RocketChat / Rocket.Chat

The communications platform that puts data protection first.
https://rocket.chat/

[LDAP] user with one match in group filter becomes a member of all mapped channels and gets all mapped roles (not assigned to him). #19031

Open dieug opened 4 years ago

dieug commented 4 years ago

Description:

I do role and channel mapping for users. For testing purposes I use a simple filter that checks against one group, "iw-office-wifi": `(&(samaccountname=#{username})(memberof=CN=iw-office-wifi,ou=groups,dc=company,dc=com))`

I do the mapping for roles and groups (I have no default RC groups in LDAP):

roles map: `{ "rocket-admin": "admin", "tech-support": "support" }`
channel map: `{ "iw-office-wifi": "iwifi", "IW IT Team": "iwit", "employee": "general", "techsupport": [ "helpdesk", "support" ] }`
turn on "sync ldap users with channels"

I do a sync, and I have all users of "iw-office-wifi" in all channels from the mapping, and all users have the role "admin" in their profiles.

Log from RC:

```
сен 26 01:21:44 wbr rocketchat[28922]: LDAPSync ➔ debug tstuser is in rocket-admin group.
сен 26 01:21:44 wbr rocketchat[28922]: LDAPSync ➔ debug tstuser is in iw-office-wifi group.
сен 26 01:21:44 wbr rocketchat[28922]: LDAPSync ➔ debug tstuser is in IW IT Team group.
сен 26 01:21:44 wbr rocketchat[28922]: LDAPSync ➔ debug tstuser is in employee group.
сен 26 01:21:44 wbr rocketchat[28922]: LDAPSync ➔ debug tstuser is in techsupport group.
сен 26 01:21:45 wbr rocketchat[28922]: LDAPSync ➔ debug tstuser is in techsupport group.
сен 26 01:21:45 wbr rocketchat[28922]: LDAPSync ➔ info Synced user group admin from LDAP for tstuser
сен 26 01:21:45 wbr rocketchat[28922]: LDAPSync ➔ info Synced user channel cXJ2ccxJdE2hhzynG from LDAP for tstuser
сен 26 01:21:45 wbr rocketchat[28922]: LDAPSync ➔ info Synced user channel K8v8qvQQ85rsfbSzF from LDAP for tstuser
сен 26 01:21:45 wbr rocketchat[28922]: LDAPSync ➔ info Synced user channel GENERAL from LDAP for tstuser
сен 26 01:21:45 wbr rocketchat[28922]: LDAPSync ➔ info Synced user channel c5yfCY8b54HtrQmAB from LDAP for tstuser
сен 26 01:21:45 wbr rocketchat[28922]: LDAPSync ➔ info Synced user channel Lk3z5bQ8qnXKjBGAA from LDAP for tstuser
```

Steps to reproduce:

  1. Install Rocket.Chat.
  2. Do LDAP sync.
  3. Do group sync.
  4. Do the mapping.
  5. Run synchronization.
  6. See the result.

Expected behavior:

Each user has the assigned role. Each channel has the assigned users.

Actual behavior:

All users with one match in the group filter get all roles and join all channels.

Server Setup Information:

Client Setup Information:

dieug commented 4 years ago

Still the same in 3.6.3.

I used: `(&(samaccountname=#{username})(memberof=CN=iw-office-wifi,ou=groups,dc=company,dc=com))` with this result:

```
окт 07 11:29:43 wbr rocketchat[13780]: LDAPSync ➔ debug testuser is in rocket-admin group.
окт 07 11:29:44 wbr rocketchat[13780]: LDAPSync ➔ debug testuser is in iw-office-wifi group.
окт 07 11:29:44 wbr rocketchat[13780]: LDAPSync ➔ debug testuser is in IW IT Team group.
окт 07 11:29:44 wbr rocketchat[13780]: LDAPSync ➔ debug testuser is in employee group.
окт 07 11:29:44 wbr rocketchat[13780]: LDAPSync ➔ debug testuser is in techsupport group.
окт 07 11:29:44 wbr rocketchat[13780]: LDAPSync ➔ debug testuser is in techsupport group.
окт 07 11:29:44 wbr rocketchat[13780]: LDAPSync ➔ info Synced user group admin from LDAP for testuser
окт 07 11:29:44 wbr rocketchat[13780]: LDAPSync ➔ info Synced user channel cXJ2ccxJdE2hhzynG from LDAP for testuser
окт 07 11:29:44 wbr rocketchat[13780]: username: 'testuser',
окт 07 11:29:44 wbr rocketchat[13780]: name: 'test user',
окт 07 11:29:44 wbr rocketchat[13780]: LDAPSync ➔ info Synced user channel K8v8qvQQ85rsfbSzF from LDAP for testuser
окт 07 11:29:44 wbr rocketchat[13780]: username: 'testuser',
окт 07 11:29:44 wbr rocketchat[13780]: name: 'test user',
окт 07 11:29:44 wbr rocketchat[13780]: LDAPSync ➔ info Synced user channel GENERAL from LDAP for testuser
окт 07 11:29:44 wbr rocketchat[13780]: username: 'testuser',
окт 07 11:29:44 wbr rocketchat[13780]: name: 'test user',
окт 07 11:29:44 wbr rocketchat[13780]: LDAPSync ➔ info Synced user channel c5yfCY8b54HtrQmAB from LDAP for testuser
окт 07 11:29:44 wbr rocketchat[13780]: username: 'testuser',
окт 07 11:29:44 wbr rocketchat[13780]: name: 'test user',
окт 07 11:29:44 wbr rocketchat[13780]: LDAPSync ➔ info Synced user channel Lk3z5bQ8qnXKjBGAA from LDAP for testuser
окт 07 11:29:44 wbr rocketchat[13780]: username: 'testuser',
окт 07 11:29:44 wbr rocketchat[13780]: name: 'test user',
```

All users from this group had been added to all roles and predefined channels.

Then I used: `(&(samaccountname=#{username})(memberof=CN=#{groupname},ou=groups,dc=company,dc=com))` and got:

```
окт 07 12:22:18 wbr rocketchat[13780]: LDAPSync ➔ debug testuser is not in rocket-admin group!!!
окт 07 12:22:18 wbr rocketchat[13780]: LDAPSync ➔ debug testuser is not in iw-office-wifi group!!!
окт 07 12:22:18 wbr rocketchat[13780]: username: 'testuser',
окт 07 12:22:18 wbr rocketchat[13780]: name: 'test user',
окт 07 12:22:18 wbr rocketchat[13780]: LDAPSync ➔ debug testuser is not in IW IT Team group!!!
окт 07 12:22:18 wbr rocketchat[13780]: username: 'testuser',
окт 07 12:22:18 wbr rocketchat[13780]: name: 'test user',
окт 07 12:22:18 wbr rocketchat[13780]: LDAPSync ➔ debug testuser is not in employee group!!!
окт 07 12:22:18 wbr rocketchat[13780]: username: 'testuser',
окт 07 12:22:18 wbr rocketchat[13780]: name: 'test user',
окт 07 12:22:19 wbr rocketchat[13780]: LDAPSync ➔ debug testuser is not in techsupport group!!!
окт 07 12:22:19 wbr rocketchat[13780]: username: 'testuser',
окт 07 12:22:19 wbr rocketchat[13780]: name: 'test user',
окт 07 12:22:19 wbr rocketchat[13780]: LDAPSync ➔ debug testuser is not in techsupport group!!!
окт 07 12:22:19 wbr rocketchat[13780]: username: 'testuser',
окт 07 12:22:19 wbr rocketchat[13780]: name: 'test user',
```

All users from this group had been removed from all roles and predefined channels.
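To illustrate the difference between the two filters above, here is an added simulation (not Rocket.Chat's own sync code) of a per-group membership check that renders the User Group Filter once for every entry of the role/channel map. The directory contents and the account `helpdesk1` are constructed for the example; it models the intended placeholder substitution only and does not reproduce the "not in group" result seen with the templated filter, whose cause the thread does not establish.

```javascript
// Added example (not Rocket.Chat's code): simulate the per-group membership check an
// LDAP sync runs once for every entry of the role/channel map, to show why a
// User Group Filter that hard-codes one group DN matches for every mapped group.
const BASE = 'ou=groups,dc=company,dc=com';
// Constructed directory: sAMAccountName -> group DNs the account is a member of.
const DIRECTORY = {
  testuser: [`CN=iw-office-wifi,${BASE}`],
  helpdesk1: [`CN=rocket-admin,${BASE}`, `CN=employee,${BASE}`], // hypothetical account
};
// Same map shapes as the issue's settings.
const ROLE_MAP = { 'rocket-admin': 'admin', 'tech-support': 'support' };
const CHANNEL_MAP = {
  'iw-office-wifi': 'iwifi', 'IW IT Team': 'iwit', employee: 'general',
  techsupport: ['helpdesk', 'support'],
};

// Substitute the placeholders for the user and for the group currently being checked.
function renderFilter(template, username, groupname) {
  return template.replace(/#\{username\}/g, username).replace(/#\{groupname\}/g, groupname);
}

// Minimal evaluator for the one filter shape used in the issue,
// (&(samaccountname=<user>)(memberof=<group DN>)); any other shape is rejected.
function matches(filter, username, memberOf) {
  const m = /^\(&\(samaccountname=([^)]+)\)\(memberof=([^)]+)\)\)$/i.exec(filter);
  if (!m) throw new Error(`unsupported filter shape: ${filter}`);
  const [, wantUser, wantGroup] = m;
  return wantUser.toLowerCase() === username.toLowerCase()
    && memberOf.some((dn) => dn.toLowerCase() === wantGroup.toLowerCase());
}

// Run the check for each mapped LDAP group and collect the roles/channels granted.
function syncTargets(template, username, map) {
  const memberOf = DIRECTORY[username] || [];
  const granted = [];
  for (const [ldapGroup, target] of Object.entries(map)) {
    if (matches(renderFilter(template, username, ldapGroup), username, memberOf)) {
      granted.push(...[].concat(target)); // a map value may be one name or a list
    }
  }
  return granted;
}

const HARDCODED = `(&(samaccountname=#{username})(memberof=CN=iw-office-wifi,${BASE}))`;
const TEMPLATED = `(&(samaccountname=#{username})(memberof=CN=#{groupname},${BASE}))`;

// Hard-coded group: one real membership grants every mapped role; templated: only real ones.
console.log(syncTargets(HARDCODED, 'testuser', ROLE_MAP)); // [ 'admin', 'support' ]
console.log(syncTargets(TEMPLATED, 'testuser', ROLE_MAP)); // []
```

With the hard-coded filter the rendered query is identical for every mapped group, so a single true membership is reported for all of them, which is the "is in rocket-admin group" line in the logs above for a user who is only in iw-office-wifi.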

dieug commented 4 years ago

And I found a (badly formed) issue with the same effect:

#19116

Its author (@Ramhm) said:

All FreeIPA users are in the rocket-admin group.

Ramhm commented 4 years ago

@dieug Can you send your LDAP config?!

dieug commented 4 years ago

@Ramhm how can I easily dump the config from the server? I see people get it with all options, but maybe they write it by hand?

Ramhm commented 4 years ago

@dieug Take a photo of the entire configuration or write it out manually.

dieug commented 4 years ago

@Ramhm, I rewrote your config with my settings (I use Active Directory LDAP):

BaseDN: dc=company,dc=com
Username field: sAMAccountName
Unique identifier field: objectGUID,ibm-entryUUID,GUID,dominoUNID,nsuniqueId,uidNumber (it's the default)
Default domain: company.com
Sync user data: on
User data field map: {"cn":"name", "mail":"email"}
Sync LDAP groups: on (I have to turn it OFF, it can't work in my 2 setups.)
User group filter: (&(samaccountname=#{username})(memberof=CN=#{groupname},ou=groups,dc=company,dc=com))
LDAP group basedn: dc=company,dc=com
User Data Group Map: {"rocket-admin": "admin","tech-support": "support"}
Sync user avatar: Off (normally on) (3.51-3.62: off; 3.5.0 (and less), 3.63: on)
Background sync: on
Background sync interval: every 5 minutes
Background Sync Import New Users: on
Background Sync Update Existing Users: on
User Search Filter: (&(objectClass=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(memberof:1.2.840.113556.1.4.1941:=cn=Cool group,ou=groups,dc=company,dc=com))
Scope: sub
Search field: sAMAccountName
UserSearch (CheckGroup): off (it is not an option for Active Directory, as I understood).

Ramhm commented 4 years ago

@dieug AD Or FreeIPA?

dieug commented 4 years ago

I wrote the config for AD. I have no FreeIPA.

Ramhm commented 4 years ago

@dieug :-1: