{"id":13557511,"url":"https://github.com/matrix-org/matrix-synapse-ldap3","last_synced_at":"2026-03-11T00:07:33.567Z","repository":{"id":37381970,"uuid":"73203431","full_name":"matrix-org/matrix-synapse-ldap3","owner":"matrix-org","description":"An LDAP3 auth provider for Synapse","archived":false,"fork":false,"pushed_at":"2024-05-13T15:04:47.000Z","size":225,"stargazers_count":130,"open_issues_count":27,"forks_count":45,"subscribers_count":30,"default_branch":"main","last_synced_at":"2025-04-03T21:14:13.762Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/matrix-org.png","metadata":{"files":{"readme":"README.rst","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2016-11-08T16:08:53.000Z","updated_at":"2025-03-18T21:49:02.000Z","dependencies_parsed_at":"2024-05-13T16:30:46.998Z","dependency_job_id":"bb0c62d2-bb81-46d2-ba4e-8125c21597c0","html_url":"https://github.com/matrix-org/matrix-synapse-ldap3","commit_stats":{"total_commits":97,"total_committers":35,"mean_commits":"2.7714285714285714","dds":0.8556701030927836,"last_synced_commit":"2584736204165f16c176567183f9c350ee253f74"},"previous_names":[],"tags_count":10,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/matrix-org%2Fmatrix-synapse-ldap3","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/matrix-org%2Fmatrix-synapse-ldap3/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/matrix-org%2Fmatrix-synapse-ldap3/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/matrix-org%2Fmatrix-synapse-ldap3/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/matrix-org","download_url":"https://codeload.github.com/matrix-org/matrix-synapse-ldap3/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248618262,"owners_count":21134200,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T12:04:23.605Z","updated_at":"2026-03-11T00:07:33.512Z","avatar_url":"https://github.com/matrix-org.png","language":"Python","funding_links":[],"categories":["Python","others"],"sub_categories":[],"readme":"Synapse LDAP Auth Provider\n==========================\n\nAllows synapse to use LDAP as a password provider.\n\nThis allows users to log in to synapse with their username and password from an\nLDAP server. There is also `ma1sd \u003chttps://github.com/ma1uta/ma1sd\u003e`_ (3rd party)\nthat offers more fully-featured integration.\n\nInstallation\n------------\n- Included as standard in the `deb packages \u003chttps://matrix-org.github.io/synapse/latest/setup/installation.html#matrixorg-packages\u003e`_ and\n  `docker images \u003chttps://matrix-org.github.io/synapse/latest/setup/installation.html#docker-images-and-ansible-playbooks\u003e`_ from matrix.org.\n- If you installed into a virtualenv:\n    - Ensure pip is up-to-date: `pip install -U pip`.\n    - Install the LDAP password provider: `pip install matrix-synapse-ldap3`.\n- For other installation mechanisms, see the documentation provided by the maintainer.\n\nUsage\n-----\n\nExample Synapse configuration:\n\n.. code:: yaml\n\n   modules:\n    - module: \"ldap_auth_provider.LdapAuthProviderModule\"\n      config:\n        enabled: true\n        uri: \"ldap://ldap.example.com:389\"\n        start_tls: true\n        base: \"ou=users,dc=example,dc=com\"\n        attributes:\n           uid: \"cn\"\n           mail: \"mail\"\n           name: \"givenName\"\n        #bind_dn:\n        #bind_password:\n        #filter: \"(objectClass=posixAccount)\"\n        # Additional options for TLS, can be any key from https://ldap3.readthedocs.io/en/latest/ssltls.html#the-tls-object\n        #tls_options:\n        #  validate: true\n        #  local_certificate_file: foo.crt\n        #  local_private_key_file: bar.pem\n        #  local_private_key_password: secret\n\nIf you would like to specify more than one LDAP server for HA, you can provide uri parameter with a list.\nDefault HA strategy of ldap3.ServerPool is employed, so first available server is used.\n\n.. code:: yaml\n\n   modules:\n    - module: \"ldap_auth_provider.LdapAuthProviderModule\"\n      config:\n        enabled: true\n        uri:\n           - \"ldap://ldap1.example.com:389\"\n           - \"ldap://ldap2.example.com:389\"\n        start_tls: true\n        base: \"ou=users,dc=example,dc=com\"\n        attributes:\n           uid: \"cn\"\n           mail: \"email\"\n           name: \"givenName\"\n        #bind_dn:\n        #bind_password:\n        #filter: \"(objectClass=posixAccount)\"\n        #tls_options:\n        #  validate: true\n        #  local_certificate_file: foo.crt\n        #  local_private_key_file: bar.pem\n        #  local_private_key_password: secret\n\nIf you would like to enable login/registration via email, or givenName/email\nbinding upon registration, you need to enable search mode. An example config\nin search mode is provided below:\n\n.. code:: yaml\n\n   modules:\n    - module: \"ldap_auth_provider.LdapAuthProviderModule\"\n      config:\n        enabled: true\n        mode: \"search\"\n        uri: \"ldap://ldap.example.com:389\"\n        start_tls: true\n        base: \"ou=users,dc=example,dc=com\"\n        attributes:\n           uid: \"cn\"\n           mail: \"mail\"\n           name: \"givenName\"\n        # Search auth if anonymous search not enabled\n        bind_dn: \"cn=hacker,ou=svcaccts,dc=example,dc=com\"\n        bind_password: \"ch33kym0nk3y\"\n        #filter: \"(objectClass=posixAccount)\"\n        #tls_options:\n        #  validate: true\n        #  local_certificate_file: foo.crt\n        #  local_private_key_file: bar.pem\n        #  local_private_key_password: secret\n\nAlternatively you can also put the ``bind_password`` of your service user into its\nown file to not leak secrets into your configuration:\n\n.. code:: yaml\n\n   modules:\n    - module: \"ldap_auth_provider.LdapAuthProviderModule\"\n      config:\n        enabled: true\n        # all the other options you need\n        bind_password_file: \"/var/secrets/synapse-ldap-bind-password\"\n\nPlease note that every trailing ``\\n`` in the password file will be stripped automatically.\n\nActive Directory forest support\n-------------------------------\n\nIf the ``active_directory`` flag is set to ``true``, an Active Directory forest will be\nsearched for the login details.\nIn this mode, the user enters their login details in one of the forms:\n\n- ``\u003clogin\u003e/\u003cdomain\u003e``\n- ``\u003cdomain\u003e\\\u003clogin\u003e``\n\nIn either case, this will be mapped to the Matrix UID ``\u003clogin\u003e/\u003cdomain\u003e`` (The \nnormal AD domain separators, ``@`` and ``\\``, cannot be used in Matrix User Identifiers, so \n``/`` is used instead.)\n\nLet's say you have several domains in the ``example.com`` forest:\n\n.. code:: yaml\n\n   modules:\n    - module: \"ldap_auth_provider.LdapAuthProviderModule\"\n      config:\n        enabled: true\n        mode: \"search\"\n        uri: \"ldap://main.example.com:389\"\n        base: \"dc=example,dc=com\"\n        # Must be true for this feature to work\n        active_directory: true\n        # Optional. Users from this domain may log in without specifying the domain part\n        default_domain: main.example.com\n        attributes:\n           uid: \"userPrincipalName\"\n           mail: \"mail\"\n           name: \"givenName\"\n        bind_dn: \"cn=hacker,ou=svcaccts,dc=example,dc=com\"\n        bind_password: \"ch33kym0nk3y\"\n\nWith this configuration the user can log in with either ``main\\someuser``,\n``main.example.com\\someuser``, ``someuser/main.example.com`` or ``someuser``.\n\nUsers of other domains in the ``example.com`` forest can log in with ``domain\\login``\nor ``login/domain``.\n\nPlease note that ``userPrincipalName`` or a similar-looking LDAP attribute in the format\n``login@domain`` must be used when the ``active_directory`` option is enabled.\n\nTroubleshooting and Debugging\n-----------------------------\n\n``matrix-synapse-ldap3`` logging is included in the Synapse homeserver log\n(typically ``homeserver.log``). The LDAP plugin log level can be increased to\n``DEBUG`` for troubleshooting and debugging by making the following modifications\nto your Synapse server's logging configuration file:\n\n- Set the value for `handlers.file.level` to `DEBUG`:\n\n.. code:: yaml\n\n   handlers:\n     file:\n       # [...]\n       level: DEBUG\n\n- Add the following to the `loggers` section:\n\n.. code:: yaml\n\n   loggers:\n      # [...]\n      ldap3:\n        level: DEBUG\n      ldap_auth_provider:\n        level: DEBUG\n\nFinally, restart your Synapse server for the changes to take effect:\n\n.. code:: sh\n\n   synctl restart\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmatrix-org%2Fmatrix-synapse-ldap3","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmatrix-org%2Fmatrix-synapse-ldap3","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmatrix-org%2Fmatrix-synapse-ldap3/lists"}