RocketChat + LDAP

Server Setup Information

Rocket.Chat Version: 3.0.10
NodeJS Version: 12.11.0 - x64
MongoDB Version: 4.0.17
MongoDB Engine: mmapv1
Platform: linux
Process Port: 3000
ReplicaSet OpLog: Enabled
AD: WindowsServer 2012

Hello All,
I struggle with connecting AD to RocketChat.
I tried a lot of combinations, e.g. from:
- https://rocket.chat/docs/administrator-guides/authentication/ldap/
- the RocketChat forums
- Google search
but nothing works.

My problem is:
I am able to collect all users from AD, but I can’t implement filters.
I tried:
(&(objectClass=inetOrgPerson)(memberof=cn=#{groupName},ou=xx,dc=xxx,dc=xxx,dc=xxx)(uid=#{username}))
{"filter": "(&(objectCategory=person)(objectclass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=rocketchat,CN=xxx,DC=xxx,DC=xxx,Dc=xxx)(sAMAccountName=#{username}))", "scope": "sub", "userDN": "user", "password": "pass"}
(&(sAMAccountName=#{username})(memberOf=CN=#{groupName},OU=xxx,DC=xxx,DC=xxx,DC=xxx)) -> this works the best, I can assign users to roles

But how can I prevent it from acquiring all users?
I want to get only users from a specific group.

My settings:

UserName Field : sAMAccountName
Unique Identifier Field: objectGUID,ibm-entryUUID,GUID,dominoUNID,nsuniqueId,uidNumber
Default Domain: xxx.com
Merge Existing Users : ON
Sync User Data: ON
User Data Field Map: {"displayName": "name", "mail": "email"}
Sync LDAP Groups: ON
Auto Remove User Roles: ON
User Group Filter: (&(sAMAccountName=#{username})(memberOf=CN=#{groupName},OU=xxx,DC=xxx,DC=xxx,DC=xxx))
LDAP Group BaseDN: dc=xxx,dc=xxx,dc=xxx

{
"rocketchat": "user",
"rocketadmin": "admin",
"tech-support": "support"
}

With this configuration I get all users from the whole AD, and users from the specific OU (rocketchat -> two groups rocketchat, rocketadmin) get roles.
How can I prevent downloading all users? I only want to get users from OU=rocket and the two groups inside that OU, rocketchat and rocketadmins.

Thank you for your help.
Regards

Administration > LDAP > Sync / Import > User Group Filter:

(&(sAMAccountName=#{username})(memberOf=CN=#{groupName}<path_to_group>))

  • This will check whether the user is a member of the group

& LDAP > User Search > Filter:

(memberOf=cn=<full_path_to_group_with_allowed_users>)

  • This will add only members of this group to RC

Hope this helps. I also struggled to make it work. Good luck!

P.S. If you already added all AD users, you will need to delete them.
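As an added illustration (not code from this post or from Rocket.Chat), the script below renders the two filter templates with RFC 4515 escaping of the substituted values, and uses a small constructed directory to show why a plain memberOf= clause only sees direct members of a group while the memberOf:1.2.840.113556.1.4.1941:= matching rule quoted earlier in the thread also follows nested groups. The DNs under DC=example,DC=com are assumed.

```python
import re

# Added example, not Rocket.Chat code. The filter template uses the #{...}
# placeholder syntax from the forum thread; all DNs below are constructed.
USER_GROUP_FILTER = "(&(sAMAccountName=#{username})(memberOf=CN=#{groupName},OU=rocket,DC=example,DC=com))"

# RFC 4515 escaping for values substituted into a filter, so that a username
# such as "a*)(b" cannot change the structure of the rendered filter.
LDAP_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}

def escape_filter_value(value: str) -> str:
    return "".join(LDAP_ESCAPES.get(ch, ch) for ch in value)

def render_filter(template: str, **values: str) -> str:
    """Replace every #{name} placeholder with the escaped value for name."""
    def substitute(match):
        key = match.group(1)
        if key not in values:
            raise KeyError(f"no value supplied for placeholder #{{{key}}}")
        return escape_filter_value(values[key])
    return re.sub(r"#\{(\w+)\}", substitute, template)

# Constructed directory: group DN -> DNs of its direct members (users or groups).
ROCKETCHAT = "CN=rocketchat,OU=rocket,DC=example,DC=com"
TECH_SUPPORT = "CN=tech-support,OU=rocket,DC=example,DC=com"
ALICE = "CN=alice,OU=people,DC=example,DC=com"
BOB = "CN=bob,OU=people,DC=example,DC=com"
GROUPS = {
    ROCKETCHAT: {ALICE, TECH_SUPPORT},  # tech-support is nested inside rocketchat
    TECH_SUPPORT: {BOB},
}

def is_member(user_dn: str, group_dn: str, nested: bool = False, _seen=None) -> bool:
    """nested=False mirrors a plain (memberOf=...) clause: direct members only.
    nested=True mirrors AD's LDAP_MATCHING_RULE_IN_CHAIN
    (memberOf:1.2.840.113556.1.4.1941:=...), which follows group-in-group links."""
    if _seen is None:
        _seen = set()
    members = GROUPS.get(group_dn, set())
    if user_dn in members:
        return True
    if not nested:
        return False
    for child in members:
        if child in GROUPS and child not in _seen:
            _seen.add(child)
            if is_member(user_dn, child, True, _seen):
                return True
    return False
```

Bob is only a member of tech-support, so the direct memberOf= form used in the User Search Filter above will not import him, while the matching-rule form would; that is the behaviour to keep in mind when deciding which groups may be nested.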

Hi Brian,

Thanks for the answer.
It works, but I can’t assign roles to users in nested groups.
I have OU=meet; inside the OU I have two security groups, rocketusers and rocketadmin, and it seems that this can’t work.
I see users from the main group via LDAP > User Search > Filter,
but Rocket doesn’t assign any roles.

Regards

I don’t think R.C. reads members of nested AD groups. We tried with no success. Maybe someone more experienced can correct me.

Regards