Attributes not used when search is anonymous

[mvalois]

We have configured our LDAP module of our Matrix server like this :

modules:
  - module: "ldap_auth_provider.LdapAuthProviderModule"
    config:
      enabled: true
      mode: simple
      uri: 
         - "ldaps://xxx:636"
      validate_cert: true
      base: "ou=users,dc=xxx.internal,dc=local"
      attributes:
        uid: "uid"
        mail: "mail"
        name: "cn"
        
      filter: "(&(|(objectclass=xxx))(|(memberof=cn=user,ou=groups,dc=xxx.internal,dc=local)))"
      group_filter: "(&(|(objectclass=xxx)))"
      allow_empty_password: false

However we observe that uid, mail and cn are not retrieved from the LDAP server, while they are retrieved when we set bind_dn and bind_password.

Is it expected?
Is it possible to do anonymous requests and still retrieve attributes for mapping?

Thank you,

[anoadragon453]

After some digging:

• User attributes are only set when registering, not upon every login:

  matrix-synapse-ldap3/ldap_auth_provider.py

  Lines 188 to 233 in 1b27412

  	# check if user with user_id exists
  	canonical_user_id = await self.account_handler.check_user_exists(user_id)
  	if canonical_user_id:
  	# exists, authentication complete
  	if hasattr(conn, "unbind"):
  	await threads.deferToThread(conn.unbind)
  	return canonical_user_id
  	else:
  	# does not exist, register
  	if self.ldap_mode == LDAPMode.SEARCH:
  	# search enabled, fetch metadata for account creation from
  	# existing ldap connection
  	filters = [(self.ldap_attributes["uid"], uid_value)]
  	result, conn, response = await self._ldap_authenticated_search(
  	server=server,
  	password=password,
  	filters=filters,
  	)
  	# These results will always return an array
  	display_name = response["attributes"].get(
  	self.ldap_attributes["name"], [localpart]
  	)
  	display_name = (
  	display_name[0]
  	if len(display_name) == 1
  	else default_display_name
  	)
  	mail = response["attributes"].get(
  	self.ldap_attributes["mail"], [None]
  	)
  	mail = mail[0] if len(mail) == 1 else None
  	else:
  	# search disabled, register account with basic information
  	display_name = default_display_name
  	mail = None
  	# Register the user
  	user_id = await self.register_user(
  	localpart.lower(), display_name, mail
  	)
  	return user_id

• In "simple" mode, user attributes are not available, and thus name / mail are not added to the user:

  matrix-synapse-ldap3/ldap_auth_provider.py

  Lines 223 to 226 in 1b27412

  	else:
  	# search disabled, register account with basic information
  	display_name = default_display_name
  	mail = None

You can still do attribute mapping without a service account: You'll need to set mode: "search" but omit bind_dn/bind_password. In that case _ldap_authenticated_search performs an anonymous bind (auth_type=ldap3.ANONYMOUS) before issuing the attribute search.

This will only work if your LDAP server allows anonymous searches to read those attributes; otherwise you must provide credentials.

I'll file a PR to explain the above in the README.