Differences

documentation:latest:applications:mattermost [2019/05/19 13:48]
maxbes created
documentation:latest:applications:mattermost [2019/06/05 14:24] (current)
Line 18: Line 18:
  
 <note warning> <note warning>
-The following configuration requires your user database to expose a numeric identifier for every user.+The following configuration requires your user database to expose a unique ​numeric identifier for every user.
 </​note>​ </​note>​
  
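Review bot: adding "unique" is the right fix, but the warning should say why it matters: as the note at Line 75 explains, Mattermost maps GitLab identities to accounts by this ''id'', so two users exposing the same number would be mapped onto one Mattermost account. Suggest appending a sentence such as "Two users sharing the same identifier will be mapped to the same Mattermost account."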
Line 44: Line 44:
 Mattermost does not use OpenID Connect to communicate with Gitlab, but uses plain OAuth2 instead. Because of that, LemonLDAP::​NG will not receive the ''​scope=''​ parameter and will display an error on the portal when trying to authenticate. Mattermost does not use OpenID Connect to communicate with Gitlab, but uses plain OAuth2 instead. Because of that, LemonLDAP::​NG will not receive the ''​scope=''​ parameter and will display an error on the portal when trying to authenticate.
  
-In order to fix this, we can add a fake OAuth2 authorize URL on the LemonLDAP::​NG server that will automatically add this ''​scope=''​ parametrer+In order to fix this, we can add a fake OAuth2 authorize URL on the LemonLDAP::​NG server that will automatically add this ''​scope=''​ parametrer, before sending the request to the correct OIDC URL
  
 Here is an example configuration for Nginx, add it in your Portal virtualhost before any other rewrite rule: Here is an example configuration for Nginx, add it in your Portal virtualhost before any other rewrite rule:
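Review bot: the new clause keeps the typo "parametrer" and the sentence still has no full stop; suggest "...will automatically add this ''scope='' parameter before forwarding the request to the real OIDC authorize URL." It would also help to name the URL the fake endpoint forwards to, since the reader must match it in the rewrite rules that follow.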
Line 52: Line 52:
 </​code>​ </​code>​
  
 +And if you are using Apache
 +
 +<​code>​
 +RewriteRule "​^/​oauth2/​gitlab_authorize(.*)$"​ "​https://​auth.example.com/​oauth2/​authorize?​$1scope=openid gitlab"​ [QSA,NE]
 +</​code>​
  
 ==== Configuring LemonLDAP ==== ==== Configuring LemonLDAP ====
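Review bot: the [NE] flag on the added RewriteRule stops mod_rewrite from escaping the substitution, so the space in "openid gitlab" is emitted unescaped in the Location header; either drop NE and let mod_rewrite encode the space, or keep NE and write ''scope=openid%20gitlab''. Two smaller points: RewriteRule matches the URL path only, so ''$1'' never carries the query string (it is the QSA flag that appends client_id, redirect_uri, state and the rest), and ''(.*)'' also makes the rule match any path starting with ''/oauth2/gitlab_authorize''; anchoring it as ''^/oauth2/gitlab_authorize$'' is tighter. The lead-in "And if you are using Apache" wants a colon, and the ''<code>'' block would read better tagged as ''<code apache>''.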
Line 57: Line 62:
 We now have to configure LemonLDAP::​NG to recognize Mattermost as a valid OAuth2 relaying party and send it the information it needs to recognize a user. We now have to configure LemonLDAP::​NG to recognize Mattermost as a valid OAuth2 relaying party and send it the information it needs to recognize a user.
  
-[[ ../​idpopenidconnect | Add a new OpenID Connect]] relaying party with the following parameters:+Add a [[ ../​idpopenidconnect | new OpenID Connect relaying party ]] with the following parameters:
  
     * **Client ID**: the same you set in Mattermost configuration     * **Client ID**: the same you set in Mattermost configuration
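Review bot: the OpenID Connect term is "relying party" (the client that relies on the provider), not "relaying party"; the reworded link text should read "new OpenID Connect relying party", and the same spelling should be corrected in the unchanged sentence above and in the Troubleshooting section.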
Line 75: Line 80:
 The ''​id''​ attribute has to be different for each user, since this is the field Mattermost will use internally to map Gitlab identities to Mattermost accouts. The ''​id''​ attribute has to be different for each user, since this is the field Mattermost will use internally to map Gitlab identities to Mattermost accouts.
 </​note>​ </​note>​
 +
 +==== Troubleshooting ====
 +
 +If you see a HTTP code 500 when going back to mattermost, with a panic() in ''​(*GitLabUser).IsValid(...)''​ , it probably means that you are not exporting the correct attributes, but it can also mean that ''​id''​ is exported as a JSON string.
 +
 +If this case, it can help to create a macro, for example ''​uidNumber_n'',​ with a value of ''​$uidNumber + 0''​ to force conversion to a numeric value. You must then export it as the ''​id''​ field in the Relaying Party configuration.
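Review bot: the ''$uidNumber + 0'' macro silently yields 0 for a user whose ''uidNumber'' is empty or not numeric, so several such users would all be exported with ''id'' 0, which is exactly the collision the warning at Line 18 rules out; suggest stating that the macro is only safe when every user has a populated numeric ''uidNumber'', and that a 500 affecting only some users is a hint to check that attribute first. Wording: "If this case" should be "In this case", "a HTTP code 500" should be "an HTTP 500", and the context line above has "accouts" for "accounts".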