From 2acf72e8090f5d3fe4f64223d2abb6039b0dedc9 Mon Sep 17 00:00:00 2001 From: Hans van Zijst Date: Thu, 14 Nov 2024 19:50:17 +0100 Subject: [PATCH] Corrected and expanded LDAP functionality. --- matrix/synapse/README.md | 38 ++++++++++++++++++++++++++++++++++++-- 1 file changed, 36 insertions(+), 2 deletions(-) diff --git a/matrix/synapse/README.md b/matrix/synapse/README.md index fa8482b..1e9f4ef 100644 --- a/matrix/synapse/README.md +++ b/matrix/synapse/README.md @@ -314,9 +314,13 @@ password_providers: base: "ou=users,o=Example,dc=example,dc=com" attributes: uid: "uid" - mail: "email" - name: "givenName" + mail: "mail" + name: "cn" filter: "(&(objectClass=posixAccount)(accountStatus=active))" + + mode: "search" + bind_dn: "cn=matrix,ou=service,o=Example,dc=example,dc=com" + bind_password: "" ``` This would connect to ldap.example.com over TLS, and authenticate users that @@ -324,6 +328,12 @@ live under `ou=users,o=Example,dc=example,dc=com` and that are active Posix accounts. Users will not be able to change their passwords via Matrix, they have to do that in LDAP. +The bottom 3 lines enable search mode, necessary to find users' displayname +and e-mail address. These values are in LDAP under the attributes "mail" and +"cn" (completely dependent on your LDAP DIT of course, this setup is common +for OpenLDAP). The bind_dn and bind_password are for the account Synapse can +use to connect and search, necessary if anonymous access is prohibited. + # Server configuration {#serverconfig} @@ -365,7 +375,31 @@ ip_range_blacklist: - 'fec0::/10' filter_timeline_limit: 500 +delete_stale_devices_after: 1y ``` These should be reasonable defaults, but do check the [Server block](https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#server) in Synapse's documentation for more options and information. + + +# Registration {#Registration} + +Registration of new users is configured under `conf.d/registration.yaml`: + +``` +enable_registration: false +enable_registration_without_verification: false +registrations_require_3pid: email +registration_shared_secret: +allow_guest_access: false + +enable_set_displayname: false +enable_3pid_changes: false +``` + +The last two lines prohibit users to change their displayname and 3pid-data +(i.e. e-mail address and phone number). In many cases you'd want them to be +able to set these, of course. But when you use LDAP, which provides these +values, you don't want users to change those. + +See for more options [Synapse's documentation](https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#registration).