LDAP multiple OUs in BaseDN - only one lot of OU users can login


Hi everybody :slight_smile:

We are wanting all users to be able to be log in and use Rocket.Chat, as such we don’t have any real limitations in importing users from AD into Rocket.Chat - except for not importing a heap of Service Accounts in - which is all segregated with OU’s.

Our structure of where our users are that we want in Rocket.Chat is:
Domain >
- OU: Domain Users
-OU: Sub Group1…etc
-OU: System Administrators

I’ve configured Rocket.Chat to connect to our AD, with the Base DN as:
OU=“System Administrators”+OU=“Domain Users”,dc=domain, dc=com

I haven’t configured to ‘Sync LDAP Groups’ - at this stage we aren’t using groups for Rocket.Chat.

When I Execute the Sync all the Domain Users are imported and can log in, Awesome!..except…none of the System Administrators are imported.
If I change the Base DN to:
OU=“Domain Users”+OU=“System Administrators”,dc=domain, dc=com
The System Administrators are then imported and can login…except…now none of the Domain Users can login again (even though they could before changing the Base DN), and they are still listed under “Users” in Rocket.Chat.

Server Setup Information

  • Version of Rocket.Chat Server: 3.9.3
  • Operating System: CentOS 8
  • Deployment Method:
  • Number of Running Instances: 1
  • DB Replicaset Oplog:
  • NodeJS Version:
  • MongoDB Version: 4.4.2
  • Proxy:
  • Firewalls involved:

Any additional Information

Hello, same error here, were you able to fix that problem?

No not yet.
We are looking at moving the ‘System Administrators’ OU under Domain Users - but currently assessing the GPs that are applied.

The other option (which really isn’t an option), is to have ‘Login Fallback’ enabled in RocketChat, have the System Administrators OU as the one that is being read by RC, get all the Sys Admins to login - this then saves their passwords in Mongo. Then change the LDAP so it now reads Domain Users. As the Sys Admins have all logged in, LDAP query fails for them but because ‘Login Fallback’ is enabled it authenticates with the Password in mongo…not sure what happens when the Sys Admins change their AD passwords…

Okay, when you enable Login Fallback, all users can log into RC, it doesn’t matter if they update password or users are disabled in AD. They can always log in.

We only need to have a user filter at the DN level, so that we could import only objects compatible with users, with that the problem would be solved. I guess one option is to work with the RC APIs, to create a filtered import.