LDAP Premium Settings

This document describes LDAP premium settings, which are available exclusively to workspaces subscribed to Rocket.Chat's premium plans. These settings offer advanced capabilities for syncing and managing user data and roles.

Advanced sync

Set the following advanced sync settings:

Sync User Active State: Determine if users should be enabled or disabled on Rocket.Chat based on the LDAP status. The options are as follows:
- Do nothing: No changes are made to the user status.
- Disable Users: Disable users not found on sync.
- Enable Users: Re-enable users found on LDAP background sync.
- Enable and Disable Users: Enable and disable users according to the LDAP user status.
  To verify the user status, search for the user from Administration > Workspace > Users. The status will be displayed accordingly.

The pwdAccountLockedTime attribute will be used to determine if the user is disabled. This setting is not yet compatible with all LDAP Servers, so if you don't use the pwdAccountLockedTime attribute, you may want to disable it completely.
The pwdAccountLockedTime attribute is only available on OpenLDAP but not on Windows Server AD. For Windows Server AD, the userAccountControl attribute will be used to determine if the user is disabled or not.

Attributes to Query: Specify which attributes should be returned on LDAP queries, separating them with commas. Defaults to everything. * represents all regular attributes and + represents all operational attributes. Make sure to include every attribute that is used by every Rocket.Chat sync option.

Auto logout deactivated users

Set the user logout behavior with the following fields:

Enable Auto Logout: Set true to log out users automatically.
Auto Logout Interval: This allows you to set the interval for auto-logout. For example, every five minutes.

Background sync

Configure the background sync behavior:

Background Sync: Enable periodic background sync.
Background Sync interval: Select the interval between synchronizations, using the Cron Text format. For example, once every six hours.
Background Sync Import New Users: Import all users (based on your filter criteria) that exist in LDAP and that do not exist in Rocket.Chat.
Background Sync Update Existing Users: This will sync the avatar, fields, username, etc (based on your configuration) of all users already imported from LDAP on every Sync Interval.
Background Sync Merge Existing Users: Merge all users (based on your filter criteria) that exist in LDAP and also exist in Rocket.Chat. To enable this, activate the Merge Existing Users setting in the Data Sync tab.
Automatically disable users that are no longer found on LDAP: This option will deactivate users on Rocket.Chat when their data is not found on LDAP. Any rooms owned by those users will be automatically assigned to new owners, or removed if no other user has access to them. You can verify this by searching for the user from Administration > Workspace > Users. The status will be displayed as Disabled.
Avatar Background Sync: Enable a separate background process to sync user avatars.
Avatar Background Sync Interval: The interval between avatar sync, using the Cron Text format.

Sync channels

You can sync your LDAP groups with the channels in your workspace using the following fields:

Auto Sync LDAP Groups to Channels: Enable this feature to automatically add users to a channel based on their LDAP group.
Channel Admin: When channels that do not exist during a sync are auto-created, this user automatically becomes the channel admin.
LDAP Group BaseDN: The LDAP group base DN.
Group membership validation strategy: This field determines how users' memberships to LDAP groups should be validated. The options are:
- Apply filter for each group: Select this option to apply the User Group Filter for each group (key) defined in the LDAP Group Channel Map field. This is slower but can be useful if you need to use the #{groupName} replacement tag to define membership in the User Group Filter field (such as when using the memberOf field from the Active Directory to define membership).
  The following screenshot shows an example of this option:
- Apply filter once to get all memberships: Select this option to apply the User Group Filter once for each user. A given user will be considered a member of all groups returned by the LDAP search. This is a faster option that can be applied if you are not using the #{groupName} replacement tag in the User Group Filter filter (for example, when filtering by the member field in groups).
  The following screenshot shows an example of this option:

Switching to the faster Apply filter once to get all memberships search strategy may not work with the currently configured LDAP search filter. When switching to this option, make sure to update the User Group Filter field to get all groups at once in a single query (don’t use the #{groupName} replacement tag since it is not supported by this strategy).

User Group Filter: The LDAP search filter checks if a user is in a group. If the search returns any results, the user is considered to be in the group. When performing the search, the following strings, if present in the filter, will be substituted with data from the user and group whose membership status is being checked:
- #{username} - Replaced with the username of the user in Rocket.Chat.
- #{groupName} - Replaced with the name of the group in LDAP.
- #{userdn} - Replaced with the LDAP DN of the user.
LDAP Group Channel Map: Map LDAP groups to Rocket.Chat channels in JSON format. For example, the following objectives will add any user in the LDAP group employee to the general channel on Rocket.Chat.

{
    "employee": "general"
}

Auto Remove Users from Channels: Enabling this will remove any user in a channel that does not have the corresponding LDAP group. This will happen in every login and background sync, so removing a group on LDAP will not instantly remove access to channels on Rocket.Chat.

Sync custom fields

Sync Custom Fields: Enable to activate custom field sync.
Custom Fields Mapping: Map the custom fields to sync.

Sync roles

You can sync the user roles from your LDAP groups to your workspace.

Sync LDAP Groups: Enable this setting to activate role mapping from user groups on your workspace.
Auto Remove User Roles: Enable this setting to automatically remove roles from LDAP users that don't have the corresponding group. This will only automatically remove roles set under the User Data Group Map.
LDAP Group BaseDN: The LDAP BaseDN determines if users are in a group.
Group membership validation strategy: This field determines how users' memberships to LDAP groups should be validated. The options are:
- Apply filter for each group: Select this option to apply the User Group Filter for each group (key) defined in the LDAP Group Channel Map field. This is slower but can be useful if you need to use the #{groupName} replacement tag to define membership in the User Group Filter field (such as when using the memberOf field from the Active Directory to define membership).
- Apply filter once to get all memberships: Select this option to apply the User Group Filter once for each user. A given user will be considered a member of all groups returned by the LDAP search. This is a faster option that can be applied if you are not using the #{groupName} replacement tag in the User Group Filter filter (for example, when filtering by the member field in groups).

Switching to the faster Apply filter once to get all memberships search strategy may not work with the currently configured LDAP search filter. When switching to this option, make sure to update the User Group Filter field to get all groups at once in a single query (don’t use the #{groupName} replacement tag since it is not supported by this strategy).

User Group Filter: The LDAP search filter checks if a user is in a group. If the search returns any results, the user is considered to be in the group. When performing the search, the following strings, if present in the filter, will be substituted with data from the user and group whose membership status is being checked:
- #{username} - Replaced with the username of the user in Rocket.Chat.
- #{groupName} - Replaced with the name of the group in LDAP.
- #{userdn} - Replaced with the LDAP Distinguished Name of the user.
User Data Group Map: The mapping of LDAP groups to Rocket.Chat roles in JSON format. For example, the following object will map the "rocket-admin" LDAP group to Rocket.Chat's "admin" role and the "tech-support" group to the "support" role. It's also possible to map one group to multiple roles ("manager" group to "leader" and "moderator" roles).

{
	"rocket-admin": "admin",
	"tech-support": "support",
	"manager": ["leader", "moderator"]
}

Sync teams

Here you can map and sync LDAP teams to the workspace.

Enable team mapping from LDAP to Rocket.Chat: Enables team mapping from LDAP to Rocket.Chat.
Team mapping from LDAP to Rocket.Chat: Team mapping from LDAP to Rocket.Chat.
Validate mapping for each login: Determine if users' teams should be updated every time they log in to Rocket.Chat. If this is turned off, the team will be loaded only on their first login.
LDAP Teams BaseDN: The LDAP BaseDN is used to look up user teams.
LDAP Team Name Attribute: The LDAP attribute that Rocket.Chat should be used to load the team's name. You can specify multiple attribute names by separating them with a comma.
LDAP query to get user groups: LDAP query to get the LDAP groups that the user is part of

The LDAP premium settings in Rocket.Chat provide a robust framework for advanced user data synchronization and role management, enhancing the administrative capabilities and user experience in premium workspaces. These settings ensure that Rocket.Chat remains in sync with the LDAP directory, reflecting real-time changes and maintaining data integrity.

Next, take a look at some examples of the LDAP settings that you can configure based on your requirements.