[NEW] LDAP User Groups, Roles, and Channel Synchronization #14278
…nto ldap-admin-groups * 'develop' of https://github.com/RocketChat/Rocket.Chat: (21 commits) Regression: Active room was not being marked (RocketChat#14276) Rename Cloud to Connectivity Services & split Apps in Apps and Marketplace (RocketChat#14211) LingoHub based on develop (RocketChat#14178) [IMPROVE] Replace livechat inquiry dialog with preview room (RocketChat#13986) Bump version to 0.74.3 Room loading improvements (RocketChat#13471) [FIX] Invalid condition on getting next livechat agent over REST API endpoint (RocketChat#13360) [IMPROVE] Open rooms quicker (RocketChat#13417) [FIX] "Test Desktop Notifications" not triggering a notification (RocketChat#13457) [FIX] Translated and incorrect i18n variables (RocketChat#13463) Regression: Remove console.log on email translations (RocketChat#13456) [FIX] Properly escape custom emoji names for pattern matching (RocketChat#13408) [FIX] Not translated emails (RocketChat#13452) Added missing package dependency (RocketChat#13437) Update Russian localization (RocketChat#13244) [IMPROVE] Allow configure Prometheus port per process via Env Var (RocketChat#13436) [IMPROVE] Add API option "permissionsRequired" (RocketChat#13430) [FIX] Several Problems on HipChat Importer (RocketChat#13336) Add the missing uniqueId to the push notifications (RocketChat#13423) [FIX] Notify private settings changes even on public settings changed (RocketChat#13369) ...
Oh! This is so great! :)))
This is super cool! :).
I think I'm going to also add automatic adding to channels... If you're in the "devops" group, you should also join the "devops" channel if it exists.
OK, Added Automatic Join / Leave channels based on LDAP group.
Example LDAP Group Channel Map
Auto Join Channel(s) based on LDAP Group
Auto Remove From Channel(s) if not in LDAP Group
NOTE: This requires the "Auto Remove Users from Channels" setting to be enabled. This is disabled by default because it will remove anyone in a channel that isn't part of the LDAP group. This can be useful for enforcing/locking down a channel to ONLY users in a specific LDAP group.
Looks great!
This looks awesome! This would make the user management so much better! At the moment we are using a script which gives us a CSV file that we import afterwards.
Thanks for the great job. I waited for this so long. A question: Is there a way to automatically create a new channel when a new ldap group is recognized? |
So it does work with active directory! I'm glad to hear you got it working! |
Still not working for me. Filter:
Group Base DN:
User Base DN:
@wreiske First of all, thanks for the contribution, I got it working with Active Directory, but it seems to try and create the channel every time a user logs in, and then I get an error on the mobile App: If I remove the channel, the user logs in and goes to the channel, but on the next login, same error again. The user won't log in due to the channel creation attempt. I20190926-15:41:23.446(-3) LDAPSync ➔ debug User role exists for mapping testeni -> nucleo edit: I removed the picture, it was too large. And the error occurs because inside the "LDAP Group Channel Map" fields, you cannot create channels with special characters, spaces, etc. So when the user tries to log in, Rocket.Chat tries to create a channel using invalid characters and is stuck there. The channel doesn't get created, the user doesn't log in. "Fixed it" by creating channels like "accounting-public", "accounting-private", instead of "Accounting - Public"
@Doordonot please open a new issue about this problem. I'll see if I can replicate it here. |
We got it working too with Active Directory. Comparing to your setting, in the Also of note is that the implementation does not seem to create channels or populate them during the scheduled LDAP synchronization or generally automatically, but only when users log in manually. So to actually see whether the LDAP setup is working or not, you have to logout and then log back in. |
We also got it working with Active Directory but have noticed the same behavior of not creating/populating channels with LDAP sync, only after login of a user. |
I'm running version 1.2.1, Merge pull request #14898 from RocketChat/release-1.2.1. How do I install this update? Do I have to re-install from scratch? I want to keep all my other settings. My setup is in CentOS 7. I'm new at git / github, so pardon the question if it's obvious. |
@buso you should not be following up on a PR unless your comment is strictly relevant to the PR in question. Github is for issues (things that are broken), not support. Please read all of the documentation. https://rocketchat.github.io/docs/getting-support/ |
@reetp noted. thank you |
Is already checked... |
I got my environment to work by setting the LDAP Group Base DN to my Base DN. In your case: OU=Users,OU=IT Department,OU=company,DC=mydomain,DC=com Try that. I also noticed that if the user has not been previously imported from AD, on first log-in you get a wrong password error, but clicking on the login button a second time allows login successfully and the auto-join to the room happens. |
Well, I must say I've been with Rocket.Chat for almost a year and LDAP is working just fine (I mean user and password import); the user doesn't need to log in twice or anything. I cannot use
My setup has been working fine authenticating against AD before as well. The double-login started with the channel synchronization update. If I set Sync LDAP Groups to false, then login works fine. |
Well, it seems to be working. This afternoon I created a test user, and although the manual sync didn't work, tonight at 00:00 when the scheduled sync ran, the user appeared in the channels I've mapped and with the roles I assigned. \o/ The "Merge existing users" doesn't seem to be working, by the way. Tomorrow I will do more tests with it. This test user, @buso, had no problems logging in in my scenario.
Adding to a merge request is not a great place to do this. People will generally ignore it. You also need to work out if it is a real bug or not. For help/support please see: https://rocket.chat/docs/getting-support FWIW I would make sure you have at least 2.1.2 and then check any browser caching. I can see the fields on both 2.1.2 and 2.2.0 even though I do not have it enabled. |
I am still unsure whether this is supposed to work in both open and private channels. It certainly closes issues that mention both but we haven't managed to create private groups yet.
It works for open and private channels. However, the first time it creates a channel it will be public. You have to set it as private manually, then all other users mapped to join that channel will do so. I have it set up with two channels for each department, one private and one public. Every AD user mapped to a department auto-joins the private and the public channel for his/her department.
Hello, we are using the following configuration. If we enable "Auto Sync LDAP Groups to Channels", one user can log in. After this login the channels are created and now no one else can log in to Rocket.Chat. They get an error message "wrong user or password". If I log out with this user, the user can not log in anymore. I have to delete these channels with the Rocket.Chat admin and then the same happens - I can log in one time, channels are created and no login is possible after that. If I disable LDAP Group to Channel Sync the AD authentication is working fine. The config looks like this: Any idea what's going wrong? I was doing my first tests with an earlier version and the group sync was working fine.
Is it possible to use the email address in the group filter?
and I tried to change it to
I thought this might work since the email address is synced from LDAP but it looks like it is not available as variable. I also tried changing the regex in Admin > General > UTF8 to allow umlauts in usernames, which works for manually added users, but all LDAP users get their names messed up, so the email address would be a chance to work around #3451. We're running Rocket.Chat 3.3.0 on docker and our LDAP is an Active Directory. |
Closes: #1196
Closes: #5085
Closes: #2759
Closes: #11710
Closes: #5252
Closes: #4735
Closes: #5086
This commit allows server admins to set which LDAP groups they want to synchronize with Rocket.Chat user roles.
Automatically Assign LDAP Groups to Rocket.Chat Roles
Admins can choose to automatically remove users from a role if their LDAP group is removed.
Role Automatically Added
Role Automatically Removed
Example
Setting the new "User Data Group Map" to the following will allow users in LDAP under the group "rocket-admins" to be assigned the rocket.chat "admin" role.
Here's what the group looks like:
![image](https://user-images.githubusercontent.com/6295044/56860260-8de7c900-6962-11e9-8230-1c933e100b84.png)
Automatically Add / Remove users in Channels based on LDAP Groups
For a preview, see: #14278 (comment)
Tested and working with OpenLDAP.
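The two mappings this PR introduces, LDAP group to Rocket.Chat role ("User Data Group Map", described in the PR text above) and LDAP group to channel with optional auto-remove (described in the "Automatic Join / Leave channels" comment earlier in the thread), modelled as an added example in JavaScript. This is not code from Rocket.Chat or from this PR: the map contents, the `planSync` and `groupCn` names, the `user`/`memberOf`/`opts` parameters and the `CHANNEL_NAME_RE` pattern are assumptions for illustration. It computes the role and channel changes for one user and, because the thread reports channel names containing spaces or punctuation blocking login, skips such names instead of trying to create them.

```javascript
// Added example; not code from Rocket.Chat or from PR #14278.
// Models the sync logic the PR describes: LDAP groups mapped to roles and
// to channels, with removal only when the matching "auto remove" setting
// is on. Maps, names and the channel-name rule are assumptions.

// Hypothetical rule for names a sync may create automatically. Entries that
// fail it are reported in `skippedChannels` rather than aborting the sync.
const CHANNEL_NAME_RE = /^[A-Za-z0-9._-]+$/;

// Constructed "User Data Group Map": LDAP group CN -> Rocket.Chat roles.
const ROLE_MAP = {
  'rocket-admins': ['admin'],
  'rocket-mods': ['moderator'],
};

// Constructed "LDAP Group Channel Map": LDAP group CN -> channel names.
const CHANNEL_MAP = {
  devops: ['devops'],
  accounting: ['accounting-public', 'accounting-private'],
  hr: ['HR - Private'], // deliberately invalid under CHANNEL_NAME_RE
};

// Extract the CN from a memberOf-style DN, honouring "\," escapes in the
// value. Returns null when the DN does not start with a cn= RDN.
function groupCn(dn) {
  const m = /^cn=((?:\\.|[^,])+)/i.exec(dn.trim());
  return m ? m[1].replace(/\\(.)/g, '$1') : null;
}

// Elements of set `a` that are not in set `b`, as an array.
function setDiff(a, b) {
  return [...a].filter((x) => !b.has(x));
}

// user:     { roles: string[], channels: string[] } as stored locally.
// memberOf: group DNs read from the directory for this user.
// opts:     { autoRemoveRoles, autoRemoveChannels } mirror the two settings.
function planSync(user, memberOf, opts = {}) {
  const groups = new Set(memberOf.map(groupCn).filter(Boolean));

  // Roles: only roles that appear in the map are ever added or removed, so
  // a built-in role such as "user" is never touched by the sync.
  const mappedRoles = new Set(Object.values(ROLE_MAP).flat());
  const wantedRoles = new Set();
  for (const [group, roles] of Object.entries(ROLE_MAP)) {
    if (groups.has(group)) roles.forEach((r) => wantedRoles.add(r));
  }
  const currentRoles = new Set(user.roles);
  const addRoles = setDiff(wantedRoles, currentRoles);
  const removeRoles = opts.autoRemoveRoles
    ? setDiff(currentRoles, wantedRoles).filter((r) => mappedRoles.has(r))
    : [];

  // Channels: same shape. With autoRemoveChannels on, anyone in a mapped
  // channel whose groups no longer map to it is removed, which is the
  // lock-down behaviour the setting's description warns about.
  const mappedChannels = new Set(Object.values(CHANNEL_MAP).flat());
  const wantedChannels = new Set();
  const skippedChannels = [];
  for (const [group, channels] of Object.entries(CHANNEL_MAP)) {
    if (!groups.has(group)) continue;
    for (const ch of channels) {
      if (CHANNEL_NAME_RE.test(ch)) wantedChannels.add(ch);
      else skippedChannels.push(ch);
    }
  }
  const currentChannels = new Set(user.channels);
  const joinChannels = setDiff(wantedChannels, currentChannels);
  const leaveChannels = opts.autoRemoveChannels
    ? setDiff(currentChannels, wantedChannels).filter((c) => mappedChannels.has(c))
    : [];

  return { addRoles, removeRoles, joinChannels, leaveChannels, skippedChannels };
}

// Constructed sample: since the last sync this user was added to devops and
// hr in the directory and dropped from rocket-admins.
const sampleUser = { roles: ['user', 'admin'], channels: ['general', 'accounting-public'] };
const sampleMemberOf = [
  'CN=devops,OU=Groups,DC=example,DC=com',
  'CN=hr,OU=Groups,DC=example,DC=com',
];

console.log(JSON.stringify(
  planSync(sampleUser, sampleMemberOf, { autoRemoveRoles: true, autoRemoveChannels: true }),
  null, 2,
));
```

With both auto-remove options off, `removeRoles` and `leaveChannels` stay empty and the sync only ever grants; with them on, the sample user loses `admin` and `accounting-public` while `general` is left alone because it is not in any map. The function only plans the changes; applying them (and creating channels as public first, as noted in the thread) is the caller's job.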