LDAP Inviter Bot
This is a maubot plugin that invites users to Matrix rooms according to their membership in LDAP groups. It was built in an educational context, where groups of students work on software projects. The bot ensures that participating students are invited to all rooms (general chat, announcement-only, helpdesk & their group chat) and that tutors have correct power levels in the corresponding rooms.
Features:
- Ensure that a room with the configured alias exists and has the correct name
- Invite users from LDAP and from the config and give them the configured power levels
- Set the room visibility
- Room aliases, room names and LDAP DNs are templateable.
- Matrix IDs of LDAP users are generated using the
uid
attribute from LDAP and a configurable homeserver. - The bot does not remove or uninvite users from rooms. This is intentional, to allow students to join with their own Matrix accounts.
Notes
Dependencies
This Bot requires the python-ldap
library. It must be installed manually in the python environment used by your Maubot instance. If you run Maubot via the official Docker image, run apk add py3-pyldap
in the container.
Rate Limiting
The bot will quickly run into rate limits. You can use the Synapse Admin API to remove rate limits for the bot user. See https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#override-ratelimiting-for-users for more details.
Config
# LDAP config
ldap:
uri: 'ldap://foo.bar.tld:389' # URI of your LDAP server
base_dn: 'cn=users,dc=foo,dc=bar,dc=tld' # base-DN of your user objects
connect_dn: 'uid=ldap-bot,cn=users,dc=foo,dc=bar,dc=tld' # DN of the user used to bind
connect_password: 'verySecure' # password of the user used to bind
user_filter: '(objectClass=inetOrgPerson)'
mxid_homeserver: 'matrix.server.tld' # Homeserver used to generate MXIDs from LDAP uids
# Rooms that should be synced
sync_rooms:
- alias: '#event-<1>-group-1:matrix.server.tld' # Aliases can include '<1>' placeholders
# Should the room be visible in the room list?
# Can be 'private' or 'public'
visibility: 'private'
# Names can include '<1>' placeholders
name: 'Foo <1>'
# LDAP members for this room
ldap_members:
- ldap_group: 'cn=event-<1>-group1,cn=groups,dc=foo,dc=bar,dc=tld'
power_level: 0
# Groups can include '<1>' placeholders
- ldap_group: 'cn=event-<1>-tutors1,cn=groups,dc=foo,dc=bar,dc=tld'
power_level: 100
# Hardcoded members for this room
members:
- mxid: '@super.admin:matrix.server.tld'
power_level: 100
# Users that are allowed to run a sync
admin_users:
- '@super.admin:matrix.server.tld'
Usage
To check the connection to your LDAP server, write !ldap-check
in a room with the bot. It will print out the computed members for all configured rooms. If you used the <1>
placeholder in the config file, you will need to provide a value for arg
.
To run the actual invite process, write !ldap-sync
in a room with the bot.