From 22523c0e420b94f1ba9bc6562286a60987392f38 Mon Sep 17 00:00:00 2001 From: haslersn Date: Tue, 4 Dec 2018 17:19:35 +0100 Subject: [PATCH] Support configuring mxisd's identity stores (two of them) mxisd supports several identity stores. Add support to configure two of them: * synapseSql (storing identities directly in Synapse's database) * LDAP This removed the need to copy `mxisd.yaml.j2` to the inventory in case one wants to use LDAP as identity store. Note that the previous solution (copying `mxisd.yaml.j2` was poor because of two reasons: * The copy remains outdated in case the original is updated in future versions of this repo. * The role's configuration should be in one place (configured only through role variables) instead of in multiple. Configuring more identity stores through role variables can be supported in the future. --- roles/matrix-server/defaults/main.yml | 33 +++++++++++ .../templates/mxisd/mxisd.yaml.j2 | 59 +++++++++++++++++-- 2 files changed, 87 insertions(+), 5 deletions(-) diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml index d8b45fdf4..c85ae7964 100644 --- a/roles/matrix-server/defaults/main.yml +++ b/roles/matrix-server/defaults/main.yml @@ -237,6 +237,39 @@ matrix_mxisd_data_path: "{{ matrix_mxisd_base_path }}/data" # Enabling this is discouraged. Learn more here: https://github.com/kamax-io/mxisd/blob/master/docs/features/identity.md#lookups matrix_mxisd_matrixorg_forwarding_enabled: false +# mxisd has serveral supported identity stores. +# One of them is storing identities directly in Synapse's database. +# Learn more here: https://github.com/kamax-matrix/mxisd/blob/master/docs/stores/synapse.md +matrix_mxisd_synapsesql_enabled: true +matrix_mxisd_synapsesql_type: postgresql +matrix_mxisd_synapsesql_connection: //{{ matrix_postgres_connection_hostname }}/{{ matrix_postgres_db_name }}?user={{ matrix_postgres_connection_username }}&password={{ matrix_postgres_connection_password }} + +# LDAP is another identity store that's supported by mxisd. +# Learn more here: https://github.com/kamax-matrix/mxisd/blob/master/docs/stores/ldap.md +matrix_mxisd_ldap_enabled: false +matrix_mxisd_ldap_connection_host: ldapHostnameOrIp +matrix_mxisd_ldap_connection_tls: false +matrix_mxisd_ldap_connection_port: 389 +matrix_mxisd_ldap_connection_baseDn: OU=Users,DC=example,DC=org +matrix_mxisd_ldap_connection_bindDn: CN=My Mxisd User,OU=Users,DC=example,DC=org +matrix_mxisd_ldap_connection_bindPassword: TheUserPassword +# The following keys are optional: +# matrix_mxisd_ldap_filter: "" +# matrix_mxisd_ldap_attribute_uid_type: uid +# matrix_mxisd_ldap_attribute_uid_value: sAMAccountName +# matrix_mxisd_ldap_attribute_name: cn +# matrix_mxisd_ldap_attribute_threepid_email: +# - mail +# - otherMailAttribute +# matrix_mxisd_ldap_attribute_threepid_msisdn: +# - phone +# - otherPhoneAttribute +# matrix_mxisd_ldap_identity_filter: "" +# matrix_mxisd_ldap_identity_medium: "" +# matrix_mxisd_ldap_auth_filter: "" +# matrix_mxisd_ldap_directory_filter: "" + + # Specifies which template files to use when configuring mxisd. # If you'd like to have your own different configuration, feel free to copy and paste # the original files into your inventory (e.g. in `inventory/host_vars//`) diff --git a/roles/matrix-server/templates/mxisd/mxisd.yaml.j2 b/roles/matrix-server/templates/mxisd/mxisd.yaml.j2 index 99c2d3d6b..58930284e 100644 --- a/roles/matrix-server/templates/mxisd/mxisd.yaml.j2 +++ b/roles/matrix-server/templates/mxisd/mxisd.yaml.j2 @@ -10,10 +10,59 @@ threepid.medium.email.connectors.smtp.host: matrix-mailer threepid.medium.email.connectors.smtp.port: 587 threepid.medium.email.connectors.smtp.tls: 0 -synapseSql.enabled: true -synapseSql.type: postgresql -synapseSql.connection: //{{ matrix_postgres_connection_hostname }}/{{ matrix_postgres_db_name }}?user={{ matrix_postgres_connection_username }}&password={{ matrix_postgres_connection_password }} - {% if matrix_mxisd_matrixorg_forwarding_enabled %} forward.servers: ['matrix-org'] -{% endif %} \ No newline at end of file +{% endif %} + +synapseSql.enabled: {{ matrix_mxisd_synapsesql_enabled }} +synapseSql.type: {{ matrix_mxisd_synapsesql_type }} +synapseSql.connection: {{ matrix_mxisd_synapsesql_connection }} + +ldap.enabled: {{ matrix_mxisd_ldap_enabled }} +ldap.connection.host: {{ matrix_mxisd_ldap_connection_host }} +ldap.connection.tls: {{ matrix_mxisd_ldap_connection_tls }} +ldap.connection.port: {{ matrix_mxisd_ldap_connection_port }} +ldap.connection.baseDn: {{ matrix_mxisd_ldap_connection_baseDn }} +ldap.connection.bindDn: {{ matrix_mxisd_ldap_connection_bindDn }} +ldap.connection.bindPassword: {{ matrix_mxisd_ldap_connection_bindPassword }} + +{% if matrix_mxisd_ldap_filter is defined %} +ldap.filter: {{ matrix_mxisd_ldap_filter }} +{% endif %} + +{% if matrix_mxisd_ldap_attribute_uid_type is defined %} +ldap.attribute.uid.type: {{ matrix_mxisd_ldap_attribute_uid_type }} +{% endif %} + +{% if matrix_mxisd_ldap_attribute_uid_value is defined %} +ldap.attribute.uid.value: {{ matrix_mxisd_ldap_attribute_uid_value }} +{% endif %} + +{% if matrix_mxisd_ldap_attribute_name is defined %} +ldap.attribute.name: {{ matrix_mxisd_ldap_attribute_name }} +{% endif %} + +{% if matrix_mxisd_ldap_attribute_threepid_email is defined %} +ldap.attribute.threepid.email: {{ matrix_mxisd_ldap_attribute_threepid_email|to_yaml }} +{% endif %} + +{% if matrix_mxisd_ldap_attribute_threepid_msisdn is defined %} +ldap.attribute.threepid.msisdn: {{ matrix_mxisd_ldap_attribute_threepid_msisdn|to_yaml }} +{% endif %} + +{% if matrix_mxisd_ldap_identity_filter is defined %} +ldap.identity.filter: {{ matrix_mxisd_ldap_identity_filter }} +{% endif %} + +{% if matrix_mxisd_ldap_identity_medium is defined %} +ldap.identity.medium: {{ matrix_mxisd_ldap_identity_medium }} +{% endif %} + +{% if matrix_mxisd_ldap_auth_filter is defined %} +ldap.auth.filter: {{ matrix_mxisd_ldap_auth_filter }} +{% endif %} + +{% if matrix_mxisd_ldap_directory_filter is defined %} +ldap.directory.filter: {{ matrix_mxisd_ldap_directory_filter }} +{% endif %} +