Corrected and expanded LDAP functionality.

This commit is contained in:
Hans van Zijst 2024-11-14 19:50:17 +01:00 committed by Valentin Gagarin
parent 4cfa698ba4
commit 2acf72e809

View file

@ -314,9 +314,13 @@ password_providers:
base: "ou=users,o=Example,dc=example,dc=com"
attributes:
uid: "uid"
mail: "email"
name: "givenName"
mail: "mail"
name: "cn"
filter: "(&(objectClass=posixAccount)(accountStatus=active))"
mode: "search"
bind_dn: "cn=matrix,ou=service,o=Example,dc=example,dc=com"
bind_password: "<very secure password>"
```
This would connect to ldap.example.com over TLS, and authenticate users that
@ -324,6 +328,12 @@ live under `ou=users,o=Example,dc=example,dc=com` and that are active Posix
accounts. Users will not be able to change their passwords via Matrix, they
have to do that in LDAP.
The bottom 3 lines enable search mode, necessary to find users' displayname
and e-mail address. These values are in LDAP under the attributes "mail" and
"cn" (completely dependent on your LDAP DIT of course, this setup is common
for OpenLDAP). The bind_dn and bind_password are for the account Synapse can
use to connect and search, necessary if anonymous access is prohibited.
# Server configuration {#serverconfig}
@ -365,7 +375,31 @@ ip_range_blacklist:
- 'fec0::/10'
filter_timeline_limit: 500
delete_stale_devices_after: 1y
```
These should be reasonable defaults, but do check the [Server block](https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#server)
in Synapse's documentation for more options and information.
# Registration {#Registration}
Registration of new users is configured under `conf.d/registration.yaml`:
```
enable_registration: false
enable_registration_without_verification: false
registrations_require_3pid: email
registration_shared_secret: <long random string>
allow_guest_access: false
enable_set_displayname: false
enable_3pid_changes: false
```
The last two lines prohibit users to change their displayname and 3pid-data
(i.e. e-mail address and phone number). In many cases you'd want them to be
able to set these, of course. But when you use LDAP, which provides these
values, you don't want users to change those.
See for more options [Synapse's documentation](https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#registration).