LDAP sync makes all users admins

Description

New Rocket chat installation. When I run an LDAP sync, every imported account is set as an administrator. Not good. So I followed instructions to drop all my LDAP users from the MongoDB.

I have gone back and set the “User Data Group Map” to map LDAP groups to Rocket’s admin roles, but that’s not working either. Any idea on what I am doing wrong here?

{
"Team01": "user",
"Team02": "user",
"Team03": "user",
"Team04": "user",
"Team05": "user",
"Team06": "user",
"ChatAdmins": "admin"
}

Server Setup Information

  • Version of Rocket.Chat Server: 3.15.1
  • Operating System: Ubuntu 20
  • Deployment Method: Install guide on rocket.chat
  • Number of Running Instances: 1
  • DB Replicaset Oplog:
  • NodeJS Version:
  • MongoDB Version: Latest
  • Proxy: None
  • Firewalls involved: None

Any additional Information

What errors do you get in your logs?

I’m not really seeing any errors that point to an issue during import. I just wonder if it’s a configuration problem.

There will almost certainly be an error in your logs somewhere.

Check your log levels and then have a good look as you run the command to sync.

If you are on snaps there is information in the docs on how to check your logs.

See the debug below for one particular user (tm03-usr2). I have verified that in AD this user is only a member of Domain Users and Team03. However, if you look at the debug below, it tells me that it matches for a bunch of other teams (Team01-Team06) and an admin role.

I20210625-09:09:45.818(-5) LDAPSync ➔ info Syncing user data
I20210625-09:09:45.818(-5) LDAPSync ➔ debug user { email: 'tm03-usr2@atccrl.com', _id: 'XsQa8rrN73xFwbAER' }
I20210625-09:09:45.819(-5) LDAPSync ➔ debug ldapUser undefined
I20210625-09:09:45.820(-5) LDAPSync ➔ debug user.name changed to: tm03-usr2
I20210625-09:09:45.821(-5) LDAPSync ➔ debug User role exists for mapping Team01 → user
I20210625-09:09:45.832(-5) LDAP ➔ Search.info Search result count 7
I20210625-09:09:45.832(-5) LDAPSync ➔ debug tm03-usr2 is in Team01 group.
I20210625-09:09:45.833(-5) LDAPSync ➔ debug User role exists for mapping Team02 → user
I20210625-09:09:45.838(-5) LDAP ➔ Search.info Search result count 7
I20210625-09:09:45.838(-5) LDAPSync ➔ debug tm03-usr2 is in Team02 group.
I20210625-09:09:45.838(-5) LDAPSync ➔ debug User role exists for mapping Team03 → user
I20210625-09:09:45.844(-5) LDAP ➔ Search.info Search result count 7
I20210625-09:09:45.844(-5) LDAPSync ➔ debug tm03-usr2 is in Team03 group.
I20210625-09:09:45.845(-5) LDAPSync ➔ debug User role exists for mapping Team04 → user
I20210625-09:09:45.850(-5) LDAP ➔ Search.info Search result count 7
I20210625-09:09:45.850(-5) LDAPSync ➔ debug tm03-usr2 is in Team04 group.
I20210625-09:09:45.850(-5) LDAPSync ➔ debug User role exists for mapping Team05 → user
I20210625-09:09:45.857(-5) LDAP ➔ Search.info Search result count 7
I20210625-09:09:45.857(-5) LDAPSync ➔ debug tm03-usr2 is in Team05 group.
I20210625-09:09:45.858(-5) LDAPSync ➔ debug User role exists for mapping Team06 → user
I20210625-09:09:45.863(-5) LDAP ➔ Search.info Search result count 7
I20210625-09:09:45.863(-5) LDAPSync ➔ debug tm03-usr2 is in Team06 group.
I20210625-09:09:45.864(-5) LDAPSync ➔ debug User role exists for mapping ChatAdmins → admin
I20210625-09:09:45.870(-5) LDAP ➔ Search.info Search result count 7
I20210625-09:09:45.870(-5) LDAPSync ➔ debug tm03-usr2 is in ChatAdmins group.
I20210625-09:09:45.870(-5) server.js:204 LDAPSync ➔ error Unexpected error : Unexpected string in JSON at position 71
I20210625-09:09:45.871(-5) LDAPSync ➔ debug setting { "name": "tm03-usr2", "emails": [ { "address": "tm03-usr2@atccrl.com", "verified": true } ], "services.ldap.id": "6881ce36be6ede4a9ab316d05fa92c82", "services.ldap.idAttribute": "objectGUID", "ldap": true }
I20210625-09:09:45.876(-5) LDAPSync ➔ info Synced user group user from LDAP for tm03-usr2
I20210625-09:09:45.878(-5) LDAPSync ➔ info Synced user group user from LDAP for tm03-usr2
I20210625-09:09:45.881(-5) LDAPSync ➔ info Synced user group user from LDAP for tm03-usr2
I20210625-09:09:45.882(-5) LDAPSync ➔ info Synced user group user from LDAP for tm03-usr2
I20210625-09:09:45.885(-5) LDAPSync ➔ info Synced user group user from LDAP for tm03-usr2
I20210625-09:09:45.888(-5) LDAPSync ➔ info Synced user group user from LDAP for tm03-usr2
I20210625-09:09:45.890(-5) LDAPSync ➔ info Synced user group admin from LDAP for tm03-usr2

@john.crisp - Any ideas here?

Please don’t @ - it isn’t necessary. I read everything here…

I have asked a dev about this. I’ll let you know when I hear back.

OK, I had a word with a dev on this.

He thinks it is a mis-configuration in your group settings.

Can you check those and paste/screen shot anything here.

Also note that 3.16 is just released so it might be worth a quick test if possible.

First things first. I upgraded to 3.16 to reduce the possibility of a software bug. Same behavior.

I gathered the following group settings from the LDAP section.

User Group Filter
(&(sAMAccountName=#{username})(memberOf:1.2.840.113556.1.4.1941:=CN=Chat*,DC=wwtvcf,DC=local)(objectCategory=person)(objectClass=user))

LDAP Group BaseDN
DC=wwtvcf,DC=local

User Data Group Map
{"ChatAdmins":"admin", "ChatPlayers":"user"}

LDAP Group Channel Map
{
"ChatPlayers": ["notifications","town-square","helpdesk"]
"ChatAdmins": ["notifications","town-square","helpdesk","range-admins"]
}

Frozen Spider ADMIN "frozenspider" AD Membership

Behavior 1
Every user imported is now a user, but those in the ChatAdmins group do not get defined as admins.

Behavior 2
Users are not getting the channel mappings that I defined. They all have just the town-square.

Let me know if you want anything else not included. Thanks, John.

Fresh Logging Follows
https://pastebin.com/raw/2T7qXFV0

The dev commented:

The logs say there's an invalid JSON, and they seem to be missing a comma on the 'LDAP Group Channel Map' JSON.

How would I fix an invalid JSON? This is a plain vanilla install with no customizations outside of what has been configured in the GUI. I can check on the missing comma in the interim.

I believe I fixed the comma issue. You didn't tell me where the comma was missing so I guessed.


After making the change, I deleted my users from the database and reimported.

Still have the same issue.

Any suggestion on how to fix the invalid JSON?

Regarding your first part, we think:

The User Group Filter setting is used to validate if the user is in the group, the value they are using is:

(&(sAMAccountName=#{username})(memberOf:1.2.840.113556.1.4.1941:=CN=Chat*,DC=wwtvcf,DC=local)(objectCategory=person)(objectClass=user))

This is probably not what they want, since this query is not using the groupname variable (#{groupName}).

This query is executed for each group in the json.

My guess is that they need to replace Chat* with #{groupName}

It looks correct now, do you still get the Invalid JSON error on the logs?
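Both findings the thread converges on (the missing comma in the "LDAP Group Channel Map" JSON, and a User Group Filter that searches for CN=Chat* instead of CN=#{groupName}) can be caught offline before running a sync. The script below is an added example, not Rocket.Chat's own code: the directory contents, the per-group filter evaluator and the `audit_settings` helper are constructed stand-ins for what the server does when it substitutes #{username} and #{groupName} into the filter once per entry of the User Data Group Map. It shows why a filter whose memberOf clause never changes grants every mapped role, admin included, to any user that matches it once.

```python
"""Added example (not Rocket.Chat code): validate the LDAP mapping JSON and
simulate the per-group evaluation of the User Group Filter offline."""
import fnmatch
import json
import re

# Settings copied from the thread. The channel map is the comma-less
# version that produced "Unexpected string in JSON" in the server log.
USER_DATA_GROUP_MAP = '{"ChatAdmins":"admin", "ChatPlayers":"user"}'
BROKEN_CHANNEL_MAP = '''{
"ChatPlayers": ["notifications","town-square","helpdesk"]
"ChatAdmins": ["notifications","town-square","helpdesk","range-admins"]
}'''
FILTER_AS_CONFIGURED = ("(&(sAMAccountName=#{username})"
                        "(memberOf:1.2.840.113556.1.4.1941:=CN=Chat*,DC=wwtvcf,DC=local)"
                        "(objectCategory=person)(objectClass=user))")
FILTER_PER_GROUP = ("(&(sAMAccountName=#{username})"
                    "(memberOf:1.2.840.113556.1.4.1941:=CN=#{groupName},DC=wwtvcf,DC=local)"
                    "(objectCategory=person)(objectClass=user))")

# Constructed directory: sAMAccountName -> CNs of the groups the user is in.
# Only direct membership is modelled; the real matching rule is transitive.
DIRECTORY = {
    "tm03-usr2": ["Domain Users", "Team03", "ChatPlayers"],
    "frozenspider": ["Domain Users", "ChatPlayers", "ChatAdmins"],
}

_MEMBEROF_CN = re.compile(r"memberOf:1\.2\.840\.113556\.1\.4\.1941:=CN=([^,)]+)")


def validate_map(setting_name, raw):
    """Return None if the setting is a JSON object, else a message with the
    offending position (the same kind of position the server log reports)."""
    try:
        parsed = json.loads(raw)
    except json.JSONDecodeError as e:
        return f"{setting_name}: invalid JSON at position {e.pos} (line {e.lineno}): {e.msg}"
    if not isinstance(parsed, dict):
        return f"{setting_name}: expected a JSON object"
    return None


def user_matches(filter_template, username, group_name):
    """Simulate one evaluation of the filter for one (user, group) pair.
    Hypothetical evaluator: only the memberOf clause is interpreted, and an
    LDAP '*' wildcard is treated as a glob over the group CN."""
    flt = filter_template.replace("#{username}", username).replace("#{groupName}", group_name)
    m = _MEMBEROF_CN.search(flt)
    if not m:
        return False
    cn_pattern = m.group(1)
    return any(fnmatch.fnmatchcase(cn, cn_pattern) for cn in DIRECTORY.get(username, []))


def roles_for(filter_template, username, group_map_json):
    """Roles the sync would assign: one filter run per entry of the group map."""
    group_map = json.loads(group_map_json)
    return sorted({role for group, role in group_map.items()
                   if user_matches(filter_template, username, group)})


def audit_settings(filter_template, group_map_json, channel_map_json):
    """Collect the configuration findings a pre-sync check should raise."""
    findings = []
    for name, raw in (("User Data Group Map", group_map_json),
                      ("LDAP Group Channel Map", channel_map_json)):
        problem = validate_map(name, raw)
        if problem:
            findings.append(problem)
    if "#{groupName}" not in filter_template:
        findings.append("User Group Filter: does not use #{groupName}, so every "
                        "group in the map gets the same answer for a given user")
    return findings


if __name__ == "__main__":
    for finding in audit_settings(FILTER_AS_CONFIGURED, USER_DATA_GROUP_MAP, BROKEN_CHANNEL_MAP):
        print("FINDING:", finding)
    for flt, label in ((FILTER_AS_CONFIGURED, "Chat* filter"), (FILTER_PER_GROUP, "#{groupName} filter")):
        for user in DIRECTORY:
            print(f"{label:20} {user:12} -> {roles_for(flt, user, USER_DATA_GROUP_MAP)}")
```

With the filter as configured, tm03-usr2 is reported as matching both ChatPlayers and ChatAdmins (the clause is CN=Chat* every time, and ChatPlayers satisfies it), so the account ends up with the admin role; with #{groupName} substituted per group, only frozenspider, the actual ChatAdmins member, gets admin.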

Gents, I finally gave up. I decided to just use a single channel/room to avoid all the headaches.

Thanks for the assistance, but I ran out of time to troubleshoot further.