Issue when "Default Roles for Authentication Services" is set to empty

Description

I want to define different permission roles depending on LDAP group membership.
I set the appropriate role in Administration > LDAP Sync / Import > User Data Group Map.
Then I removed the users role from the setting Administration > Accounts > Registration > “Default Roles for Authentication Services” and left this field empty. Otherwise users got the users role in addition to the role defined in the User Data Group Map mapping.
When a new user logged in, he got an info window with the text “REGISTER USERNAME” and “The username is used to allow others to mention you in messages”. If I then hit the button [Use this username], I got an error that a user already exists.


Investigating further, I found out that a user has two roles: one empty role, and the other role, correctly set by the “Default Roles for Authentication Services” mapping. When I removed the empty role, the user could log in normally.

Q1: How can I solve the need to assign different roles to different users according to their LDAP group membership?

Q2: Is there some kind of “bug” when assigning an empty “Default Roles for Authentication Services” field?

Q3: Setting “Default Roles for Authentication Services” is apparently also used when authenticating over LDAP, not only over external services, like Google, Facebook, etc.
As LDAP and other authentication services can mean different user types, it would also be necessary to have separate “Default Roles” settings. Can this be separated, please?

Server Setup Information

  • Version of Rocket.Chat Server: 3.2.2
  • Operating System: Official docker
  • Deployment Method: docker
  • Number of Running Instances: 1
  • DB Replicaset Oplog: Enabled
  • NodeJS Version: v12.16.1
  • MongoDB Version: 4.0.18
  • Proxy: nginx
  • Firewalls involved: Yes