LDAP auth with bind or must users be imported first?

Just checking whether my understanding of LDAP support in RC is correct:

I was under the assumption that when enabling LDAP authentication, I can point RC to an LDAP server (like AD) and when users log on, it will try to bind using the given credentials; if a user has not logged on before, the details are copied from the LDAP server and stored in RC.

I see there are a lot of other settings, including a service user and syncing of LDAP users to RC, but I was hoping not to have to use this.

I have configured RC according to my assumption (i.e. only the LDAP server, no service user) but I cannot log on with AD credentials.

In the logs, I see errors like the following:

LdapErr: DSID-0C090752, comment: In order to perform this operation a successful bind must be completed on the connection
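The bind error quoted above is the directory refusing a search on a connection that has not yet authenticated. The following toy model, added here as an illustration and not taken from Rocket.Chat or from any LDAP library, reproduces that behaviour with an in-memory directory (all DNs, accounts and passwords are constructed sample values) and contrasts the two login flows: search-then-bind, which needs a service account because the search runs before the user has bound, and direct bind from a DN template, which needs no service account but only works when the user's DN can be derived from the login name.

```python
"""Toy model of two LDAP login flows against an AD-like directory.

Added illustration, not Rocket.Chat code. The only AD behaviour modelled is
the one behind the quoted error: a search is rejected unless the connection
has already completed a successful bind. Everything below is constructed.
"""


class LdapError(Exception):
    pass


# Constructed sample directory: DN -> attributes. The "_pw" field exists only
# so the toy can check binds; a real directory never returns passwords.
DIRECTORY = {
    "CN=alice,OU=Users,DC=example,DC=com": {
        "sAMAccountName": "alice", "mail": "alice@example.com", "_pw": "alice-pw"},
    "CN=bob,OU=Users,DC=example,DC=com": {
        "sAMAccountName": "bob", "mail": "bob@example.com", "_pw": "bob-pw"},
    "CN=svc-rc,OU=Service,DC=example,DC=com": {
        "sAMAccountName": "svc-rc", "_pw": "svc-pw"},
}


class Connection:
    """One LDAP connection; searches require a prior successful bind."""

    def __init__(self):
        self.bound_as = None

    def bind(self, dn, password):
        entry = DIRECTORY.get(dn)
        if entry is None or entry["_pw"] != password:
            self.bound_as = None
            raise LdapError("invalidCredentials (49)")
        self.bound_as = dn
        return True

    def search(self, base, attribute, value):
        if self.bound_as is None:
            # Same condition that produces the DSID-0C090752 message in AD logs
            raise LdapError("operationsError (1): a successful bind must be "
                            "completed on the connection")
        return [dn for dn, attrs in DIRECTORY.items()
                if dn.endswith(base) and attrs.get(attribute) == value]


def login_search_then_bind(username, password, service_dn=None, service_pw=None):
    """Flow 1: look up the user's DN by search, then bind as that user.

    Without a service account the search runs unauthenticated and is refused,
    which is the failure described in the question.
    """
    conn = Connection()
    if service_dn is not None:
        conn.bind(service_dn, service_pw)
    matches = conn.search("DC=example,DC=com", "sAMAccountName", username)
    if len(matches) != 1:
        raise LdapError("user not found or ambiguous")
    user_conn = Connection()          # separate connection for the user's own bind
    user_conn.bind(matches[0], password)
    return matches[0]


def login_direct_bind(username, password,
                      dn_template="CN={user},OU=Users,DC=example,DC=com"):
    """Flow 2: derive the DN from a template and bind directly.

    No search, so no service account, but it only works when every login name
    maps to a DN by a fixed rule (hypothetical template shown as the default).
    """
    conn = Connection()
    dn = dn_template.format(user=username)
    conn.bind(dn, password)
    return dn


if __name__ == "__main__":
    try:
        login_search_then_bind("alice", "alice-pw")
    except LdapError as e:
        print("search without service account:", e)
    print(login_search_then_bind("alice", "alice-pw",
                                 "CN=svc-rc,OU=Service,DC=example,DC=com", "svc-pw"))
    print(login_direct_bind("bob", "bob-pw"))
```

The model also shows why a service account is a separate credential to protect: it can enumerate the directory on every login, so it should be a read-only account scoped to the user OU, with its password kept out of the application logs.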

Rocket.Chat needs a service account to import the users from LDAP.

I don’t like this method, as Rocket.Chat doesn’t delete/remove users that are removed or disabled in LDAP. It’s a one-way import.

I would rather see Rocket.Chat cache the LDAP search results (so that users can be searched and displayed in the UI) while updating the cache at a regular interval; then use bind (or some other means) for authentication directly against LDAP for each user.

I’m struggling with how RC works with LDAP, and it’s currently preventing me from deploying it within my org.

I have the same opinion.