Add LDAP authentication

[DoubleMalt]

This pul request enables LDAP authentication. If a users authenticate successfully via the configured LDAP server and are not yet in the local database, they are created.

Missing parts:

• get email from LDAP server
• get full name from LDAP server

[matrixbot]

Can one of the admins verify this patch?

[matrixbot]

Can one of the admins verify this patch?

[matrixbot]

Can one of the admins verify this patch?

[matrixbot]

Can one of the admins verify this patch?

[erikjohnston]

@matrixbot ok to test

(Sorry about the matrixbot spam)

[erikjohnston]

Oh, I'll need to add the new dependency manually to get the tests to run.

[erikjohnston]

Although see: http://matrix.org/jenkins/job/SynapseFlake8Packaging/176/violations/file/synapse/handlers/auth.py/ for some code style violations :)

[erikjohnston]

This is a bit hard to follow. Maybe something like the following is clearer?

if self.ldap_enabled:
    valid_ldap = yield self._check_ldap_password(user_id, password))
    if valid_ldap:
       defer.returnValue(True)

valid_password = yield self._check_local_password(user_id, password)
defer.returnValue(valid_password)

This way we don't attempt (and log) if we've tried to do LDAP each time someone logs in to a HS with LDAP disabled.

[DoubleMalt]

the first line of _check_ldap_password bails immediately if ldap_enabled is false. I can put the log level for the message on debug.

I honestly have a harder time parsing your code to see that it returns true if any of the two methods return true, but that's probably just my personal preference. I don't have a problem to change the code to you suggestion if you feel strongly about it :)

[erikjohnston]

I'd prefer if this only caught login failures, as otherwise it masks programmer/logic errors.

[DoubleMalt]

Good point. Will fix.

[erikjohnston]

Maybe make this a warning? Also, instead of string formatting you can do: logger.info("LDAP error: %s", e), which saves us doing unnecessary string formatting.

[erikjohnston]

Does python-ldap have a system dependency? If it does then I'd probably want to make the python-ldap dependency optional somehow, otherwise its going to break everyone's synapse on upgrade.

[DoubleMalt]

Unfortunately it depends on openldap-dev. How could I make it optional in the python-dependencies file?

[erikjohnston]

Unfortunately it depends on openldap-dev. How could I make it optional in the python-dependencies file?

I think the easiest is just to omit it from the dependency list entirely, and only try and import it if ldap is enabled. Since importing is cheap after its done initially, I'd probably import it in __init__ (to catch early if ldap is enabled, but they didn't add the dependency) and then just reimport it in _check_ldap_password

[erikjohnston]

The unit tests are failing due to the fact that Mocks evaluate to True. I propose being slightly evil and changing the ldap enabled tests to if self.ldap_enabled is True and if self.ldap_enabled is not True

[erikjohnston]

Line 234 needs to be updated now that this no longer raises but instead returns a boolean.

[DoubleMalt]

All checks pass :)

[erikjohnston]

Excellent! If you could just sign off on this contribution we can land it: https://github.com/matrix-org/synapse/blob/master/CONTRIBUTING.rst#sign-off

Simply replying here with Signed-off-by: Your Name <your@email.example.org>, is sufficient.

Also, feel free to add yourself to the AUTHORS.rst!

[erikjohnston]

Woo! Thanks :)

(The failure seems to be due to jenkins failing to set the commit status on github, intriguingly. All the tests pass though)

[aperezdc]

JFTR if you want to avoid the dependency of OpenLDAP installed in the system, a pure-Python option would be the ldap3 package.