LDAPS sync doesn't work

### Description
Hello RC-Experts,

We use an on-premise Rocket.Chat server for our company and want our Windows users to be able to sign in to our Rocket.Chat server.

While trying to import Windows users via LDAPS (port 636), we can establish an LDAP connection from the RC server to our Windows DCs. Our Rocket.Chat server synchronizes only one Windows user and gives them the “User” role. The next LDAP users that are imported don't get a role assigned; the “Role” field (found in the RC GUI under “Users”) is just empty.
Oddly, not every Windows user gets imported to the RC server. Many Windows users are missing even if we try to sync the whole domain (without OU filtering).

I will post a few logs from the RC GUI below and hope that someone can help.

### Server Setup Information

  • Version of Rocket.Chat Server: 3.6.0
  • Operating System: Ubuntu 20.04 Server-Edition
  • Deployment Method: Docker
  • Number of Running Instances: 1
  • DB Replicaset Oplog:
  • NodeJS Version: v12.16.1
  • MongoDB Version: 4.0.19
  • Proxy: Nginx Reverse-Proxy for SSL-Encryption
  • Firewalls involved: Yes - Fortigate 100E

### Any additional Information
Here are my logs, copied from the Rocket.Chat GUI (menu “Logs”):

```
I20200902-12:18:24.968(0) server.js:204 LDAPSync ➔ error Error creating user errorClass [Error]: [error-invalid-domain]
    at app/authentication/server/startup/index.js:384:10
    at packages/accounts-base/accounts_server.js:1091:13
    at Array.forEach ()
    at AccountsServer.insertUserDoc (packages/accounts-base/accounts_server.js:1090:32)
    at AccountsServer. (app/authentication/server/startup/index.js:238:28)
    at executeBound (/app/bundle/programs/server/npm/node_modules/underscore/underscore.js:758:67)
    at AccountsServer.bound [as insertUserDoc] (/app/bundle/programs/server/npm/node_modules/underscore/underscore.js:789:14)
    at createUser (packages/accounts-password/password_server.js:1128:27)
    at AccountsServer.Accounts.createUser (packages/accounts-password/password_server.js:1197:10)
    at addLdapUser (app/ldap/server/sync.js:463:29)
    at app/ldap/server/sync.js:529:5
    at Array.forEach ()
    at app/ldap/server/sync.js:496:13
    at runWithEnvironment (packages/meteor.js:1286:24) {
  isClientSafe: true,
  error: 'error-invalid-domain',
  reason: undefined,
  details: undefined,
  message: '[error-invalid-domain]',
  errorType: 'Meteor.Error'
}
```

Hi @zmwrc,

RC and LDAP seem to have quite a complicated relationship. :wink: At least from my PoV.

Could you please provide more details on your AD setup (OU structure, groups involved, etc) and your exact entries under RC/admin/LDAP?

Do all your LDAP users have the mail attribute set? Otherwise you will have to set “Default domain” in the RC LDAP settings, I think.

Hey @klepptor

We are currently trying to synchronize one OU. In the future we want to synchronize three of them, but first we want to get LDAP sync working for this one specific OU (as you can see in the screenshots below).
Each OU has its own subset of OUs, primarily organized by the departments of our company.

These are our Rocket.Chat server settings regarding LDAP:



And these are the users that got synchronized by LDAP. There should be many more users synchronized, though. A lot of users are missing. Only one user has the role “user” assigned; the others didn't get one.

I also manually deleted the LDAP users from our MongoDB several times, following the suggestion of @alogicking.

The users seen in the screenshot above are somehow not recognized as LDAP users and can't be deleted…

Hm, I'm using a quite similar setup; all my users are in one OU.

Hi @zmwrc

Could you please check your BaseDN? Should be DC=ads,DC=zwm,DC=de

And maybe you should think about a special group for your RC Users (e.g. “chat”) that then can be used for the User Search filter: memberOf=CN=chat,OU=Gruppen,DC=ads,DC=zwm,DC=de

(maybe there’s an existing group you can use, but that’s how I do it and it works just fine).

I faced a similar kind of issue; I am searching for a proper solution.

I faced a similar problem. There were some users not tagged as LDAP users. You may delete them with another search filter.
This worked for me:

```js
db.users.remove({"status": "offline"});
```

I was logged in as admin, and the bots are online all the time, and I wanted to get rid of everything else.
You can play with this command until you get your filter right:

```js
db.users.find({"status": "offline"});
```

About your LDAP problem: we had this problem too, but I don't know exactly how we fixed it; it's been a while. Besides a correct BaseDN, we disabled “Login Fallback” and “Find user after login”.

Facing the exact same issue as @zmwrc. It worked in 3.5.x; LDAP authentication broke on the update to 3.6.0.

BaseDN and Search filter are used.
Enabling/disabling “Login Fallback” or “Find after Login” had no effect.

I would think BaseDN/Search Filter are correct, since they worked properly before updating to 3.6.0. Users are listed with role “User”; not sure what is meant with “LDAP user”. However, Rocket.Chat does talk to LDAP/AD when attempting to log in, so I assume it correctly tries to use LDAP.

A working solution would be most welcome. Currently I am trying to get meaningful logs with trace, but no useful results so far. I have not yet tried deleting users; this is the next step, I guess, but they seem correct now.

Edit: to clarify, users also cannot log in (the “pre-existing” login with the Rocket.Chat client works), but if I open a private browser session and attempt to log in -> user not known/password incorrect.

Edit2: after deleting the users and attempting to re-import, I am getting the following errors:

```
error: 'file-too-small',
reason: 'File size (size = 0) is too small (min = 1)',
details: undefined,
errorType: 'Meteor.Error'
```

Edit3: https://github.com/RocketChat/Rocket.Chat/issues/18737
-> disabling “synchronize Login Images” is a workaround for me

```
Sep 10 15:00:32 hostname rocketchat: ➔ +--------------------------------------------------------+
Sep 10 15:00:32 hostname rocketchat: ➔ |                    SERVER RUNNING                      |
Sep 10 15:00:32 hostname rocketchat: ➔ +--------------------------------------------------------+
Sep 10 15:00:32 hostname rocketchat: ➔ |                                                        |
Sep 10 15:00:32 hostname rocketchat: ➔ |  Rocket.Chat Version: 3.6.0                            |
Sep 10 15:00:32 hostname rocketchat: ➔ |       NodeJS Version: 12.18.2 - x64                    |
Sep 10 15:00:32 hostname rocketchat: ➔ |      MongoDB Version: 4.0.20                           |
Sep 10 15:00:32 hostname rocketchat: ➔ |       MongoDB Engine: wiredTiger                       |
Sep 10 15:00:32 hostname rocketchat: ➔ |             Platform: linux                            |
Sep 10 15:00:32 hostname rocketchat: ➔ |         Process Port: 3000                             |
Sep 10 15:00:32 hostname rocketchat: ➔ |             Site URL: https://some.domain.tld          |
Sep 10 15:00:32 hostname rocketchat: ➔ |     ReplicaSet OpLog: Enabled                          |
Sep 10 15:00:32 hostname rocketchat: ➔ |          Commit Hash: 071d72ebdc                       |
Sep 10 15:00:32 hostname rocketchat: ➔ |        Commit Branch: HEAD                             |
Sep 10 15:00:32 hostname rocketchat: ➔ |                                                        |
Sep 10 15:00:32 hostname rocketchat: ➔ +--------------------------------------------------------+
Sep 10 15:01:20 hostname rocketchat: (node:1796) [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead.
Sep 10 15:01:20 hostname rocketchat: server.js:204 LDAPSync ➔ error errorClass [Error]: File size (size = 0) is too small (min = 1) [file-too-small]
Sep 10 15:01:20 hostname rocketchat:     at Object.fileTooSmallError (packages/jalik:ufs/ufs-filter.js:43:53)
Sep 10 15:01:20 hostname rocketchat:     at Filter.check (packages/jalik:ufs/ufs-filter.js:89:28)
Sep 10 15:01:20 hostname rocketchat:     at FileUploadClass.insert (app/file-upload/server/lib/FileUpload.js:586:11)
Sep 10 15:01:20 hostname rocketchat:     at DDPCommon.MethodInvocation. (app/ldap/server/sync.js:418:15)
Sep 10 15:01:20 hostname rocketchat:     at packages/dispatch_run-as-user.js:211:14
Sep 10 15:01:20 hostname rocketchat:     at Meteor.EnvironmentVariable.EVp.withValue (packages/meteor.js:1234:12)
Sep 10 15:01:20 hostname rocketchat:     at Object.Meteor.runAsUser (packages/dispatch_run-as-user.js:210:33)
Sep 10 15:01:20 hostname rocketchat:     at syncUserData (app/ldap/server/sync.js:417:11)
Sep 10 15:01:20 hostname rocketchat:     at app/ldap/server/sync.js:575:6
Sep 10 15:01:20 hostname rocketchat:     at SynchronousCursor.forEach (packages/mongo/mongo_driver.js:1138:16)
Sep 10 15:01:20 hostname rocketchat:     at Cursor. [as forEach] (packages/mongo/mongo_driver.js:918:44)
Sep 10 15:01:20 hostname rocketchat:     at sync (app/ldap/server/sync.js:565:10)
Sep 10 15:01:20 hostname rocketchat:     at MethodInvocation.ldap_sync_now (app/ldap/server/syncUsers.js:24:3)
Sep 10 15:01:20 hostname rocketchat:     at MethodInvocation.methodsMap. (app/lib/server/lib/debug.js:67:34)
Sep 10 15:01:20 hostname rocketchat:     at maybeAuditArgumentChecks (packages/ddp-server/livedata_server.js:1771:12)
Sep 10 15:01:20 hostname rocketchat:     at packages/ddp-server/livedata_server.js:719:19
Sep 10 15:01:20 hostname rocketchat:     at Meteor.EnvironmentVariable.EVp.withValue (packages/meteor.js:1234:12)
Sep 10 15:01:20 hostname rocketchat:     at packages/ddp-server/livedata_server.js:717:46
Sep 10 15:01:20 hostname rocketchat:     at Meteor.EnvironmentVariable.EVp.withValue (packages/meteor.js:1234:12)
Sep 10 15:01:20 hostname rocketchat:     at packages/ddp-server/livedata_server.js:715:46
Sep 10 15:01:20 hostname rocketchat:     at new Promise ()
Sep 10 15:01:20 hostname rocketchat:     at Session.method (packages/ddp-server/livedata_server.js:689:23)
Sep 10 15:01:20 hostname rocketchat:     at packages/ddp-server/livedata_server.js:559:43 {
Sep 10 15:01:20 hostname rocketchat:   isClientSafe: true,
Sep 10 15:01:20 hostname rocketchat:   error: 'file-too-small',
Sep 10 15:01:20 hostname rocketchat:   reason: 'File size (size = 0) is too small (min = 1)',
Sep 10 15:01:20 hostname rocketchat:   details: undefined,
Sep 10 15:01:20 hostname rocketchat:   errorType: 'Meteor.Error'
Sep 10 15:01:20 hostname rocketchat: }
Sep 10 15:01:25 hostname rocketchat: Exception in callback of async function: errorClass [Error]: File size (size = 0) is too small (min = 1) [file-too-small]
Sep 10 15:01:25 hostname rocketchat:     at Object.fileTooSmallError (packages/jalik:ufs/ufs-filter.js:43:53)
Sep 10 15:01:25 hostname rocketchat:     at Filter.check (packages/jalik:ufs/ufs-filter.js:89:28)
Sep 10 15:01:25 hostname rocketchat:     at FileUploadClass.insert (app/file-upload/server/lib/FileUpload.js:586:11)
Sep 10 15:01:25 hostname rocketchat:     at DDPCommon.MethodInvocation. (app/ldap/server/sync.js:418:15)
Sep 10 15:01:25 hostname rocketchat:     at packages/dispatch_run-as-user.js:211:14
Sep 10 15:01:25 hostname rocketchat:     at Meteor.EnvironmentVariable.EVp.withValue (packages/meteor.js:1234:12)
Sep 10 15:01:25 hostname rocketchat:     at Object.Meteor.runAsUser (packages/dispatch_run-as-user.js:210:33)
Sep 10 15:01:25 hostname rocketchat:     at syncUserData (app/ldap/server/sync.js:417:11)
Sep 10 15:01:25 hostname rocketchat:     at addLdapUser (app/ldap/server/sync.js:469:2)
Sep 10 15:01:25 hostname rocketchat:     at app/ldap/server/sync.js:529:5
Sep 10 15:01:25 hostname rocketchat:     at Array.forEach ()
Sep 10 15:01:25 hostname rocketchat:     at app/ldap/server/sync.js:496:13
Sep 10 15:01:25 hostname rocketchat:     at runWithEnvironment (packages/meteor.js:1286:24) {
Sep 10 15:01:25 hostname rocketchat:   isClientSafe: true,
Sep 10 15:01:25 hostname rocketchat:   error: 'file-too-small',
Sep 10 15:01:25 hostname rocketchat:   reason: 'File size (size = 0) is too small (min = 1)',
Sep 10 15:01:25 hostname rocketchat:   details: undefined,
Sep 10 15:01:25 hostname rocketchat:   errorType: 'Meteor.Error'
Sep 10 15:01:25 hostname rocketchat: }
```

I'm getting the same issue on RC 3.6. I'm filtering by a security group. It will work for one user, then fail on the rest. I have to go into MongoDB to delete the failed users, as they show up in RC but with no user role and cannot be deleted from RC. Has anyone else fixed this yet?

Has anyone found a solution so far?

The only thing: disabling “synchronize Login Images” is a workaround for me.

Hi,

It's been a long time since my last post, but the problem I described above is still appearing.

Now I've found that LDAP does not synchronize an AD user as long as the AD user attribute “mail” is set (and not empty) in Active Directory.

If I set the Rocket.Chat synchronization settings to {“cn”:“name”} instead of {“cn”:“name”, “mail”:“email”}, it doesn't synchronize any users whatsoever. Not even those who haven't set a mail address (attribute “mail”) in Active Directory.

Does anyone know how I could import all of my AD users while ignoring the AD attribute “mail”?

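As an added example (not code from the thread or from Rocket.Chat), here is a dry run of the two steps the sync performs on each AD entry that this thread keeps circling around: applying the `{"cn":"name", "mail":"email"}` field map, then the new-user validation. It assumes, from reading the 3.x source, that the `[error-invalid-domain]` raised at `app/authentication/server/startup/index.js:384` in the first log is the `Accounts.validateNewUser` hook that compares the new user's first e-mail address against the `Accounts_AllowedDomainsList` setting; the setting name, the sample AD entries and the simplified user shape (`email` instead of `emails[0].address`) are assumptions. It lets you see, before touching MongoDB, which entries would be created and which would be rejected for a given allowed-domains value.

```python
"""Dry run of Rocket.Chat LDAP sync field mapping and allowed-domain validation.

Added example, not Rocket.Chat code. Assumption: [error-invalid-domain] is thrown by
the Accounts.validateNewUser hook when Accounts_AllowedDomainsList is non-empty and
the user's first e-mail address does not end in one of the listed domains.
"""
import json
import re

# Constructed sample of what an LDAP search over the OU might return (attribute -> value).
SAMPLE_ENTRIES = [
    {"cn": "alice", "sAMAccountName": "alice", "mail": "alice@zwm.de"},
    {"cn": "bob", "sAMAccountName": "bob", "mail": "bob@partner.example"},
    {"cn": "carol", "sAMAccountName": "carol"},            # no mail attribute at all
    {"cn": "dave", "sAMAccountName": "dave", "mail": ""},  # attribute present but empty
]

# The two field maps discussed in the thread (LDAP_Sync_User_Data_FieldMap setting).
FIELD_MAP_WITH_MAIL = '{"cn":"name", "mail":"email"}'
FIELD_MAP_NAME_ONLY = '{"cn":"name"}'


def apply_field_map(entry, field_map_json):
    """Translate one LDAP entry into the user fields the sync would set.

    Missing or empty attributes are skipped (assumption about the sync; an empty
    "mail" therefore behaves like no "mail" at all in this dry run).
    """
    field_map = json.loads(field_map_json)
    user = {}
    for ldap_attr, user_field in field_map.items():
        value = entry.get(ldap_attr)
        if value:
            user[user_field] = value
    return user


def allowed_domain_error(user, allowed_domains_setting):
    """Mirror the allowed-domains validation: return the error id or None.

    The real hook builds its regex from the raw domain string (`@${domain}$`), so a
    '.' in the setting matches any character there. re.escape is used here on
    purpose: it is stricter, so it never accepts an address the hook would reject.
    """
    domains = [d.strip() for d in allowed_domains_setting.split(",") if d.strip()]
    if not domains:
        return None  # setting empty: no domain check at all
    email = user.get("email")
    if not email:
        return None  # account has no e-mail: the hook skips the check
    if any(re.search(r"@" + re.escape(d) + r"$", email) for d in domains):
        return None
    return "error-invalid-domain"


def sync_dry_run(entries, field_map_json, allowed_domains_setting):
    """Map each entry and validate it; returns {sAMAccountName: 'created' | error id}."""
    outcome = {}
    for entry in entries:
        user = apply_field_map(entry, field_map_json)
        err = allowed_domain_error(user, allowed_domains_setting)
        outcome[entry["sAMAccountName"]] = err or "created"
    return outcome


if __name__ == "__main__":
    # Compare an empty allowed-domains setting with one that lists only the company domain.
    for setting in ("", "zwm.de"):
        print(f"Accounts_AllowedDomainsList={setting!r}")
        for name, result in sync_dry_run(SAMPLE_ENTRIES, FIELD_MAP_WITH_MAIL, setting).items():
            print(f"  {name:6s} -> {result}")
```

Note that a listed domain only matches the address's final label sequence right after the `@`: with `zwm.de` alone, an address at `ads.zwm.de` is still rejected, so every mail domain actually present in AD has to be listed (or the setting left empty) before the entries with a `mail` attribute can be created.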