From da6edc9cba781f03a424dd65c09a98bfcb4912aa Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Thu, 4 Jul 2019 17:11:51 +0300
Subject: [PATCH] Add support for disabling Synapse's local database for user auth

This is a new feature of Synapse v1.1.0. Discussed in #145 (Github Pull Request).
---
 docs/configuring-playbook-ldap-auth.md | 11 ++++++++++-
 docs/configuring-playbook-rest-auth.md | 9 +++++++++
 docs/configuring-playbook-shared-secret-auth.md | 11 ++++++++++-
 roles/matrix-synapse/defaults/main.yml | 5 +++++
 .../templates/synapse/homeserver.yaml.j2 | 2 +-
 5 files changed, 35 insertions(+), 3 deletions(-)

diff --git a/docs/configuring-playbook-ldap-auth.md b/docs/configuring-playbook-ldap-auth.md
index 5d63cf264..5658b8a90 100644
--- a/docs/configuring-playbook-ldap-auth.md
+++ b/docs/configuring-playbook-ldap-auth.md
@@ -17,4 +17,13 @@ matrix_synapse_ext_password_provider_ldap_attributes_name: "cn"
 matrix_synapse_ext_password_provider_ldap_bind_dn: ""
 matrix_synapse_ext_password_provider_ldap_bind_password: ""
 matrix_synapse_ext_password_provider_ldap_filter: ""
-```
\ No newline at end of file
+```
+
+
+## Authenticating only using a password provider
+
+If you wish for users to **authenticate only against configured password providers** (like this one), **without consulting Synapse's local database**, feel free to disable it:
+
+```yaml
+matrix_synapse_password_config_localdb_enabled: false
+```
diff --git a/docs/configuring-playbook-rest-auth.md b/docs/configuring-playbook-rest-auth.md
index 6c3e41898..f35c0f49e 100644
--- a/docs/configuring-playbook-rest-auth.md
+++ b/docs/configuring-playbook-rest-auth.md
@@ -13,3 +13,12 @@ matrix_synapse_ext_password_provider_rest_auth_registration_enforce_lowercase: f
 matrix_synapse_ext_password_provider_rest_auth_registration_profile_name_autofill: true
 matrix_synapse_ext_password_provider_rest_auth_login_profile_name_autofill: false
 ```
+
+
+## Authenticating only using a password provider
+
+If you wish for users to **authenticate only against configured password providers** (like this one), **without consulting Synapse's local database**, feel free to disable it:
+
+```yaml
+matrix_synapse_password_config_localdb_enabled: false
+```
diff --git a/docs/configuring-playbook-shared-secret-auth.md b/docs/configuring-playbook-shared-secret-auth.md
index 26675f4c8..0ec60d2ea 100644
--- a/docs/configuring-playbook-shared-secret-auth.md
+++ b/docs/configuring-playbook-shared-secret-auth.md
@@ -9,4 +9,13 @@ If you decide that you'd like to let this playbook install it for you, you need
 ```yaml
 matrix_synapse_ext_password_provider_shared_secret_auth_enabled: true
 matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: YOUR_SHARED_SECRET_GOES_HERE
-```
\ No newline at end of file
+```
+
+
+## Authenticating only using a password provider
+
+If you wish for users to **authenticate only against configured password providers** (like this one), **without consulting Synapse's local database**, feel free to disable it:
+
+```yaml
+matrix_synapse_password_config_localdb_enabled: false
+```
diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml
index 0658fac25..30274f2f1 100644
--- a/roles/matrix-synapse/defaults/main.yml
+++ b/roles/matrix-synapse/defaults/main.yml
@@ -147,6 +147,11 @@ matrix_synapse_autocreate_auto_join_rooms: true
 # Controls password-peppering for Synapse. Not to be changed after initial setup.
 matrix_synapse_password_config_pepper: ""
 
+# Controls if Synapse allows people to authenticate against its local database.
+# It may be useful to disable this if you've configured additional password providers
+# and only wish authentication to happen through them.
+matrix_synapse_password_config_localdb_enabled: false
+
 # Controls the number of events that Synapse caches in memory.
 matrix_synapse_event_cache_size: "100K"
 
diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
index 35c3bbe01..8100a1bb1 100644
--- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
+++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
@@ -1099,7 +1099,7 @@ password_config:
 # database. This is ignored if `enabled` is false, and is only useful
 # if you have other password_providers.
 #
- #localdb_enabled: false
+ localdb_enabled: {{ matrix_synapse_password_config_localdb_enabled|to_json }}
 
 # Uncomment and change to a secret random string for extra security.
 # DO NOT CHANGE THIS AFTER INITIAL SETUP!
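Review bot: The new default `matrix_synapse_password_config_localdb_enabled: false` in the defaults/main.yml hunk is rendered straight into `localdb_enabled` by the homeserver.yaml.j2 hunk, so it disables local-database password authentication for every deployment, including the default one with no password provider configured; unless I am missing a guard elsewhere, existing password users would stop being able to log in after the regenerated config is applied. The comment added directly above it and the three docs sections added in this commit all present disabling as an opt-in for deployments that have other password providers, and the commented-out `#localdb_enabled: false` being replaced in the template shows Synapse's own default is enabled. The default should match that: `matrix_synapse_password_config_localdb_enabled: true`. It would also help to extend the comment with a sentence such as `# Setting this to false without a working password provider makes all password logins fail.`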
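Review bot: In the homeserver.yaml.j2 hunk the `localdb_enabled:` key is now always rendered, but the comment block it sits under, which begins outside the hunk, presumably still reads as Synapse's sample-config "uncomment to disable" instruction and is therefore stale for playbook users. Consider replacing that lead-in with a comment naming the variable that drives the value, e.g. `# Controlled by matrix_synapse_password_config_localdb_enabled in the playbook's variables.`; the context line `# database. This is ignored if enabled is false, and is only useful # if you have other password_providers.` remains accurate and can stay.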