-
Notifications
You must be signed in to change notification settings - Fork 2
Home
We need to evaluate a chat solution to be integrated into the NethServer ecosystem. Three possible options are XMPP (already partially in use), Matrix (modern alternative), and Mattermost (a known, robust alternative). The choice impacts integration with LDAP/AD, multi-tenancy, branding, NethVoice CTI, and long-term maintainability.
Reference: GitHub Issue #7648
We're comparing three possible solutions:
Pros
- Existing XMPP server available.
- Existing (though deprecated) Javascript client: jsxc.org.
Cons
- No support for channels.
- Poor Multi-Tenancy: Not available in ejabberd (LDAP roster incompatible) or Openfire. Prosody supports virtual hosts but lacks push notifications compatibility.
- Complex Networking: Well-known port dependency; multiple instances require non-standard ports and complex DNS SRV records.
- File transfer issues and limited integration with Acrobits.
Extra
- ejabberd has oauth2 support: https://docs.ejabberd.im/developer/ejabberd-api/oauth/
Pros
- Based on HTTP, simple integration.
- Modern and actively maintained ecosystem.
- Centralized Authentication Possible: Authentication can be centralized using Authentik (via OIDC) instead of Dex.
Cons
- New technology.
- More complex architecture than XMPP.
Suggested Stack
- Dex or Authentik → LDAP/OIDC authentication.
- Synapse → Standard Matrix server.
- Element → Official client (element.io) with optional branding.
- Sygnal → Push server (may not be strictly required, push notifications work out of the box).
Pros
- Authentik can act as the sole authenticator for all services (Mattermost, CTI, Nextcloud, etc.), promoting a unified SSO experience.
- Mattermost is already a known quantity/platform (familiarity) with a feature-rich interface.
Cons
- Requires deploying and maintaining Authentik (a new component).
- Mattermost is an extensive application, potentially requiring more resources than Synapse.
Suggested Stack
-
Authentik → OIDC authentication for all services.
- Reference: Authentik Mattermost Integration Guide
- Mattermost → Modern, feature-rich chat server.
- Mattermost Clients → Official mobile and desktop clients.
- Matterbridge → To integrate with Whatsapp
Configuration Note
If Authentik is deployed as auth.gs.nethserver.net, the following argument must be added to the mattermost.service (Mattermost pod service) to ensure the pod can resolve the host:
--add-host auth.gs.nethserver.net:169.254.1.2
If Option 2 (Matrix) is adopted, the following tasks are required, with the recognition that Authentik could replace Dex for identity management.
- Hide registration option.
- Enforce SSO login.
- Disable
matrix.orgas default server, configure local Synapse instead. - Apply branding (logo, colors, etc.).
- Use secure secret keys.
- Apply branding (logo, colors, etc.).
- Export preferred LDAP username to Synapse (currently only email + username).
- Add support for LDAP groups and Active Directory.
- Migrate from SQLite to Postgres.
- UI: configure the connected User Domain.
- UI: add Let’s Encrypt option.
- Test available Matrix integrations: Chatterbox, Cactus, Matrix Javascript SDK.
- Implement authentication:
- OIDC ID token method: CTI middleware authenticates via OAuth2 (Dex or Authentik) and reuses the ID token for Synapse.
- LDAP method: CTI middleware authenticates directly with Synapse using LDAP credentials.
- Enable VoIP and Video calls with Element Call.
- Add bridges (for Matrix): WhatsApp, Telegram.
| Option | Key Features | Centralized Auth | Maintenance Complexity | Alignment |
|---|---|---|---|---|
| XMPP | Legacy, limited features (no channels), poor multi-tenancy. | No | Low (Existing) | Poor |
| Matrix | Modern, extensible, HTTP-based, supports federation/bridges. | Yes (via Authentik) | High (New Tech) | Good |
| Mattermost | Familiar, feature-rich, enterprise-grade team collaboration. | Yes (via Authentik) | Medium/High (New App + Auth) | Excellent |
The choice is between Matrix (modern, open standard, extensible) and Mattermost (familiar, robust, strong centralized authentication). Both provide a better path forward than XMPP.