RocketChat / Rocket.Chat

The communications platform that puts data protection first.
https://rocket.chat/

LDAP user group filter not working? #5900

Open phlegx opened 7 years ago

phlegx commented 7 years ago

Hi there,

I'm trying to set the LDAP user group filter with Rocket.Chat. However, this does not seem to work. I can log in without the filter just fine via LDAP, but with groups it is not possible, at least for me.

Here are my settings that I made in the Admin Frontend:

Group ObjectClass:  groupOfUniqueNames
Group ID Attribute: cn
Group Member Attribute: uniqueMember
Group Member Format: uid=#{uid},ou=People,dc=example,dc=com
Group name: Administrators,ou=Groups,dc=example,dc=com

The log on my LDAP server, however, then shows me the following filter:

filter="(&(objectClass=groupOfUniqueNames)(uniqueMember=uid=#{uid},ou=People,dc=example,dc=com)(cn=Administrators,ou=Groups,dc=example,dc=com))"

And this does not seem to work to get a user back that belongs to a group. I heard that this group membership check needs something like an ldapcompare method or so. I'm using 389 LDAP server, but it should be the same as in OpenLDAP.

Can someone give me a hint about what I'm doing wrong, or whether this is really a bug and done the wrong way by Rocket.Chat?

Rocket.Chat Version: 0.50.1
Running Instances: 1
DB Replicaset OpLog:
Node Version: 4.7.1

Coros commented 7 years ago

If you are using Active Directory or certain other LDAP servers you may need to use a different filter. I don't know the specifics but there's a way to specify in your filter to return "users" instead of "persons". It's a weird distinction in LDAP. Here's our LDAP filter and it works perfectly. `memberOf:1.2.840.113556.1.4.1941:=cn=Technology Staff,OU=Groups,DC=DOMAIN,DC=TLD`

phlegx commented 7 years ago

Thanks Coros!

Hmm, I can try out your suggestion and play with the parameters. What in all worlds is this number about? 1.2.840.113556.1.4.1941 :-)

I can only say that, according to the #openldap guys in IRC, this filter that Rocket.Chat generates, even though I'm on 389, would also not work for filtering out people from a group with an OpenVPN server. One would need to do that via ldapcompare, they said.

Coros commented 7 years ago

It's an objectclass filter. See https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx#Examples

The one I provided returns all members of the group including nested sources

engelgabriel commented 7 years ago

@MartinSchoeler can you add this to the documentation?

MartinSchoeler commented 7 years ago

@Coros Would you mind contributing to our docs so that it will make it easier on other users that need this solution? You can contribute here: https://github.com/RocketChat/Rocket.Chat.Docs/tree/master/5.%20Administrator%20Guides/Authentication/LDAP Thanks!

Coros commented 7 years ago

@MartinSchoeler The LDAP objectclass filter for nested groups/users already appears to be documented there.

localguru commented 7 years ago

This works fine for me with AD, even nested security groups. Domain Search Filter: memberOf:1.2.840.113556.1.4.1941:=cn=teamchat,ou=Groups,ou=MyDepartment,ou=Company,dc=ad,dc=mydomain,dc=tld

phlegx commented 7 years ago

In the examples it says that for OpenLDAP one should use this notation:

E.g. for OpenLDAP (extensible match search) `ou:dn:=ROCKET_CHAT`

I'm not exactly sure now. How does this filter need to look for a DN/group like this in my OpenLDAP?

DN: cn=RocketchatUsers,ou=Rocketchat,ou=Applications,dc=example,dc=com

I tried, among other variations, for example this one:

ou:dn:=cn=RocketchatUsers,ou=Rocketchat,ou=Applications,dc=example,dc=com

But no luck. I cannot sign in with the user assigned to that group. Maybe someone can give me a hint. Thank you in advance!

iesit commented 5 years ago

I'm using MS Active Directory, and when I run PowerShell with the Active Directory module using the following query:

([ADSISearcher]"(&(&(&(&(objectCategory=person)(objectClass=user)(mail=*)(memberOf:1.2.840.113556.1.4.1941:=cn=User Group,OU=Security Groups,OU=Business,DC=Domain-Name,DC=com)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(mail=postmaster@Domain-Name.com))(!(mail=anotheruser@Domain-Name.com))))))").FindAll() | Select Path

I get 234 results, yet when I use the query:

([ADSISearcher]"(&(&(&(&(objectCategory=person)(objectClass=user)(mail=*)(memberOf:1.2.840.113556.1.4.1941:=cn=User Group,OU=Security Groups,OU=Business,DC=Domain-Name,DC=com)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(mail=postmaster@Domain-Name.com))(!(mail=anotheruser@Domain-Name.com))))))

in Admin -> LDAP -> User Search -> Filter, I get the following log:

I20190228-15:25:44.789(0) LDAP ➔ Connection.info Init setup
I20190228-15:25:44.795(0) LDAP ➔ Connection.info Connecting ldaps://10.1.1.43:636
I20190228-15:25:44.911(0) LDAP ➔ Connection.info LDAP connected
I20190228-15:25:44.918(0) LDAP ➔ Bind.info Binding UserDN ldap
I20190228-15:25:44.948(0) LDAP ➔ Search.info Searching user *
I20190228-15:25:47.445(0) LDAP ➔ Search.info Final Page
I20190228-15:25:47.450(0) LDAP ➔ Search.info Final Page
I20190228-15:25:47.487(0) LDAPSync ➔ info Import finished. Users imported: 34
I20190228-15:25:47.493(0) LDAPSync ➔ info Import finished. Users imported: 34
I20190228-15:25:48.495(0) LDAP ➔ Search.info Idle
I20190228-15:25:48.498(0) LDAP ➔ Connection.info Disconecting
I20190228-15:25:48.503(0) LDAP ➔ Search.info Closed

But in reality, only 17 users are imported.

Seems like the memberOf:1.2.840.113556.1.4.1941:=cn= section is not being handled properly, as I can remove this section, and the query "works".

kokotko1337 commented 5 years ago

If you are using Active Directory or certain other LDAP servers you may need to use a different filter. I don't know the specifics but there's a way to specify in your filter to return "users" instead of "persons". It's a weird distinction in LDAP. Here's our LDAP filter and it works perfectly. `memberOf:1.2.840.113556.1.4.1941:=cn=Technology Staff,OU=Groups,DC=DOMAIN,DC=TLD`

You saved my day! After 2 weeks of searching and testing...

janis-veinbergs commented 4 years ago

Unfortunately, #{username} and #{groupName} are insufficient to effectively search group membership within a Windows Active Directory environment. https://github.com/RocketChat/Rocket.Chat/blob/2c756207bd8a99b8e7ee4fc4fd5b384aa8ceb351/app/ldap/server/sync.js#L30

As a workaround, I can specify which OUs to use when searching group membership, but this is ineffective and I must manually type all organization units within which group membership should be checked:

(&(objectCategory=Person)(sAMAccountName=#{username})(|(memberOf:1.2.840.113556.1.4.1941:=CN=#{groupName},OU=orgunit1,dc=example,dc=com)(memberOf:1.2.840.113556.1.4.1941:=CN=#{groupName},OU=Org groups,OU=suborgunit,OU=orgunit1,dc=example,dc=com)))

Ideally this should be possible: (&(objectCategory=Person)(sAMAccountName=#{username})(memberOf:1.2.840.113556.1.4.1941:=CN=#{groupDistinguishedName}))

Ajedi32 commented 3 years ago

FYI, looking at the code it looks like they added #{userdn} as an (undocumented) possible substitution:

https://github.com/RocketChat/Rocket.Chat/blob/0b789f790fabc38888c3eaaf4207c9d77c2cc0e2/app/ldap/server/sync.js#L31

So you can now set the User Group Filter to:

(&(cn=#{groupName})(objectClass=group)(member:1.2.840.113556.1.4.1941:=#{userdn}))

In my tests syncing with Active Directory, that worked as desired, letting Rocket.Chat properly sync group membership for all groups in the Active Directory tree.
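As an added example (not Rocket.Chat's own code, which is linked in the comments above), the JavaScript below substitutes the #{username}, #{groupName} and #{userdn} placeholders discussed in this thread into a filter template, escaping every value per RFC 4515 so that a value taken from user input cannot change the filter's structure, and it rejects a template that uses a placeholder it does not know, such as the #{uid} that reaches the directory unsubstituted in the filter logged at the top of the thread. The function names, the second template and the sample values are assumptions.

```javascript
// Added example, not Rocket.Chat's own code: substitute the #{username},
// #{groupName} and #{userdn} placeholders into an LDAP filter template with
// RFC 4515 escaping, so user-supplied values cannot alter the filter.

// Placeholder names the example accepts; anything else is rejected so that a
// template such as "uid=#{uid},ou=People,..." fails here instead of being
// sent to the directory with the literal text "#{uid}" still in it.
const KNOWN_PLACEHOLDERS = new Set(['username', 'groupName', 'userdn']);

// RFC 4515 section 3: NUL, '(', ')', '*' and '\' inside an assertion value
// are written as a backslash followed by two hex digits.
function escapeFilterValue(value) {
  return String(value).replace(/[\0()*\\]/g,
    (c) => '\\' + c.charCodeAt(0).toString(16).padStart(2, '0'));
}

// Replace every #{name} in the template with the escaped value for `name`.
// Throws on an unknown placeholder or a missing value.
function buildFilter(template, values) {
  return template.replace(/#\{(\w+)\}/g, (match, name) => {
    if (!KNOWN_PLACEHOLDERS.has(name) || values[name] === undefined) {
      throw new Error(`unsupported or missing placeholder ${match}`);
    }
    return escapeFilterValue(values[name]);
  });
}

// The User Group Filter from the last comment in the thread.
const GROUP_FILTER =
  '(&(cn=#{groupName})(objectClass=group)(member:1.2.840.113556.1.4.1941:=#{userdn}))';
// A per-user search filter (assumed) in the style of the earlier comments.
const USER_FILTER = '(&(objectCategory=Person)(sAMAccountName=#{username}))';

function demo() {
  // Constructed sample values; the user DN contains an escaped comma in its
  // CN, so its backslash must itself be escaped inside the filter.
  const groupFilter = buildFilter(GROUP_FILTER, {
    groupName: 'Technology Staff',
    userdn: 'CN=Doe\\, Jane,OU=Users,DC=example,DC=com',
  });
  // A username that tries to close the filter early is rendered inert.
  const userFilter = buildFilter(USER_FILTER, { username: '*)(objectClass=*' });
  return { groupFilter, userFilter };
}

console.log(demo());
```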