LDAP Premium Settings


This section covers LDAP Premium Settings, available exclusively to workspaces subscribed to Rocket.Chat’s premium plans. These settings provide advanced options for syncing and managing user data, groups, channels, and roles, offering greater flexibility and control over your LDAP integration.

Background Sync

Configure periodic background synchronization between your Rocket.Chat workspace and the LDAP directory:

  • Background Sync: Enable or disable automatic background synchronization.

  • Background Sync Interval: Define how often synchronization should run, using Cron Text format. For example:

    • 0 */6 * * * → every six hours

    • 0 0 * * * → once every 24 hours

  • Background Sync Import New Users: Import all users (based on your filter criteria) that exist in LDAP but not in Rocket.Chat.

  • Background Sync Update Existing Users: Sync existing users already imported from LDAP, updating attributes such as avatar, fields, or username based on your configuration at each interval.

  • Background Sync Merge Existing Users: Merge accounts for users that exist in both LDAP and Rocket.Chat. Requires the Merge Existing Users option in the Data Sync tab to be enabled.

  • Automatically Disable Users Not Found in LDAP: Deactivate users in Rocket.Chat if their LDAP entry is missing. Rooms owned by these users are reassigned to new owners or removed if no other users are assigned. Disabled users appear under Administration > Workspace > Users with the status Disabled.

  • Avatar Background Sync: Enable a separate synchronization process to update user avatars.

  • Avatar Background Sync Interval: Define how often avatar synchronization occurs, using Cron Text format.

Sync Teams

The Sync Teams settings allow you to map and synchronize LDAP teams with Rocket.Chat.

  • Enable team mapping from LDAP to Rocket.Chat: Toggle this option to activate team mapping between LDAP and Rocket.Chat.

  • Team mapping from LDAP to Rocket.Chat: Define mappings between LDAP teams and Rocket.Chat teams.

  • Validate mapping for each login: Choose whether user teams should be updated on every login. If disabled, team assignments are only loaded during the user’s first login.

  • LDAP Teams BaseDN: The BaseDN under which Rocket.Chat searches the directory for a user’s teams.

  • LDAP Team Name Attribute: Specify the LDAP attribute(s) used to load the team’s name. You can provide multiple attributes by separating them with commas (e.g., ou,cn).

  • LDAP query to get user groups: The LDAP query used to identify which groups a user belongs to (e.g., (&(ou=*)(uniqueMember=#{userdn}))).

Auto Logout Deactivated Users

Configure automatic logout for deactivated users with the following options:

  • Enable Auto Logout: Turn on to automatically log out users who have been deactivated.

  • Auto Logout Interval: Define the interval for checking and logging out deactivated users. The interval uses the Cron Text format.
    Example: */5 * * * * logs out deactivated users every five minutes.

Sync Custom Fields

Configure Rocket.Chat to synchronize custom fields from your LDAP directory.

  • Sync Custom Fields: Enable to activate custom field synchronization.

  • Custom Fields Mapping: Define how LDAP attributes map to custom fields in Rocket.Chat. Use JSON mapping to specify field relationships.

Advanced Sync

Configure advanced LDAP synchronization settings to manage user states and query attributes.

  • Sync User Active State: Controls whether users should be enabled or disabled in Rocket.Chat based on their LDAP status. Options include:

    • Do nothing: No changes are applied.

    • Disable Users: Disables users not found during sync.

    • Enable Users: Re-enables users detected in LDAP background sync.

    • Enable and Disable Users: Both enables and disables users according to LDAP user status.

    The pwdAccountLockedTime attribute is used to check whether a user is disabled. This attribute is supported on OpenLDAP, but not on Windows Server AD. For Windows Server AD, the userAccountControl attribute is used instead.

    To verify user status, navigate to Administration > Workspace > Users.

  • Attributes to Query: Defines which attributes should be returned in LDAP queries. Use commas to separate multiple attributes.

    • * = All regular attributes.

    • + = All operational attributes.

    Ensure that every attribute required for the Rocket.Chat sync options you use is included.
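The checks described above (account state read from pwdAccountLockedTime on OpenLDAP or userAccountControl on Windows Server AD, the four Sync User Active State options, and whether Attributes to Query returns the attribute those checks depend on), as an added JavaScript example that is not Rocket.Chat's own code. The ACCOUNTDISABLE bit value and the literal, comma-separated reading of the Attributes to Query setting are assumptions about how the stored values are interpreted; the entries are constructed stand-ins for LDAP search results.

```javascript
// Added example, not Rocket.Chat code: derive the Rocket.Chat active state from an LDAP
// entry using the attributes the page names, and check that "Attributes to Query" would
// actually return the attribute that check depends on. Entries are plain objects
// (attribute name -> value), a constructed stand-in for an LDAP search result.
const ACCOUNTDISABLE = 0x2; // userAccountControl bit set on a disabled AD account (assumed)

// True when the LDAP entry describes a disabled (AD) or locked (OpenLDAP) account.
function isLdapAccountDisabled(entry) {
  if (entry.userAccountControl !== undefined) {
    // Windows Server AD: userAccountControl is an integer flag set; test the disable bit.
    return (parseInt(entry.userAccountControl, 10) & ACCOUNTDISABLE) !== 0;
  }
  // OpenLDAP (ppolicy): pwdAccountLockedTime is present only while the account is locked.
  return entry.pwdAccountLockedTime !== undefined;
}

// Apply the "Sync User Active State" option to a Rocket.Chat user ({ active: boolean }).
// Returns the new `active` value, or null when the chosen option leaves the user untouched.
function syncActiveState(option, user, entry) {
  const shouldBeActive = !isLdapAccountDisabled(entry);
  switch (option) {
    case 'Do nothing':
      return null;
    case 'Disable Users': // only ever deactivates
      return user.active && !shouldBeActive ? false : null;
    case 'Enable Users': // only ever re-activates
      return !user.active && shouldBeActive ? true : null;
    case 'Enable and Disable Users':
      return user.active === shouldBeActive ? null : shouldBeActive;
    default:
      throw new Error(`unknown Sync User Active State option: ${option}`);
  }
}

// Would the "Attributes to Query" setting return `attr`? Per the page, "*" covers regular
// attributes and "+" covers operational ones; explicit names are matched case-insensitively.
// pwdAccountLockedTime is operational, so a setting of just "*" silently omits it.
function attributesToQueryCovers(setting, attr, operational) {
  const wanted = setting.split(',').map((a) => a.trim().toLowerCase());
  return wanted.includes(attr.toLowerCase()) || wanted.includes(operational ? '+' : '*');
}
```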

Sync Channels

Configure how your LDAP groups map to Rocket.Chat channels:

  • Auto Sync LDAP Groups to Channels: Automatically add users to channels based on their LDAP group.

  • Channel Admin: The user who becomes channel admin when a channel is auto-created during sync.

  • LDAP Group BaseDN: The BaseDN used for group lookups.

  • Group Membership Validation Strategy: Defines how group memberships are validated. Options:

    • Apply filter for each group: Runs the User Group Filter once for every group (key) defined in the LDAP Group Channel Map field.

      • Slower, since it performs a separate check per group.

      • Useful when you need to use the #{groupName} replacement tag in the User Group Filter, for example, when using the memberOf field in Active Directory to define membership. The following screenshot shows an example of this option:

    • Apply filter once to get all memberships: Runs the User Group Filter only once per user.

      • Faster, since a single query returns all the user’s group memberships.

      • Best used when you are not using the #{groupName} replacement tag in the User Group Filter (for example, when filtering by the member field in groups). The following screenshot shows an example of this option:

    Switching to the faster Apply filter once to get all memberships option may not work with your current LDAP search filter. If you use this option, update the User Group Filter field so it can retrieve all groups in a single query. Do not use the #{groupName} replacement tag, since it is not supported by this strategy.

  • User Group Filter: The LDAP search filter used to check if a user is part of a group. Placeholders supported:

    • #{username} → The user’s Rocket.Chat username.

    • #{groupName} → The group’s name in LDAP.

    • #{userdn} → The user’s LDAP DN.

  • LDAP Group Channel Map: Map LDAP groups to Rocket.Chat channels using JSON format. Example:

    {
        "employee": "general"
    }

  • Auto Remove Users from Channels: Remove users from channels if they are no longer in the corresponding LDAP group. Happens at every login and during background sync.

Sync Roles

You can sync the user roles from your LDAP groups to your Rocket.Chat workspace.

  • Sync LDAP Groups: Enable this setting to activate role mapping from user groups on your workspace.

  • Auto Remove User Roles: Enable this setting to automatically remove roles from LDAP users that don’t belong to the corresponding group. This option only removes roles that are explicitly set under the User Data Group Map.

  • LDAP Group BaseDN: The LDAP BaseDN used to look up user groups.

  • Group membership validation strategy: Choose how user memberships to LDAP groups should be validated.

    • Apply filter for each group: Applies the User Group Filter for each group (key) defined in the User Data Group Map field. This method is slower but useful if you need to use the #{groupName} replacement tag to define membership in the User Group Filter (for example, when using the memberOf field in Active Directory).

    • Apply filter once to get all memberships: Applies the User Group Filter once per user. A user is considered a member of all groups returned by the LDAP search. This faster option can be applied if you are not using the #{groupName} replacement tag in the User Group Filter (such as when filtering by the member field in groups).

      Switching to the faster Apply filter once to get all memberships strategy may not work with the currently configured LDAP search filter. If you use this option, update the User Group Filter to retrieve all groups in a single query.

      Do not use the #{groupName} replacement tag, since it is not supported by this strategy.

  • User Group Filter: Defines the LDAP search filter used to check if a user belongs to a group. If the search returns results, the user is considered a group member. During evaluation, the following replacement strings can be used:

    • #{username} → Replaced with the Rocket.Chat username.

    • #{groupName} → Replaced with the LDAP group name.

    • #{userdn} → Replaced with the LDAP Distinguished Name (DN) of the user.

  • User Data Group Map: Maps LDAP groups to Rocket.Chat roles in JSON format. Example:

    {
        "rocket-admin": "admin",
        "tech-support": "support",
        "manager": ["leader", "moderator"]
    }

In this example:

  • The rocket-admin LDAP group maps to the admin role in Rocket.Chat.

  • The tech-support LDAP group maps to the support role.

  • The manager LDAP group maps to two roles: leader and moderator.
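The two Group Membership Validation Strategies and the placeholder substitution described under both Sync Channels and Sync Roles, followed by role resolution from the User Data Group Map with Auto Remove User Roles, as an added JavaScript example that is not Rocket.Chat's own code. The directory entries, the user DNs and the tiny filter evaluator are constructed for illustration; the real server hands the rendered User Group Filter to the LDAP server instead of evaluating it locally.

```javascript
// Added example, not Rocket.Chat code: a minimal LDAP filter evaluator over a constructed
// in-memory directory, the two Group Membership Validation Strategies, and role resolution
// from the User Data Group Map (userGroups() serves the LDAP Group Channel Map the same way).
const DIRECTORY = [ // constructed sample group entries; keys are lowercase attribute names
  { cn: 'rocket-admin', member: ['uid=alice,ou=people,dc=example,dc=org'] },
  { cn: 'tech-support', member: ['uid=bob,ou=people,dc=example,dc=org'] },
  { cn: 'manager', member: ['uid=alice,ou=people,dc=example,dc=org', 'uid=bob,ou=people,dc=example,dc=org'] },
];
const ROLE_MAP = { 'rocket-admin': 'admin', 'tech-support': 'support', manager: ['leader', 'moderator'] };
// Evaluates (&...), (|...), (!...), (attr=value) and (attr=*) against one entry, case-insensitively.
function matches(filter, entry) {
  const inner = filter.slice(1, -1);
  if ('&|!'.includes(inner[0])) {
    const parts = []; // top-level sub-filters of this &, | or ! node
    for (let i = 1, depth = 0, start = 1; i < inner.length; i++) {
      if (inner[i] === '(' && depth++ === 0) start = i;
      else if (inner[i] === ')' && --depth === 0) parts.push(inner.slice(start, i + 1));
    }
    const r = parts.map((p) => matches(p, entry));
    return inner[0] === '&' ? r.every(Boolean) : inner[0] === '|' ? r.some(Boolean) : !r[0];
  }
  const eq = inner.indexOf('='); // split only at the first '=': DN values contain more of them
  const attr = inner.slice(0, eq).toLowerCase(), value = inner.slice(eq + 1).toLowerCase();
  const values = [].concat(entry[attr] ?? []).map((v) => String(v).toLowerCase());
  return value === '*' ? values.length > 0 : values.includes(value);
}
// Substitute the User Group Filter placeholders; #{groupName} is left intact when not given.
function renderFilter(template, user, groupName = '#{groupName}') {
  return template.replace(/#\{username\}/g, user.username).replace(/#\{userdn\}/g, user.dn)
    .replace(/#\{groupName\}/g, groupName);
}
// Mapped group names (keys of the map) the user belongs to. 'each' runs the filter once per
// key; 'once' runs it a single time and takes the cn of every hit, so #{groupName} is rejected.
function userGroups(strategy, template, groupMap, user, entries = DIRECTORY) {
  const names = Object.keys(groupMap);
  if (strategy === 'each') {
    return names.filter((n) => entries.some((e) => matches(renderFilter(template, user, n), e)));
  }
  if (template.includes('#{groupName}')) throw new Error('#{groupName} is unsupported by "once"');
  const found = entries.filter((e) => matches(renderFilter(template, user), e)).map((e) => e.cn);
  return names.filter((n) => found.includes(n));
}
// Roles to add, and (with Auto Remove User Roles) current roles to drop: only roles the map lists.
function resolveRoles(groupMap, memberOf, currentRoles) {
  const wanted = new Set(memberOf.flatMap((g) => [].concat(groupMap[g] ?? [])));
  const mapped = new Set(Object.values(groupMap).flat());
  return { add: [...wanted].filter((r) => !currentRoles.includes(r)),
           remove: currentRoles.filter((r) => mapped.has(r) && !wanted.has(r)) };
}
```

A role the user holds that no key of the map mentions (a manually granted one, say) is never in the remove list, which is the behaviour the Auto Remove User Roles bullet describes.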

LDAP premium settings in Rocket.Chat deliver powerful options for advanced user data synchronization and role management. They give administrators greater control while ensuring a seamless and consistent user experience in premium workspaces.

With these settings enabled, Rocket.Chat continuously stays in sync with your LDAP directory, applying changes in real time and preserving data integrity across your workspace.

Next, explore configuration examples that demonstrate how to tailor these LDAP settings to your organization’s needs.