matrix-docker-ansible-deploy
can't config display name from AD LDAP
Trying to autofill attributes for users by LDAP information. Using Matrix Element, identity server ma1sd. Are there any options for my issue? My configs:

Vars:

matrix_domain: dom.ru
matrix_synapse_federation_enabled: false
matrix_homeserver_implementation: synapse
matrix_synapse_workers_enabled: true
matrix_homeserver_generic_secret_key: 'key'
matrix_synapse_ext_password_provider_rest_auth_enabled: true
matrix_synapse_ext_password_provider_rest_auth_endpoint: "http://matrix-ma1sd:8090"
matrix_synapse_admin_enabled: true
matrix_ssl_retrieval_method: manually-managed
matrix_ssl_lets_encrypt_support_email: '[email protected]'
matrix_postgres_connection_password: 'pass'
matrix_client_element_enabled: false
matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled: true
matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled: true
matrix_ma1sd_enabled: true
matrix_ma1sd_verbose_logging: true
matrix_synapse_enable_registration: true
matrix_synapse_registrations_require_3pid: "email"
matrix_ma1sd_configuration_extension_yaml: |
  ldap:
    enabled: true
    connection:
      host: '10.180.0.9'
      tls: false
      port: 389
      baseDNs: ['OU=Users,OU=dom,DC=ru']
      bindDn: CN=user,OU=Users,OU=dom,DC=ru
      bindPassword: pass
    attribute:
      displayname: 'displayName'
      uid:
        type: 'uid'
        value: 'sAMAccountName'
      threepid:
        email:
          - 'mail'
        msisdn:
          - 'phone'
          - 'telephoneNumber'
          - 'mobile'
      other:
        - 'title'
        - 'department'
        - 'company'
    filter: '(objectClass=user)'
I think the problems lie with the ma1sd server itself, which has not been maintained for more than a year. We had the same problem with our LDAP syncs, and since a lot of the ma1sd features are not working anymore or are very buggy, you may need to prepopulate all your users with a DisplayName or Email by hand (with a Python script or something) first. We are syncing all the LDAP users into Matrix with a nightly running script, because the ma1sd way proved to be unreliable. For example, when we set the DisplayName by some LDAP value over ma1sd, the DisplayName got cut off somewhere in the middle because it can't recognize certain characters, and there are not many ways to configure it (e.g. no regex afaik).
The same goes for the search, as ma1sd doesn't recognize the defined LDAP field values (e.g. first name and surname cannot be searched together but work as long as you search for only one of them).
Do you have any guidance on how you're scripting the pre-population? How are you getting around the accounts being auto-deactivated if you don't provide a password? I can pull all of that data out of AD with PowerShell to a CSV and import it using synapse-admin, but it won't pull the actual password, just a hash at best.
Sure! We ran into similar problems with ma1sd and its syncing (but we still needed its search). So we run the script below regularly to sync users from LDAP into the Matrix homeserver (but not the other way around!). We created a Matrix user which should handle the login, creation of users etc. and called it something like @service_userquery:domain.com (with Matrix admin rights).
This script (originally by @maxmalek) populates the relevant users into the Matrix homeserver and uses the passwords provided by the file here
You can configure the script any way you like:
# Data to login to matrix. User must be server admin.
HOMESERVER = "https://matrixHS.domain.com"
MATRIX_USER = "@service_userquery:domain.com"
MATRIX_LDAP_FIELD = "ldap_field_for_localpart_of_matrixID"
# LDAP config
LDAP_HOST='ldaps://ldap_server_address:3269'
LDAP_BIND_DN='CN=XXX,OU=YYY,OU=ZZZ,DC=AAA,DC=BBB,DC=CCC,DC=DDD'
LDAP_SEARCH_BASE_LIST=[
'OU=group1,DC=AAA,DC=BBB,DC=CCC,DC=DD'
, 'OU=group2,OU=YYY,DC=BBB,DC=CCC,DC=DDD,DC=DDD'
]
LDAP_SEARCH_FILTER='(memberOf=CN=My Matrix Users,OU=Groups,DC=example,DC=org)'
LDAP_SEARCH_FIELDS=['mail', MATRIX_LDAP_FIELD]
btw, the localpart of a Matrix ID is the prefix, e.g. the "service_userquery" from "@service_userquery:domain.com". We have multiple search bases because of multiple user groups.
However for auth, we have a SSO OIDC with keycloak
MATRIX_LDAP_FIELD = "ldap_field_for_localpart_of_matrixID"
To clarify, mainly due to compatibility with ma1sd's limitations we had to add an ldap field that stores the localpart for each matrix username. Would be nice if ma1sd could build this dynamically from other fields, eg. using some regex magic.
So you added a field in Active Directory LDAP?
Sure! We ran into similar problems with ma1sd and its syncing (but we still needed its search). So we run the script below
But where do the AD passwords come from? Are you building that list manually somehow? Is there a PowerShell command that populates that list? That's essentially my issue; I want to use the existing AD passwords and I can't seem to get there from here.
So you added a field in Active Directory LDAP?
Well, you need to specify how the Matrix account/ID should be put together. You can put any existing LDAP field for the localpart, but take care that it is unique and doesn't contain weird characters! It makes sense to run a SAML/OIDC kind of login to enable SSO (e.g. with Keycloak), as that makes it nicer for the users to log in, especially if they are using other websites at your company as well.
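The thread's script is not reproduced on the page, so this is an added example (not the original script by @maxmalek and not part of matrix-docker-ansible-deploy) of the core of such a sync: it maps LDAP entries to Synapse admin-API user requests and enforces the two localpart rules given above (unique, no disallowed characters). The hostnames and the `matrixLocalpart` attribute are assumed placeholders, the LDAP entries are constructed stand-ins for an ldap3 search result, and the HTTP call itself is left to the caller.

```python
import re
from urllib.parse import quote

HOMESERVER = "https://matrixHS.domain.com"  # assumed, mirrors the thread's placeholder
SERVER_NAME = "domain.com"
MATRIX_LDAP_FIELD = "matrixLocalpart"  # assumed LDAP attribute holding the localpart
LOCALPART_RE = re.compile(r"^[a-z0-9._=\-/+]+$")  # historical Matrix localpart grammar

def localpart_from_entry(entry):
    """Return a valid Matrix localpart from one LDAP entry, or raise ValueError."""
    raw = entry.get(MATRIX_LDAP_FIELD)
    if not raw:
        raise ValueError("entry has no %s attribute" % MATRIX_LDAP_FIELD)
    localpart = raw.lower()  # Matrix IDs are case-sensitive, AD names are not
    if not LOCALPART_RE.match(localpart):
        raise ValueError("localpart %r contains disallowed characters" % raw)
    return localpart

def build_user_payload(entry):
    """Return (user_id, body) for PUT /_synapse/admin/v2/users/{user_id}."""
    user_id = "@%s:%s" % (localpart_from_entry(entry), SERVER_NAME)
    body = {"deactivated": False}  # no password: account stays SSO/LDAP-auth only
    if entry.get("displayName"):
        body["displayname"] = entry["displayName"]
    if entry.get("mail"):
        body["threepids"] = [{"medium": "email", "address": entry["mail"].lower()}]
    return user_id, body

def plan_sync(entries):
    """Map LDAP entries to (url, body) requests; skip invalid or duplicate IDs."""
    seen, requests, skipped = set(), [], []
    for entry in entries:
        try:
            user_id, body = build_user_payload(entry)
        except ValueError as exc:
            skipped.append(str(exc))
            continue
        if user_id in seen:
            skipped.append("duplicate user id %s" % user_id)
            continue
        seen.add(user_id)
        url = "%s/_synapse/admin/v2/users/%s" % (HOMESERVER, quote(user_id, safe=""))
        requests.append((url, body))
    return requests, skipped

SAMPLE_ENTRIES = [  # constructed stand-in for an ldap3 search result
    {"matrixLocalpart": "JDoe", "displayName": "Jane Doe", "mail": "Jane@example.org"},
    {"matrixLocalpart": "jdoe", "mail": "john@example.org"},  # same ID, different case
    {"matrixLocalpart": "bad user!", "displayName": "Bad"}]
```

Each (url, body) pair is sent as an authenticated PUT by the admin user; entries in `skipped` are the ones to fix in AD before they can be synced.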