Authentication and Identity Management FAQ


For an overview of identity and authentication features across plans, see authentication across plans.

What identity management features are exclusive to the Premium plan?

The Premium plan includes advanced identity management features not available in Community workspaces, such as:

  • Extended user attribute sync

  • Group and team management

  • Background sync

Basic features like LDAP connection (for syncing usernames and unique identifiers) are also available in Community workspaces.

What is LDAP and how is it used in Rocket.Chat?

LDAP (Lightweight Directory Access Protocol) is a protocol used to access and manage directory services.

In Rocket.Chat, LDAP is commonly used to:

  • Authenticate users against an external directory

  • Sync user information (such as usernames and attributes)

For detailed information, see the LDAP user guide.

What is Active Directory and how does it relate to LDAP?

Active Directory is Microsoft's directory service, used to manage users, devices, and access within an organization.

It exposes an LDAP interface for directory access, so Rocket.Chat can connect to it in the same way as any other LDAP server. Active Directory also speaks other protocols (notably Kerberos for authentication), but the Rocket.Chat integration talks to it over LDAP.

What is OAuth login?

OAuth is an authorization standard; the sign-in flows built on it (OpenID Connect and the provider-specific login APIs of Google, Facebook, GitHub, and others) let users sign in with an external provider without giving Rocket.Chat their password. Rocket.Chat receives a token from the provider and uses it to fetch the user's profile; the password never leaves the provider.

In Rocket.Chat, OAuth enables social or third-party login options.

What is SAML and when should I use it?

SAML (Security Assertion Markup Language) is a standard used for single sign-on (SSO).

It allows users to log in once through an identity provider (such as Okta or Azure AD) and access Rocket.Chat without entering credentials again.

SAML is commonly used in enterprise environments.

For more details about authentication options across Rocket.Chat plans, see the User Authentication and Identity Management user guide.

Why is identity management important in Rocket.Chat?

Identity management helps you control user access automatically as your organization grows.

With identity management:

  • New users can be created automatically when they join your organization

  • Access is removed promptly when users leave

  • User data stays synchronized with your identity provider

This reduces manual work, prevents access issues, and improves security.

How does single sign-on (SSO) work in Rocket.Chat?

Single sign-on (SSO) allows users to log in once through a central identity provider and access Rocket.Chat without managing separate credentials.

In Rocket.Chat, SSO enables authentication through providers such as LDAP, SAML, or OAuth.

SSO is different from social login (such as Google or LinkedIn). With social login, users authenticate with a consumer service rather than with an identity provider your organization controls, so the organization cannot centrally provision, deprovision, or apply policy to those identities.

Why is my LDAP, SAML, or custom OAuth integration not working?

Rocket.Chat is updating its identity management features, including LDAP and related integrations. As part of these changes, previously implemented or custom integrations may no longer be compatible.

If you're using a custom or older integration:

  • It may need to be updated to match the latest implementation

  • Some previously supported approaches may no longer work

If you experience issues, contact support or refer to the latest integration documentation for updated guidance.

Can I use identity management features in an air-gapped environment?

Yes. If your Rocket.Chat workspace is deployed in an air-gapped (offline) environment and connected to an internal LDAP server, you can still use identity management features.

Premium identity management features, including the advanced LDAP sync options listed above as well as SAML and custom OAuth, remain available in offline environments.

Does LDAP integration affect security or data privacy in an air-gapped environment?

No. Updates to LDAP integration do not introduce changes that affect security or data privacy.

In air-gapped environments:

  • All authentication and data exchange remain within your internal network

  • No external communication is required for LDAP-based authentication

Your existing security boundaries and data privacy controls remain unchanged. Staying inside the network boundary does not by itself protect the bind credentials and user attributes in transit, so still use LDAPS or StartTLS between Rocket.Chat and the directory, and give the bind account read-only rights limited to the user subtree it needs.

What does the “Bind successful but user was not found via search” error mean?

This error means the user's credentials were accepted (LDAP bind succeeded), but Rocket.Chat could not find the user in the directory during the search step.

This usually happens when:

  • The Find user after login setting is enabled

  • The LDAP search query does not return the expected user

To fix it:

  1. Go to Manage → Workspace → Settings → LDAP → User Search

  2. Either:

    • Disable Find user after login, or

    • Review and correct your LDAP search filter to ensure the user can be found

For more details, see the Microsoft LDAP Search Filter Syntax guide.
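The Python script below is an added example, not Rocket.Chat code. It evaluates a subset of RFC 4515 search filters against a small constructed directory to reproduce the failure above: the bind for joe succeeds, but a User Search filter that names an attribute the entries do not carry (uid on Active Directory style entries) returns nothing. It assumes Active Directory attribute names (sAMAccountName, mail, objectClass) and that `#{username}` is the placeholder Rocket.Chat substitutes the login name into; only equality, presence, substring and the &, |, ! operators are supported.

```python
"""Evaluate LDAP search filters (RFC 4515 subset) against constructed entries
to reproduce the "bind succeeded but search found nothing" failure.

Added example, not Rocket.Chat code. Attribute names and the #{username}
placeholder are assumptions stated in the lead-in."""
import re

# Constructed directory (not real data). The login name lives in
# sAMAccountName; there is no uid attribute, as is typical for Active Directory.
DIRECTORY = {
    "CN=Joe Doe,OU=Staff,DC=example,DC=com": {
        "objectClass": ["top", "person", "user"],
        "sAMAccountName": ["joe"],
        "mail": ["joe@example.com"],
    },
    "CN=Ann Lee,OU=Staff,DC=example,DC=com": {
        "objectClass": ["top", "person", "user"],
        "sAMAccountName": ["ann"],
        "mail": ["ann@example.com"],
    },
}


def escape_value(value: str) -> str:
    """RFC 4515 escaping for a value spliced into a filter, so a login name
    such as '*' or 'x)(uid=*' cannot rewrite the filter (LDAP filter injection)."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)


def parse_filter(text: str):
    """Parse into ('&'|'|'|'!', [children]) or ('=', attr, value).
    Supports equality, presence (attr=*), substrings and the three operators."""
    pos = 0

    def expect(ch: str) -> None:
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise ValueError(f"expected {ch!r} at offset {pos} in {text!r}")
        pos += 1

    def node():
        nonlocal pos
        expect("(")
        if pos < len(text) and text[pos] in "&|!":
            op = text[pos]
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(node())
            expect(")")
            if op == "!" and len(children) != 1:
                raise ValueError("'!' takes exactly one operand")
            return (op, children)
        end = text.index(")", pos)  # a literal ')' inside a value is escaped as \29
        attr, value = text[pos:end].split("=", 1)
        pos = end + 1
        return ("=", attr, value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return tree


def _unescape(piece: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), piece)


def matches(tree, entry: dict) -> bool:
    """Evaluate a parsed filter against one entry. Attribute names and values
    compare case-insensitively, like the caseIgnore matching rules most
    directory attributes use."""
    kind = tree[0]
    if kind == "&":
        return all(matches(c, entry) for c in tree[1])
    if kind == "|":
        return any(matches(c, entry) for c in tree[1])
    if kind == "!":
        return not matches(tree[1][0], entry)
    _, attr, pattern = tree
    values = [v for name, vals in entry.items() if name.lower() == attr.lower() for v in vals]
    if pattern == "*":  # presence test
        return bool(values)
    # Unescaped '*' are wildcards; everything else is literal once unescaped.
    regex = "^" + ".*".join(re.escape(_unescape(p)) for p in pattern.split("*")) + "$"
    return any(re.match(regex, v, re.IGNORECASE) for v in values)


def search(filter_template: str, username: str, directory=DIRECTORY) -> list:
    """Substitute the login name into the #{username} placeholder and return the
    DNs the filter matches. An empty result is the post-login search behind
    "Bind successful but user was not found via search"."""
    tree = parse_filter(filter_template.replace("#{username}", escape_value(username)))
    return [dn for dn, entry in directory.items() if matches(tree, entry)]


if __name__ == "__main__":
    # joe's bind succeeded, but the filter names an attribute these entries lack.
    print(search("(uid=#{username})", "joe"))
    # The same filter corrected for this directory.
    print(search("(&(objectClass=user)(sAMAccountName=#{username}))", "joe"))
    # Escaping keeps a hostile login name from becoming a wildcard.
    print(search("(sAMAccountName=#{username})", "*"))
```

Run it with a copy of your own User Search filter in place of the sample filters: if the first call returns an empty list for a login name that binds successfully, the filter (not the credentials) is what needs fixing. The escaping step is also the reason a login name containing `*` or `)` must never be spliced into a filter as-is.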

How can I prevent disabled LDAP users from logging into Rocket.Chat?

Enable the Sync User Active State setting to automatically block users marked as disabled in your LDAP directory.

Steps:

  1. Go to Manage → Workspace → Settings → LDAP

  2. In Advanced Sync, set Sync User Active State to Disable Users

When enabled, Rocket.Chat will automatically deactivate users whose LDAP status is marked as disabled.

This feature requires a Premium plan and depends on your LDAP server exposing a disabled state that Rocket.Chat can read; on Active Directory the disabled state is the ACCOUNTDISABLE bit (0x2) of the userAccountControl attribute.

Why does LDAP login fail even when my configuration is correct?

One possible cause is a username conflict between LDAP and local users. If a local user already exists with the same username as an LDAP user, authentication may fail without a clear error.

Example:

If a local user named joe already exists, and an LDAP user also tries to log in as joe, the login may silently fail—even if the LDAP credentials are correct.

To fix it:

  • Ensure LDAP usernames do not match existing local usernames

  • Rename or remove conflicting local users, or adjust your LDAP username mapping

Tip: Use unique usernames for LDAP users to avoid conflicts with local accounts.

Why are LDAP users not created during sync?

LDAP users will not be created if they do not have an email address.

Rocket.Chat requires every user account to include an email address. If this field is missing in your LDAP directory, user creation will fail during synchronization.

To fix it:

  • Ensure your LDAP directory provides an email address for all users, or

  • Configure a fallback domain using the Default Domain setting in LDAP data sync settings
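The following script is an added example, not Rocket.Chat code, that audits a set of LDAP entries before a sync for the three conditions described in the preceding answers: a login name already owned by a non-LDAP local account (the silent login failure), a missing mail attribute (user creation fails, or is rescued by the Default Domain fallback), and an account disabled in the directory (what Sync User Active State is meant to deactivate). The entries and the local user list are constructed; the attribute names are assumptions, since Rocket.Chat's are settings, and the Default Domain fallback is assumed to produce username@domain. The disabled check uses Active Directory's ACCOUNTDISABLE bit in userAccountControl.

```python
"""Pre-sync audit of LDAP entries against an existing Rocket.Chat user list.

Added example, not Rocket.Chat code. Flags the three conditions the FAQ
describes: a login name already owned by a non-LDAP local account, a missing
mail attribute, and an account disabled in the directory. Entries and local
users are constructed; attribute names are assumptions (Rocket.Chat's are
settings), and the Default Domain fallback is assumed to form username@domain."""
from dataclasses import dataclass, field

ACCOUNTDISABLE = 0x0002  # Active Directory userAccountControl flag for a disabled account

# Constructed Rocket.Chat accounts: username -> True if the account is LDAP-backed.
LOCAL_USERS = {"joe": False, "ann": True, "admin": False}

# Constructed LDAP entries. 512 = NORMAL_ACCOUNT, 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE.
LDAP_ENTRIES = [
    {"dn": "CN=Joe Doe,OU=Staff,DC=example,DC=com", "sAMAccountName": ["joe"],
     "mail": ["joe@example.com"], "userAccountControl": ["512"]},
    {"dn": "CN=Ann Lee,OU=Staff,DC=example,DC=com", "sAMAccountName": ["ann"],
     "mail": ["ann@example.com"], "userAccountControl": ["514"]},
    {"dn": "CN=Backup Service,OU=Service,DC=example,DC=com", "sAMAccountName": ["svc-backup"],
     "userAccountControl": ["512"]},
]


@dataclass
class AuditReport:
    username_conflicts: list = field(default_factory=list)  # names owned by non-LDAP local accounts
    missing_email: list = field(default_factory=list)       # (username, fallback email or None)
    disabled: list = field(default_factory=list)            # disabled in the directory


def audit(entries, local_users, username_attr="sAMAccountName", email_attr="mail",
          default_domain=None) -> AuditReport:
    """Walk the entries once and collect everything that would break or be
    blocked at sync time. Attribute names default to Active Directory's."""
    report = AuditReport()
    for entry in entries:
        username = entry[username_attr][0]
        # Login silently fails when a non-LDAP local account already owns the name.
        if username in local_users and not local_users[username]:
            report.username_conflicts.append(username)
        # Without an email, creation fails unless Default Domain supplies one
        # (assumed here to be username@domain).
        if not entry.get(email_attr):
            fallback = f"{username}@{default_domain}" if default_domain else None
            report.missing_email.append((username, fallback))
        # Disabled as Active Directory reports it: the ACCOUNTDISABLE bit. Assumed
        # to be the state Sync User Active State acts on for AD directories.
        uac = int(entry.get("userAccountControl", ["0"])[0])
        if uac & ACCOUNTDISABLE:
            report.disabled.append(username)
    return report


if __name__ == "__main__":
    r = audit(LDAP_ENTRIES, LOCAL_USERS, default_domain="example.com")
    print("username conflicts:", r.username_conflicts)
    print("missing email:", r.missing_email)
    print("disabled:", r.disabled)
```

Feed it an LDIF export converted to the same dictionary shape and the list of existing workspace usernames, and resolve every reported conflict (rename the local account or change the username mapping) before enabling sync; a conflict found this way costs minutes, while one found by a user who cannot log in produces no useful error.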