Update LDAP Settings page to make it clearer for users - Also mask BIND Password from view and logs. #737

Closed
Megatronic79 opened this issue Sep 8, 2015 · 9 comments

Comments

@Megatronic79

We should update the Settings page to capture this information to make it clearer for users:

LDAP Settings Page:

BaseDN: (Root of the domain)
Bind UserDN: (User with search permissions on LDAP \ AD)
Bind UserPW: (Users password)
LDAP port: (LDAP Port - if not set default to 389)
Ldap URL: (ldap://ldapservername)
Ldap Group Filter: (LDAP query in the form (&(objectCategory=person)(objectclass=user)(memberOf=CN=ROCKET_GROUP,CN=Groups,DC=domain,DC=com)))
Logon Attribute: (Example mail or sAMAccountName)
Ldap Enable: (True false)

Then the LDAP filter is passed in the background as

{"filter": "Ldap Group Filter" (Logon Attribute=#{username})), "scope": "sub", "userDN": "Bind UserDN", "password": "Bind UserPW"}


@mottersen

This would be great. Last time I checked, the LDAP settings only allowed for anonymous binds, is that still true? Also, are logins only allowed with LDAP accounts once LDAP is enabled? If you mess up your LDAP config, how do you recover?

@rodrigok (Member)

rodrigok commented Sep 8, 2015

@mottersen you can log in via the browser's console:
Meteor.loginWithPassword({username: 'username'}, 'password')

@Megatronic79 (Author)

This is not an anonymous bind any more; it uses a proxy user account, grabs the user's DN and then authenticates with the UI user. Tested on a couple of AD LDAP servers and group filters.

@mottersen

Thanks for the info guys, didn't mean to hijack. I like the suggestions @Megatronic79

@mottersen

I'm still looking for the area where I can input my bind id information. I can't add my LDAP until I find some variation of these fields.

Bind UserDN: (User with search permissions on LDAP \ AD)
Bind UserPW: (Users password)
Are these available in any of the current public releases, or just planned for a future version?

@Megatronic79 (Author)

Assumptions:
You want to log on a user using the sAMAccountName in the domain.com AD site that also belongs to a group called ROCKET_ACCESS that resides in CN=Users,DC=domain,DC=com.

So

Domain = domain.com
Group = CN=ROCKET_ACCESS,CN=Users,DC=domain,DC=com
Proxy User = [email protected]
Proxy User password = urpass

For now (until we add more input fields to LDAP) set it like this: (This is based on the above assumptions, replace with your environment)

LDAP_Enable = True
LDAP_Dn = dc=domain,dc=com
LDAP_Url = ldap://ldapserver
LDAP_Port = 389
LDAP_Bind_Search =
{"filter": "(&(objectCategory=person)(objectclass=user)(memberOf=CN=ROCKET_ACCESS,CN=Users,DC=domain,DC=com)(sAMAccountName=#{username}))", "scope": "sub", "userDN": "[email protected]", "password": "urpass"}
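An added example, not Rocket.Chat code and not from the comment above, that handles the LDAP_Bind_Search value shown there the way the issue title asks for: it parses the JSON, checks that the filter's parentheses balance (the kind of typo that otherwise only surfaces as a failed login) and that the #{username} placeholder is present, and produces a copy with the bind password masked that is safe to show in the settings page or write to a log. The field names filter, scope, userDN and password are the ones used in the thread; the sample setting is constructed from the comment above, and the proxy user and its password are hypothetical.

```javascript
// Added example (not Rocket.Chat code): validate the LDAP_Bind_Search JSON
// setting and derive a log-safe copy with the bind password masked.
// Field names (filter, scope, userDN, password) follow the thread.

const MASK = '********';

// Returns true if every '(' in an LDAP filter has a matching ')'.
// In an RFC 4515 filter a literal paren inside a value is written as
// \28 or \29, so any raw paren is structural and must balance.
function filterParensBalanced(filter) {
  let depth = 0;
  for (const ch of filter) {
    if (ch === '(') {
      depth += 1;
    } else if (ch === ')') {
      depth -= 1;
      if (depth < 0) return false; // a ')' with no open '('
    }
  }
  return depth === 0;
}

// Parses the setting and validates the fields the login code relies on.
// Throws on malformed input so a mistake is caught at configuration time
// rather than at the first user's login attempt.
function parseBindSearch(settingValue) {
  const cfg = JSON.parse(settingValue);
  for (const key of ['filter', 'scope', 'userDN', 'password']) {
    if (typeof cfg[key] !== 'string') {
      throw new Error(`LDAP_Bind_Search: missing or non-string "${key}"`);
    }
  }
  if (!['base', 'one', 'sub'].includes(cfg.scope)) {
    throw new Error(`LDAP_Bind_Search: invalid scope "${cfg.scope}"`);
  }
  if (!filterParensBalanced(cfg.filter)) {
    throw new Error('LDAP_Bind_Search: unbalanced parentheses in filter');
  }
  if (!cfg.filter.includes('#{username}')) {
    throw new Error('LDAP_Bind_Search: filter has no #{username} placeholder');
  }
  return cfg;
}

// Copy of the config that is safe to render in the settings UI or to log.
// The real password stays only in the object handed to the LDAP bind.
function redactBindSearch(cfg) {
  return { ...cfg, password: cfg.password ? MASK : '' };
}

// Constructed sample matching the comment above (proxy user is hypothetical).
const SAMPLE_SETTING = JSON.stringify({
  filter: '(&(objectCategory=person)(objectclass=user)(memberOf=CN=ROCKET_ACCESS,CN=Users,DC=domain,DC=com)(sAMAccountName=#{username}))',
  scope: 'sub',
  userDN: 'CN=rocket chat,CN=Users,DC=domain,DC=com',
  password: 'urpass',
});

const parsed = parseBindSearch(SAMPLE_SETTING);
// Only the redacted form is ever printed.
console.log(JSON.stringify(redactBindSearch(parsed)));
```

Keep the parsed object with the real password in memory only for the bind call and pass the redacted copy to anything that renders or logs settings; the validation runs once when the setting is saved.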

@mottersen

Thanks @Megatronic79. After a little fiddling around, those instructions worked for me. This should be clear due to the context, but in the case of [email protected]: domain.com would be the FQDN for your domain. For some people their FQDN is different from their email domain, e.g. corp.domain.com. I'm also used to defining the bind ID with its DN, not the user principal name (user@FQDN), but perhaps that's because I use AD, not LDAP.

I have two other minor requests related to LDAP.

  1. I have users who commonly use their email address to log in to services, so it would be nice if users could use either their sAMAccountName or mail attribute when logging in. I believe this can be done a few different ways, so I'll let you guys decide how, or if you would like to do this.
  2. It would be nice if more attributes could be pulled and populated from LDAP. Being able to search or invite with a user's Display Name in addition to their sAMAccountName would be great.

I hope those requests are more or less clear, and thanks again.

@Megatronic79 (Author)

Glad you got it working.

In the case of [email protected] (which is the userPrincipalName, which is also fine in AD on Windows), but if it's easier it can be substituted with the DN of said proxy user:

In this example:
CN=rocket chat,CN=Users,DC=domain,DC=com

Making the filter

{"filter": "(&(objectCategory=person)(objectclass=user)(memberOf=CN=ROCKET_USER,CN=Users,DC=domain,DC=com)(sAMAccountName=#{username}))", "scope": "sub", "userDN": "CN=rocket chat,CN=Users,DC=domain,DC=com", "password": "urpass"}

with Question 1:

If you want to use a different attribute to login then you can edit the filter again:

such that

username = sAMAccountName
Email Address = mail (or userPrincipalName if your AD domain is the same as your SMTP namespace)

Example (To logon with mail attribute = email)

{"filter": "(&(objectCategory=person)(objectclass=user)(memberOf=CN=ROCKET_USER,CN=Users,DC=domain,DC=com)(mail=#{username}))", "scope": "sub", "userDN": "CN=rocket chat,CN=Users,DC=domain,DC=com", "password": "urpass"}

With Question 2

Agree it would be nice to populate the user's profile based on AD and to be able to search on any criteria.

I'll amend the Wiki with the DN instead of userPrincipalName to make it easier and add the comment for logon attribute.

@Megatronic79 (Author)

@mottersen

Reread your question 1 - if you want it to either sign in with email or username then use the filter example like this

{"filter": "(&(objectCategory=person)(objectclass=user)(memberOf=CN=ROCKET_ACCESS,CN=Users,DC=domain,DC=com)(|(mail=#{username})(sAMAccountName=#{username})))", "scope": "sub", "userDN": "CN=rocket chat,CN=Users,DC=domain,DC=com", "password": "urpass"}

This is saying check to see if user is in ROCKET_ACCESS Group and UI logon = mail or sAMAccountName.

That should sort you out for now.
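An added example, not Rocket.Chat code and not from any comment in this thread, for the filter construction described in the first comment (group filter plus a logon attribute clause, with #{username} filled in at login) and for the mail-or-sAMAccountName form in the comment just above. The point it adds is the substitution itself: the typed login name is escaped per RFC 4515 before it is placed into the filter, so a name containing *, (, ) or \ is matched literally instead of altering the filter's structure. It accepts either one logon attribute or a list, which generalises the two filters shown on the page. The settings object, its field names and all values are this example's own assumptions; the filter is rendered as an AND wrapper around the configured group filter, which is equivalent to, though not textually identical with, the hand-written filters above.

```javascript
// Added example (not Rocket.Chat code): build the bind-search filter from the
// proposed settings fields and substitute the username with RFC 4515 escaping.

// RFC 4515 section 3: characters that are special inside a filter assertion
// value are written as a backslash followed by two hex digits.
function escapeFilterValue(value) {
  return value.replace(/[\\*()\0]/g, (ch) => {
    const hex = ch.charCodeAt(0).toString(16).padStart(2, '0');
    return '\\' + hex;
  });
}

// The form used throughout the thread: a template holding "#{username}".
// Every occurrence is replaced with the escaped login name, so the
// "(|(mail=#{username})(sAMAccountName=#{username}))" filter works unchanged.
function renderFilter(template, username) {
  return template.split('#{username}').join(escapeFilterValue(username));
}

// Composes the filter from separate settings fields instead of one template.
// groupFilter is a complete filter such as "(&(objectCategory=person)(memberOf=...))".
// logonAttributes is a single attribute name or an array of them; several
// attributes become an OR clause, as in the comment above.
function buildLoginFilter(groupFilter, logonAttributes, username) {
  const attrs = Array.isArray(logonAttributes) ? logonAttributes : [logonAttributes];
  const safe = escapeFilterValue(username);
  const clauses = attrs.map((attr) => `(${attr}=${safe})`);
  const logon = clauses.length === 1 ? clauses[0] : `(|${clauses.join('')})`;
  return `(&${groupFilter}${logon})`;
}

// Produces the object the thread shows being handed to the LDAP layer.
function buildBindSearch(settings, username) {
  return {
    filter: buildLoginFilter(settings.groupFilter, settings.logonAttribute, username),
    scope: 'sub',
    userDN: settings.bindUserDN,
    password: settings.bindUserPW,
  };
}

// Constructed settings following the thread's example; all values hypothetical.
const SETTINGS = {
  baseDN: 'dc=domain,dc=com',
  url: 'ldap://ldapserver',
  port: 389,
  bindUserDN: 'CN=rocket chat,CN=Users,DC=domain,DC=com',
  bindUserPW: 'urpass',
  groupFilter: '(&(objectCategory=person)(objectclass=user)(memberOf=CN=ROCKET_ACCESS,CN=Users,DC=domain,DC=com))',
  logonAttribute: ['mail', 'sAMAccountName'],
};

// Ordinary login name, and one containing filter metacharacters that the
// escaping turns into a literal (non-matching) value.
console.log(buildBindSearch(SETTINGS, 'jdoe').filter);
console.log(buildBindSearch(SETTINGS, '*)(objectclass=*').filter);
```

The bind password is carried in the returned object only because that is the shape the thread describes; anything that logs or displays that object should mask the password field first.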
