diff --git a/docs/configuring-playbook-ldap-auth.md b/docs/configuring-playbook-ldap-auth.md index 5d63cf26..5658b8a9 100644 --- a/docs/configuring-playbook-ldap-auth.md +++ b/docs/configuring-playbook-ldap-auth.md @@ -17,4 +17,13 @@ matrix_synapse_ext_password_provider_ldap_attributes_name: "cn" matrix_synapse_ext_password_provider_ldap_bind_dn: "" matrix_synapse_ext_password_provider_ldap_bind_password: "" matrix_synapse_ext_password_provider_ldap_filter: "" -``` \ No newline at end of file +``` + + +## Authenticating only using a password provider + +If you wish for users to **authenticate only against configured password providers** (like this one), **without consulting Synapse's local database**, feel free to disable it: + +```yaml +matrix_synapse_password_config_localdb_enabled: false +``` diff --git a/docs/configuring-playbook-rest-auth.md b/docs/configuring-playbook-rest-auth.md index 6c3e4189..f35c0f49 100644 --- a/docs/configuring-playbook-rest-auth.md +++ b/docs/configuring-playbook-rest-auth.md @@ -13,3 +13,12 @@ matrix_synapse_ext_password_provider_rest_auth_registration_enforce_lowercase: f matrix_synapse_ext_password_provider_rest_auth_registration_profile_name_autofill: true matrix_synapse_ext_password_provider_rest_auth_login_profile_name_autofill: false ``` + + +## Authenticating only using a password provider + +If you wish for users to **authenticate only against configured password providers** (like this one), **without consulting Synapse's local database**, feel free to disable it: + +```yaml +matrix_synapse_password_config_localdb_enabled: false +``` diff --git a/docs/configuring-playbook-shared-secret-auth.md b/docs/configuring-playbook-shared-secret-auth.md index 26675f4c..0ec60d2e 100644 --- a/docs/configuring-playbook-shared-secret-auth.md +++ b/docs/configuring-playbook-shared-secret-auth.md @@ -9,4 +9,13 @@ If you decide that you'd like to let this playbook install it for you, you need ```yaml matrix_synapse_ext_password_provider_shared_secret_auth_enabled: true matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: YOUR_SHARED_SECRET_GOES_HERE -``` \ No newline at end of file +``` + + +## Authenticating only using a password provider + +If you wish for users to **authenticate only against configured password providers** (like this one), **without consulting Synapse's local database**, feel free to disable it: + +```yaml +matrix_synapse_password_config_localdb_enabled: false +``` diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml index 0658fac2..30274f2f 100644 --- a/roles/matrix-synapse/defaults/main.yml +++ b/roles/matrix-synapse/defaults/main.yml @@ -147,6 +147,11 @@ matrix_synapse_autocreate_auto_join_rooms: true # Controls password-peppering for Synapse. Not to be changed after initial setup. matrix_synapse_password_config_pepper: "" +# Controls if Synapse allows people to authenticate against its local database. +# It may be useful to disable this if you've configured additional password providers +# and only wish authentication to happen through them. +matrix_synapse_password_config_localdb_enabled: false + # Controls the number of events that Synapse caches in memory. matrix_synapse_event_cache_size: "100K" diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 35c3bbe0..8100a1bb 100644 --- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -1099,7 +1099,7 @@ password_config: # database. This is ignored if `enabled` is false, and is only useful # if you have other password_providers. # - #localdb_enabled: false + localdb_enabled: {{ matrix_synapse_password_config_localdb_enabled|to_json }} # Uncomment and change to a secret random string for extra security. # DO NOT CHANGE THIS AFTER INITIAL SETUP!