LDAP group channel mapping

Description

I am able to get users synced in fine, but running into issues getting the group channel mapping setup.
AD is what is being referenced for LDAP.

This is what I currently have in the sync/import section:

Username Field sAMAccountName
Unique Identifier Field objectGUID,ibm-entryUUID,GUID,dominoUNID,nsuniqueId,uidNumber
Default Domain This does work
Merge Existing Users TRUE
Sync User Data TRUE
User Data Field Map {"cn":"displayName", "mail":"email"}
Sync LDAP Groups TRUE
Auto Remove User Roles TRUE
User Group Filter (&(cn=#{groupName})(memberUid=#{username}))
LDAP Group BaseDN This does work
User Data Group Map

{
  "rc_hs_kci_rep": "users",
  "tech-support": "support"
}

Auto Sync LDAP Groups to Channels TRUE
Channel Admin rocket.cat
LDAP Group Channel Map

{
  "Rocketchat-sysadmin": "sysadmins",
  "rc_hs_kci_rep": "hs_kci",
  "techsupport": [
    "helpdesk",
    "support"
  ]
}

Auto Remove Users from Channels FALSE
Sync User Avatar FALSE
Background Sync FALSE
Background Sync Interval Every 24 hours
Background Sync Import New Users TRUE
Background Sync Update Existing Users TRUE

My understanding is that you can use the group channel map to add/remove users in a group, but can it create groups automatically?

So the group filter pulls in any AD groups and their members and translates them into the variables for Rocket.Chat, #groupname and #username, for later data and channel mapping?

And under the LDAP group channel map, you list just the sAMAccountName of the group that the filter pulls in, and it matches the channel in Rocket.Chat after the colon.

I think my first problem is that the user group filter does not work.

Can anyone help with that? All of my groups will be in one OU.

Server Setup Information

  • Version of Rocket.Chat Server: 2.1.0
  • Operating System: Linux
  • Number of Running Instances: 1

[quote=“dan.westby, post:1, topic:5067”]
User Group Filter (&(cn=#{groupName})(memberUid=#{username}))
[/quote]
Your problem is here. You need something like this:
(&(sAMAccountName=#{username})(memberOf=CN=#{groupName},OU=RocketChat,OU=Groups,DC=domain,DC=local))

Thank you. I added that, but it still will not sync groups or users of groups at all.
Is there something I'm missing? Why are the users who are members of the groups not populating in the channels? The group channel map is set up like the instructions say, and I can't get the data group map to work either. It's almost like the user group filter is still not correct.

After enabling all logging options, I see where it is searching for and adding users, but I don’t see anything having to do with groups in the log.

I have it partially working. By partially I mean that most users are added to groups, but sometimes a user is missed. I haven't been able to figure out why.

In my group filter I have this (which handles nested AD groups):

(&(sAMAccountName=#{username})(|(memberof:1.2.840.113556.1.4.1941:=CN=#{groupName},OU=Projects,OU=Groups,OU=Users & Groups,OU=Resources,DC=ad,DC=company,DC=com)(memberof:1.2.840.113556.1.4.1941:=CN=#{groupName},OU=General,OU=Groups,OU=Users & Groups,OU=Resources,DC=ad,DC=company,DC=com))(objectCategory=person)(objectClass=user))

In my base DN I have:

OU=Users & Groups,OU=Resources,DC=ad,DC=company,DC=com

When I sync with information-level logging enabled, I see messages like:

LDAPSync ➔ info Synced user channel 8SK6RNLG2CyixhD6c from LDAP for usera

Where the cryptic string is the internal ID of the room.

2 Likes
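To see why the two filter styles in this thread behave differently, here is an added example (not code from Rocket.Chat or from anyone in this thread) that expands the `#{username}` / `#{groupName}` placeholders with RFC 4515 escaping and then emulates, over a small constructed directory, the difference between a plain `memberOf=` match and the nested `memberof:1.2.840.113556.1.4.1941:=` match. The group and user DNs are hypothetical.

```python
import re

# Escape a value for use inside an LDAP search filter (RFC 4515 section 3), so that a
# directory value containing "(", ")" or "*" cannot change the structure of the filter.
def escape_filter_value(value: str) -> str:
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)

# Expand Rocket.Chat-style #{username} / #{groupName} placeholders in a filter template.
# Unknown placeholders are left untouched so a typo in the template stays visible.
def render_filter(template: str, username: str, group_name: str) -> str:
    values = {"username": escape_filter_value(username),
              "groupName": escape_filter_value(group_name)}
    return re.sub(r"#\{(\w+)\}", lambda m: values.get(m.group(1), m.group(0)), template)

# Constructed directory (hypothetical DNs): group DN -> set of member DNs. The group
# "helpdesk-l2" is itself a member of "techsupport", so userb is only a nested member.
GROUPS = {
    "CN=techsupport,OU=General,OU=Groups,DC=ad,DC=company,DC=com": {
        "CN=usera,OU=People,DC=ad,DC=company,DC=com",
        "CN=helpdesk-l2,OU=General,OU=Groups,DC=ad,DC=company,DC=com",
    },
    "CN=helpdesk-l2,OU=General,OU=Groups,DC=ad,DC=company,DC=com": {
        "CN=userb,OU=People,DC=ad,DC=company,DC=com",
    },
}

# Emulate what LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) does server-side:
# walk group membership upward from the DN and collect every group reached, at any depth.
def transitive_groups(user_dn: str) -> set:
    found, frontier = set(), {user_dn}
    while frontier:
        parents = {g for g, members in GROUPS.items() if members & frontier} - found
        found |= parents
        frontier = parents
    return found

# nested=False models a plain (memberOf=<group DN>) clause, which only sees direct
# membership; nested=True models the (memberof:1.2.840.113556.1.4.1941:=<group DN>) clause.
def user_matches_group(user_dn: str, group_dn: str, nested: bool) -> bool:
    if nested:
        return group_dn in transitive_groups(user_dn)
    return user_dn in GROUPS.get(group_dn, set())
```

A user who is only a nested member of a mapped group will be skipped by the plain `memberOf=` filter, which is one reason a sync can appear to miss individual users.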

Thanks a lot! Nested AD groups works great with your filter.