This is a puppet module to manage configuration and installation of Mattermost-LDAP.
## Overview
Mattermost-LDAP is a module which provides an external LDAP authentication in Mattermost for the Team Edition. Actually, Mattermost and LDAP are mainly used by companies which should manage their servers, services and configurations with automated processes. Many companies use Puppet, an open-source software configuration management tool, to automated their configuration deployement.
This module installs and configures Mattermost-LDAP, to provide the LDAP support on Mattermost. For more information about Mattermost-LDAP please refer to : https://github.com/Crivaledaz/Mattermost-LDAP
The use of this puppet module substitute to the standard installation and configuration steps describe on the Mattermost-LDAP project page. See below to install and configure Mattermost-LDAP with puppet.
The Puppet Mattermost-LDAP module installs the oauth server and associated files from a release archive provided in this repository, create and configure a database for the oauth server depending on your database server (PostgreSQL or MySQL), and configures the oauth server to interact with LDAP according to settings you provide.
To know the dependencies necessary for Mattermost-LDAP (which will be installed with this puppet module), please refer to : https://github.com/Crivaledaz/Mattermost-LDAP
Move mattermostldap directory from the Puppet directory to /etc/puppet/modules on your Puppet Master, in order to install add this module in Puppet. Make a tar.gz archive with the oauth directory and it is recommended to put this archive on a http server. Thus, the archive will be reachable from a url.
If you have already a Mattermost server running, and a suitable database configured for the oauth server, this is the minimum you need to get Mattermost-LDAP working:
This will download project.tar.gz from your server, and extract the archive in /var/www/html. After running, this module ensure that PHP, php-pdo, php-ldap, php-pgsql is installed and httpd is installed and running. The oauth database will be configured and an oauth client, for Mattermost, will be created with id and secret provide. Moreover, Oauth server will be configure to interact with the LDAP and the oauth database.
Below, there is an example of Mattermost-LDAP Puppet module using Mattermost and PostgreSQL puppet module to install and configure all running on the same server (requires puppetlabs/postgresql and liger1978/mattermost):
With the above code, you should be able to access the Mattermost application at http://mattermost.company.com:8065 (with your company address) and sign in with your LDAP credentials using the Gitlab button.
If you have succeeded previous step you only have to go to the login page of your Mattermost server and click on the Gitlab Button. You will be redirected to a form asking for your LDAP credentials. If your credentials are valid, you will be asked to authorize Oauth to give your information to Mattermost. After authorizing you should be redirected on Mattermost connected with your account.
Keep in mind this will create a new account on your Mattermost server with information from LDAP. The process will fail if an existing user already use your LDAP email. To bind a user to the LDAP authentication, sign in mattermost with this user account, go in account settings > security > sign-in method and "switch to using Gitlab SSO".
The base URL of your Mattermost server. This is the URL provided in the site URL field in Mattermost admin panel. (ex : http://mattermost.company.com or http://mattermost.company.com:8065)
The LDAP Relative Directory Name suffixto identify a user in LDAP, see LDAP.php class for more information (use by authorize.php to check user credentials on LDAP)
The application ID shared with mattermost. This ID should be a random token. You can use openssl to generate this token (openssl rand -hex 32). If the ID is not filled, database will not be initialised and client will not be created.
The application secret shared with mattermost. This secret should be a random token. You can use openssl to generate this token (openssl rand -hex 32). If the secret is not filled, database will not be initialised and client will not be created. Secret must be different of the client ID.
The callback address where oauth will send tokens to Mattermost. Normally it should be http://mattermost.company.com/signup/gitlab/complete (and this is the default value)
The username of the user who create the Mattermost client in Oauth. This field has no impact, and could be used as a commentary field. By default this field is empty.
The date.timezone parameter for php.ini. This parameter will change the php.ini. This parameter must be set to avoid E.Notice raise by strtotime() (in Pdo.php). Note that if date.timezone is not defined, Mattermost will return a bad token request error. By default Europe/Paris (Because I love my country :D)
#### ldap_bind_dn (Optional)
The LDAP Directory Name of an service account to allow LDAP search. This ption is required if your LDAP is restrictive, else by default is an empty string (""). (ex : cn=mattermost_ldap,dc=Example,dc=com)
#### ldap_bind_pass (Optional)
The password associated to the service account to allow LDAP search. This ption is required if your LDAP you provide an bind user, else by default is an empty string ("").
This module has been tested on Centos 7 with PostgreSQL.
Others operating systems has not been tested yet but should work fine.
MySQL has not really been tested so it is possible there is some bugs with.
## Thanks
I wish to thank my company and my colleagues for their help and support. Also, I thank ligger1978 for his Mattermost Puppet module which inspires me a lot.
## Known issues
* LDAP authentication failed
Try to restart httpd service. If this persists verify your LDAP configuration or your credentials.
* PHP date timezone error
Edit php.ini to set up date.timezone option and restart httpd service.
* Token request failed
Try to add a new rule in your firewall (or use iptables -F on both Mattermost server and Oauth server)
