The easiest way to setup Mattermost-LDAP is using the docker-compose implementation.
For production use, you must use the docker-compose.yaml file available at the root of this repository. Unlike the Demo, this docker-compose file only setup Mattermost-LDAP with an Nginx server linked to a PHP engine and a PostgreSQL database.
This implementation uses the repository Oauth server, which can be configured by environment variables.
To use docker-compose implementation, you need to install Docker and Docker compose. For CentOS 8 and Fedora, it is recommended to use Podman and Podman compose instead of Docker and Docker compose.
For more information about Docker installation, see official guide : https://docs.docker.com/engine/install/
For more information about Podman installation, see official documentation : https://podman.io/getting-started/installation.html
First, you need to clone (or download and extract) this repository on your server with:
git clone https://github.com/Crivaledaz/Mattermost-LDAP
cd Mattermost-LDAPThen, before running the docker-compose file, you need to adapt LDAP and DB parameters. All parameters are gathered in environment sections in the docker-compose.yaml file and they are passed to Postgres and Oauth server by environment variables.
You must edit the docker-compose file to adapt parameters with your values.
Warning : Postgres root password and database Oauth password must be changed. Client and secret tokens must be generated randomly, using openssl rand -hex 32.
For more information about available parameters, refer to the configuration section of the repository README.
Otherwise, for production, you need to create a directory to store PostgreSQL data. This directory will contain the Oauth database and allows data persistence, even if containers are stopped or restarted. By default, this Mattermost-LDAP implementation uses folder data/ next to the docker-compose.yaml file to store data. This folder need to be created before running Docker compose :
mkdir dataTo use Mattermost-LDAP with your own Mattermost server, you need to configure your Mattermost instance as described in section "Configure Mattermost" below.
Active Gitlab authentication in Mattermost configuration and fill GitLab parameters, with your values. To do this, you need to edit the config.json file or change parameters in Mattermost configuration table if you use configuration in the database.
In the config.json file, GitLab configuration is gathered in the section GitLabSettings. Adapt this section with your values, it should seems like this :
"GitLabSettings": {
"Enable": true,
"Secret": "fedcba987654321fedcba987654321",
"Id": "123456789abcdef123456789abcdef",
"Scope": "",
"AuthEndpoint": "https://<HOSTNAME>/oauth/authorize.php",
"TokenEndpoint": "https://<HOSTNAME>/oauth/token.php",
"UserApiEndpoint": "https://<HOSTNAME>/oauth/resource.php"
},
Change <HOSTNAME> by the hostname or ip of the server where you have installed Mattermost-LDAP module. The Secret and Id parameters should contain the tokens generated previously.
Note : You need to restart the Mattermost server to take into account the change.
Since Mattermost-LDAP version 2.1, HTTPS is enable by default to protect sensitive data exchanged between users and Mattermost-LDAP (LDAP username and password).
You need to provide a pair of TLS certificates and to store these in a directory named certs. To generate self-signed certificates you can use the following command :
mkdir certs
openssl req -x509 -newkey rsa:4096 -sha256 -days 364 -nodes -keyout certs/key.pem -out certs/cert.pem -subj '/CN=<HOSTNAME>' -extensions san -config <( echo '[req]'; echo 'distinguished_name=req'; echo '[san]'; echo 'subjectAltName=DNS:localhost,<HOSTNAME>')Replace <HOSTNAME> by the hostname serving the Oauth server (ie: the server where you have installed Mattermost-LDAP).
Remark : By default, Mattermost does not trust self-signed certificate. To remediate you need to add the certificate to the Mattermost server certificate bundle or change the parameter EnableInsecureOutgoingConnection to true in the Mattermost configuration (config.json).
Alternatively, you can use your own certificates and place them in the certs directory. This directory will be consumed by the Nginx container as a volume.
Note : Your certificates should be in PEM format and must be named cert.pem and key.pem, to match the Nginx configuration.
Once you have adapted environement paramters in the docker-compose file, you can run Mattermost-LDAP with the following commands (from the root of the repository) :
# With Docker
docker-compose up -d
# With Podman
podman-compose up -dThe previous command starts all services described in the Docker compose file. The -d argument allows to start all container in background, in a detached mode.
Once all services are started, go to Mattermost server and click on GitLab button to login with LDAP credential on Mattermost-LDAP. Then, if you login successfully and authorize Mattermost-LDAP to transmit your data to Mattermost, you should be log on Mattermost.
To stop Mattermost-LDAP, use the following command :
# With Docker
docker-compose down
# With Podman
podman-compose down