LDAP Group Import doesn't work

Hi there,

Description

The Import/Sync of my LDAP Groups doesn't work, so the channel and rights creation doesn't work either.
The User Import/Sync works great.

Here is my Config:
LDAP Usergroup Filter:
(&(sAMAccountName=#{username})(memberof:1.2.840.113556.1.4.1941:=CN=#{groupName},DC=XXXXXXXXX,DC=de (objectCategory=person)(objectClass=user))

LDAP Group BaseDN:
DC=XXXXXXXXX,DC=de

Here is a snippet of the logs:
I20200525-15:03:24.055(2) LDAP ➔ Search.info Searching by id 3b14c50eefe91544a91afefbcbd7c18b
I20200525-15:03:24.055(2) LDAP ➔ Search.debug search filter (objectGUID=;���D�������)
I20200525-15:03:24.056(2) LDAP ➔ Search.debug BaseDN DC=stadtnortheim,DC=de
I20200525-15:03:24.059(2) LDAP ➔ Search.info Search result count 1
I20200525-15:03:24.060(2) LDAPSync ➔ info Syncing user data
I20200525-15:03:24.060(2) LDAPSync ➔ debug user { email: undefined, _id: 'L86cw6xiZAkz2Q2QJ' }
I20200525-15:03:24.061(2) LDAPSync ➔ debug ldapUser undefined
I20200525-15:03:24.063(2) LDAPSync ➔ debug User role exists for mapping Systemadministratoren -> admin
I20200525-15:03:24.065(2) LDAP ➔ Search.info Search result count 0
I20200525-15:03:24.071(2) LDAPSync ➔ debug XXXXXXXX is not in Systemadministratoren group!!!
I20200525-15:03:24.073(2) LDAPSync ➔ debug User role exists for mapping Alle Benutzer -> user
I20200525-15:03:24.076(2) LDAP ➔ Search.info Search result count 0
I20200525-15:03:24.077(2) LDAPSync ➔ debug XXXXXXXX is not in Alle Benutzer group!!!
I20200525-15:03:24.083(2) server.js:204 LDAPSync ➔ error Unexpected error : Unexpected token in JSON at position 1492

and my Active Directory Structure:

Server Setup Information

  • Version of Rocket.Chat Server: 3.2.1
  • Operating System: Ubuntu Server 18.04.4 LTS
  • Deployment Method: tar
  • Number of Running Instances: 1
  • DB Replicaset Oplog: ??
  • NodeJS Version: v12.16.3
  • MongoDB Version: 4.0.18
  • Proxy: no
  • Firewalls involved: no

No help? Does no one use LDAP?!

A lot of users use LDAP as far as I know.
But not every user has an answer for your question.
In my environment LDAP Group sync works perfectly, both for Roles and Channels.
Here is my LDAP User group filter

(&(sAMAccountName=#{username})(memberOf=CN=#{groupName},OU=RocketChat,OU=Applications,OU=Groups,DC=company,DC=local))

And all groups are located in OU
OU=RocketChat,OU=Applications,OU=Groups,DC=company,DC=local


Thanks!
So my Groups are in different OUs.
So my Filter would be:
(&(sAMAccountName=#{username})(memberOf=CN=#{groupName},DC=company,DC=local))

right?!
But this doesn’t work… Same Problem.

Just move all needed groups to the right place.
But the root of the AD LDAP hierarchy is not the best place for that.
Make a separate OU for Rocket Chat groups and move all groups to that OU.

Interesting.
My Filter is now:
(&(sAMAccountName=#{username})(memberOf=CN=#{groupName},OU=Abteilungen,OU=00-Gruppen,DC=COMPANY,DC=de))
and all my Groups are in this OU. The user sync with groups and permissions works now.
Thanks!

But the Channelmapping doesn’t work. I can’t find any logs for that.
My Mapping looks like this:
{
"Alle Benutzer":"Allgemein",
"B1 - Gleichstellungsbeauftragte":"B1_Gleichstellungsbeauftragte",
"B1 - Gleichstellungsbeauftragte - Sonstige":"B1_Gleichstellungsbeauftragte",
"B2 - Datenschutzbeauftragte/r":"B2_Datenschutz",
"B2 - Datenschutzbeauftragte/r - Sonstige":"B2_Datenschutz",
"B3 - Betriebliche/r Suchthelfer/in":"B3_Suchthilfe",
"B3 - Betriebliche/r Suchthelfer/in - Sonstige":"B3_Suchthilfe",
"B4 - Betriebliches Eingliederungsmanagement":"B4_BEM",
"B4 - Betriebliches Eingliederungsmanagement - Sonstige":"B4_BEM",
"Büro des Bürgermeisters":"BdB",
"Büro des Bürgermeisters - Sonstige":"BdB",
"Geschäftsbereich 1":"GB1",
"Geschäftsbereich 1 - Sonstige":"GB1",
"1.1 - Finanzmanagement, Kasse":"1.1_Finanzen",
"1.1 - Finanzmanagement, Kasse - Sonstige":"1.1_Finanzen",
"1.2 - Personal, Organisation":"1.2_POrg",
"1.2 - Personal, Organisation - Sonstige":"1.2_POrg",
"1.3 - Bürgerdienste":"1.3_Buergerdienste",
"1.3 - Bürgerdienste - Sonstige":"1.3_Buergerdienste",
"1.4 - Kultur, Bildung, Sport":"1.4_KBS",
"1.4 - Kultur, Bildung, Sport - Sonstige":"1.4_Schulen",
"1.5 - Informations- und Kommunikationsmanagement":"1.5_IuK",
"1.5 - Informations- und Kommunikationsmanagement - Sonstige":"1.5_IuK",
"Geschäftsbereich 2":"GB2",
"Geschäftsbereich 2 - Sonstige":"GB2",
"2.1 - Stadtplanung, Bauaufsicht":"2.1_Planung",
"2.1 - Stadtplanung, Bauaufsicht - Sonstige":"2.1_Planung,
"2.2 - Hochbau":"2.2_Hochbau",
"2.2 - Hochbau Sonstige":"2.2_Hochbau",
"2.3 - Tiefbau":"2.3_Tiefbau",
"2.3 - Tiefbau - Sonstige":"2.3_Tiefbau",
"2.4 - Technische Dienste":"2.4_TD",
"2.4 - Technische Dienste - Sonstige":"2.4_TD",
"Fachwerk5Eck":"Fachwerk5Eck",
"Fachwerk5Eck - Sonstige":"Fachwerk5Eck",
"RPA - Rechnungsprüfungsamt":"RPA",
"RPA - Rechnungsprüfungsamt - Sonstige":"RPA",
"S1 - Stabstelle Recht":"S1_Recht",
"S1 - Stabstelle Recht - Sonstige":"S1_Recht",
"S2 - Stabstelle Städtebauförderung":"S2_Staedtebau",
"S2 - Stabstelle Städtebauförderung - Sonstige":"S2_Staedtebau",
"V1 - Personalvertretung":"V1_Personalvertretung",
"V1 - Personalvertretung - Sonstige":"V1_Personalvertretung",
"V2 - Schwerbehindertenvertretung":"V2_Schwerbehindertenvertretung",
"V2 - Schwerbehindertenvertretung - Sonstige":"V2_Schwerbehindertenvertretung",
"Eigenbetrieb Abwasserbeseitigung":"EBA",
"Eigenbetrieb Abwasserbeseitigung - Sonstige":"EBA",
"V3 - Personalrat EBA":"V3_Personalvertretung_EBA",
"V3 - Personalrat EBA - Sonstige":"V3_Personalvertretung_EBA"
}

EDIT: The only error:
server.js:204 LDAPSync ➔ error Unexpected error : Unexpected token in JSON at position 1492

I think you have an error somewhere in your AD group - Channel mapping.
Try with only 1 group to understand that the function works fine.
Then add all group-channel mappings, checking line by line for errors (syntax, I think).
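An added example, not code from this thread or from Rocket.Chat, that checks the two settings this thread turned on: the LDAP user group filter template with its #{username} / #{groupName} placeholders, and the group-to-channel mapping JSON. It goes one step beyond the thread by escaping substituted values per RFC 4515 before checking that the expanded filter's parentheses balance; the template, OU names and the sample mapping are constructed placeholders.

```python
import json
import re

# Constructed filter template, modelled on the working filter posted in
# the thread; OU and DC components are placeholders, not a real directory.
FILTER_TEMPLATE = ("(&(sAMAccountName=#{username})"
                   "(memberOf=CN=#{groupName},OU=RocketChat,DC=company,DC=local))")

# RFC 4515: characters that would change a filter's structure must be
# written as \XX hex when they appear inside a substituted value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template, username, group_name):
    """Substitute both placeholders with RFC 4515-escaped values."""
    return (template.replace("#{username}", escape_filter_value(username))
                    .replace("#{groupName}", escape_filter_value(group_name)))


def filter_is_balanced(filt):
    """True if every '(' has a matching ')' (escaped \\XX pairs are ignored)."""
    depth = 0
    for ch in re.sub(r"\\[0-9a-fA-F]{2}", "", filt):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def check_mapping(text):
    """Parse a group->channel mapping; return (mapping, None) or (None, message)."""
    try:
        mapping = json.loads(text)
    except json.JSONDecodeError as e:
        return None, f"line {e.lineno}, column {e.colno}: {e.msg}"
    bad = [k for k, v in mapping.items() if not isinstance(v, str) or not v]
    if bad:
        return None, f"non-string or empty channel for groups: {bad}"
    return mapping, None


if __name__ == "__main__":
    # Constructed sample reproducing the thread's defect: a missing closing quote.
    sample = '{\n"Alle Benutzer": "Allgemein",\n"2.1 - Stadtplanung": "2.1_Planung,\n"2.2 - Hochbau": "2.2_Hochbau"\n}'
    print(check_mapping(sample)[1])
    print(expand_filter(FILTER_TEMPLATE, "jdoe", "Alle Benutzer"))
```

Running the check on a mapping before pasting it into the admin UI turns "Unexpected token in JSON at position N" into a line and column you can fix directly.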

Syntax Error. You’re right!
Thanks. All works now!