From: Thomas vO
Date: Tue, 27 Nov 2018 16:40:22 +0100
Subject: [PATCH 1/2] [auth-ldap] add template + vars for ldap auth
---
 roles/matrix-server/defaults/main.yml | 12 ++++++++++++
 .../templates/synapse/homeserver.yaml.j2 | 19 ++++++++++++++++++-
 2 files changed, 30 insertions(+), 1 deletion(-)
diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml
index c1701a60..a418f4f5 100644
--- a/roles/matrix-server/defaults/main.yml
+++ b/roles/matrix-server/defaults/main.yml
@@ -152,6 +152,18 @@ matrix_synapse_ext_password_provider_shared_secret_auth_enabled: false
 matrix_synapse_ext_password_provider_shared_secret_auth_download_url: "https://raw.githubusercontent.com/devture/matrix-synapse-shared-secret-auth/1.0/shared_secret_authenticator.py"
 matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: ""
+# Enable this to activate LDAP password provider
+matrix_synapse_ext_password_provider_ldap: false
+matrix_synapse_ext_password_provider_ldap_uri: "ldap://ldap.mydomain.tld:389"
+matrix_synapse_ext_password_provider_ldap_tls: true
+matrix_synapse_ext_password_provider_ldap_base: ""
+matrix_synapse_ext_password_provider_ldap_attr_uid: "uid"
+matrix_synapse_ext_password_provider_ldap_attr_mail: "mail"
+matrix_synapse_ext_password_provider_ldap_attr_name: "name"
+matrix_synapse_ext_password_provider_ldap_binddn: ""
+matrix_synapse_ext_password_provider_ldap_bindpwd: ""
+matrix_synapse_ext_password_provider_ldap_filter: ""
+
 # The defaults below cause a postgres server to be configured (running within a container).
 # Using an external server is possible by tweaking all of the parameters below.
diff --git a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 b/roles/matrix-server/templates/synapse/homeserver.yaml.j2
index 67b9c966..d693b8c2 100644
--- a/roles/matrix-server/templates/synapse/homeserver.yaml.j2
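Review bot: The new toggle `matrix_synapse_ext_password_provider_ldap: false` is the one switch in this block without the `_enabled` suffix that its sibling `matrix_synapse_ext_password_provider_shared_secret_auth_enabled` carries, and patch 2/2 renames the other LDAP variables but keeps this one as is. Naming it `matrix_synapse_ext_password_provider_ldap_enabled: false` (and updating the `{% if %}` in the template and the `when:` conditions that reference it) would keep the password-provider family consistent and greppable. The only comment in the block is the one-liner on the toggle; the remaining keys are self-explanatory apart from `_ldap_base` and `_ldap_filter`, which would benefit from a short example comment such as `# LDAP search base, e.g. "ou=users,dc=example,dc=org"`.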
+++ b/roles/matrix-server/templates/synapse/homeserver.yaml.j2
@@ -649,6 +649,23 @@ password_providers:
 config:
 sharedSecret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}"
 {% endif %}
+{% if matrix_synapse_ext_password_provider_ldap %}
+ - module: "ldap_auth_provider.LdapAuthProvider"
+ config:
+ enabled: true
+ uri: "{{ matrix_synapse_ext_password_provider_ldap_uri }}"
+ start_tls: {{ matrix_synapse_ext_password_provider_ldap_tls }}
+ base: "{{ matrix_synapse_ext_password_provider_ldap_base }}"
+ attributes:
+ uid: "{{ matrix_synapse_ext_password_provider_ldap_attr_uid }}"
+ mail: "{{ matrix_synapse_ext_password_provider_ldap_attr_mail }}"
+ name: "{{ matrix_synapse_ext_password_provider_ldap_attr_name }}"
+ bind_dn: "{{ matrix_synapse_ext_password_provider_ldap_binddn }}"
+ bind_password: "{{ matrix_synapse_ext_password_provider_ldap_bindpwd }}"
+ {% if matrix_synapse_ext_password_provider_ldap_filter %}
+ filter: "{{ matrix_synapse_ext_password_provider_ldap_filter }}"
+ {% endif %}
+{% endif %}
 {% endif %}
@@ -779,4 +796,4 @@ enable_group_creation: false
 alias_creation_rules:
 - user_id: "*"
 alias: "*"
- action: allow
\ No newline at end of file
+ action: allow
From bbf892883120cd8f26afd3ddadedc44113be8c72 Mon Sep 17 00:00:00 2001
From: Thomas vO
Date: Wed, 28 Nov 2018 09:04:09 +0100
Subject: [PATCH 2/2] fix template and vars for ldap auth, add setup
---
 roles/matrix-server/defaults/main.yml | 12 ++++++------
 .../tasks/setup/setup_synapse_ext.yml | 2 ++
 .../tasks/setup/setup_synapse_ext_ldap.yml | 11 +++++++++++
 .../templates/synapse/homeserver.yaml.j2 | 14 ++++++--------
 4 files changed, 25 insertions(+), 14 deletions(-)
 create mode 100644 roles/matrix-server/tasks/setup/setup_synapse_ext_ldap.yml
diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml
index a418f4f5..f5cab0f3 100644
--- a/roles/matrix-server/defaults/main.yml
+++ b/roles/matrix-server/defaults/main.yml
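Review bot: Nothing in this series installs the Python package behind `module: "ldap_auth_provider.LdapAuthProvider"` into the Synapse container, whereas the shared-secret provider above it has a `_download_url` and a setup task that fetches it; if the image in use does not already ship the LDAP provider (I cannot see the image or pip setup from here), enabling `matrix_synapse_ext_password_provider_ldap` makes Synapse fail at startup on the import. A comment on the `module:` line stating the requirement, e.g. `{# requires the matrix-synapse-ldap3 package to be present in the Synapse image #}`, or a setup task that verifies it, would make the dependency explicit. The outer `password_providers:` list and the `{% if %}` that guards it start outside this hunk.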
@@ -155,13 +155,13 @@ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: ""
 # Enable this to activate LDAP password provider
 matrix_synapse_ext_password_provider_ldap: false
 matrix_synapse_ext_password_provider_ldap_uri: "ldap://ldap.mydomain.tld:389"
-matrix_synapse_ext_password_provider_ldap_tls: true
+matrix_synapse_ext_password_provider_ldap_start_tls: true
 matrix_synapse_ext_password_provider_ldap_base: ""
-matrix_synapse_ext_password_provider_ldap_attr_uid: "uid"
-matrix_synapse_ext_password_provider_ldap_attr_mail: "mail"
-matrix_synapse_ext_password_provider_ldap_attr_name: "name"
-matrix_synapse_ext_password_provider_ldap_binddn: ""
-matrix_synapse_ext_password_provider_ldap_bindpwd: ""
+matrix_synapse_ext_password_provider_ldap_attributes_uid: "uid"
+matrix_synapse_ext_password_provider_ldap_attributes_mail: "mail"
+matrix_synapse_ext_password_provider_ldap_attributes_name: "cn"
+matrix_synapse_ext_password_provider_ldap_bind_dn: ""
+matrix_synapse_ext_password_provider_ldap_bind_password: ""
 matrix_synapse_ext_password_provider_ldap_filter: ""
diff --git a/roles/matrix-server/tasks/setup/setup_synapse_ext.yml b/roles/matrix-server/tasks/setup/setup_synapse_ext.yml
index d202d94e..058cbc24 100644
--- a/roles/matrix-server/tasks/setup/setup_synapse_ext.yml
+++ b/roles/matrix-server/tasks/setup/setup_synapse_ext.yml
@@ -4,6 +4,8 @@
 - include: tasks/setup/setup_synapse_ext_shared_secret_auth.yml
+- include: tasks/setup/setup_synapse_ext_ldap.yml
+
 - include: tasks/setup/setup_synapse_ext_mautrix_telegram.yml
 - include: tasks/setup/setup_synapse_ext_mautrix_whatsapp.yml
diff --git a/roles/matrix-server/tasks/setup/setup_synapse_ext_ldap.yml b/roles/matrix-server/tasks/setup/setup_synapse_ext_ldap.yml
new file mode 100644
index 00000000..abe9d3bd
--- /dev/null
+++ b/roles/matrix-server/tasks/setup/setup_synapse_ext_ldap.yml
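Review bot: `matrix_synapse_ext_password_provider_ldap_bind_password` is rendered verbatim into homeserver.yaml, and the defaults give no hint about where the value is expected to come from or what the bind account needs; a comment above `_bind_dn` such as `# Credentials of a read-only service account used for the user search; keep the password in an Ansible Vault-encrypted vars file` would set the right expectation for operators. The combination of the plain `ldap://...:389` default URI with `_start_tls: true` also deserves a line, e.g. `# With start_tls: false the bind password is sent unencrypted unless the URI uses ldaps://`, since turning the flag off is an easy mistake to make. Both are documentation-only; the values themselves are fine as defaults.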
@@ -0,0 +1,11 @@
+- set_fact:
+ matrix_synapse_password_providers_enabled: true
+ when: "matrix_synapse_ext_password_provider_ldap"
+
+- set_fact:
+ matrix_synapse_additional_loggers: >
+ {{ matrix_synapse_additional_loggers }}
+ +
+ {{ [{'name': 'ldap_auth_provider', 'level': 'INFO'}] }}
+ when: "matrix_synapse_ext_password_provider_ldap"
+
diff --git a/roles/matrix-server/templates/synapse/homeserver.yaml.j2 b/roles/matrix-server/templates/synapse/homeserver.yaml.j2
index d693b8c2..0840f5b3 100644
--- a/roles/matrix-server/templates/synapse/homeserver.yaml.j2
+++ b/roles/matrix-server/templates/synapse/homeserver.yaml.j2
@@ -654,17 +654,15 @@ password_providers:
 config:
 enabled: true
 uri: "{{ matrix_synapse_ext_password_provider_ldap_uri }}"
- start_tls: {{ matrix_synapse_ext_password_provider_ldap_tls }}
+ start_tls: "{{ matrix_synapse_ext_password_provider_ldap_start_tls }}"
 base: "{{ matrix_synapse_ext_password_provider_ldap_base }}"
 attributes:
- uid: "{{ matrix_synapse_ext_password_provider_ldap_attr_uid }}"
- mail: "{{ matrix_synapse_ext_password_provider_ldap_attr_mail }}"
- name: "{{ matrix_synapse_ext_password_provider_ldap_attr_name }}"
- bind_dn: "{{ matrix_synapse_ext_password_provider_ldap_binddn }}"
- bind_password: "{{ matrix_synapse_ext_password_provider_ldap_bindpwd }}"
- {% if matrix_synapse_ext_password_provider_ldap_filter %}
+ uid: "{{ matrix_synapse_ext_password_provider_ldap_attributes_uid }}"
+ mail: "{{ matrix_synapse_ext_password_provider_ldap_attributes_mail }}"
+ name: "{{ matrix_synapse_ext_password_provider_ldap_attributes_name }}"
+ bind_dn: "{{ matrix_synapse_ext_password_provider_ldap_bind_dn }}"
+ bind_password: "{{ matrix_synapse_ext_password_provider_ldap_bind_password }}"
 filter: "{{ matrix_synapse_ext_password_provider_ldap_filter }}"
- {% endif %}
 {% endif %}
 {% endif %}
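Review bot: The second `set_fact` builds the logger list from two separate Jinja expressions joined by a literal `+` inside a folded scalar, so the templated result is the text `[...] + [...]` and the list only comes back because Ansible re-evaluates that string as a Python expression afterwards; this may mirror the sibling shared-secret setup task, which is not visible here, but it is fragile and easy to misread. A single expression, `matrix_synapse_additional_loggers: "{{ matrix_synapse_additional_loggers + [{'name': 'ldap_auth_provider', 'level': 'INFO'}] }}"`, produces the list directly. The new file also starts without a `---` document marker, which the other task files in this role presumably have.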
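Review bot: Quoting `start_tls: "{{ matrix_synapse_ext_password_provider_ldap_start_tls }}"` turns the rendered value into the string `"True"` or `"False"` instead of a YAML boolean; the unquoted form this hunk removes rendered a plain `True`, which PyYAML reads as a bool. If the provider only tests the value for truthiness, the non-empty string `"False"` still counts as true and setting the variable to `false` would not switch STARTTLS off — I cannot see the provider's check from here, but a string is the wrong type either way. `start_tls: {{ matrix_synapse_ext_password_provider_ldap_start_tls | to_json }}` renders a real `true`/`false`. The hunk also drops the `{% if %}` around `filter:`, so an empty filter is now always emitted; whether the provider treats `""` as "no filter" should be confirmed, otherwise rendering `filter:` only when the variable is non-empty keeps the previous behaviour. The enclosing `password_providers` list and its `{% if %}` guards begin outside this hunk.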