Add support for disabling Synapse's local database for user auth

spantaleev · spantaleev · commit da6edc9cba78 · 2019-07-04T17:11:51.000+03:00
This is a new feature of Synapse v1.1.0. Discussed in #145 (Github Pull Request).
diff --git a/docs/configuring-playbook-ldap-auth.md b/docs/configuring-playbook-ldap-auth.md
@@ -17,4 +17,13 @@ matrix_synapse_ext_password_provider_ldap_attributes_name: "cn"
 matrix_synapse_ext_password_provider_ldap_bind_dn: ""
 matrix_synapse_ext_password_provider_ldap_bind_password: ""
 matrix_synapse_ext_password_provider_ldap_filter: ""
-```
+```
+
+
+## Authenticating only using a password provider
+
+If you wish for users to **authenticate only against configured password providers** (like this one), **without consulting Synapse's local database**, feel free to disable it:
+
+```yaml
+matrix_synapse_password_config_localdb_enabled: false
+```
diff --git a/docs/configuring-playbook-rest-auth.md b/docs/configuring-playbook-rest-auth.md
@@ -13,3 +13,12 @@ matrix_synapse_ext_password_provider_rest_auth_registration_enforce_lowercase: f
 matrix_synapse_ext_password_provider_rest_auth_registration_profile_name_autofill: true
 matrix_synapse_ext_password_provider_rest_auth_login_profile_name_autofill: false
 ```
+
+
+## Authenticating only using a password provider
+
+If you wish for users to **authenticate only against configured password providers** (like this one), **without consulting Synapse's local database**, feel free to disable it:
+
+```yaml
+matrix_synapse_password_config_localdb_enabled: false
+```
diff --git a/docs/configuring-playbook-shared-secret-auth.md b/docs/configuring-playbook-shared-secret-auth.md
@@ -9,4 +9,13 @@ If you decide that you'd like to let this playbook install it for you, you need
 ```yaml
 matrix_synapse_ext_password_provider_shared_secret_auth_enabled: true
 matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: YOUR_SHARED_SECRET_GOES_HERE
-```
+```
+
+
+## Authenticating only using a password provider
+
+If you wish for users to **authenticate only against configured password providers** (like this one), **without consulting Synapse's local database**, feel free to disable it:
+
+```yaml
+matrix_synapse_password_config_localdb_enabled: false
+```
diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml
@@ -147,6 +147,11 @@ matrix_synapse_autocreate_auto_join_rooms: true
 # Controls password-peppering for Synapse. Not to be changed after initial setup.
 matrix_synapse_password_config_pepper: ""
 
+# Controls if Synapse allows people to authenticate against its local database.
+# It may be useful to disable this if you've configured additional password providers
+# and only wish authentication to happen through them.
+matrix_synapse_password_config_localdb_enabled: false
+
 # Controls the number of events that Synapse caches in memory.
 matrix_synapse_event_cache_size: "100K"
 
diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
@@ -1099,7 +1099,7 @@ password_config:
    # database. This is ignored if `enabled` is false, and is only useful
    # if you have other password_providers.
    #
-   #localdb_enabled: false
+   localdb_enabled: {{ matrix_synapse_password_config_localdb_enabled|to_json }}
 
    # Uncomment and change to a secret random string for extra security.
    # DO NOT CHANGE THIS AFTER INITIAL SETUP!

Original file line number	Diff line number	Diff line change
`@@ -1099,7 +1099,7 @@ password_config:`
`1099`	`1099`	# database. This is ignored if `enabled` is false, and is only useful
`1100`	`1100`	`# if you have other password_providers.`
`1101`	`1101`	`#`
`1102`		`- #localdb_enabled: false`
	`1102`	`+ localdb_enabled: {{ matrix_synapse_password_config_localdb_enabled\|to_json }}`
`1103`	`1103`
`1104`	`1104`	`# Uncomment and change to a secret random string for extra security.`
`1105`	`1105`	`# DO NOT CHANGE THIS AFTER INITIAL SETUP!`