RocketChat / Rocket.Chat

The communications platform that puts data protection first.
https://rocket.chat/

Can't enable LDAP Group Validation #15069

Closed joside closed 8 months ago

joside commented 5 years ago

Description:

I want to use the LDAP Group Validation feature to make sure that only users in a specific group are able to login to rocketchat.

Steps to reproduce:

  1. Enable LDAP User Group Filter: True
  2. Group ObjectClass: posixGroup
  3. Group ID Attribute: cn
  4. Group Member Attribute: memberUid
  5. Group Member Format: #{username}
  6. Group Name: rocketchat
  7. Log in to rocketchat as a user with memberUid in this group

Expected behavior:

That user is able to log in

Actual behavior:

User can't log in

Server Setup Information:

Additional context

ldapsearch on the LDAP server with (&(objectclass=posixGroup)(memberUid=m.muster)(cn=rocketchat)) is successful

Relevant logs:

LDAP ➔ Auth.info Authenticating cn=MaxMuster,ou=users,dc=ldap,dc=muster,dc=de
LDAP ➔ Search.info Search result count 1
LDAP ➔ Auth.info Authenticated cn=MaxMuster,ou=users,dc=ldap,dc=muster,dc=de
LDAP ➔ Search.debug Group filter LDAP: (&(objectclass=posixGroup)(memberUid=m.muster)(cn=rocketchat))
server.js:207 LDAP ➔ Search.error { NoSuchObjectError: No Such Object
    at messageCallback (/app/bundle/programs/server/npm/node_modules/ldapjs/lib/client/client.js:1419:45)
    at Parser.onMessage (/app/bundle/programs/server/npm/node_modules/ldapjs/lib/client/client.js:1089:14)
    at emitOne (events.js:116:13)
    at Parser.emit (events.js:211:7)
    at Parser.write (/app/bundle/programs/server/npm/node_modules/ldapjs/lib/messages/parser.js:111:8)
    at TLSSocket.onData (/app/bundle/programs/server/npm/node_modules/ldapjs/lib/client/client.js:1076:22)
    at emitOne (events.js:116:13)
    at TLSSocket.emit (events.js:211:7)
    at addChunk (_stream_readable.js:263:12)
    at readableAddChunk (_stream_readable.js:250:11)
    at TLSSocket.Readable.push (_stream_readable.js:208:10)
    at TLSWrap.onread (net.js:597:20) lde_message: 'No Such Object', lde_dn: null }
server.js:207 LDAPHandler ➔ error { NoSuchObjectError: No Such Object
    at messageCallback (/app/bundle/programs/server/npm/node_modules/ldapjs/lib/client/client.js:1419:45)
    at Parser.onMessage (/app/bundle/programs/server/npm/node_modules/ldapjs/lib/client/client.js:1089:14)
    at emitOne (events.js:116:13)
    at Parser.emit (events.js:211:7)
    at Parser.write (/app/bundle/programs/server/npm/node_modules/ldapjs/lib/messages/parser.js:111:8)
    at TLSSocket.onData (/app/bundle/programs/server/npm/node_modules/ldapjs/lib/client/client.js:1076:22)
    at emitOne (events.js:116:13)
    at TLSSocket.emit (events.js:211:7)
    at addChunk (_stream_readable.js:263:12)
    at readableAddChunk (_stream_readable.js:250:11)
    at TLSSocket.Readable.push (_stream_readable.js:208:10)
    at TLSWrap.onread (net.js:597:20) lde_message: 'No Such Object', lde_dn: null }
LDAPHandler ➔ info Fallback to default account system { username: 'm.muster' }
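
The filter in the debug line above is assembled from the settings listed in the steps: object class, member attribute, member format (with `#{username}` substituted) and group name are AND-ed together. The following is an added example, not Rocket.Chat's own code, that reproduces that assembly with RFC 4515 escaping of the login name (so characters like `*`, `(` and `)` in a username cannot change the filter's structure) and then evaluates the same three assertions against a constructed posixGroup entry shaped like the ldapsearch result the reporter describes. The group DN, `gidNumber` and the second member are made up; case-insensitive matching for `objectClass` and `cn` and exact matching for `memberUid` are assumptions about the server's schema.

```javascript
// Added example (not Rocket.Chat's code): build and evaluate the LDAP group
// validation filter from the settings given in the issue's reproduction steps.
const GROUP_SETTINGS = {              // values taken from the issue's steps
  groupObjectClass: 'posixGroup',
  groupIdAttribute: 'cn',
  groupMemberAttribute: 'memberUid',
  groupMemberFormat: '#{username}',
  groupName: 'rocketchat',
};

// RFC 4515 escaping for an assertion value placed inside a search filter:
// '*', '(', ')', '\' and NUL become \2a, \28, \29, \5c and \00.
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g, (ch) => {
    const hex = ch.charCodeAt(0).toString(16).padStart(2, '0');
    return `\\${hex}`;
  });
}

// Substitute the login name into the member format, escaping it first so the
// username is always treated as a value, never as filter syntax.
function formatGroupMember(settings, username) {
  return settings.groupMemberFormat.replace('#{username}', escapeFilterValue(username));
}

// Assemble the AND filter the server is asked to evaluate for the group search.
function buildGroupFilter(settings, username) {
  const member = formatGroupMember(settings, username);
  return `(&(objectclass=${settings.groupObjectClass})`
    + `(${settings.groupMemberAttribute}=${member})`
    + `(${settings.groupIdAttribute}=${escapeFilterValue(settings.groupName)}))`;
}

// Constructed group entry in the shape an ldapsearch result would have.
// Only 'rocketchat' and 'm.muster' come from the issue; the rest is invented.
const GROUP_ENTRY = {
  dn: 'cn=rocketchat,ou=groups,dc=ldap,dc=muster,dc=de',   // constructed DN
  objectClass: ['top', 'posixGroup'],
  cn: ['rocketchat'],
  gidNumber: ['10001'],
  memberUid: ['m.muster', 'a.other'],
};

const eqIgnoreCase = (a, b) => a.toLowerCase() === b.toLowerCase();

// LDAP attribute names are case-insensitive; return all values as an array.
function attrValues(entry, name) {
  const key = Object.keys(entry).find((k) => eqIgnoreCase(k, name));
  return key ? [].concat(entry[key]) : [];
}

// Evaluate the three AND-ed assertions of buildGroupFilter() against one entry,
// i.e. what the directory does server-side when the search is permitted.
function userInGroup(entry, settings, username) {
  // Compare against the raw (unescaped) member value, as the server would.
  const member = settings.groupMemberFormat.replace('#{username}', username);
  return attrValues(entry, 'objectClass').some((v) => eqIgnoreCase(v, settings.groupObjectClass))
    && attrValues(entry, settings.groupMemberAttribute).includes(member)
    && attrValues(entry, settings.groupIdAttribute).some((v) => eqIgnoreCase(v, settings.groupName));
}

console.log(buildGroupFilter(GROUP_SETTINGS, 'm.muster'));
console.log('m.muster in group:', userInGroup(GROUP_ENTRY, GROUP_SETTINGS, 'm.muster'));
```

Note that a correct filter and a matching entry are only half of the picture: the search still fails with "No Such Object" when the bound identity cannot see the base DN the search is issued under, which is exactly the symptom the log shows.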

tntho commented 5 years ago

Hi @joside, I have got a similar issue; it was because the group filter was called after the LDAP user had authenticated already.

In your case, the group filter was called using the DN cn=MaxMuster,ou=users,dc=ldap,dc=muster,dc=de, not the LDAP user that performs user lookups which you configured in the admin settings, e.g. cn=Administrator,cn=Users,dc=Example,dc=com.

I have no experience with LDAP server stuff. I think we should configure something in the LDAP server which gives the user cn=MaxMuster,ou=users,dc=ldap,dc=muster,dc=de the ability to query the group. Or we have to change the LDAP login handler to use cn=Administrator,cn=Users,dc=Example,dc=com to query the group instead.

I hope this will help.

github-actions[bot] commented 4 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

dusatvoj commented 4 years ago

There's no activity because nobody cares about debugging or trying to solve it :)

battosai30 commented 4 years ago

I have the same kind of error but with group search disabled ...