Mattermost System Configuration area

In the Mattermost docs it says that you can either change configurations through a webpage or through the config.json file. Is there a default username / password created for administering Mattermost?

Also, wouldn’t it be reasonable to set the default Mattermost configuration to use the local LDAP/AD configuration for user access and disable signups? This would be consistent with other applications (like Nextcloud) and what is expected from self-hosting or a typical SMB setup.

Hi @djx

If you’re paying for the commercial solution…

My 2 cents
Andy

Do you mean of NethServer or Mattermost?

NethServer only contains the so-called “Team” version of Mattermost, its so-called “free” version.

You seem to want the commercial versions of Mattermost, meaning a paid for version!

NethServer can easily run an AD for free, it’s just Mattermost can’t use the AD…

My 2 cents
Andy

Thanks! That clears up a lot. How about the system configuration page?

What do you mean by this?
I don’t use Mattermost, so I really can’t help you with this.

My 2 cents
Andy

You’ll find the system console in the menu on the top left side:

It’s possible to import users from AD, see Team chat (Mattermost) — NethServer 7 Final

3 Likes

Thanks - I was expecting to see something like this, but these options aren’t available to me. How do I make myself an admin on this system so I can see this menu?

The following command assigns the system_admin role to a user:

/opt/mattermost/bin/mmctl roles system_admin <USERNAME> --local

See also mmctl command line tool — Mattermost documentation

2 Likes

Awesome. Thank you for the help!

1 Like

Good news! Mattermost does support SSO with GitLab. Using docker-compose to run GitLab on your server and joining the container to aqua will let you auth like: LDAP → GitLab → Mattermost. If you’re doing any sort of development on your server, this might solve two problems. If you’re not doing any development, this is a pretty resource intensive fix.

I reached out to Mattermost to try to buy a server license just to get the LDAP feature, but they don’t offer that, and I don’t want to get in the habit of paying licenses per user per month.

Here’s my compose configuration (copied from their docs):

version: '3.6'
services:
  web:
    image: 'gitlab/gitlab-ce:latest'
    restart: always
    hostname: 'gitlab.mydomain.com'
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'http://gitlab.mydomain.com:MYPORT'
        nginx['redirect_http_to_https'] = false
        nginx['listen_port'] = MYPORT
        nginx['listen_https'] = false
        gitlab_rails['gitlab_shell_ssh_port'] = OTHERPORT
        gitlab_rails['ldap_enabled'] = true
        gitlab_rails['ldap_servers'] = {
          'main' => {
            'label' => 'LDAP',
            'host' =>  '172.28.0.1',
            'port' => 636,
            'uid' => 'uid',
            'encryption' => 'simple_tls',
            'verify_certificates' => false,
            'base' => 'dc=directory,dc=nh',
            'bind_dn' => 'cn=ldapservice,dc=directory,dc=nh',
            'password' => 'PASSWORD_HERE',
            'active_directory' => false,
          }
        }
    ports:
      - 'MYPORT:MYPORT'
      - 'OTHERPORT:22'
    volumes:
      - '/opt/gitlab/config:/etc/gitlab'
      - '/opt/gitlab/logs:/var/log/gitlab'
      - '/opt/gitlab/data:/var/opt/gitlab'
    shm_size: '256m'

And then you can join the container to aqua with:
docker network connect aqua gitlab-web-1

Set up a service for gitlab to allow access to your local green network using MYPORT and OTHERPORT above.

Ensure the network was joined correctly:

docker inspect gitlab-web-1 -f "{{json .NetworkSettings.Networks }}" | jq .

Then run an ldap check:
docker exec -it gitlab-web-1 gitlab-rake "gitlab:ldap:check"

Then set up a reverse proxy using the web server app to redirect gitlab.mydomain.com to http://127.0.0.1:MYPORT and turn on SSL.

Follow Mattermost’s instructions for enabling GitLab and then…

BOOM, you can now let people use Mattermost with their Nethserver username and password.

( There’s currently an issue with the Mattermost configuration for Neth, but I’ve submitted a PR for it: Set X-Forwarded headers for GitLab Auth by DerekJarvis · Pull Request #122 · NethServer/nethserver-mattermost · GitHub )

4 Likes
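A check for the LDAP block in a compose file like the one posted above, as an added example that is not part of the original post or of GitLab's own tooling. The function name `audit_gitlab_ldap` and the severity labels are made up for this illustration, and the sample input is constructed from the settings shown in the post.

```shell
#!/bin/sh
# Added example, not from the thread: flag LDAP settings in a GitLab compose
# file or gitlab.rb that weaken the LDAP -> GitLab -> Mattermost login chain.

# audit_gitlab_ldap FILE (hypothetical helper): prints one "SEVERITY key: reason"
# line per finding; exit status is 0 when nothing is flagged, 1 otherwise.
audit_gitlab_ldap() (
  rc=0
  # Drop fully commented-out lines so disabled settings are not reported.
  active=$(grep -v '^[[:space:]]*#' "$1" || true)
  has() { printf '%s\n' "$active" | grep -Eq "$1"; }

  if has "'verify_certificates'[[:space:]]*=>[[:space:]]*false"; then
    echo "HIGH verify_certificates: LDAPS server certificate is not validated"; rc=1
  fi
  if has "'encryption'[[:space:]]*=>[[:space:]]*'plain'"; then
    echo "HIGH encryption: binds and user passwords cross the network in cleartext"; rc=1
  fi
  if has "'password'[[:space:]]*=>[[:space:]]*'[^']+'"; then
    echo "MEDIUM password: bind password is stored inline in the config"; rc=1
  fi
  [ "$rc" -eq 0 ]
)

# Constructed sample mirroring the posted settings (not a real deployment).
sample=$(mktemp)
cat > "$sample" <<'EOF'
        gitlab_rails['ldap_servers'] = {
          'main' => {
            'host' => '172.28.0.1',
            'port' => 636,
            'encryption' => 'simple_tls',
            'verify_certificates' => false,
            'password' => 'PASSWORD_HERE',
          }
        }
EOF
audit_gitlab_ldap "$sample" || echo "review the findings above"
rm -f "$sample"
```

With `verify_certificates` set to false, `simple_tls` still encrypts the connection but GitLab accepts any certificate from the LDAP host, so the bind password and every user's login password rely on nothing sitting between the container and the directory.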

The package is ready for testing with an update to 7.9.1.
Thank you @djx!

2 Likes

@djx running an entire instance of GitHub, just to implement LDAP on Mattermost is an overkill kind of situation, for anyone. I would suggest going with this one here to achieve AD functions:

Crivaledaz/Mattermost-LDAP: This module provides an external LDAP authentication in Mattermost for the Team Edition (free). (github.com)

It’s a very actively maintained module that implements AD and LDAP for Mattermost.

I hope that won’t bother Mattermost Inc. that much for ban or create issues (aka killing free version) for circumventing features.

I looked into this first but the documentation for setting it up was a bit lacking. If you’re going to use their compose file with everything all set up, it’s probably OK. But I’m using the Mattermost application on NethServer already.

I do plan to run some sort of Git repository anyway, so it’s not a total waste for me. I usually prefer a lighter one like Gitea, but I’m going to give this one a try.

Also, even though it’s actively maintained I doubt it has gone through as many security audits as GitLab. For granting access to my network, it’s pretty important that it’s secure.

It is basically using the GitLab implementation to achieve its goal.
I think someone here in the community from the dev team had set it up successfully on their end, maybe they could share their learning.

Well, I did reach out to them to ask for a server license just for LDAP functionality. They answered that they only sell it as a subscription. I do my best to support alternative or open source applications, like Mattermost instead of Slack. But if the cost is going to be the exact same (per user, per month, forever) I just can’t justify putting the time AND money into supporting it.

I would rather spend a few hundred dollars on a permanent LDAP plugin than monthly fees forever. With my user count, it would take a year or two for this to pay for itself, but I still prefer it over monthly fees.

I hope more people start to push for a more server-oriented licensing. I guess Mattermost isn’t hurting for money if they’re willing to pass up a request from someone who wants to buy something slightly different from them.

If Mattermost took a more aggressive stance against this, I would probably just move to a different chat software.

I can understand that. But I can also figure that as a corporation, they would rather have monthly fees forever because they want to thrive longer.
However…

The team version provided by Mattermost is a really important tool for many persons that can stand to import time to time users and manage it. I hope that the corporation won’t be hassled that much from this kind of circumventions about feature limitations. But these are strange times…
You can’t buy software anymore, only rent it. And the situation is going to “award” a bully-approach from companies rather than “good buddies” one. Take the recent litigation between Adobe and Pantone… or the end of “CentOS” releases by Red Hat (with Armonk award, obviously).

I hope that the “marketing” result for the open source/publicly available version will last a lot, with a good enough conversion rate from team to corporate. When (not if) the conversion rate will fall too low… we’ll all learn something new.