add optinal ldap auth provider

2019-01-19 22:02:52 +01:00 · 2019-01-19 22:02:52 +01:00 · 5e740b25ed
parent 8182009a14
commit 5e740b25ed
4 changed files with 49 additions and 1 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -50,6 +50,17 @@ matrix_http_bind_port: 8008
 matrix_https_bind_ips: "{{ matrix_http_bind_ips }}"
 matrix_https_bind_port: 8448

+matrix_ldap_auth_enabled: False
+matrix_ldap_auth_server: ldaps://ldap.example.com:636
+matrix_ldap_auth_use_starttls: "false"
+matrix_ldap_auth_basedn: "ou=users,dc=example,dc=com"
+matrix_ldap_auth_uid_attr: "uid"
+matrix_ldap_auth_mail_attr: "email"
+matrix_ldap_auth_name_attr: "cn"
+# matrix_ldap_auth_binddn: uid=myuser,ou=users,dc=example,dc=com # defaults to not set
+# matrix_ldap_auth_bind_password: # defaults to not set
+# matrix_ldap_auth_filter: (objectClass=posixAccount) # defaults to not set
+
 matrix_postgres_enabled: False
 matrix_postgres_ssl_mode: disable
 matrix_postgres_ssl_root_cert: /etc/pki/tls/certs/ca-bundle.trust.crt
--- a/tasks/install.yml
+++ b/tasks/install.yml
@ -33,6 +33,13 @@
        virtualenv: "{{ matrix_base_dir }}/env"
        virtualenv_command: /usr/bin/python3 -m venv

+    - name: Install ldap3 auth provider
+      pip:
+        name: "matrix-synapse-ldap3"
+        virtualenv: "{{ matrix_base_dir }}/env"
+        virtualenv_command: /usr/bin/python3 -m venv
+      when: matrix_ldap_auth_enabled
+
    - name: Create signing key
      shell: "{{ matrix_base_dir }}/env/bin/python -c \"from signedjson import key; file = open('{{ matrix_conf_dir }}/{{ matrix_base_url | urlsplit('hostname')  }}.signing.key','w'); key.write_signing_keys(file, [key.generate_signing_key('first')]); file.close()\""
      args:
--- a/templates/opt/matrix/config/homeserver.yml.j2
+++ b/templates/opt/matrix/config/homeserver.yml.j2
@ -686,7 +686,28 @@ password_config:
 #         #bind_password:
 #         #filter: "(objectClass=posixAccount)"

-
+{% if matrix_ldap_auth_enabled %}
+password_providers:
+    - module: "ldap_auth_provider.LdapAuthProvider"
+      config:
+          enabled: true
+          uri: "{{ matrix_ldap_auth_server }}"
+          start_tls: "{{ matrix_ldap_auth_use_starttls }}"
+          base: "{{ matrix_ldap_auth_basedn }}"
+          attributes:
+              uid: "{{ matrix_ldap_auth_uid_attr }}"
+              mail: "{{ matrix_ldap_auth_mail_attr }}"
+              name: "{{ matrix_ldap_auth_name_attr }}"
+          {% if matrix_ldap_auth_binddn is defined %}
+          bind_dn: "{{ matrix_ldap_auth_binddn }}"
+          {% endif %}
+          {% if matrix_ldap_auth_bind_password is defined %}
+          bind_password: "{{ matrix_ldap_auth_bind_password }}"
+          {% endif %}
+          {% if matrix_ldap_auth_filter is defined %}
+          filter: "{{ matrix_ldap_auth_filter }}"
+          {% endif %}
+{% endif %}

 # Clients requesting push notifications can either have the body of
 # the message sent in the notification poke along with other details
--- a/templates/opt/matrix/config/logging.config.j2
+++ b/templates/opt/matrix/config/logging.config.j2
@ -20,6 +20,7 @@ handlers:
        backupCount: 10
        filters: [context]
        encoding: utf8
+        level: DEBUG
    console:
        class: logging.StreamHandler
        formatter: precise
@ -34,6 +35,14 @@ loggers:
        # information such as access tokens.
        level: INFO

+    {% if matrix_ldap_auth_enabled %}
+    ldap3:
+        level: DEBUG
+
+    ldap_auth_provider:
+        level: DEBUG
+    {% endif %}
+
 root:
    level: INFO
    handlers: [file, console]