RocketChat + LDAP

mkw · April 7, 2020, 12:08pm

Server Setup Information

Rocket.Chat Version: 3.0.10
NodeJS Version: 12.11.0 - x64
MongoDB Version: 4.0.17
MongoDB Engine: mmapv1
Platform: linux
Process Port: 3000
ReplicaSet OpLog: Enabled
AD: WindowsServer 2012

Hello All,
I struggle with connect AD to RocketChat,
I tried a lot of combinations like from:
-https://rocket.chat/docs/administrator-guides/authentication/ldap/
-rocketchat forums
-google search
but nothing works:

My problem is:
I abble to collect whole users from AD, but I can’t implement filters.
I tried:
“(&(objectClass=inetOrgPerson)(memberof=cn=#{groupName},ou=xx,dc=xxx,dc=xxx,dc=xxx)(uid=#{username}))”
“{“filter”: “(&(objectCategory=person)(objectclass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=rocketchat,CN=xxx,DC=xxx,DC=xxx,Dc=xxx)(sAMAccountName=#{username}))”, “scope”: “sub”, “userDN”: “user”, “password”: “pass”}”
“(&(sAMAccountName=#{username})(memberOf=CN=#{groupName},OU=xxx,DC=xxx,DC=xxx,DC=xxx))” —> this works the best, I can assign users to roles

But how I can prevent to acquire whole users,
I want to get only users from specific group,

My settings:

UserName Field : sAMAccountName
Unique Identifier Field: objectGUID,ibm-entryUUID,GUID,dominoUNID,nsuniqueId,uidNumber
Default Domain: xxx.com
Merge Existing Users : ON
Sync User Data: ON
User Data Field Map:{“displayName”:“name”, “mail”:“email”}
Sync LDAP Groups: ON
Auto Remove User Roles: ON
User Group Filter: (&(sAMAccountName=#{username})(memberOf=CN=#{groupName},OU=xxx,DC=xxx,DC=xxx,DC=xxx))
LDAP Group BaseDN: dc=xxx,dc=xxx,dc=xxx

{
“rocketchat” : “user”,
“rocketadmin”: “admin”,
“tech-support”: “support”
}

With this configuration I can get all users from whole AD and users from specific OU (rocketchat --> two groups rocketchat, rocketadmin) got roles.
How I can to prevent to download all users, I only want to get users from OU=rocket and two inside in OU groups rocketchat and rocketadmins.

Thank you for your help.
Regards

BrianMax · April 9, 2020, 7:16am

Administration > LDAP > Sync / Import > User Group Filter:

(&(sAMAccountName=#{username})(memberOf=CN=#{groupName}<path_to_group>))

This will check if user is member of group

& LDAP > User Search > Filter:

(memberOf=cn=<full_path_to_group_with_allowed_users>)

This will add only members of this group to RC

Hope this helps. I also struggled to make it work. Good luck!

P.S. If you already added all AD users, you will need to delete them.

mkw · April 9, 2020, 10:08am

Hi Brian,

Thanks for answer,
It works, but I can’t assign roles to users in nested groups
I have OU=meet, inside OU I have two SecGroups rocketusers, rocketadmin and it seems that can’t work.
I see users from main group from LDAP > User Search > Filter:
But rocket doesn’t assign any roles.

Regards

BrianMax · April 10, 2020, 5:57am

I don’t think R.C read members of nested AD groups. We tried with no success. Maybe someone more experienced can correct me.

Regards

theoprata · July 5, 2021, 11:23pm

Hi @mkw

Would it be possible if you can share us your LDAP setup?

I have been on this for the last a month now, but I still could not make it work.

Thanks,
Theo

Topic		Replies	Views
LDAP + UserData Group Map (AD) Community Support	2	1753	October 19, 2020
Active directory Group integration V2.0.0 Community Support	4	8819	February 28, 2020
Active Directory Filter Rocket Chat 0.74.3 snap install Community Support	3	1305	March 5, 2020
So how should the User Search filter look right? Community Support	0	1122	June 15, 2018
Import users from LDAP Community Support	2	665	January 24, 2023

Join our Community Open Call tomorrow where we'll share more details regarding recent changes and answer questions about updating your workspace to the latest Rocket.Chat

RocketChat + LDAP

Server Setup Information

Related Topics