For those who, like me, came here looking for a way to disable Rocket.Chat users that no longer exist in OpenLDAP: I have written a Ruby script that syncs this correctly. Just install the rubygems net-ldap
and rocketchat
and put this script somewhere on your executable path:
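#!/usr/bin/env ruby
# frozen_string_literal: true

# Deactivates (or, with CHAT_DELETE=true, deletes) Rocket.Chat accounts that
# were provisioned from LDAP but no longer have a matching posixAccount in the
# directory. All configuration comes from the environment (see `options`).
#
# Exits with status 1 on any LDAP / Rocket.Chat connection or authentication
# failure, when the LDAP search does not complete successfully, or when the
# directory returns no accounts at all -- a failed bind, a size-limited search
# or an empty result must never be mistaken for "everybody left".
require 'set'
require 'net-ldap'
require 'rocketchat'

options = {
  ldap: {
    host: ENV.fetch('LDAP_HOST', 'ldap.example.com'),
    # Integer() rejects a malformed value instead of silently turning it into port 0.
    port: Integer(ENV.fetch('LDAP_PORT', '636')),
    base: ENV.fetch('LDAP_BASE', 'ou=People,dc=example,dc=com'),
    username: ENV.fetch('LDAP_USERNAME', 'uid=rocketchat,ou=People,dc=example,dc=com'),
    # No placeholder default: a secret must be supplied explicitly, never guessed.
    password: ENV.fetch('LDAP_PASSWORD') { abort 'LDAP_PASSWORD must be set' }
  },
  chat: {
    url: ENV.fetch('CHAT_URL', 'https://rocketchat.example.com'),
    username: ENV.fetch('CHAT_USERNAME', 'username'),
    password: ENV.fetch('CHAT_PASSWORD') { abort 'CHAT_PASSWORD must be set' },
    # true: delete stale accounts permanently; false (default): deactivate them.
    delete: ENV.fetch('CHAT_DELETE', 'false') == 'true',
    # true: only report what would change; nothing is written to Rocket.Chat.
    dry_run: ENV.fetch('CHAT_DRY_RUN', 'false') == 'true'
  }
}

ldap = Net::LDAP.new(
  host: options[:ldap][:host],
  port: options[:ldap][:port],
  encryption: :simple_tls,
  base: options[:ldap][:base],
  auth: {
    method: :simple,
    username: options[:ldap][:username],
    password: options[:ldap][:password]
  }
)

# `cn` of every posixAccount in the directory. A Set keeps the per-user
# membership test below O(1).
available = Set.new
begin
  # Bind explicitly so a wrong credential is reported as such instead of
  # surfacing later as an empty -- and therefore dangerous -- result set.
  abort "failed to bind to ldap: #{ldap.get_operation_result.message}" unless ldap.bind

  filter = Net::LDAP::Filter.eq('objectClass', 'posixAccount')
  ldap.search(
    base: options[:ldap][:base],
    filter: filter,
    attributes: ['cn'],
    return_result: false
  ) do |entry|
    # An entry without a cn cannot be matched against a Rocket.Chat username.
    cn = entry[:cn]&.first
    available << cn if cn
  end

  # A non-zero result code (e.g. sizeLimitExceeded) means the list is partial;
  # acting on a partial list would disable every account past the cut-off.
  result = ldap.get_operation_result
  abort "ldap search did not complete: #{result.message}" unless result.code.zero?
rescue StandardError => e
  warn "failed to connect to ldap: #{e.message}"
  exit 1
end

if available.empty?
  warn 'failed to fetch ldap users'
  exit 1
end

server = RocketChat::Server.new(options[:chat][:url])
session = begin
  server.login(options[:chat][:username], options[:chat][:password])
rescue StandardError => e
  warn "failed to auth rocketchat: #{e.message}"
  exit 1
end

dry_run = options[:chat][:dry_run]
page_size = 50

begin
  offset = 0
  loop do
    users = session.users.list(offset: offset, count: page_size, query: { ldap: true })
    break if users.empty?

    removed = 0
    users.each do |user|
      # The LDAP cn is assumed to equal the Rocket.Chat username (case-sensitive);
      # confirm this matches the LDAP login mapping configured in Rocket.Chat.
      next if available.include?(user.username)

      if options[:chat][:delete]
        unless dry_run
          session.users.delete(user.id)
          removed += 1
        end
        puts "#{dry_run ? 'would delete' : 'deleted'} inactive user #{user.username} with id #{user.id}"
      else
        next unless user.active?

        session.users.update(user.id, active: false) unless dry_run
        puts "#{dry_run ? 'would disable' : 'disabled'} inactive user #{user.username} with id #{user.id}"
      end
    end

    # Deleted users vanish from the listing, so the next page starts that many
    # positions earlier; advancing by the full page length would skip accounts.
    offset += users.length - removed
  end
ensure
  # Always drop the REST session, even when a page fails mid-way.
  session.logout
end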