
support for user group syncing with groupOfUniqueNames using openLDAP #15993

Closed
ClundXIII opened this issue Dec 16, 2019 · 8 comments · Fixed by #16273

Comments

@ClundXIII

ClundXIII commented Dec 16, 2019

Hello,

it seems like there is no (obvious) support for using groupOfUniqueNames (with openLDAP) to sync groups and stream membership. Apparently the filter at the bottom (for only allowing certain users to log in, I guess?) does indeed support it.

I am using the ou containing all groups as the content of "group base dn" and tried
(&(cn=#{groupName})(uniqueMember=#{userdn})) and
(&(cn=#{groupName})(uniqueMember=#{username},ou=<full ou / dc path>))
for the filter itself.

Any idea what the correct syntax would be?

@spanchy

spanchy commented Dec 17, 2019

Hello. I am using LDAP group sync with AD, and there is a small problem there, which is described here: #15673

But.. this works and I'm using default settings:
//Filter Group Users
(&(cn=#{groupName})(memberUid=#{username}))

//Ldap Group BaseDN is OU, which includes user groups
OU=ChatGroups,DC=%unknown%,DC=%unknown%

//Mapping users roles, example here
{
"rocket-admin": "admin",
"allthepeople": "user"
}

//Mapping groups, example here
{
"techoffice": [
"techoffice",
"general"
],
"allthepeople": "general"
}

//Settings "Auto remove user roles" and "Auto remove user from channel" - set to true

and... a PowerShell script, which parses user groups and writes memberUid.

@ClundXIII
Author

> But.. this works and I'm using default settings:
> //Filter Group Users
> (&(cn=#{groupName})(memberUid=#{username}))

You are using a different way to handle groups. I am using uniqueMember which contains the whole dn. Also I run Linux ;)

I could in theory auto-generate a second way of handling groups using memberUid but that would be the last thing I am willing to try.

@spanchy

spanchy commented Dec 17, 2019

> You are using a different way to handle groups. I am using uniqueMember which contains the whole dn. Also I run Linux ;)
>
> I could in theory auto-generate a second way of handling groups using memberUid but that would be the last thing I am willing to try.

I've tried different ways, but this method (with the PowerShell script and default settings for FilterGroupUsers) has been working for more than 4 months :) Are you using OpenLDAP? If so, add that information to the topic :)

@ClundXIII ClundXIII changed the title support for user group syncing with groupOfUniqueNames support for user group syncing with groupOfUniqueNames using openLDAP Dec 17, 2019
@ClundXIII
Author

Apparently userdn is not being used according to the sources:

https://github.com/RocketChat/Rocket.Chat/blob/develop/app/ldap/server/sync.js

Other than that I have confirmed my filters are working in theory (by trying them in phpldapadmin). However I do not see any reason why it doesn't work in Rocket.Chat. Is there any sanitization or string filtering going on which might break the LDAP filter string?

@ClundXIII
Author

Okay, after some more debugging I found out that the request for user group membership does not appear in the logs at all for some reason. I set the logging level to trace, but still I cannot seem to catch any request to filter groups. I only found one from 2 days ago.

Are the user groups only synced the first time someone logs in? I click on the "sync now" button but nothing happens according to the logs.

@ClundXIII
Author

Okay it works.

The issue was that the button for synchronizing data did not actually synchronize the LDAP group to channel mapping. Only the cron job did this.

You can close this now.

@bbreijer

@ClundXIII Did you also solve the initial problem?
I'm experiencing the same issue and would like to have the userDn available for use in the User Group Filter.

@ClundXIII
Author

@bbreijer
In my case the username in Rocket.Chat equals the cn in LDAP, so I could simply use the username variable for my User Group Filter.

(&(objectclass=groupOfUniqueNames)(cn=#{groupName})(uniqueMember=cn=#{username},ou=my_ou,dc=the_whole_dc_path))
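An added example (not Rocket.Chat's own code) of how the `#{groupName}` and `#{username}` placeholders in a User Group Filter like the one above can be substituted with RFC 4515 escaping, so that a username containing `(`, `)`, `*` or `\` cannot change the meaning of the filter, and how a placeholder the sync code never substitutes (such as `#{userdn}`, as found in the thread) can be detected before the query is sent. The function names are assumptions made for this example.

```javascript
// Escape the characters that have special meaning inside an LDAP filter
// assertion value (RFC 4515): backslash, asterisk, parentheses and NUL.
// Each becomes a backslash followed by its two-digit hex code.
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g, (ch) => {
    const hex = ch.charCodeAt(0).toString(16).padStart(2, '0');
    return `\\${hex}`;
  });
}

// Render the configured filter template. Only placeholders present in
// `values` are substituted (escaped); any other placeholder is left in the
// string verbatim, which mirrors what happens when a template refers to a
// variable the sync code does not know about.
// (Example helper; not the project's own function.)
function renderGroupFilter(template, values) {
  return template.replace(/#\{(\w+)\}/g, (match, name) =>
    Object.prototype.hasOwnProperty.call(values, name)
      ? escapeFilterValue(values[name])
      : match
  );
}

// Return the names of any placeholders that survived rendering, so a
// misconfigured filter can be reported instead of silently matching nothing.
function unsubstitutedPlaceholders(filter) {
  return [...filter.matchAll(/#\{(\w+)\}/g)].map((m) => m[1]);
}

// The groupOfUniqueNames filter from this thread; ou/dc values are placeholders.
const GROUP_FILTER_TEMPLATE =
  '(&(objectclass=groupOfUniqueNames)(cn=#{groupName})' +
  '(uniqueMember=cn=#{username},ou=my_ou,dc=the_whole_dc_path))';

// Constructed sample values, including a hostile username.
const rendered = renderGroupFilter(GROUP_FILTER_TEMPLATE, {
  groupName: 'techoffice',
  username: 'alice)(cn=*',
});
console.log(rendered);
// A template using #{userdn} keeps the placeholder, which this check reports.
console.log(unsubstitutedPlaceholders(
  renderGroupFilter('(&(cn=#{groupName})(uniqueMember=#{userdn}))', { groupName: 'g' })
));
```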
