Merge pull request #5 from moan0s/matrix-ldap-registration-proxy

Matrix ldap registration proxy
2022-09-16 22:04:28 +02:00 · 2022-09-16 22:04:28 +02:00 · dd5844524b
parent 54d5741ec1 cd21525b4b
commit dd5844524b
5 changed files with 44 additions and 11 deletions
--- a/README.md
+++ b/README.md
@ -45,6 +45,8 @@ Using this playbook, you can get the following services configured on your serve

 - (optional, advanced) the [matrix-synapse-ldap3](https://github.com/matrix-org/matrix-synapse-ldap3) LDAP Auth password provider module

+- (optional, advanced) the [matrix-ldap-registration-proxy](https://gitlab.com/activism.international/matrix_ldap_registration_proxy)  a proxy that handles Matrix registration requests and forwards them to LDAP.
+
 - (optional, advanced) the [synapse-simple-antispam](https://github.com/t2bot/synapse-simple-antispam) spam checker module

 - (optional, advanced) the [Matrix Corporal](https://github.com/devture/matrix-corporal) reconciliator and gateway for a managed Matrix server
--- a/docs/configuring-playbook-matrix-ldap-registration-proxy.md
+++ b/docs/configuring-playbook-matrix-ldap-registration-proxy.md
@ -0,0 +1,30 @@
+# Setting up matrix-ldap-registration-proxy (optional)
+
+The playbook can install and configure [matrix-ldap-registration-proxy](https://gitlab.com/activism.international/matrix_ldap_registration_proxy) for you.
+
+This proxy handles Matrix registration requests and forwards them to LDAP.
+
+**Please note:** This does support the full Matrix specification for registrations. It only provide a very coarse
+implementation of a basic password registration.
+
+## Quickstart
+
+Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file:
+
+```yaml
+matrix_ldap_registration_proxy_enabled: true
+```
+
+That is enough if you use the synapse external password provider via LDAP.
+If you want to use your own credentials add the following to your  `inventory/host_vars/matrix.DOMAIN/vars.yml`:
+
+
+
+# LDAP credentials
+```yaml
+matrix_ldap_registration_proxy_ldap_uri: <URI>
+matrix_ldap_registration_proxy_ldap_base_dn: <DN>
+matrix_ldap_registration_proxy_ldap_user: <USER>
+matrix_ldap_registration_proxy_ldap_password: <password>
+```
+TODO: is the block above correct? Else indicate that it can only be used with the LDAP password provider for Synapse
--- a/docs/configuring-playbook.md
+++ b/docs/configuring-playbook.md
@ -86,6 +86,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins

 - [Setting up the LDAP password provider module](configuring-playbook-ldap-auth.md) (optional, advanced)

+- [Setting up the ldap-registration-proxy](configuring-playbook-matrix-ldap-registration-proxy.md) (optional, advanced)
+
 - [Setting up Synapse Simple Antispam](configuring-playbook-synapse-simple-antispam.md) (optional, advanced)

 - [Setting up Matrix Corporal](configuring-playbook-matrix-corporal.md) (optional, advanced)
--- a/roles/matrix-ldap-registration-proxy/defaults/main.yml
+++ b/roles/matrix-ldap-registration-proxy/defaults/main.yml
@ -7,9 +7,6 @@ matrix_ldap_registration_proxy_enabled: true
 matrix_ldap_registration_proxy_container_image_self_build_repo: "https://gitlab.com/activism.international/matrix_ldap_registration_proxy.git"
 matrix_ldap_registration_proxy_container_image_self_build_branch: "{{ matrix_ldap_registration_proxy_version }}"

-matrix_ldap_registration_proxy_docker_image: "{{ matrix_ldap_registration_proxy_docker_image_name_prefix }}activism.international/matrix_ldap_registration_proxy:{{ matrix_ldap_registration_proxy_version }}"
-matrix_ldap_registration_proxy_docker_image_name_prefix: "localhost/"
-
 matrix_ldap_registration_proxy_version: "296246afc6a9b3105e67fcf6621cf05ebc74b873"

 matrix_ldap_registration_proxy_base_path: "{{ matrix_base_data_path }}/matrix_ldap_registration_proxy"
@ -17,8 +14,6 @@ matrix_ldap_registration_proxy_base_path: "{{ matrix_base_data_path }}/matrix_ld
 matrix_ldap_registration_proxy_docker_src_files_path: "{{ matrix_ldap_registration_proxy_base_path }}/docker-src/matrix_ldap_registration_proxy"
 matrix_ldap_registration_proxy_config_path: "{{ matrix_ldap_registration_proxy_base_path }}/config"

-matrix_ldap_registration_proxy_appservice_public_enabled: false
-
 matrix_ldap_registration_proxy_ldap_uri: ""
 matrix_ldap_registration_proxy_ldap_base_dn: ""
 matrix_ldap_registration_proxy_ldap_user: ""
@ -27,16 +22,20 @@ matrix_ldap_registration_proxy_matrix_server_name: "{{ matrix_domain }}"
 matrix_ldap_registration_proxy_matrix_server_url: "https://{{ matrix_server_fqn_matrix }}"

 # Controls whether the self-check feature should validate SSL certificates.
-matrix_ldap_registration_proxy_self_check_validate_certificates: true
+matrix_matrix_ldap_registration_proxy_self_check_validate_certificates: true

 matrix_ldap_registration_proxy_container_port: 8080
 # Controls whether the matrix_ldap_registration_proxy container exposes its HTTP port (tcp/{{ matrix_ldap_registration_proxy_container_port }} in the container).
 #
 # Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8080"), or empty string to not expose.
-matrix_ldap_registration_proxy_container_http_host_bind_port: ''
+matrix_ldap_registration_proxy_container_http_host_bind_port: '8585'}'

-matrix_ldap_registration_proxy_registration_addr_with_container: "matrix-ldap_registration-proxy:{{ matrix_ldap_registration_proxy_container_port }}"
-matrix_ldap_registration_proxy_registration_addr_sans_container: "127.0.0.1:{{ matrix_ldap_registration_proxy_container_port }}"
+# `matrix_ldap_registration_proxy_container_http_host_bind_port_number_raw` contains the raw port number extracted from `matrix_ldap_registration_proxy_container_http_host_bind_port`,
+ # which can contain values like this: ('1234', '127.0.0.1:1234', '0.0.0.0:1234')
+ matrix_ldap_registration_proxy_container_http_host_bind_port_number_raw: "{{ '' if matrix_ldap_registration_proxy_container_http_host_bind_port == '' else (matrix_ldap_registration_proxy_container_http_host_bind_port.split(':')[1] if ':' in matrix_ldap_registration_proxy_container_http_host_bind_port else matrix_ldap_registration_proxy_container_http_host_bind_port) }}"
+
+matrix_ldap_registration_proxy_registration_addr_with_container: "matrix-ldap_registration-proxy:{{  matrix_ldap_registration_proxy_container_http_host_bind_port_number_raw }}"
+matrix_ldap_registration_proxy_registration_addr_sans_container: "127.0.0.1:{{  matrix_ldap_registration_proxy_container_http_host_bind_port_number_raw }}"


 # A list of extra arguments to pass to the container
--- a/roles/matrix-ldap-registration-proxy/templates/systemd/matrix-ldap-registration-proxy.service.j2
+++ b/roles/matrix-ldap-registration-proxy/templates/systemd/matrix-ldap-registration-proxy.service.j2
@ -13,8 +13,8 @@ DefaultDependencies=no
 [Service]
 Type=simple
 Environment="HOME={{ matrix_systemd_unit_home_path }}"
-ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix_ldap_registration_proxy 2>/dev/null || true'
-ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix_ldap_registration_proxy 2>/dev/null || true'
+ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-ldap-registration-proxy 2>/dev/null || true'
+ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-ldap-registration-proxy 2>/dev/null || true'

 # matrix_ldap_registration_proxy writes an SQLite shared library (libsqlitejdbc.so) to /tmp and executes it from there,
 # so /tmp needs to be mounted with an exec option.