Help with ldap sync & auth

Description

It is impossible to log in as users who are created by LDAP. After changing the password in the chat admin panel, the login works.
I deployed a test chat of the same version, without users, and everything works. On the production server it does not. The LDAP settings are the same. I attach the login logs. By e-mail:

```
May 21 11:22:22 rocket-enc rocketchat[820738]: CROWD ➔ info Extracting crowd_username
May 21 11:22:22 rocket-enc rocketchat[820738]: CROWD ➔ debug Could not find a user by email test2@smartoworld.team
May 21 11:22:22 rocket-enc rocketchat[820738]: CROWD ➔ debug Could not find a user by username
May 21 11:22:22 rocket-enc rocketchat[820738]: CROWD ➔ debug Could not find a user with by crowd_username test2@smartoworld.team
May 21 11:22:22 rocket-enc rocketchat[820738]: CROWD ➔ debug New user. User is not synced yet.
May 21 11:22:22 rocket-enc rocketchat[820738]: CROWD ➔ debug Going to crowd: test2@smartoworld.team
May 21 11:22:22 rocket-enc rocketchat[820738]: Error sending request: connect ECONNREFUSED 127.0.0.1:80
May 21 11:22:22 rocket-enc rocketchat[820738]: CROWD ➔ debug Error: connect ECONNREFUSED 127.0.0.1:80
May 21 11:22:22 rocket-enc rocketchat[820738]:     at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1144:16)
May 21 11:22:22 rocket-enc rocketchat[820738]:     at TCPConnectWrap.callbackTrampoline (internal/async_hooks.js:126:14) {
May 21 11:22:22 rocket-enc rocketchat[820738]:   errno: 'ECONNREFUSED',
May 21 11:22:22 rocket-enc rocketchat[820738]:   code: 'ECONNREFUSED',
May 21 11:22:22 rocket-enc rocketchat[820738]:   syscall: 'connect',
May 21 11:22:22 rocket-enc rocketchat[820738]:   address: '127.0.0.1',
May 21 11:22:22 rocket-enc rocketchat[820738]:   port: 80
May 21 11:22:22 rocket-enc rocketchat[820738]: }
May 21 11:22:22 rocket-enc rocketchat[820738]: server.js:204 CROWD ➔ error Crowd user not authenticated due to an error
```


By login:

```
May 21 11:45:59 rocket-enc rocketchat[820738]: CROWD ➔ info Init CROWD login ivanov_ivan
May 21 11:45:59 rocket-enc rocketchat[820738]: CROWD ➔ info Extracting crowd_username
May 21 11:45:59 rocket-enc rocketchat[820738]: CROWD ➔ debug Local user found, redirecting to fallback login
May 21 11:45:59 rocket-enc rocketchat[820738]: CROWD ➔ debug User ivanov_ivan is not a valid crowd user, falling back
May 21 11:45:59 rocket-enc rocketchat[820738]: CROWD ➔ info Fallback to default account system { username: 'ivanov_ivan' }
May 21 11:46:00 rocket-enc rocketchat[820738]: API ➔ debug GET: /api/v1/users.list?offset=0&count=100
```


Server log, when manually starting synchronization:

```
Meteor ➔ method UserPresence:away -> userId: uSoJ9uLwYMNKQ2TTf, arguments: [{}]
Meteor ➔ method ldap_sync_now -> userId: uGQXRn3BRwjyzQQKq, arguments: []
LDAP ➔ Connection.info Init setup
LDAP ➔ Connection.info Connecting ldap://srv-dc1.iternal(masked).local:389
LDAP ➔ Connection.debug connectionOptions {
  url: 'ldap://srv-dc1.iternal(masked).local:389',
  timeout: 60000,
  connectTimeout: 1000,
  idleTimeout: 1000,
  reconnect: true
}
Meteor ➔ method UserPresence:online -> userId: Tbhbntu9LgcCZ8zb7, arguments: [{}]
LDAP ➔ Connection.info LDAP connected
LDAP ➔ Bind.info Binding UserDN ldap_agent
LDAP ➔ Search.info Searching user *
LDAP ➔ Search.debug searchOptions {
  filter: '(&(memberOf=cn=RocketUsers, ou=group, ou=iternal(masked), dc=iternal(masked), dc=local)(|(mail=*)(sAMAccountName=*)))',
  scope: 'sub',
  sizeLimit: 1000,
  paged: { pageSize: 250, pagePause: true }
}
LDAP ➔ Search.debug BaseDN OU=users,OU=iternal(masked),DC=iternal(masked),DC=LOCAL
LDAP ➔ Search.info Searching by id 706d64
LDAP ➔ Search.debug search filter (sAMAccountName=pmd)
LDAP ➔ Search.debug BaseDN OU=users,OU=iternal(masked),DC=iternal(masked),DC=LOCAL
LDAP ➔ Search.info Final Page
LDAPSync ➔ debug userQuery { 'services.ldap.id': '746573743240736d617274776f726c642e7465616d' }
LDAP ➔ Search.info Search result count 1
LDAPSync ➔ info Syncing user data
LDAPSync ➔ debug user { email: undefined, _id: 'NHXuzKcx7mnhTtyJ6' }
LDAPSync ➔ debug ldapUser undefined
TemplateVarHandler ➔ debug template found. replacing values
TemplateVarHandler ➔ debug replacing template var: #{givenName} with value: Максим
TemplateVarHandler ➔ debug replacing template var: #{sn} with value: Пудалов
TemplateVarHandler ➔ debug replacing template var: #{title} with value: Директор по развитию
LDAPSync ➔ debug userQuery merge { username: 'test2' }
LDAPSync ➔ debug User role exists for mapping rocket-admin -> admin
LDAPSync ➔ info Syncing user data
LDAPSync ➔ debug user { email: undefined, _id: 'g5MukXr9o5F7AA9Yw' }
LDAPSync ➔ debug ldapUser undefined
TemplateVarHandler ➔ debug template found. replacing values
TemplateVarHandler ➔ debug replacing template var: #{givenName} with value: Тест
TemplateVarHandler ➔ debug replacing template var: #{sn} with value: Тестов
TemplateVarHandler ➔ debug replacing template var: #{title} with value: test change title
LDAP ➔ Search.info Search result count 0
LDAPSync ➔ debug pmd is not in rocket-admin group!!!
LDAPSync ➔ debug User Role doesn't exist: support
LDAPSync ➔ debug not syncing groups to channels
LDAPSync ➔ debug setting {
  "services.ldap.id": "706d644074686567656f732e7275",
  "services.ldap.idAttribute": "mail"
}
LDAPSync ➔ debug User role exists for mapping rocket-admin -> admin
LDAP ➔ Search.info Searching by id 7465737432
LDAP ➔ Search.debug search filter (sAMAccountName=test2)
LDAP ➔ Search.debug BaseDN OU=users,OU=iternal(masked),DC=iternal(masked),DC=LOCAL
LDAP ➔ Search.info Search result count 0
LDAPSync ➔ debug test2 is not in rocket-admin group!!!
LDAPSync ➔ debug User Role doesn't exist: support
LDAPSync ➔ debug not syncing groups to channels
LDAPSync ➔ debug setting {
  "services.ldap.id": "746573743240736d617274776f726c642e7465616d",
  "services.ldap.idAttribute": "mail"
}
LDAP ➔ Search.info Search result count 1
LDAPSync ➔ info Syncing user data
LDAPSync ➔ debug user { email: undefined, _id: 'g5MukXr9o5F7AA9Yw' }
LDAPSync ➔ debug ldapUser undefined
TemplateVarHandler ➔ debug template found. replacing values
TemplateVarHandler ➔ debug replacing template var: #{givenName} with value: Тест
TemplateVarHandler ➔ debug replacing template var: #{sn} with value: Тестов
TemplateVarHandler ➔ debug replacing template var: #{title} with value: test change title
LDAPSync ➔ debug userQuery { 'services.ldap.id': '626f7440736d617274776f726c642e7465616d' }
LDAPSync ➔ debug User role exists for mapping rocket-admin -> admin
LDAPSync ➔ debug userQuery merge { username: 'bot' }
LDAP ➔ Search.info Search result count 0
LDAPSync ➔ debug test2 is not in rocket-admin group!!!
LDAPSync ➔ debug User Role doesn't exist: support
LDAPSync ➔ debug not syncing groups to channels
LDAPSync ➔ debug setting {
  "services.ldap.id": "746573743240736d617274776f726c642e7465616d",
  "services.ldap.idAttribute": "mail"
}
TemplateVarHandler ➔ debug template found. replacing values
TemplateVarHandler ➔ debug replacing template var: #{givenName} with value: blackbot
TemplateVarHandler ➔ debug user does not have attribute: sn
LDAPSync ➔ debug New user data { username: 'bot', email: 'bot@my.external.domain' }
LDAP ➔ Search.info Searching by id 6976616e6f765f6976616e
LDAP ➔ Search.debug search filter (sAMAccountName=ivanov_ivan)
LDAP ➔ Search.debug BaseDN OU=users,OU=iternal(masked),DC=iternal(masked),DC=LOCAL
LDAP ➔ Search.info Search result count 1
LDAPSync ➔ info Syncing user data
LDAPSync ➔ debug user { email: undefined, _id: 'tGvvsX7RJQHKhjfqX' }
LDAPSync ➔ debug ldapUser undefined
TemplateVarHandler ➔ debug template found. replacing values
TemplateVarHandler ➔ debug replacing template var: #{givenName} with value: Иван
TemplateVarHandler ➔ debug replacing template var: #{sn} with value: Иванов
TemplateVarHandler ➔ debug replacing template var: #{title} with value: Должность
server.js:204 LDAPSync ➔ error Error creating user errorClass [Error]: Email already exists. [403]
    at handleError (packages/accounts-password/password_server.js:110:17)
    at checkForCaseInsensitiveDuplicates (packages/accounts-password/password_server.js:257:7)
    at createUser (packages/accounts-password/password_server.js:1130:3)
    at AccountsServer.Accounts.createUser (packages/accounts-password/password_server.js:1218:10)
    at addLdapUser (app/ldap/server/sync.js:477:29)
    at app/ldap/server/sync.js:543:5
    at Array.forEach (<anonymous>)
    at app/ldap/server/sync.js:510:13
    at runWithEnvironment (packages/meteor.js:1286:24) {
  isClientSafe: true,
  error: 403,
  reason: 'Email already exists.',
  details: undefined,
  errorType: 'Meteor.Error'
}
LDAPSync ➔ debug userQuery {
  'services.ldap.id': '6976616e6f765f6976616e40736d617274776f726c642e7465616d'
}
LDAPSync ➔ debug User role exists for mapping rocket-admin -> admin
LDAPSync ➔ debug userQuery merge { username: 'ivanov_ivan' }
LDAP ➔ Search.info Search result count 0
LDAPSync ➔ debug ivanov_ivan is not in rocket-admin group!!!
LDAPSync ➔ debug User Role doesn't exist: support
LDAPSync ➔ debug not syncing groups to channels
LDAPSync ➔ debug setting {
  "services.ldap.id": "6976616e6f765f6976616e40736d617274776f726c642e7465616d",
  "services.ldap.idAttribute": "mail"
}
LDAPSync ➔ info Syncing user data
LDAPSync ➔ debug user { email: undefined, _id: 'tGvvsX7RJQHKhjfqX' }
LDAPSync ➔ debug ldapUser undefined
TemplateVarHandler ➔ debug template found. replacing values
TemplateVarHandler ➔ debug replacing template var: #{givenName} with value: Иван
TemplateVarHandler ➔ debug replacing template var: #{sn} with value: Иванов
TemplateVarHandler ➔ debug replacing template var: #{title} with value: Должность
LDAPSync ➔ debug User role exists for mapping rocket-admin -> admin
LDAP ➔ Search.info Search result count 0
LDAPSync ➔ debug ivanov_ivan is not in rocket-admin group!!!
LDAPSync ➔ debug User Role doesn't exist: support
LDAPSync ➔ debug not syncing groups to channels
LDAPSync ➔ debug setting {
  "services.ldap.id": "6976616e6f765f6976616e40736d617274776f726c642e7465616d",
  "services.ldap.idAttribute": "mail"
}
LDAPSync ➔ info Import finished. Users imported: 3
API ➔ debug GET: /api/v1/users.list?offset=0&count=100

API ➔ debug GET: /api/v1/users.list?offset=100&count=100

LDAP ➔ Search.info Idle
LDAP ➔ Connection.info Disconecting
LDAP ➔ Search.info Closed
API ➔ debug GET: /api/v1/users.list?offset=0&count=100
```

and ldap settings:

https://ibb.co/s2Rnwtr

Can you please tell me what I'm doing wrong?

### Server Setup Information

- Version of Rocket.Chat Server: 3.14.1
- Operating System: ubuntu 20.04
- Deployment Method: tar
- Number of Running Instances: iZ9gQo5te2fSsMhRu
- DB Replicaset Oplog: 
- NodeJS Version: v12.21.0
- MongoDB Version: 4.0.23 / mmapv1 (oplog Enabled)
- Proxy: nginx (4443 public port, 3000 internal, from nginx to Node)
- Firewalls involved: - 

### Any additional Information

Hi.

First it looks like you are using Crowd?

But you also have an LDAP server too?

Can you explain this a little bit more?

For reference I also note your issue here.

Please stay in the forums unless we can prove it really is a bug. Thanks.

It was not in vain that you drew my attention to CROWD.
It was an old, unused connection. After turning it off, everything worked right away.
There is still a small problem with the fact that it is not possible to issue the administrator role in LDAP,
using Microsoft hell.
The LDAP settings are in the screenshot: ldap-setting — ImgBB
I suspect I am wrong in the parameters:
User Group Filter
(& (objectClass = user) (memberOf = cn = RocketUsers, ou = group, ou = iternal, dc = external, dc = domain))
LDAP Group BaseDN
CN = RocketUsers, OU = group, OU = iternal, DC = external, DC = domain
User Data Group Map
{
"RocketAdmin": "Admin"
}

RocketUsers - my OU with all RocketChat users
RocketAdmin - my OU with the RocketChat admin
Thanks