I need help with group filter

Hello

Description

I have just started with Rocket and I don’t know how to properly configure my filter to sync it with AD.

I have been using Spark until now. I had a group containing dozens of other groups from different containers, and my “Group Mapping” filter looked like this:
(memberOf=CN=Spark_groups,OU=Spark_Groups,DC=domain,DC=com)
It worked perfectly. Spark mapped all those groups with their members, and I could share them with users.

But now it doesn’t work. With this filter Rocket imports all users and puts everyone in every mapped room. You know what I mean? Example:
CN=department_group,OU=technicians,OU=city1,DC=domain,DC=com < 4 users as members
CN=seller_group,OU=distribution,OU=city2,DC=domain,DC=com < 5 members
CN=testers_group,OU=implementation,OU=city3,DC=domain,DC=com < 1 member
All three groups are members of the group Spark_groups. I map all three LDAP groups in Rocket Channel map. And what did I get?
Channel Testers with 10 users,
Channel Seller with 10 users,
Channel Department with 10 users.
In Spark:
Channel Testers with 4 users,
Channel Seller with 5 users,
Channel Department with 1 user.

It works OK with:
(&(sAMAccountName=#{username})(memberOf=CN=#{groupName},OU=technicians,OU=city1,DC=domain,DC=com))
But only for this one group.

Is it possible to set some sensible filter that will catch all containers?
Or do I have to copy group members to new groups in the same container, and is this the only method? Example:
CN=CopyDepartment_group,OU=RocketChat,DC=domain,DC=com < 4 users as members
CN=CopySeller_group,OU=RocketChat,DC=domain,DC=com < 5 members
CN=CopyTesters_group,OU=RocketChat,DC=domain,DC=com < 1 member
With filter:
(&(sAMAccountName=#{username})(memberOf=CN=#{groupName},OU=RocketChat,DC=domain,DC=com))

Server Setup Information

  • Version of Rocket.Chat Server: 3.3.3
  • Operating System: Ubuntu 20 LTS
  • Number of Running Instances: 1
  • NodeJS Version: v12.14.0
  • MongoDB Version: 4.0.19

What I did is:

  1. (Rocket.Chat) Base DN: OU=Users,DC=company,DC=com

  2. Then I created groups for Rocket.Chat in AD (or you can use other existing groups, if applicable):
    OU=Chat,OU=Aplications,OU=Groups,DC=company,DC=com

  3. (Rocket.Chat) User Group Filter: (&(sAMAccountName=#{username})(memberOf:1.2.840.113556.1.4.1941:=CN=#{groupName},OU=Chat,OU=Aplications,OU=Groups,DC=company,DC=com)(objectCategory=person)(objectClass=user))

  4. (Rocket.Chat) LDAP Group BaseDN: OU=Users,DC=company,DC=com

  5. (Rocket.Chat) LDAP Group Channel Map:
    {
    "Chat channel - employees": "Company channel",
    "Chat channel - Department 1": "Department 1",
    "Chat channel - Department 2": "Department 2",
    "Chat channel - Department 3": ["Department 3", "Department 2"]
    }

  6. (Rocket.Chat) User Search

  • Filter: (&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=Chat vsi,OU=Chat,OU=Aplikacije,OU=Skupine,DC=triglavre,DC=si)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
    Note: !(userAccountControl:1.2.840.113556.1.4.803:=2) ignores disabled users in AD; otherwise disabled AD users will appear too.

  • Search Field: sAMAccountName,mail
    Note: You can leave out “mail” if you do not want users to be able to log in with their email address too.
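The example below is added here and is not code from either post or from Rocket.Chat itself. It is a small LDAP-filter evaluator over a constructed in-memory directory that reproduces both things the thread describes: why the original Spark-style filter (no #{groupName} placeholder) lands every user in every mapped channel, and what the answerer's matching rule 1.2.840.113556.1.4.1941 (transitive memberOf) and the userAccountControl bit test add. The group and user DNs, the umbrella group "Chat_groups" and the nested "Team A" group are all made up for the demonstration; the assumption that Rocket.Chat treats a user as a group member whenever the rendered User Group Filter returns at least one entry is modelled on how its default filter (&(cn=#{groupName})(memberUid=#{username})) must behave, not taken from the page.

```python
"""Added example, not code from the forum thread: a small LDAP-filter evaluator that
shows why a Rocket.Chat User Group Filter without #{groupName} puts every user into
every mapped channel, and what AD matching rule 1.2.840.113556.1.4.1941 (nested group
membership) adds. DIRECTORY is constructed sample data, not a real Active Directory."""
import re

GROUPS_OU = "OU=Chat,OU=Aplications,OU=Groups,DC=company,DC=com"
DEPT1 = f"CN=Department 1,{GROUPS_OU}"
DEPT2 = f"CN=Department 2,{GROUPS_OU}"
UMBRELLA = f"CN=Chat_groups,{GROUPS_OU}"         # umbrella group containing the channel groups
TEAM_A = "CN=Team A,OU=Teams,DC=company,DC=com"  # nested into DEPT2, lives in another OU

def _user(name, groups, uac="512"):              # 512 = normal account, 514 = disabled
    return {"objectCategory": ["person"], "objectClass": ["top", "person", "user"],
            "sAMAccountName": [name], "userAccountControl": [uac], "memberOf": groups}

def _group(groups):
    return {"objectClass": ["top", "group"], "memberOf": groups}

DIRECTORY = {  # constructed sample directory, keyed by DN
    "CN=alice,OU=Users,DC=company,DC=com": _user("alice", [DEPT1]),
    "CN=bob,OU=Users,DC=company,DC=com": _user("bob", [DEPT2]),
    "CN=carol,OU=Users,DC=company,DC=com": _user("carol", [TEAM_A]),      # in DEPT2 only via TEAM_A
    "CN=dave,OU=Users,DC=company,DC=com": _user("dave", [DEPT1], "514"),  # disabled account
    "CN=erin,OU=Users,DC=company,DC=com": _user("erin", []),
    DEPT1: _group([UMBRELLA]), DEPT2: _group([UMBRELLA]),
    UMBRELLA: _group([]), TEAM_A: _group([DEPT2]),
}

_ITEM = re.compile(r"([^:=]+)(?::([\d.]+):)?=(.*)")  # attr[:rule:]=value

def _parse(s, i=0):
    """Recursive-descent parser for the RFC 4515 subset used in the thread."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, children), i + 1
    j = s.index(")", i)
    m = _ITEM.fullmatch(s[i:j])
    if not m:
        raise ValueError(f"bad filter item {s[i:j]!r}")
    return ("cmp", *m.groups()), j + 1

def _chain(dn, directory, seen=None):
    """Every group reachable through memberOf: what the in-chain rule walks."""
    seen = set() if seen is None else seen
    for parent in directory.get(dn, {}).get("memberOf", []):
        if parent not in seen:
            seen.add(parent)
            _chain(parent, directory, seen)
    return seen

def _eval(node, dn, entry, directory):
    kind = node[0]
    if kind in "&|":
        return (all if kind == "&" else any)(_eval(c, dn, entry, directory) for c in node[1])
    if kind == "!":
        return not _eval(node[1][0], dn, entry, directory)
    _, attr, rule, value = node
    values = entry.get(attr, [])
    if rule == "1.2.840.113556.1.4.1941":  # transitive membership; DNs compare case-insensitively
        return value.lower() in {g.lower() for g in _chain(dn, directory)}
    if rule == "1.2.840.113556.1.4.803":   # bitwise AND, e.g. ACCOUNTDISABLE (2)
        return any(int(v) & int(value) == int(value) for v in values)
    return any(v.lower() == value.lower() for v in values)

def search(filter_str, directory=DIRECTORY):
    """DNs of every entry matching the filter (base DN and scope are ignored here)."""
    node, _ = _parse(filter_str)
    return sorted(dn for dn, e in directory.items() if _eval(node, dn, e, directory))

def channel_members(template, group_name, directory=DIRECTORY):
    """Emulate Rocket.Chat's per-user, per-mapped-group check. Assumption: a user counts
    as a member when the rendered filter returns at least one entry, which is how the
    default '(&(cn=#{groupName})(memberUid=#{username}))' filter has to work."""
    members = []
    for entry in directory.values():
        if "user" not in entry["objectClass"]:
            continue
        username = entry["sAMAccountName"][0]
        rendered = template.replace("#{username}", username).replace("#{groupName}", group_name)
        if search(rendered, directory):
            members.append(username)
    return sorted(members)

# Asker's Spark-style filter: no placeholders, so the same non-empty result for every pair.
ASKER_FILTER = f"(memberOf={UMBRELLA})"
# Answerer's filter: one group per channel, membership resolved through nesting.
ANSWER_FILTER = ("(&(sAMAccountName=#{username})"
                 f"(memberOf:1.2.840.113556.1.4.1941:=CN=#{{groupName}},{GROUPS_OU})"
                 "(objectCategory=person)(objectClass=user))")
# Same without the in-chain rule: only direct members match.
DIRECT_FILTER = "(&(sAMAccountName=#{username})" + f"(memberOf=CN=#{{groupName}},{GROUPS_OU}))"
# Answerer's User Search filter, excluding disabled accounts.
USER_SEARCH_FILTER = ("(&(objectCategory=person)(objectClass=user)"
                      f"(memberOf:1.2.840.113556.1.4.1941:={UMBRELLA})"
                      "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))")
```

Running `channel_members(ASKER_FILTER, "Department 1")` returns all five users, which is the 10/10/10 symptom from the question: the filter never mentions the group, so it is non-empty for every user and every channel. `channel_members(ANSWER_FILTER, ...)` gives the expected per-department membership, and carol appears in Department 2 only with the in-chain rule (compare `DIRECT_FILTER`), which is why the rule matters when channel groups contain other groups. `search(USER_SEARCH_FILTER)` drops the disabled account, matching the note about the userAccountControl clause.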