LDAP Groups not functional

romah · February 7, 2020, 8:23am

Hi All,
I’ve setup rocketchat and have basic LDAP setup - the next step of my deployment is to have channels based on LDAP user group.

I can successfully login when i have “Sync LDAP groups” Disabled but cannot login with it enabled.

My LDAP server is a Active Directory server running on Server 2016.

Here are my settings -

User Group Filer -
" (&(objectCategory=Person)(sAMAccountName=#{username})(memberOf:1.2.840.113556.1.4.1941:=cn=#{groupName},OU=Protected Groups,OU=Administrative Groups,OU=Gatekeeper,DC=DOMAIN,DC=net)) "

LDAP Group BaseDN -
" dc=DOMAIN,dc=net "

User Data Group Map -
" {“Domain Admins”:“admin”,“Domain Users”:“user” }"

LDAP Group Channel Map -
" {“Domain Users”:“announcements”} "

Server Setup Information

Version of Rocket.Chat Server: 2.4.1
Operating System: rocket.chat docker container installed on CentOS
Deployment Method: Docker
Number of Running Instances: 1
DB Replicaset Oplog: Enabled
NodeJS Version: 8.15.1 - x64
MongoDB Version: 4.0.16
Proxy: NGINX
Firewalls involved: Yes

Any additional Information

Logs taken from Rocketchat server -
“Exception while invoking method ‘login’ TypeError: Cannot read property ‘searchAllSync’ of undefined at isUserInLDAPGroup (app/ldap/server/sync.js:34:22) at mapLdapGroupsToUserRoles (app/ldap/server/sync.js:252:7) at syncUserData (app/ldap/server/sync.js:344:20) at addLdapUser (app/ldap/server/sync.js:458:2) at MethodInvocation. (app/ldap/server/loginHandler.js:150:17) at tryLoginMethod (packages/accounts-base/accounts_server.js:460:31) at tryLoginMethod (packages/accounts-base/accounts_server.js:1294:14) at AccountsServer._runLoginHandlers (packages/accounts-base/accounts_server.js:458:22) at AccountsServer.Accounts._runLoginHandlers (app/lib/server/lib/loginErrorMessageOverride.js:7:35) at MethodInvocation.methods.login (packages/accounts-base/accounts_server.js:518:31) at maybeAuditArgumentChecks (packages/ddp-server/livedata_server.js:1771:12) at DDP._CurrentMethodInvocation.withValue (packages/ddp-server/livedata_server.js:719:19) at Meteor.EnvironmentVariable.EVp.withValue (packages/meteor.js:1234:12) at DDPServer._CurrentWriteFence.withValue (packages/ddp-server/livedata_server.js:717:46) at Meteor.EnvironmentVariable.EVp.withValue (packages/meteor.js:1234:12) at Promise (packages/ddp-server/livedata_server.js:715:46) at new Promise () at Session.method (packages/ddp-server/livedata_server.js:689:23) at packages/ddp-server/livedata_server.js:559:43”

Any help would be much appreciated.

phatair · February 7, 2020, 9:26am

i have the same problem with AD 2012R2.
Look here

and here

i also wrote some infos on a existing github pull request but dont get any answer.

github.com/RocketChat/Rocket.Chat

Comment by phatair to [NEW] LDAP User Groups, Roles, and Channel Synchronization

RocketChat:develop ← wreiske:ldap-admin-groups

Hello, we are using the following configuration **Server Setup Information**… Version of Rocket.Chat Server: 2.4.2 Operating System: Ubuntu LTS Deployment Method: snap Number of Running Instances: 1 DB Replicaset Oplog: NodeJS Version: v8.17.0 MongoDB Version: 3.6.14 Proxy: caddy Firewalls involved:no If we enable "Auto Sync LDAP Groups to Channels", one user can login. After this login the Channels are created and now no one else can login to rocket chat. They got an error message "wrong user or passwort". If i logout with this user, the user can not login anymore. I have to delete these channels with the rocket chat admin and then the same happens - i can login one time, channels are created and no login is possible after that. If i disable LDAP Group to Channel Sync the AD Authenthication is working fine. The Config looks like this: **Base DN** OU=KTS,DC=my,DC=domain,DC=com **User Group Filter** (&(sAMAccountName=#{username})(memberOf:1.2.840.113556.1.4.1941:=CN=#{groupName},OU=RocketChat,OU=SecurityGroups,OU=KTS,DC=my,DC=domain,DC=com)) **LDAP Group BaseDN** OU=KTS,DC=my,DC=domain,DC=com **User Search filter** (&(objectCategory=person)(objectclass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=RC_Users,OU=RocketChat,OU=SecurityGroup,OU=KTS,DC=my,DC=domain,DC=com)) Any Idea whats going wrong? I was doing my first tests with a earlier version and the Group Sync was working fine.

i had the same error message and some others like User still exists.
Until now i dont get any support.

romah · February 7, 2020, 12:02pm

Thanks for your response, it seems that some people are successfully deploying RocketChat with AD but also some people facing issues.
Unsure how to proceed as i’d like to get RocketChat implemented for our company but cannot implement the groups with AD.

Disappointing as we’d look to buy the enterprise versions once this is deployed.

phatair · February 12, 2020, 6:48am

Yes, we have the same problem. We want to test rocket chat and if it runs smoothly we think about the enterprise version but with this problems we cant implement rocket chat.

Are we the only one who has this problems? I cant image that this is a config problem…?

marianoabdala · February 12, 2020, 11:19am

this my settings… “INTERNAL SERVER ERROR”

Topic		Replies	Views
Login after using LDAP Group Channel Map not possible Community Support	0	1872	February 4, 2020
LDAP + UserData Group Map (AD) Community Support	2	1834	October 19, 2020
Sync LDAP Groups not working Community Support	2	606	September 29, 2023
Unable to Enable: Sync LDAP Groups Option Community Support	1	870	January 17, 2020
Help wich ldap sync & auth Community Support	3	1903	May 24, 2021

[Rocket.Chat v7.0: Join the webinar] Roadmap Reveal: on-prem AI, VoIP, and more! Save your seat ->

LDAP Groups not functional

Server Setup Information

Any additional Information

Related topics