I want to define different permission roles depending on LDAP group membership.
I set the appropriate role in Administration > LDAP Sync / Import > User Data Group Map.
Then I removed the users role from the setting Administration > Accounts > Registration > “Default Roles for Authentication Services” and left this field empty. Otherwise users got the users role in addition to the role defined in the User Data Group Map mapping.

When a new user logged in, he got an info window with the text “REGISTER USERNAME” and “The username is used to allow others to mention you in messages”. If I then hit the button [Use this username], I got an error that a user already exists.

Investigating further I found out that a user has two roles: one empty role, and the other role correctly set by the “Default Roles for Authentication Services” mapping. When I removed the empty role, the user can log in normally.
Q1: How can I set different roles for different users according to their LDAP group membership?
Q2: Is there some kind of “bug” when the “Default Roles for Authentication Services” field is assigned an empty value?
Q3: The “Default Roles for Authentication Services” setting is apparently also used when authenticating over LDAP, not only over external services like Google, Facebook, etc.
As LDAP and other authentication services can mean different user types, it would also be necessary to have separate “Default Roles” settings. Can this be separated, please?
Server Setup Information
- Version of Rocket.Chat Server: 3.2.2
- Operating System: Official docker
- Deployment Method: docker
- Number of Running Instances: 1
- DB Replicaset Oplog: Enabled
- NodeJS Version: v12.16.1
- MongoDB Version: 4.0.18
- Proxy: nginx
- Firewalls involved: Yes
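As an added illustration of the behaviour described in this report (not Rocket.Chat's own code), the block below shows how an empty “Default Roles for Authentication Services” value turns into a role named "" when the setting is split naively, how a cleaned parse combined with a group map avoids that, and an audit helper that flags stored users carrying a blank role. The group map format (LDAP group name to Rocket.Chat role), the group names and the user documents are constructed assumptions.

```javascript
// Constructed "User Data Group Map" in the assumed shape LDAP group -> role.
const USER_DATA_GROUP_MAP = {
  'rocket-admins': 'admin',
  'helpdesk': 'support',
};

// Naive handling that reproduces the reported symptom: splitting an empty
// string on "," yields [""], i.e. one role whose name is empty.
function naiveDefaultRoles(setting) {
  return setting.split(',');
}

// Hardened handling: trim every entry and drop blanks, so an empty setting
// contributes no default role at all.
function parseDefaultRoles(setting) {
  return setting
    .split(',')
    .map((r) => r.trim())
    .filter((r) => r.length > 0);
}

// Resolve the roles for one LDAP user: roles mapped from group membership
// first, then the cleaned default roles; deduplicated and sorted.
function resolveRoles(memberOfGroups, groupMap, defaultRolesSetting) {
  const roles = new Set();
  for (const group of memberOfGroups) {
    if (Object.prototype.hasOwnProperty.call(groupMap, group)) {
      roles.add(groupMap[group]);
    }
  }
  for (const r of parseDefaultRoles(defaultRolesSetting)) {
    roles.add(r);
  }
  return [...roles].sort();
}

// Audit helper over user documents (assumed to carry a `roles` array):
// returns the usernames that have a blank role, the state the report
// describes fixing by hand.
function findUsersWithBlankRole(users) {
  return users
    .filter((u) => (u.roles || []).some((r) => r.trim() === ''))
    .map((u) => u.username);
}

// Constructed sample documents so the audit can be run offline.
const SAMPLE_USERS = [
  { username: 'alice', roles: ['', 'admin'] },
  { username: 'bob', roles: ['user'] },
];
```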