Skip to content

Commit

Permalink
Migrate from Apache to Nginx - Add HTTPS support - fix #80
Browse files Browse the repository at this point in the history
  • Loading branch information
Denis CLAVIER committed Dec 10, 2021
1 parent 1dda144 commit 04f4661
Show file tree
Hide file tree
Showing 7 changed files with 130 additions and 236 deletions.
2 changes: 2 additions & 0 deletions .gitignore
Original file line number Diff line number Diff line change
@@ -1,4 +1,6 @@
config_init.sh
config_ldap.php
config_db.php
data
certs

123 changes: 37 additions & 86 deletions Container.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,9 +3,9 @@ Install using containers - Docker/Podman

The easiest way to setup Mattermost-LDAP is using the docker-compose implementation.

For production use, you must use the `docker-copose.yaml` file available at the root of this repository. Unlike the Demo, this docker-compose file only setup Mattermost-LDAP with an Apache server and a PostgreSQL database.
For production use, you must use the [`docker-compose.yaml`](https://github.com/Crivaledaz/Mattermost-LDAP/blob/master/docker-compose.yaml) file available at the root of this repository. Unlike the Demo, this docker-compose file only setup Mattermost-LDAP with an Nginx server linked to a PHP engine and a PostgreSQL database.

This implementation uses an embedded Oauth server, which can be configured by environment variables.
This implementation uses the repository Oauth server, which can be configured by environment variables.

## Requirements

Expand All @@ -17,137 +17,88 @@ For more information about Podman installation, see official documentation : htt

## Preparation

First, you need to clone (or download and extract) this repository on your server :
First, you need to clone (or download and extract) this repository on your server with:
```bash
git clone https://github.com/Crivaledaz/Mattermost-LDAP
cd Mattermost-LDAP
```

Then, before running the docker-compose file, you need to adapt LDAP and DB parameters. All parameters are gathered in the `env.example` file and they are passed to Postgres and Oauth server by environment variables.
Then, before running the docker-compose file, you need to adapt LDAP and DB parameters. All parameters are gathered in `environment` sections in the [`docker-compose.yaml`](https://github.com/Crivaledaz/Mattermost-LDAP/blob/master/docker-compose.yaml) file and they are passed to Postgres and Oauth server by environment variables.

Copy the `env.example` file to `.env` and edit it to change with your values.
You must edit the docker-compose file to adapt parameters with your values.

**Warning** : Postgres root password and database Oauth password must be changed. Client and secret tokens must be generated randomly, using `openssl rand -hex 32`.

For more information about available parameters, refer to the [configuration section](https://github.com/Crivaledaz/Mattermost-LDAP#configuration) of the repository README.

Otherwise, for production, you need to create a directory to store PostgreSQL data. This directory will contain the Oauth database and allows data persistence, even if containers are stopped or restarted. By default, this Mattermost-LDAP implementation uses folder `data/` next to the `docker-compose.yaml` file to store data. This folder need to be created before running Docker compose :

```bash
mkdir data
```

To use Mattermost-LDAP with your own Mattermost server, you need to configure your Mattermost instance as described in section "Configure Mattermost".
To use Mattermost-LDAP with your own Mattermost server, you need to configure your Mattermost instance as described in section "Configure Mattermost" below.

## Configure Mattermost

Active Gitlab authentication in `System Console > Gitlab` (or `config.json`) and fill application id and secret with the two tokens got during install section. For the next fields use this :

```
User API Endpoint : http://HOSTNAME/oauth/resource.php
Auth Endpoint: http://HOSTNAME/oauth/authorize.php
Token Endpoint: http://HOSTNAME/oauth/token.php
```

Change `HOSTNAME` by hostname or ip of the server where you have installed Mattermost-LDAP module.

Since Mattermost 4.9, these fields are disabled in admin panel, so you need to edit directly section `GitLabSettings` in the Mattermost configuration file `config.json`.
Active Gitlab authentication in Mattermost configuration and fill GitLab parameters, with your values. To do this, you need to edit the `config.json` file or change parameters in Mattermost configuration table if you use configuration in the database.

In the `config.json` file, GitLab configuration is gathered in the section `GitLabSettings`. You have to enable it and to fill parameters with your values. Once completed, the section should look like :
In the `config.json` file, GitLab configuration is gathered in the section `GitLabSettings`. Adapt this section with your values, it should seems like this :

```
"GitLabSettings": {
"Enable": true,
"Secret": "fedcba987654321fedcba987654321",
"Id": "123456789abcdef123456789abcdef",
"Scope": "",
"AuthEndpoint": "http://localhost/oauth/authorize.php",
"TokenEndpoint": "http://localhost/oauth/token.php",
"UserApiEndpoint": "http://localhost/oauth/resource.php"
"AuthEndpoint": "https://<HOSTNAME>/oauth/authorize.php",
"TokenEndpoint": "https://<HOSTNAME>/oauth/token.php",
"UserApiEndpoint": "https://<HOSTNAME>/oauth/resource.php"
},
```

*Note* : You need to restart the Mattermost server to take into account the change.
Change `<HOSTNAME>` by the hostname or ip of the server where you have installed Mattermost-LDAP module. The `Secret` and `Id` parameters should contain the tokens generated previously.

## Usage

Once the `.env` file have been adapted, you can run the docker-compose file with the following commands :
```bash
# With Docker
docker-compose build
docker-compose up -d
**Note** : You need to restart the Mattermost server to take into account the change.

# With Podman
podman-compose build
podman-compose up -d
```
## HTTPS configuration

The build command allows Docker compose to build necessary image. Images use are available in the [Docker/](Docker) directory of this repository. The up command starts all services described in the Docker compose file.
Since Mattermost-LDAP version 2.1, HTTPS is enable by default to protect sensitive data exchanged between users and Mattermost-LDAP (LDAP username and password).

Once all services are started, go to Mattermost server and click on GitLab button to login with LDAP credential on Mattermost-LDAP. Then, if you login successfully and authorize Mattermost-LDAP to transmit your data to Mattermost, you should be log on Mattermost.
You need to provide a pair of TLS certificates and to store these in a directory named `certs`. To generate self-signed certificates you can use the following command :

To stop Mattermost server and Mattermost-LDAP, use the following command :
```bash
# With Docker
docker-compose down

# With Podman
podman-compose down
mkdir certs
openssl req -x509 -newkey rsa:4096 -sha256 -days 364 -nodes -keyout certs/key.pem -out certs/cert.pem -subj '/CN=<HOSTNAME>' -extensions san -config <( echo '[req]'; echo 'distinguished_name=req'; echo '[san]'; echo 'subjectAltName=DNS:localhost,<HOSTNAME>')
```

## Extension

### Additional information for usage with nginx-proxy, nginx-proxy-letsencrypt

In case you want to use `nginx-proxy`, `nginx-proxy-letsencrypt`, and (for example) `openldap`, it is possible to use subdomains for your services. Following this approach you could have mattermost running on on `https://chat.example.com` and authenticate via this container from `https://oauth.example.com`. This container will then have its own letsencypt certificate.
Replace `<HOSTNAME>` by the hostname serving the Oauth server (ie: the server where you have installed Mattermost-LDAP).

You can add the following settings to your configuration files for this type of setup.
**Remark** : By default, Mattermost does not trust self-signed certificate. To remediate you need to add the certificate to the Mattermost server certificate bundle or change the parameter `EnableInsecureOutgoingConnection` to true in the Mattermost configuration (`config.json`).

In `docker-compose.yaml` :
```yaml
version: '3'
Alternatively, you can use your own certificates and place them in the `certs` directory. This directory will be consumed by the Nginx container as a volume.

[...]
*Note* : Your certificates should be in PEM format and must be named `cert.pem` and `key.pem`, to match the Nginx configuration.

services:
mattermost-ldap:

[...]

expose:
- 80
- 443

environment:
[...]
- VIRTUAL_HOST=oauth.example.com,www.oauth.example.com
- LETSENCRYPT_HOST=oauth.example.com,www.oauth.example.com

[...]
```
## Usage

In `.env`:
Once you have adapted environement paramters in the docker-compose file, you can run Mattermost-LDAP with the following commands (from the root of the repository) :
```bash
[...]

redirect_uri = "https://chat.example.com/signup/gitlab/complete"

ldap_filter = "(&(objectClass=inetOrgPerson)(memberof=cn=chat,ou=groups,dc=example,dc=com))"
# With Docker
docker-compose up -d

[...]
# With Podman
podman-compose up -d
```
The previous command starts all services described in the Docker compose file. The `-d` argument allows to start all container in background, in a detached mode.

This filter will additionally allow you to filter based on group affiliation within your LDAP server.
Once all services are started, go to Mattermost server and click on GitLab button to login with LDAP credential on Mattermost-LDAP. Then, if you login successfully and authorize Mattermost-LDAP to transmit your data to Mattermost, you should be log on Mattermost.

Finally, add the following to your mattermost `config.json` to ensure the correct redirect.
To stop Mattermost-LDAP, use the following command :
```bash
# With Docker
docker-compose down

```json
"GitLabSettings": {
"Enable": true,
"Secret": "XXX",
"Id": "YYY",
"Scope": "",
"AuthEndpoint": "https://oauth.example.com/oauth/authorize.php",
"TokenEndpoint": "https://oauth.example.com/oauth/token.php",
"UserApiEndpoint": "https://oauth.example.com/oauth/resource.php"
},
# With Podman
podman-compose down
```
26 changes: 0 additions & 26 deletions Docker/mattermostldap/Dockerfile

This file was deleted.

6 changes: 3 additions & 3 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@ See Limitation section for more information.

## Quick Start - Demonstration

To test and try Mattermost-LDAP, you can use the demonstration available in the `Demo/` folder. This demonstration is based on a docker-compose implementation describe in the `Demo/docker-compose.yaml` file.
To test and try Mattermost-LDAP, you can use the demonstration available in the `Demo/` folder. This demonstration is based on a docker-compose implementation describe in the [`Demo/docker-compose.yaml` file](https://github.com/Crivaledaz/Mattermost-LDAP/blob/master/Demo/docker-compose.yaml).

This docker-compose file instantiate a Mattermost Server from the official preview image provides by Mattermost, a Mattemrost-LDAP pre-configured server with a PostgreSQL database and an OpenLDAP server with a test user : John DOE.

Expand Down Expand Up @@ -64,7 +64,7 @@ docker-compose up -d
podman-compose up -d
```

The up command starts all services described in the Docker compose file. The `-d` argument allow to start all container in background, in a detach mode.
The up command starts all services described in the Docker compose file. The `-d` argument allows to start all container in background, in a detach mode.

Once all services are started, go to Mattermost server. Mattermost should be available after a few seconds on localhost : http://localhost.

Expand Down Expand Up @@ -104,7 +104,7 @@ Configuration files are provided with examples and default values. Each config f

You can find a detailed description of each parameters available below.

**Note** : For container, these variables are overload by environment variables define in `.env` file or `docker-compose.yaml` file.
**Note** : For container, these variables are overload by environment variables define in the [`docker-compose.yaml`](https://github.com/Crivaledaz/Mattermost-LDAP/blob/master/docker-compose.yaml) file.

### Init script parameters

Expand Down
75 changes: 42 additions & 33 deletions docker-compose.yaml
Original file line number Diff line number Diff line change
@@ -1,29 +1,38 @@
version: '3'
services:
mattermost-ldap:
build: Docker/mattermostldap
image: mattermostldap
nginx:
image: nginx
restart: always
ports:
- 80:80
- 443:443
volumes:
- ./oauth:/var/www/html/oauth
- ./oauth.conf:/etc/nginx/conf.d/oauth.conf:ro
- ./certs:/etc/nginx/certs
links:
- "php:php"
php:
build: ./Docker/php-ldap-pgsql
image: php-ldap-pgsql
volumes:
- ./oauth:/var/www/html/oauth
environment:
- ldap_host
- ldap_port
- ldap_version
- ldap_start_tls
- ldap_search_attribute
- ldap_base_dn
- ldap_filter
- ldap_bind_dn
- ldap_bind_pass
- db_host
- db_port
- db_type
- db_name
- db_user
- db_pass

ldap_host: ldap://ldap.company.com:389/
ldap_port: 389
ldap_version: 3
ldap_start_tls: 0
ldap_search_attribute: uid
ldap_base_dn: "ou=People,o=Company"
ldap_filter: "(objectClass=*)"
ldap_bind_dn: ""
ldap_bind_pass: ""
db_host: "127.0.0.1"
db_port: "5432"
db_type: "pgsql"
db_name: "oauth_db"
db_user: "oauth"
db_pass: "oauth_secure-pass"
db:
image: postgres:alpine
restart: always
Expand All @@ -32,17 +41,17 @@ services:
- ./db_init/config_init.sh.example:/docker-entrypoint-initdb.d/config_init.sh
- ./data/:/var/lib/postgresql/data/
environment:
- POSTGRES_USER
- POSTGRES_PASSWORD
- POSTGRES_HOST_AUTH_METHOD
- client_id
- client_secret
- redirect_uri
- grant_types
- scope
- user_id
- db_user
- db_pass
- db_name
- db_host
- db_port
POSTGRES_USER: postgres
POSTGRES_PASSWORD: rootroot
POSTGRES_HOST_AUTH_METHOD: trust
client_id: 123456789abcdef123456789abcdef
client_secret: fedcba987654321fedcba987654321
redirect_uri: "https://mattermost.company.com/signup/gitlab/complete"
grant_types: "authorization_code"
scope: "api"
user_id: ""
db_user: "oauth"
db_pass: "oauth_secure-pass"
db_name: "oauth_db"
db_host: "127.0.0.1"
db_port: "5432"
Loading

0 comments on commit 04f4661

Please sign in to comment.