I partially got it to work with Active Directory.
I’m running RocketChat version 2.1.0 in CentOS. My AD is Windows Server 2012
These are my settings under Sync / Import section of LDAP configuration:
Username Field: sAMAccountName
Unique Identifier Field: name,sAMAccountName,userPrincipalName,mail
Default Domain: my.domain.com
Merge Existing Users: True
Sync User Data: True
User Data Field Map: {"displayName":"name", "mail":"email"}
Sync LDAP Groups: True
Auto Remove User Roles: True
User Group Filter:
(&(sAMAccountName=#{username})(memberOf=CN=#{groupName},OU=Groups,OU=My_Dept,DC=my,DC=domain,DC=com))
LDAP Group BaseDN: OU=Users,DC=my,DC=domain,DC=com
User Data Group Map: {"rocket_test":"user"}
Auto Sync LDAP Groups Channels: True
Channel Admin: rocket.cat
LDAP Group Channel Map: {"rocket_test":"test_channel"}
Auto Remove Users from Channels: True
Sync User Avatar: False
Background Sync: False
Notes:
#test_channel I set as public
With this configuration, I’m able to login with an AD account and properly assign the role and join a channel. The problem now is that when I login with the AD account for the first time I get a “user not found or incorrect password” message on the login screen. At this point, the user did successfully authenticate and the new user is created in Rocketchat, but the authentication does not complete. If I click the login button a second time, then everything works fine. That’s what I’m troubleshooting now.
Some of the issues I found were that the JSON strings in User Data Group Map and LDAP Group Channel Map are very sensitive and trigger errors in the debug log. For example, if you hit Enter after {, it caused issues, or if I had a comma at the end of a mapping: "something":"something",. Sometimes even without the comma it triggered errors.
To figure out exactly what filter to use, I downloaded a tool called JXplorer. With this tool I connected to my AD and found the user I was testing. When I found the user, there is a list of groups the user is a member of. Then I took the value of the group’s memberOf and replaced CN=Group_Name with CN=#{groupName} in the full path of the group.
The LDAP Group BaseDN, I used the same BaseDN from the main LDAP configuration section.
Hopefully this will help you or someone. If I find a solution to the “user not found or incorrect password” issue I’m now having, I will post the solution.
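As an added example (not code from this post or from Rocket.Chat), here is a small Python checker for the two JSON map settings and the User Group Filter above: it flags the curly quotes, trailing comma and line break the post reports as breaking the maps, and shows what the filter looks like once #{username} and #{groupName} are filled in. The placeholder expansion, the rule that the value must stay on one line, and the RFC 4515 escaping of substituted values are my reconstruction of how the settings are consumed, not Rocket.Chat's own logic.

```python
import json
import re

# Filter template copied from the post; the substituted values below are constructed.
USER_GROUP_FILTER = (
    "(&(sAMAccountName=#{username})"
    "(memberOf=CN=#{groupName},OU=Groups,OU=My_Dept,DC=my,DC=domain,DC=com))"
)

CURLY = "\u201c\u201d\u2018\u2019"  # curly quotes as pasted from a word processor or forum


def validate_map(raw: str) -> tuple:
    """Check a User Data Group Map / LDAP Group Channel Map value.

    Returns (True, parsed_dict) or (False, reason). Beyond plain JSON validity it
    names the three mistakes the post reports: curly quotes, a trailing comma,
    and a line break inside the value (assumed to be rejected by the setting).
    """
    if any(ch in raw for ch in CURLY):
        return False, "curly quotes present; use straight ASCII double quotes"
    if "\n" in raw or "\r" in raw:
        return False, "value spans several lines; keep it on one line"
    if re.search(r",\s*}", raw):
        return False, "trailing comma before the closing brace"
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        return False, f"invalid JSON: {exc.msg} at column {exc.colno}"
    if not isinstance(data, dict) or not all(
        isinstance(k, str) and isinstance(v, str) for k, v in data.items()
    ):
        return False, "map must be a flat object of string keys to string values"
    return True, data


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping so a substituted value cannot change the filter's shape."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def expand_filter(template: str, username: str, group_name: str) -> str:
    """Fill #{username} and #{groupName} the way the setting would be used (assumed)."""
    return template.replace("#{username}", ldap_escape(username)).replace(
        "#{groupName}", ldap_escape(group_name)
    )


if __name__ == "__main__":
    for raw in ['{"rocket_test":"user"}', '{\u201crocket_test\u201d:\u201cuser\u201d}', '{"a":"b",}']:
        print(raw, "->", validate_map(raw))
    print(expand_filter(USER_GROUP_FILTER, "jdoe", "rocket_test"))
```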