From 723eb5140eaf174b0d04cc9067e68ab805cb14fd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Norman=20K=C3=B6ster?= Date: Mon, 18 Jan 2021 11:18:23 +0100 Subject: [PATCH 1/2] Document usage with nginx-proxy-letsencry; Fixes #71 --- README.md | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 61 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 52d000e..d7816ba 100755 --- a/README.md +++ b/README.md @@ -53,7 +53,7 @@ For more information about parameters, see beelow the configuration section of t Otherwise, for production, you need to create a directory to store PostgreSQL data. This directory will contain the Oauth database and allows data persistence, even if containers are stopped or restarted. By dafault, this Mattermost-LDAP implementation uses folder `data/` next to the `docker-compose.yaml` file to store data. This folder need to be created before running Docker compose : ```bash mkdir data -``` +``` For demo, you need to rename example configuration file without the example extension. ```bash 
@@ -266,6 +266,66 @@ Parameters 'ldap_bind_dn' and 'ldap_bind_pass' are required if your LDAP is rest To try your configuration you can use `ldap.php` available at the root of this project which use the LDAP library for PHP or you can use `ldapsearch` command in a shell. +### Additional information for usage with nginx-proxy, nginx-proxy-letsencrypt + +In case you want to use `nginx-proxy`, `nginx-proxy-letsencrypt`, and (for example) `openldap`, it is possible to use subdomains for your services. Following this approach you could have mattermost running on on `https://chat.example.com` and authenticate *via this container from `https://oauth.example.com`. This container will then have its own letsencypt certificate. + +You can add the following settings to your configuration files for this type of setup. + +docker-compose.yaml +```yaml +version: '3' + +[...] + +services: + mattermost-ldap: + + [...] + + expose: + - 80 + - 443 + + environment: + [...] + - VIRTUAL_HOST=oauth.example.com,www.oauth.example.com + - LETSENCRYPT_HOST=oauth.example.com,www.oauth.example.com + +[...] +``` + +.env +```bash +[...] + +redirect_uri = "https://chat.example.com/signup/gitlab/complete" + +[...] + +ldap_filter = "(&(objectClass=inetOrgPerson)(memberof=cn=chat,ou=groups,dc=example,dc=com))" + +[...] +``` + +This filter will additionally allow you to filter based on group affiliation within your LDAP server. + +Finally, add the following to your mattermost config.json to ensure the correct redirect. + +```json +[...] + "GitLabSettings": { + "Enable": true, + "Secret": "XXX", + "Id": "YYY", + "Scope": "", + "AuthEndpoint": "https://oauth.example.com/oauth/authorize.php", + "TokenEndpoint": "https://oauth.example.com/oauth/token.php", + "UserApiEndpoint": "https://oauth.example.com/oauth/resource.php" + }, +[...] +``` + ## Usage If you have succeeded previous step you only have to go to the login page of your Mattermost server and click on the Gitlab Button. 
You will be redirected to a form asking for your LDAP credentials. If your credentials are valid, you will be asked to authorize Oauth to give your information to Mattermost. After authorizing you should be redirected on Mattermost connected with your account. From b9cb9058e5c0e7aade73d29680d8103c4ea9916c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Norman=20K=C3=B6ster?= Date: Mon, 18 Jan 2021 11:27:18 +0100 Subject: [PATCH 2/2] Remove minor typos --- README.md | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/README.md b/README.md index d7816ba..d2004cd 100755 --- a/README.md +++ b/README.md @@ -268,7 +268,7 @@ To try your configuration you can use `ldap.php` available at the root of this p ### Additional information for usage with nginx-proxy, nginx-proxy-letsencrypt -In case you want to use `nginx-proxy`, `nginx-proxy-letsencrypt`, and (for example) `openldap`, it is possible to use subdomains for your services. Following this approach you could have mattermost running on on `https://chat.example.com` and authenticate *via this container from `https://oauth.example.com`. This container will then have its own letsencypt certificate. +In case you want to use `nginx-proxy`, `nginx-proxy-letsencrypt`, and (for example) `openldap`, it is possible to use subdomains for your services. Following this approach you could have mattermost running on on `https://chat.example.com` and authenticate via this container from `https://oauth.example.com`. This container will then have its own letsencypt certificate. You can add the following settings to your configuration files for this type of setup. @@ -301,8 +301,6 @@ services: redirect_uri = "https://chat.example.com/signup/gitlab/complete" -[...] - ldap_filter = "(&(objectClass=inetOrgPerson)(memberof=cn=chat,ou=groups,dc=example,dc=com))" [...] 
@@ -313,7 +311,6 @@ This filter will additionally allow you to filter based on group affiliation wit Finally, add the following to your mattermost config.json to ensure the correct redirect. ```json -[...] "GitLabSettings": { "Enable": true, "Secret": "XXX", @@ -323,7 +320,6 @@ Finally, add the following to your mattermost config.json to ensure the correct "TokenEndpoint": "https://oauth.example.com/oauth/token.php", "UserApiEndpoint": "https://oauth.example.com/oauth/resource.php" }, -[...] ``` ## Usage
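Review bot: on the `@@ -53,7` hunk of the first patch, the only change is trailing whitespace stripped after the closing ``` fence, which has nothing to do with the nginx-proxy documentation the commit subject describes; either drop it or move it into the typo-cleanup commit. While these lines are being touched, the context still reads `see beelow the configuration section`, `By dafault` and `This folder need to be created`, none of which the follow-up "Remove minor typos" commit fixes.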
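Review bot: in the `@@ -266,6` hunk, `expose: - 80 - 443` is misleading for an nginx-proxy setup: nginx-proxy terminates TLS itself and forwards to a single container port, and when a container exposes more than one port it defaults to 80 unless `VIRTUAL_PORT` is set, so the `- 443` entry is either dead or needs an accompanying `VIRTUAL_PORT`; exposing only `80` is clearer. `LETSENCRYPT_HOST=oauth.example.com,www.oauth.example.com` puts both names on one certificate, so both need public DNS records pointing at the proxy or issuance fails, and the `www.` variant is rarely wanted for an OAuth endpoint host. The sentence "add the following to your mattermost config.json to ensure the correct redirect" is inaccurate: `GitLabSettings` only tells Mattermost which authorize/token/resource endpoints to call, while the redirect is governed by `redirect_uri = "https://chat.example.com/signup/gitlab/complete"` in `.env`, which must match Mattermost's callback URL exactly (scheme, host and path) or the OAuth server rejects the callback; reword accordingly. Finally, `(memberof=cn=chat,ou=groups,dc=example,dc=com)` in `ldap_filter` only works when the directory exposes a `memberOf` attribute, which on OpenLDAP means enabling the `memberof` overlay; without it the filter matches no entries and every login fails, so state that prerequisite next to the filter.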
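Review bot: the `@@ -268,7` hunk of the second patch removes the stray `*` from `*via` but leaves `running on on` and `letsencypt` in the same sentence; since the commit is titled "Remove minor typos", fix those too (`running on`, `Let's Encrypt`). The subject line of the first patch also reads `nginx-proxy-letsencry`.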
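Review bot: dropping `[...]` from inside the ```json fence in the `@@ -313,7` and `@@ -323,7` hunks is right, since it is not valid JSON, but the remaining fragment still starts with an indented `"GitLabSettings"` key and ends with `},`, so the lead-in sentence should say the block is merged into the existing top-level object of `config.json` rather than appended to it. The `"Secret": "XXX"` and `"Id": "YYY"` placeholders should also be explained as the OAuth client secret and client id that the OAuth server has registered for Mattermost, otherwise readers will not know what to substitute.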