roles/matrix-synapse: better ldap integration

read password from config file instead of generating one new every time

roles/matrix-synapse/defaults/main.yaml

@@ -6,9 +6,11 @@ synapse_domain: '{{ domain }}'
 ldap_server: 'ldap1.dmz.{{ domain }}'
 ldap_domain: '{{ domain }}'
 ldap_basedn: 'dc={{ ldap_domain.replace(".", ",dc=") }}'
+ldap_tls_enabled: true
 ldap_tls_server_ca: '{{ tls_root_ca }}'
+ldap_renew_secret: false
 synapse_coturn_integration: true
-coturn_host: 'matrix'
+coturn_host: 'turn'
 coturn_fqdn: 'turn.{{ domain }}'
 coturn_port: '3478'
 ...

roles/matrix-synapse/tasks/main.yaml

@@ -43,14 +43,14 @@
       - 'python3-psycopg2'
 
 - block:
-    - name: 'create synapse DB'
+    - name: 'PGSQL | create synapse DB'
       postgresql_db:
         name: 'synapse'
         encoding: 'UTF-8'
         lc_collate: 'C'
         lc_ctype: 'C'
         template: 'template0'
-    - name: 'create synapse DB user'
+    - name: 'PGSQL | create synapse DB user'
       postgresql_user:
         name: 'matrix-synapse'
         db: 'synapse'
@@ -79,30 +79,50 @@
     nginx_proxy_location_path: '{{ synapse_nginx_proxy_location_path }}'
   notify: 'restart nginx'
 
-- name: 'generate matrix ldap password'
-  gen_passwd: 'length=32'
-  register: synapse_ldap_passwd
+- name: 'try to read LDAP service password'
+  command: 'sed -n "s/^\s\+bind_password: \"\(.\+\)\"$/\1/p" /etc/matrix-synapse/homeserver.yaml'
+  register: synapse_read_ldap_passwd
+  no_log: true
   tags:
     - 'service_password'
 
-- name: 'set matrix ldap password in ldap'
-  delegate_to: 'localhost'
-  ldap_passwd:
-    dn: 'cn={{ host_fqdn }},ou=Server,{{ ldap_basedn }}'
-    passwd: '{{ synapse_ldap_passwd.passwd }}'
-    server_uri: 'ldap://{{ ldap_server }}'
-    start_tls: true
-    bind_dn: '{{ ldap_admin_dn }}'
-    bind_pw: '{{ ldap_admin_pw }}'
+- name: 'set LDAP service password'
+  set_fact:
+    synapse_ldap_passwd: '{{ synapse_read_ldap_passwd.stdout | d("") }}'
+  no_log: true
   tags:
     - 'service_password'
 
-- name: 'update ldap tls server ca'
+- block:
+    - name: 'LDAP | generate client service password'
+      gen_passwd: 'length=32'
+      register: 'synapse_ldap_gen_passwd'
+      no_log: true
+      tags:
+        - 'service_password'
+    - name: 'LDAP | set client service password on server'
+      delegate_to: 'localhost'
+      ldap_passwd:
+        dn: 'cn={{ host_fqdn }},ou=Server,{{ ldap_basedn }}'
+        passwd: '{{ synapse_ldap_gen_passwd.passwd }}'
+        server_uri: 'ldap://{{ ldap_server }}'
+        start_tls: '{{ ldap_tls_enabled }}'
+        bind_dn: '{{ ldap_admin_dn }}'
+        bind_pw: '{{ ldap_admin_pw }}'
+    - name: 'LDAP | set client service password on client'
+      set_fact:
+        synapse_ldap_passwd: '{{ synapse_ldap_gen_passwd.passwd }}'
+      no_log: true
+  when: synapse_ldap_passwd == '' or ldap_renew_secret
+  tags:
+    - 'service_password'
+
+- name: 'LDAP | update client root ca'
   copy:
     content: '{{ ldap_tls_server_ca }}'
     dest: '/etc/ldap/server_ca.crt'
 
-- name: 'configure ldap client'
+- name: 'LDAP | configure client'
   copy:
     src: 'ldap.conf'
     dest: '/etc/ldap/ldap.conf'

roles/matrix-synapse/templates/homeserver.yaml.j2

@@ -1563,9 +1563,9 @@ password_providers:
         attributes:
            uid: "uid"
            mail: "mail"
-           name: "sn"
+           name: "cn"
         bind_dn: "cn={{ host_fqdn }},ou=Server,{{ ldap_basedn }}"
-        bind_password: "{{ synapse_ldap_passwd.passwd }}"
+        bind_password: "{{ synapse_ldap_passwd }}"
         filter: "(authorizedService=matrix)"