Active directory Group integration V2.0.0

Community Support
1

Description

Hello all,

i want to use the new Sync LDAP Grous function and i can’t figure out how to set it up.
The system is currently configured to let map all users of a group using the old search user tab with the filter:
(memberOf=cn=Rocket_Chat,ou=Group,ou=base,ou=rocket,dc=test,dc=net)
scope: sub
search: sAMAccountName

i tried to set up the new Sync option like this:

User Group Filter: (&(cn=#{groupName})(description=#{username}))
LDAP GROUP BaseDN ou=Group,ou=base,ou=rocket,dc=test,dc=net

User Data Group Map
{
“rockettest”: “Moderator”,
“Rocket_Admin”: “admin”
“Rocket_crm”: “livechat-agent”
}

It does not work with this configuration and i can’t figure out the problem.
If someone could please help me with this problem it would be super nice :smiley:

Thanks a lot and Best Regards

Server Setup Information

  • Version of Rocket.Chat Server: 2.0.0
  • Operating System: linux
  • Deployment Method: tar
  • Number of Running Instances: 1
  • DB Replicaset Oplog: active
  • NodeJS Version: v8.11.3
  • MongoDB Version: 4.0.12

Any additional Information

Members of the ldap groups seem to be identified by an attribute with the name “member” and a value that looks like the distinguishedName of the user
(CN=Max Mustermann,ou=Group,ou=base,ou=rocket,dc=test,dc=net ).
All Groups are global security group and i’m using active directory on a WindowsServer 2016.

2

I partially got it to work with Active Directory.

I’m running RocketChat version 2.1.0 in CentOS. My AD is Windows Server 2012

These are my settings under Sync / Import section of LDAP configuration:

Username Field: sAMAccountName

Unique Identifier Field: name,sAMAccountName,userPrincipalName,mail

Default Domain: my.domain.com

Merge Existing Users: True

Sync User Data: True

User Data Field Map: {“displayName”:“name”, “mail”:“email”}

Sync LDAP Groups: True

Auto Remove User Roles: True

User Group Filter:
(&(sAMAccountName=#{username})(memberOf=CN=#{groupName},OU=Groups,OU=My_Dept,DC=my,DC=domain,DC=com))

LDAP Group BaseDN: OU=Users,DC=my,DC=domain,DC=com

User Data Group Map: {“rocket_test”:“user”}

Auto Sync LDAP Groups Channels: True

Channel Admin: rocket.cat

LDAP Group Channel Map: {“rocket_test”:“test_channel”}

Auto Remove Users from Channels: True

Sync User Avatar: False

Background Sync: False

Notes:

#test_channel I set as public

With this configuration, I’m able to login with an AD account and properly assign the role and join a channel. The problem now is that when I login with the AD account for the first time I get a “user not found or incorrect password” message on the login screen. At this point, the user did successfully authenticate and the new user is created in Rocketchat, but the authentication does not complete. If I click the login button a second time, then everything works fine. That’s what I’m troubleshooting now.

Some of the issues I found was that the JSON string in User Data Group Map and LDAP Group Channel Map is very sensitive and triggers errors in the debug log. For example, if you hit enter after { , it caused issues or if I had a comma at the tend of a mapping “something”:“something”,. Sometimes even without the comma it triggered errors.

To figure out exactly what filter to use, I downloaded a tool called: JXplorer. With this tool I connected to my AD and I found the user I was testing. When I found the user, there is a list of groups the user is a member of. Then I took the value of the group’s memberOf and replaced" CN=Group_Name with CN=#{groupName} the full path of the group.

The LDAP Group BaseDN, I used the same BaseDN from the main LDAP configuration section.

Hopefully this will help you or someone. If I find a solution to the “user not found or incorrect password” issue i’m now having, I will post the solution.

3

the Problem has been solved. The key in this case was the inclusion of the nesting Filter to get nested Groups working.

The format looks like this:
(&(sAMAccountName=#{username})(memberof:1.2.840.113556.1.4.1941:=CN=#{groupName},DC=your domain (objectCategory=person)(objectClass=user))

We included the category and class filter to rule out false positives like the nested security groups.

4

Hi,
i have the same problem but with rocket chat version 2.4.2

The Group Mapping was working a few week ago and now i have a lot of problems.
If i use the LDAP Group Channel Map the channels are created but i can not login anymore. I got for existing users that the password is wroing or the user does not exists.

If i delete the LDAP Group Channel Map i can login again with my users.
If i only delete the channels that are created through the LDAP Group Channel Map i can login one time with a user, then the channels are created and after that i can not login anymore.
That is really strange.
If someone can help me with this, it would be great.

My ldap config looks like this:

Username Field: sAMAccountName

Unique Identifier Field: objectGUID,ibm-entryUUID,GUID,dominoUNID,nsuniqueId,uidNumber

Merge Existing Users: No

Sync User Data: Yes

User Data Field Map: {“cn”:“name”, “mail”:“email”}

Sync LDAP Groups: Yes

Auto Remove User Roles: Yes

User Group Filter: (&(sAMAccountName=#{username})(memberOf:1.2.840.113556.1.4.1941:=CN=#{groupName},OU=RocketChat,DC=my,DC=domain,DC=com))

LDAP Group BaseDN: OU=RocketChat,DC=my,DC=domain,DC=com

User Data Group Map:
{
“RC_Admins”:“admin”
}

Auto Sync LDAP Groups to Channels: Yes
Channel Admin: admin
LDAP Group Channel Map:
{
“RC_IT”: “IT”,
“RC_Test”: “Test”
}

Auto Remove Users from Channels: Yes
Sync User Avatar: No
Background Sync: Yes
Background Sync Intervall: 24 hours
Background Sync Import New Users: yes
Background Sync Update Existing Users: yes

5

Hi @phatair

I have the exactly the same problem.

I already use nested groups rules to search for users inside groups.

My RocketChat is version 3.0.0.

any help…???

1 Like