feat: Add setting to automatically disable users missing from LDAP se…

…arch (#32084)

Co-authored-by: Matheus Barbosa Silva <[email protected]>

.changeset/nervous-elephants-jam.md

@@ -0,0 +1,7 @@
+---
+'@rocket.chat/model-typings': minor
+'@rocket.chat/i18n': minor
+'@rocket.chat/meteor': minor
+---
+
+Added a new setting to automatically disable users from LDAP that can no longer be found by the background sync

apps/meteor/app/importer/server/classes/ImportDataConverter.ts

@@ -502,6 +502,7 @@ export class ImportDataConverter {
 					}
 
 					const userId = await this.insertUser(data);
+					data._id = userId;
 					insertedIds.add(userId);
 
 					if (!this._options.skipDefaultChannels) {

apps/meteor/ee/server/lib/ldap/Manager.ts

@@ -10,6 +10,7 @@ import type {
 import { addUserToRoom } from '../../../../app/lib/server/functions/addUserToRoom';
 import { createRoom } from '../../../../app/lib/server/functions/createRoom';
 import { removeUserFromRoom } from '../../../../app/lib/server/functions/removeUserFromRoom';
+import { setUserActiveStatus } from '../../../../app/lib/server/functions/setUserActiveStatus';
 import { settings } from '../../../../app/settings/server';
 import { getValidRoomName } from '../../../../app/utils/server/lib/getValidRoomName';
 import { ensureArray } from '../../../../lib/utils/arrayUtils';
@@ -28,6 +29,7 @@ export class LDAPEEManager extends LDAPManager {
 
 		const createNewUsers = settings.get<boolean>('LDAP_Background_Sync_Import_New_Users') ?? true;
 		const updateExistingUsers = settings.get<boolean>('LDAP_Background_Sync_Keep_Existant_Users_Updated') ?? true;
+		let disableMissingUsers = updateExistingUsers && (settings.get<boolean>('LDAP_Background_Sync_Disable_Missing_Users') ?? false);
 		const mergeExistingUsers = settings.get<boolean>('LDAP_Background_Sync_Merge_Existent_Users') ?? false;
 
 		const options = this.getConverterOptions();
@@ -36,14 +38,17 @@ export class LDAPEEManager extends LDAPManager {
 
 		const ldap = new LDAPConnection();
 		const converter = new LDAPDataConverter(true, options);
+		const touchedUsers = new Set<IUser['_id']>();
 
 		try {
 			await ldap.connect();
 
 			if (createNewUsers || mergeExistingUsers) {
 				await this.importNewUsers(ldap, converter);
 			} else if (updateExistingUsers) {
-				await this.updateExistingUsers(ldap, converter);
+				await this.updateExistingUsers(ldap, converter, disableMissingUsers);
+				// Missing users will have been disabled automatically by the update operation, so no need to do a separate query for them
+				disableMissingUsers = false;
 			}
 
 			const membersOfGroupFilter = await ldap.searchMembersOfGroupFilter();
@@ -60,9 +65,17 @@ export class LDAPEEManager extends LDAPManager {
 
 					return membersOfGroupFilter.includes(memberFormat);
 				}) as ImporterBeforeImportCallback,
-				afterImportFn: (async ({ data }, isNewRecord: boolean): Promise<void> =>
-					this.advancedSync(ldap, data as IImportUser, converter, isNewRecord)) as ImporterAfterImportCallback,
+				afterImportFn: (async ({ data }, isNewRecord: boolean): Promise<void> => {
+					if (data._id) {
+						touchedUsers.add(data._id);
+					}
+					await this.advancedSync(ldap, data as IImportUser, converter, isNewRecord);
+				}) as ImporterAfterImportCallback,
 			});
+
+			if (disableMissingUsers) {
+				await this.disableMissingUsers([...touchedUsers]);
+			}
 		} catch (error) {
 			logger.error(error);
 		}
@@ -579,18 +592,26 @@ export class LDAPEEManager extends LDAPManager {
 		});
 	}
 
-	private static async updateExistingUsers(ldap: LDAPConnection, converter: LDAPDataConverter): Promise<void> {
+	private static async updateExistingUsers(ldap: LDAPConnection, converter: LDAPDataConverter, disableMissingUsers = false): Promise<void> {
 		const users = await Users.findLDAPUsers().toArray();
 		for await (const user of users) {
 			const ldapUser = await this.findLDAPUser(ldap, user);
 
 			if (ldapUser) {
 				const userData = this.mapUserData(ldapUser, user.username);
 				converter.addUserSync(userData, { dn: ldapUser.dn, username: this.getLdapUsername(ldapUser) });
+			} else if (disableMissingUsers) {
+				await setUserActiveStatus(user._id, false, true);
 			}
 		}
 	}
 
+	private static async disableMissingUsers(foundUsers: IUser['_id'][]): Promise<void> {
+		const userIds = (await Users.findLDAPUsersExceptIds(foundUsers, { projection: { _id: 1 } }).toArray()).map(({ _id }) => _id);
+
+		await Promise.allSettled(userIds.map((id) => setUserActiveStatus(id, false, true)));
+	}
+
 	private static async updateUserAvatars(ldap: LDAPConnection): Promise<void> {
 		const users = await Users.findLDAPUsers().toArray();
 		for await (const user of users) {

apps/meteor/ee/server/settings/ldap.ts

@@ -27,6 +27,7 @@ export function addSettings(): Promise<void> {
 					});
 
 					const backgroundSyncQuery = [enableQuery, { _id: 'LDAP_Background_Sync', value: true }];
+					const backgroundUpdateQuery = [...backgroundSyncQuery, { _id: 'LDAP_Background_Sync_Keep_Existant_Users_Updated', value: true }];
 
 					await this.add('LDAP_Background_Sync_Interval', 'every_24_hours', {
 						type: 'select',
@@ -70,11 +71,13 @@ export function addSettings(): Promise<void> {
 
 					await this.add('LDAP_Background_Sync_Merge_Existent_Users', false, {
 						type: 'boolean',
-						enableQuery: [
-							...backgroundSyncQuery,
-							{ _id: 'LDAP_Background_Sync_Keep_Existant_Users_Updated', value: true },
-							{ _id: 'LDAP_Merge_Existing_Users', value: true },
-						],
+						enableQuery: [...backgroundUpdateQuery, { _id: 'LDAP_Merge_Existing_Users', value: true }],
+						invalidValue: false,
+					});
+
+					await this.add('LDAP_Background_Sync_Disable_Missing_Users', false, {
+						type: 'boolean',
+						enableQuery: backgroundUpdateQuery,
 						invalidValue: false,
 					});
 

apps/meteor/server/models/raw/Users.js

@@ -432,6 +432,17 @@ export class UsersRaw extends BaseRaw {
 		return this.find(query, options);
 	}
 
+	findLDAPUsersExceptIds(userIds, options = {}) {
+		const query = {
+			ldap: true,
+			_id: {
+				$nin: userIds,
+			},
+		};
+
+		return this.find(query, options);
+	}
+
 	findConnectedLDAPUsers(options) {
 		const query = {
 			'ldap': true,

packages/i18n/src/locales/en.i18n.json

@@ -2989,6 +2989,8 @@
   "LDAP_Background_Sync_Avatars": "Avatar Background Sync",
   "LDAP_Background_Sync_Avatars_Description": "Enable a separate background process to sync user avatars.",
   "LDAP_Background_Sync_Avatars_Interval": "Avatar Background Sync Interval",
+  "LDAP_Background_Sync_Disable_Missing_Users": "Automatically disable users that are no longer found on LDAP",
+  "LDAP_Background_Sync_Disable_Missing_Users_Description": "This option will deactivate users on Rocket.Chat when their data is not found on LDAP. Any rooms owned by those users will be automatically assigned to new owners, or removed if no other user has access to them.",
   "LDAP_Background_Sync_Import_New_Users": "Background Sync Import New Users",
   "LDAP_Background_Sync_Import_New_Users_Description": "Will import all users (based on your filter criteria) that exists in LDAP and does not exists in Rocket.Chat",
   "LDAP_Background_Sync_Interval": "Background Sync Interval",

packages/model-typings/src/models/IUsersModel.ts

@@ -77,6 +77,8 @@ export interface IUsersModel extends IBaseModel<IUser> {
 
 	findLDAPUsers<T = IUser>(options?: any): FindCursor<T>;
 
+	findLDAPUsersExceptIds<T = IUser>(userIds: IUser['_id'][], options?: FindOptions<IUser>): FindCursor<T>;
+
 	findConnectedLDAPUsers<T = IUser>(options?: any): FindCursor<T>;
 
 	isUserInRole(userId: IUser['_id'], roleId: IRole['_id']): Promise<boolean>;