The Great Open Source Debate with Elastic, Gluu and GitHub 🎤 Oct 26

LDAP Sync problem: new users are not sync anymore

Description

For several weeks, RC no longer synchronizes new users. It continue to synchronize existing users but no longer add new ones.
I can’t find any info in the logs about missing users, as if the LDAP request it made didn’t return them.
However, when I go to my LDAP server (OpenLDAP) and do strictly the same requests, the users are returned.
Apparently, the first synchronizations worked, because I have almost all my users, but the last ones, for a few weeks, have not been added anymore.

Server Setup Information

  • Version of Rocket.Chat Server: 3.18.1
  • Operating System: Ubuntu 20.04
  • Deployment Method: tar
  • Number of Running Instances: 7
  • DB Replicaset Oplog: wiredTiger (oplog Activé)
  • NodeJS Version: 12.22.1
  • MongoDB Version: 4.2.15
  • Proxy: haproxy
  • Firewalls involved: no

Any additional Information

I currently have ~ 4300 users in my base dn.
My RC LDAP configuration (the “dc=mycompagny,dc=com” is my anonimized domain) :

  • enabled
  • login fallback on
  • find user after connection on
  • host: fqdn
  • port: 389
  • reconnection on
  • no encrypt
  • base dn: ou=people,dc=mycompagny,dc=com

AUTH:

  • user dn: cn=rocketchat,ou=softwares,dc=mycompagny,dc=com
  • password: $thepass$

SYNC/IMPORT:

  • user name field: uid
  • uniq username: uid
  • default domain: mycompagny.com
  • merge existing users on
  • sync user data on
  • user data fields map: {"displayName":"name", "mail":"email", "o":"customFields.organisation"}
  • sync ldap groups on
  • automatically delete user role on
  • group users filter: (&(|(supannEntiteAffectationPrincipale=#{groupName})(supannEntiteAffectation=#{groupName})(memberOf=cn=#{groupName},ou=groups,dc=mycompagny,dc=com))(uid=#{username}))
  • dn base of ldap group: ou=people,dc=mycompagny,dc=com
  • user data group map:
{
  "rocketchat": "admin",
  "*": "user-compagny"
}
  • sync user with channels on
  • user group channel map: a big json like:
{
    "AC - CGP*": [
        "CGP"
    ],
    "AC - CI*": [
        "CI"
    ]
}
  • automatically delete user from channels on
  • sync avatar on
  • background sync on
  • interval sync: at 4:00 am
  • background sync import new users on
  • background sync update existing users on

TIMEOUT:

no change

USER SEARCH:

  • filter: (&(uid=*)(|(o=COMPAGNY1)(o=COMPAGNY2)(o=COMPAGNY3)))
  • scope: sub
  • search field: uid
  • search page size: 500
  • search size limit: 20000

USER SEARCH GROUP VALIDATION:

no change

Tried

Since it no longer adds new users, I tried:

  • to set the search page size at 0
  • to add them with the REST API (users.create).
    It works, but users don’t have the LDAP link.
    Examples with REST API users.info:
    A synced LDAP user:
{
  "user": {
    "_id": "xxx",
    "createdAt": "2021-06-02T10:20:56.514Z",
    "services": {
      "ldap": {
        "id": "xxx",
        "idAttribute": "uid"
      },
      "cas": {
        "external_id": "xxx"
      }
    },
    "username": "xxx",
    "emails": [
      {
        "address": "xxx@mycompagny.com",
        "verified": false
      }
    ],
    "type": "user",
    "status": "offline",
    "active": true,
    "roles": [
      "admin",
      "user-compagny"
    ],
    "name": "xxx",
    "customFields": {
      "organisation": "COMPAGNY1"
    },
    "lastLogin": "2021-09-23T12:28:02.803Z",
    "statusConnection": "offline",
    "utcOffset": 2,
    "statusText": "",
    "requirePasswordChange": false,
    "canViewAllInfo": true
  },
  "success": true
}

And a manually added user with REST API:

{
  "user": {
    "_id": "xxx",
    "createdAt": "2021-09-24T12:28:07.317Z",
    "services": {},
    "username": "xxx",
    "emails": [
      {
        "address": "xxx@mycompagny.com",
        "verified": true
      }
    ],
    "type": "user",
    "status": "offline",
    "active": true,
    "roles": [
      "user-compagny"
    ],
    "name": "xxx",
    "requirePasswordChange": false,
    "customFields": {
      "organisation": "COMPAGNY2"
    },
    "canViewAllInfo": true
  },
  "success": true
}

See the services part… No LDAP… And i can’t use the REST API for that…

Thanks in advance !

Hi all,

Looks like it doesn’t finish sync: I can’t find the phrase “Import finished. Users imported” in the logs…

root@servername:~# grep -i "Users imported" /var/log/syslog
Sep 27 04:00:00 servername rocketchat[800]: LDAPSync ➔ info Import running. Users imported until now: 100
Sep 27 04:00:01 servername rocketchat[800]: LDAPSync ➔ info Import running. Users imported until now: 200
Sep 27 04:00:01 servername rocketchat[800]: LDAPSync ➔ info Import running. Users imported until now: 300
Sep 27 04:00:02 servername rocketchat[800]: LDAPSync ➔ info Import running. Users imported until now: 400
Sep 27 04:00:02 servername rocketchat[800]: LDAPSync ➔ info Import running. Users imported until now: 500
Sep 27 04:00:02 servername rocketchat[800]: LDAPSync ➔ info Import running. Users imported until now: 600
Sep 27 04:00:03 servername rocketchat[800]: LDAPSync ➔ info Import running. Users imported until now: 700
Sep 27 04:00:03 servername rocketchat[800]: LDAPSync ➔ info Import running. Users imported until now: 800
Sep 27 04:00:04 servername rocketchat[800]: LDAPSync ➔ info Import running. Users imported until now: 900
Sep 27 04:00:04 servername rocketchat[800]: LDAPSync ➔ info Import running. Users imported until now: 1000
Sep 27 04:00:05 servername rocketchat[800]: LDAPSync ➔ info Import running. Users imported until now: 1100
Sep 27 04:00:05 servername rocketchat[800]: LDAPSync ➔ info Import running. Users imported until now: 1200
Sep 27 04:00:06 servername rocketchat[800]: LDAPSync ➔ info Import running. Users imported until now: 1300
Sep 27 04:00:06 servername rocketchat[800]: LDAPSync ➔ info Import running. Users imported until now: 1400
Sep 27 04:00:06 servername rocketchat[800]: LDAPSync ➔ info Import running. Users imported until now: 1500
Sep 27 04:00:07 servername rocketchat[800]: LDAPSync ➔ info Import running. Users imported until now: 1600
Sep 27 04:00:07 servername rocketchat[800]: LDAPSync ➔ info Import running. Users imported until now: 1700
Sep 27 04:00:08 servername rocketchat[800]: LDAPSync ➔ info Import running. Users imported until now: 1800
Sep 27 04:00:08 servername rocketchat[800]: LDAPSync ➔ info Import running. Users imported until now: 1900
Sep 27 04:00:09 servername rocketchat[800]: LDAPSync ➔ info Import running. Users imported until now: 2000
Sep 27 04:00:09 servername rocketchat[800]: LDAPSync ➔ info Import running. Users imported until now: 2100
Sep 27 04:00:10 servername rocketchat[800]: LDAPSync ➔ info Import running. Users imported until now: 2200
Sep 27 04:00:10 servername rocketchat[800]: LDAPSync ➔ info Import running. Users imported until now: 2300
Sep 27 04:00:10 servername rocketchat[800]: LDAPSync ➔ info Import running. Users imported until now: 2400
Sep 27 04:00:11 servername rocketchat[800]: LDAPSync ➔ info Import running. Users imported until now: 2500
Sep 27 04:00:11 servername rocketchat[800]: LDAPSync ➔ info Import running. Users imported until now: 2600
Sep 27 04:00:12 servername rocketchat[800]: LDAPSync ➔ info Import running. Users imported until now: 2700
Sep 27 04:00:12 servername rocketchat[800]: LDAPSync ➔ info Import running. Users imported until now: 2800
Sep 27 04:00:13 servername rocketchat[800]: LDAPSync ➔ info Import running. Users imported until now: 2900
Sep 27 04:00:13 servername rocketchat[800]: LDAPSync ➔ info Import running. Users imported until now: 3000
Sep 27 04:00:13 servername rocketchat[800]: LDAPSync ➔ info Import running. Users imported until now: 3100

Nice comprehensive report!

I don’t have an answer to this - needs someone from Rocket to check.

If you are using groups you ought to be aware of this too - they are being removed from CE :frowning:

I’d do a lot of testing on 4.x before committing to an upgrade.

https://forums.rocket.chat/t/upcoming-changes-to-identity-management-integrations/11994/89

Hi Reetp,

I will wait for a response from the team :slight_smile:

I know for the upcoming 4.x CE version. I’m thinking about what I’m going to do.