Open dieug opened 4 years ago
Still the same in 3.6.3.
I did:
(&(samaccountname=#{username})(memberof=CN=iw-office-wifi,ou=groups,dc=company,dc=com))
with this result:
```text
Oct 07 11:29:43 wbr rocketchat[13780]: LDAPSync ➔ debug testuser is in rocket-admin group.
Oct 07 11:29:44 wbr rocketchat[13780]: LDAPSync ➔ debug testuser is in iw-office-wifi group.
Oct 07 11:29:44 wbr rocketchat[13780]: LDAPSync ➔ debug testuser is in IW IT Team group.
Oct 07 11:29:44 wbr rocketchat[13780]: LDAPSync ➔ debug testuser is in employee group.
Oct 07 11:29:44 wbr rocketchat[13780]: LDAPSync ➔ debug testuser is in techsupport group.
Oct 07 11:29:44 wbr rocketchat[13780]: LDAPSync ➔ debug testuser is in techsupport group.
Oct 07 11:29:44 wbr rocketchat[13780]: LDAPSync ➔ info Synced user group admin from LDAP for testuser
Oct 07 11:29:44 wbr rocketchat[13780]: LDAPSync ➔ info Synced user channel cXJ2ccxJdE2hhzynG from LDAP for testuser
Oct 07 11:29:44 wbr rocketchat[13780]: username: 'testuser',
Oct 07 11:29:44 wbr rocketchat[13780]: name: 'test user',
Oct 07 11:29:44 wbr rocketchat[13780]: LDAPSync ➔ info Synced user channel K8v8qvQQ85rsfbSzF from LDAP for testuser
Oct 07 11:29:44 wbr rocketchat[13780]: username: 'testuser',
Oct 07 11:29:44 wbr rocketchat[13780]: name: 'test user',
Oct 07 11:29:44 wbr rocketchat[13780]: LDAPSync ➔ info Synced user channel GENERAL from LDAP for testuser
Oct 07 11:29:44 wbr rocketchat[13780]: username: 'testuser',
Oct 07 11:29:44 wbr rocketchat[13780]: name: 'test user',
Oct 07 11:29:44 wbr rocketchat[13780]: LDAPSync ➔ info Synced user channel c5yfCY8b54HtrQmAB from LDAP for testuser
Oct 07 11:29:44 wbr rocketchat[13780]: username: 'testuser',
Oct 07 11:29:44 wbr rocketchat[13780]: name: 'test user',
Oct 07 11:29:44 wbr rocketchat[13780]: LDAPSync ➔ info Synced user channel Lk3z5bQ8qnXKjBGAA from LDAP for testuser
Oct 07 11:29:44 wbr rocketchat[13780]: username: 'testuser',
Oct 07 11:29:44 wbr rocketchat[13780]: name: 'test user',
```
All users from this group had been added to all roles and predefined channels.
Then I did:
(&(samaccountname=#{username})(memberof=CN=#{groupname},ou=groups,dc=company,dc=com))
and got:
```text
Oct 07 12:22:18 wbr rocketchat[13780]: LDAPSync ➔ debug testuser is not in rocket-admin group!!!
Oct 07 12:22:18 wbr rocketchat[13780]: LDAPSync ➔ debug testuser is not in iw-office-wifi group!!!
Oct 07 12:22:18 wbr rocketchat[13780]: username: 'testuser',
Oct 07 12:22:18 wbr rocketchat[13780]: name: 'test user',
Oct 07 12:22:18 wbr rocketchat[13780]: LDAPSync ➔ debug testuser is not in IW IT Team group!!!
Oct 07 12:22:18 wbr rocketchat[13780]: username: 'testuser',
Oct 07 12:22:18 wbr rocketchat[13780]: name: 'test user',
Oct 07 12:22:18 wbr rocketchat[13780]: LDAPSync ➔ debug testuser is not in employee group!!!
Oct 07 12:22:18 wbr rocketchat[13780]: username: 'testuser',
Oct 07 12:22:18 wbr rocketchat[13780]: name: 'test user',
Oct 07 12:22:19 wbr rocketchat[13780]: LDAPSync ➔ debug testuser is not in techsupport group!!!
Oct 07 12:22:19 wbr rocketchat[13780]: username: 'testuser',
Oct 07 12:22:19 wbr rocketchat[13780]: name: 'test user',
Oct 07 12:22:19 wbr rocketchat[13780]: LDAPSync ➔ debug testuser is not in techsupport group!!!
Oct 07 12:22:19 wbr rocketchat[13780]: username: 'testuser',
Oct 07 12:22:19 wbr rocketchat[13780]: name: 'test user',
```
All users from this group had been removed from all roles and predefined channels.
And I found a (badly formed) issue with the same effect; its author (@Ramhm) said:
All FreeIPA users are in the rocket-admin group.
@dieug Can you send your LDAP config?!
@Ramhm How can I easily dump the config from the server? I see people get it with all options, but maybe they write it by hand?
@dieug Take a photo of the entire configuration or write it manually
@Ramhm, I rewrote your config with my settings (I use Active Directory LDAP):
BaseDN: dc=company,dc=com
Username field: sAMAccountName
Unique identifier field: objectGUID,ibm-entryUUID,GUID,dominoUNID,nsuniqueId,uidNumber (it's the default)
Default domain: company.com
Sync user data: on
User data field map: {"cn":"name", "mail":"email"}
Sync LDAP groups: on (I have to turn it OFF; it can't work in my 2 setups.)
User group filter: (&(samaccountname=#{username})(memberof=CN=#{groupname},ou=groups,dc=company,dc=com))
LDAP group basedn: dc=company,dc=com
User Data Group Map: {"rocket-admin": "admin","tech-support": "support"}
Sync user avatar: Off (normally on) (3.51-3.62: off; 3.5.0 (and less), 3.63: on)
Background sync: on
Background sync interval: every 5 minutes
Background Sync Import New Users: on
Background Sync Update Existing Users: on
User Search Filter: (&(objectClass=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(memberof:1.2.840.113556.1.4.1941:=cn=Cool group,ou=groups,dc=company,dc=com))
scope: sub
search field: sAMAccountName
UserSearch (CheckGroup): off (it is not an option for Active Directory, as I understood).
@dieug AD Or FreeIPA?
I wrote the config for AD. I have no FreeIPA.
-- Sorry for the brevity; sent from K-9 Mail.
@dieug :-1:
Description:
I map roles and channels for users. For testing purposes I use a simple filter that checks against one group, "iw-office-wifi":
(&(samaccountname=#{username})(memberof=CN=iw-office-wifi,ou=groups,dc=company,dc=com))
I map roles and groups as follows (I have no default RC groups in LDAP):
roles map:
{ "rocket-admin": "admin", "tech-support": "support" }
channel map: { "iw-office-wifi": "iwifi", "IW IT Team": "iwit", "employee": "general", "techsupport": [ "helpdesk", "support" ] }
I turn on "sync ldap users with channels" and run the sync, and I get all users of "iw-office-wifi" in all channels from the mapping, and all users have the role "admin" in their profiles.
Log from RC:
```text
Sep 26 01:21:44 wbr rocketchat[28922]: LDAPSync ➔ debug tstuser is in rocket-admin group.
Sep 26 01:21:44 wbr rocketchat[28922]: LDAPSync ➔ debug tstuser is in iw-office-wifi group.
Sep 26 01:21:44 wbr rocketchat[28922]: LDAPSync ➔ debug tstuser is in IW IT Team group.
Sep 26 01:21:44 wbr rocketchat[28922]: LDAPSync ➔ debug tstuser is in employee group.
Sep 26 01:21:44 wbr rocketchat[28922]: LDAPSync ➔ debug tstuser is in techsupport group.
Sep 26 01:21:45 wbr rocketchat[28922]: LDAPSync ➔ debug tstuser is in techsupport group.
Sep 26 01:21:45 wbr rocketchat[28922]: LDAPSync ➔ info Synced user group admin from LDAP for tstuser
Sep 26 01:21:45 wbr rocketchat[28922]: LDAPSync ➔ info Synced user channel cXJ2ccxJdE2hhzynG from LDAP for tstuser
Sep 26 01:21:45 wbr rocketchat[28922]: LDAPSync ➔ info Synced user channel K8v8qvQQ85rsfbSzF from LDAP for tstuser
Sep 26 01:21:45 wbr rocketchat[28922]: LDAPSync ➔ info Synced user channel GENERAL from LDAP for tstuser
Sep 26 01:21:45 wbr rocketchat[28922]: LDAPSync ➔ info Synced user channel c5yfCY8b54HtrQmAB from LDAP for tstuser
Sep 26 01:21:45 wbr rocketchat[28922]: LDAPSync ➔ info Synced user channel Lk3z5bQ8qnXKjBGAA from LDAP for tstuser
```
Steps to reproduce:
Expected behavior:
Each user has its assigned role, and each channel has its assigned users.
Actual behavior:
All users with one match in the group filter get all roles and join all channels.
Server Setup Information:
Version of Rocket.Chat Server: all i used: 3.3.3 3.4.3 3.5.0 3.5.1 3.5.2 3.5.3 3.5.4 3.6.0 3.6.1 3.6.2
Operating System: debian linux 10
Deployment Method: tar
Number of Running Instances: 2 (I have two servers, testing and production; confirmed on both).
DB Replicaset Oplog:
NodeJS Version: Node v12.14.0
MongoDB Version: Mongo 4.0.19
RocketChat Current used: 3.6.2
Client Setup Information
Desktop App or Browser Version: all
Operating System: all
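The behaviour reported in this issue comes down to how the "User group filter" template is expanded once per mapped group: if the template hard-codes one group DN instead of using `#{groupname}`, every expansion is the same string, so a user who matches it once matches it for every role and channel in the maps. The script below is an added example written for this edit, not Rocket.Chat code. It uses a constructed in-memory directory, a toy evaluator that understands only the `(&(samaccountname=…)(memberof=…))` shape from the thread, and an RFC 4515 escaping helper added as a hardening step; the thread says nothing about how Rocket.Chat itself escapes substituted values, and the "templated" result shows the expected outcome, not the empty result the reporter saw in their AD setup.

```python
"""Added example, not Rocket.Chat code: simulate expansion of the LDAP
"User group filter" template once per mapped group, against a constructed
in-memory directory, to show why a filter with a hard-coded group DN makes
every user in that one group look like a member of every mapped group.
"""
import re

# Constructed sample data: sAMAccountName -> memberOf DNs (lowercase).
DIRECTORY = {
    "testuser": ["cn=iw-office-wifi,ou=groups,dc=company,dc=com"],
    "helpdesker": ["cn=techsupport,ou=groups,dc=company,dc=com"],
}

# Role and channel maps exactly as posted in the issue.
ROLE_MAP = {"rocket-admin": "admin", "tech-support": "support"}
CHANNEL_MAP = {
    "iw-office-wifi": "iwifi",
    "IW IT Team": "iwit",
    "employee": "general",
    "techsupport": ["helpdesk", "support"],
}
ALL_GROUPS = list(ROLE_MAP) + list(CHANNEL_MAP)

# The two filters from the issue: the first hard-codes the group DN, the
# second uses the #{groupname} placeholder.
HARDCODED_FILTER = ("(&(samaccountname=#{username})"
                    "(memberof=CN=iw-office-wifi,ou=groups,dc=company,dc=com))")
TEMPLATED_FILTER = ("(&(samaccountname=#{username})"
                    "(memberof=CN=#{groupname},ou=groups,dc=company,dc=com))")

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a filter. Hardening step
    added in this example; whether Rocket.Chat escapes is not stated on the page."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand(template: str, username: str, groupname: str) -> str:
    """Fill the placeholders the way a per-group sync loop would."""
    return (template.replace("#{username}", escape_filter_value(username))
                    .replace("#{groupname}", escape_filter_value(groupname)))


_SHAPE = re.compile(r"\(&\(samaccountname=([^)]*)\)\(memberof=([^)]*)\)\)", re.I)


def evaluate(filter_str: str) -> bool:
    """Toy stand-in for the LDAP server: supports only the filter shape above."""
    m = _SHAPE.fullmatch(filter_str)
    if not m:
        raise ValueError(f"unsupported filter shape: {filter_str}")
    user, dn = m.group(1).lower(), m.group(2).lower()
    return dn in DIRECTORY.get(user, [])


def groups_for(template: str, username: str, groups=ALL_GROUPS) -> list:
    """Groups the sync would believe `username` belongs to, one expansion per group."""
    return [g for g in groups if evaluate(expand(template, username, g))]


def roles_for(template: str, username: str) -> list:
    matched = set(groups_for(template, username))
    return [role for group, role in ROLE_MAP.items() if group in matched]


def channels_for(template: str, username: str) -> list:
    matched = set(groups_for(template, username))
    out = []
    for group, chans in CHANNEL_MAP.items():
        if group in matched:
            out.extend(chans if isinstance(chans, list) else [chans])
    return out


if __name__ == "__main__":
    for label, tpl in (("hard-coded", HARDCODED_FILTER), ("templated", TEMPLATED_FILTER)):
        print(label, "groups:", groups_for(tpl, "testuser"),
              "roles:", roles_for(tpl, "testuser"),
              "channels:", channels_for(tpl, "testuser"))
```

The check this suggests for anyone hitting the same symptom: log the expanded filter for each mapped group and confirm the strings actually differ. If they are identical, the group loop cannot return different answers per group, and a single match grants every mapped role, including `admin`.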