Unable to add the identity server (ma1sd) as identity server in the Element client. #112

NiTRoeSE opened this issue Mar 31, 2022 · 1 comment

@NiTRoeSE

I've set up ma1sd via Docker and configured it as described in the documentation.
When I try to use it as the identity server in the Element client, it is not possible to add it.

Any help would be great.

Thanks in advance!

@s0p4LiN

s0p4LiN commented May 25, 2022

In this example I installed ma1sd on the Matrix (Synapse) server itself; it is working smoothly.
I don't know if it will be helpful.

You need to advertise the identity server to clients through the `/.well-known/matrix/client` response served by NGINX (the `m.identity_server` entry below) rather than selecting it manually in the client.

  • /etc/nginx/sites-available/matrix
# Redirect plain HTTP to HTTPS for the Synapse / ma1sd vhost.
server {
    listen 80;
    server_name matrix.company.lan;
    return 301 https://matrix.company.lan$request_uri;
}

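# HTTPS vhost for Synapse (port 8008) and ma1sd (port 8090).
server {
    listen 443 ssl;
    server_name matrix.company.lan;
    # synapse-admin web UI is served from the document root; the admin API it
    # talks to is reached through the /_synapse location below.
    root /var/www/synapse-admin;
    index index.html index.php index.htm;

    ssl_certificate /etc/ssl/certs/matrix.pem;
    ssl_certificate_key /etc/ssl/certs/matrix-privkey.pem;
    # NOTE(review): no ssl_protocols / ssl_ciphers are set here, so this vhost
    # uses the nginx build defaults (older releases still enable TLS 1.0/1.1);
    # consider applying the same TLS settings as the element vhost.

    # Federation delegation: other homeservers are told to reach us on 8448.
    location /.well-known/matrix/server {
        return 200 '{"m.server": "matrix.company.lan:8448"}';
        # default_type sets the Content-Type of a `return` response; add_header
        # would append a second Content-Type header instead of replacing it.
        default_type application/json;
    }

    # Client discovery: advertises the homeserver and identity server URLs.
    # m.identity_server points at this host, so Element picks up ma1sd from
    # here and the user never has to enter it in the client.
    location /.well-known/matrix/client {
        return 200 '{"m.homeserver": {"base_url": "https://matrix.company.lan"},"m.identity_server": {"base_url": "https://matrix.company.lan"},"io.element.e2ee": {"default": false, "secure_backup_required": true, "secure_backup_setup_methods": ["passphrase"]}}';
        default_type application/json;
        # The wildcard is required so web clients on other origins can read it.
        add_header "Access-Control-Allow-Origin" *;
    }

    # ma1sd locations. `^~` is required: nginx evaluates regex locations before
    # falling back to the longest prefix match, so without it the
    # `~* ^(\/_matrix|...)` location below would capture these paths and send
    # identity and login traffic to Synapse instead of ma1sd.
    # NOTE(review): only the r0 login path is intercepted; clients that call
    # /_matrix/client/v3/login will reach Synapse directly.
    location ^~ /_matrix/client/r0/login {
        proxy_pass http://localhost:8090;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        # $remote_addr (not $proxy_add_x_forwarded_for) so a client-supplied
        # X-Forwarded-For header is never trusted.
        proxy_set_header X-Forwarded-For $remote_addr;
    }

    location ^~ /_matrix/client/r0/user_directory {
        proxy_pass http://localhost:8090/_matrix/client/r0/user_directory;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $remote_addr;
    }

    location ^~ /_matrix/identity {
        proxy_pass http://localhost:8090/_matrix/identity;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $remote_addr;
    }

    # Everything else under /_matrix, /_synapse and /client goes to Synapse.
    # NOTE(review): this also exposes /_synapse/admin on the public vhost
    # (needed by synapse-admin above). The admin API requires an admin access
    # token, but an allow/deny list on /_synapse/admin would limit exposure.
    location ~* ^(\/_matrix|\/_synapse|\/client) {
        proxy_pass http://localhost:8008;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
        # nginx defaults to 1M request bodies. Kept equal to max_upload_size in
        # homeserver.yaml (15M) so oversized uploads are rejected here rather
        # than forwarded to Synapse; raise both together.
        client_max_body_size 15M;
    }

}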

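# This is used for Matrix Federation
# which is using default TCP port '8448'
server {
    listen 8448 ssl;
    server_name matrix.company.lan;

    ssl_certificate /etc/ssl/certs/matrix.pem;
    ssl_certificate_key /etc/ssl/certs/matrix-privkey.pem;

    # Federation only uses paths under /_matrix (federation, key and media
    # APIs). Scoping the location keeps /_synapse/admin off the federation
    # port; the Synapse listener on 8008 serves both client and federation
    # resources, so it would otherwise be reachable here too.
    location /_matrix {
        proxy_pass http://localhost:8008;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
        # Federation transaction PUTs can exceed nginx's 1M default body size
        # (a transaction may carry up to 50 PDUs of up to 64 KiB each).
        client_max_body_size 50M;
    }
}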
  • /etc/nginx/sites-available/element
# Redirect plain HTTP to HTTPS for the Element web client vhost.
server {
    listen 80;
    server_name chat.company.lan;
    return 301 https://chat.company.lan$request_uri;
}
 

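# HTTPS vhost serving the static Element web client.
server {
    listen 443 ssl;
    server_name chat.company.lan;
    root /var/www/element/;
    index index.html index.php index.htm;

    ssl_certificate /etc/ssl/certs/chat.pem;
    ssl_certificate_key /etc/ssl/certs/chatpvkey.pem;
    # ssl_dhparam is only needed when DHE suites are offered; the cipher list
    # below is ECDHE-only, so it stays disabled.
    #ssl_dhparam /etc/ssl/certs/dhparam-chat.pem;

    access_log /var/log/nginx/chat.company.lan.access.log;
    error_log /var/log/nginx/chat.company.lan.error.log;

    # Security headers. `always` makes nginx emit them on error responses too;
    # without it add_header only applies to 2xx/3xx status codes.
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options nosniff always;
    # Deprecated header; most current browsers ignore it, kept for older ones.
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Strict-Transport-Security "max-age=31536000" always;
    # NOTE(review): frame-ancestors 'none' is stricter than SAMEORIGIN above;
    # enable it if nothing needs to embed Element in a same-origin frame.
#    add_header Content-Security-Policy "frame-ancestors 'none'";

    # TLS 1.0/1.1 are deprecated (RFC 8996); offer only 1.2 and 1.3.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ecdh_curve X25519:P-521:P-384:P-256;
    ssl_prefer_server_ciphers on;

    # Forward-secret AEAD suites only. The previous list still offered 3DES
    # (DES-CBC3-SHA is not excluded by !DES), CBC/SHA-1 and static-RSA suites.
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK";
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 15m;
    # Session tickets off so a long-lived ticket key cannot undermine forward secrecy.
    ssl_session_tickets off;

    location / {
        try_files $uri $uri/ =404;
    }

    # add_header inside a location REPLACES the server-level add_header set
    # rather than extending it, so the security headers must be repeated here
    # or index.html would be served without any of them.
    location = /index.html {
        add_header Cache-Control "no-cache";
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options nosniff always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header Strict-Transport-Security "max-age=31536000" always;
    }

}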

/etc/matrix-synapse/homeserver.yaml

# Synapse homeserver.yaml as posted, secrets replaced with placeholders.
# NOTE(review): anything from this file that was ever pasted publicly
# (macaroon_secret_key, registration_shared_secret, turn_shared_secret,
# DB password) should be treated as compromised and rotated.
# NOTE(review): bare keys such as `modules:` or `presence:` parse as YAML
# null, not an empty list/mapping; the poster reports this config working,
# but giving them explicit values (or removing them) is less surprising.
modules:
pid_file: "/var/run/matrix-synapse.pid"
public_baseurl: https://matrix.company.lan/
presence:

# Plain-HTTP listener bound to loopback only; TLS is terminated by nginx,
# which forwards X-Forwarded-For / X-Forwarded-Proto, hence x_forwarded: true.
listeners:
  - port: 8008
    tls: false
    type: http
    x_forwarded: true
    bind_addresses: ['::1', '127.0.0.1']
    resources:
      - names: [client, federation]
        compress: false

manhole_settings:
limit_usage_by_mau: false
limit_remote_rooms:
templates:

# Server-side message retention policy (lifetimes between 7 and 30 days).
retention:
  enabled: true
  default_policy:
    min_lifetime: 7d
    max_lifetime: 30d

caches:
  per_cache_factors:

# PostgreSQL on a separate host. NOTE(review): no sslmode is set, so the DB
# connection is unencrypted unless the server side enforces TLS — confirm.
database:
  name: psycopg2
  txn_limit: 10000
  args:
    user: synapse_db_user
    password: xxxxxxxxxx
    database: synapse_db
    host: xxx.xxx.xxx.xxx
    port: 5432
    cp_min: 5
    cp_max: 10
    keepalives_idle: 10
    keepalives_interval: 10
    keepalives_count: 3

log_config: "/etc/matrix-synapse/log.yaml"
media_store_path: "/element-data/media"
# Should match client_max_body_size in the nginx /_matrix location.
max_upload_size: 15M
url_preview_accept_language:
oembed:
# NOTE(review): 5349 is conventionally coturn's TLS port, but the `turn:`
# scheme (as opposed to `turns:`) does not use TLS — confirm which port and
# scheme coturn actually serves.
turn_uris: [ "turn:coturn.company.lan:5349?transport=udp", "turn:coturn.company.lan:5349?transport=tcp" ]
turn_shared_secret: "9ab7fb7521002kukukuku7485c27b5"
# Open registration disabled; accounts come from LDAP via ma1sd.
enable_registration: false
registration_shared_secret: uukkukukuuk
account_threepid_delegates:
enable_set_displayname: false
metrics_flags:
room_prejoin_state:
macaroon_secret_key: ukukukukukku
signing_key_path: "/etc/matrix-synapse/homeserver.signing.key"
old_signing_keys:
  
trusted_key_servers:
  - server_name: "matrix.org"

saml2_config:
  sp_config:
  user_mapping_provider:
    config:

oidc_providers:
cas_config:
sso:

password_config:
   policy:

ui_auth:
email:
push:

# Directory search covers all local users, not only those sharing a room
# with the searcher; acceptable for an internal deployment, a privacy
# consideration otherwise.
user_directory:
    search_all_users: true

stats:
opentracing:
redis:

# Delegates password checks to ma1sd's REST auth endpoint.
# NOTE(review): this is plain HTTP to a non-loopback address, so login
# passwords cross the network in cleartext unless 10.100.120.110 is this
# host; since ma1sd runs locally here, prefer http://127.0.0.1:8090 (or HTTPS).
# NOTE(review): `password_providers` is the legacy interface; newer Synapse
# releases prefer configuring the provider under `modules:` — verify for the
# installed version.
password_providers:
  - module: "rest_auth_provider.RestAuthProvider"
    config:
      endpoint: "http://10.100.120.110:8090"
  • /etc/ma1sd/ma1sd.yaml
# ma1sd configuration as posted.
# NOTE(review): `domain` must match Synapse's server_name, which is not
# shown in the homeserver.yaml excerpt above — confirm.
# Only the v2 (hashed lookup) identity API is exposed; v1 is disabled.
matrix:
  domain: 'matrix.company.lan'
  v1: false
  v2: true

# Directory search results come from LDAP only; homeserver users are skipped.
directory:
  exclude:
    homeserver: true

# ma1sd reaches Synapse directly over loopback instead of via nginx/DNS.
dns:
  overwrite:
    homeserver:
      client:
        - name: 'matrix.company.lan'
          value: 'http://localhost:8008'

enable_registration: false
key:
  path: '/var/lib/ma1sd/keys'

storage:
  provider:
    sqlite:
      database: '/var/lib/ma1sd/store.db'

# Active Directory backend over LDAPS (tls: true on port 636).
# NOTE(review): bindPassword is a plaintext service-account credential in
# this file; keep the file readable only by the ma1sd user and give the bind
# account read-only rights to the base DNs below.
ldap:
  enabled: true
  lookup: true 
  activeDirectory: true
  defaultDomain: 'company.lan'
  connection:
    host: 'dc01.company.lan'
    tls: true
    port: 636
    bindDn: 'CN=account,OU=dep1,OU=Company,DC=company,DC=lan'
    bindPassword: 'password'
    baseDNs:
      - 'ou=Company,dc=company,dc=lan'
  attribute:
    uid:
      type: 'uid'
      value: 'sAMAccountName'
    name: 'cn'

# Hashed (v2) lookups: sha256 with a 20-byte pepper rotated every 10 requests,
# hashes kept in the SQL store.
hashing:
  enabled: true 
  pepperLength: 20 
  rotationPolicy: per_requests
  hashStorageType: sql
  algorithms:
    - sha256 
  requests: 10 

logging:
  root: error     # default level for all loggers (apps and thirdparty libraries)
  app: info       # log level only for the ma1sd
  # Keep `requests` false in production: full request/response dumps can
  # include credentials and lookup data.
  requests: false # or true to dump full requests and responses
