LDAP User Search

Prev Next

After configuring your LDAP connection, the next step is to set up user search. This allows Rocket.Chat to find the users and groups from your directory that are permitted access.

Go to LDAP > User Search and configure the following options:

Find user after login

When enabled, Rocket.Chat searches the user’s DN after binding to confirm that the bind was successful. This prevents logins with empty passwords if allowed by the Active Directory configuration.

Search filter

Define the scope and context for LDAP searches:

  • Base DN: The Distinguished Name (DN) of the LDAP subtree to search for users and groups. Example: ou=Users+ou=Projects,dc=Example,dc=com.You can add multiple groups, but they must be in the same domain base. We recommend setting the top level of your LDAP directory tree as your domain base and then using a filter to control access.

    If you specify restricted groups, only users in those groups will be able to log in.

  • Filter: Defines which users are allowed to log in. If no filter is applied, all users within the defined domain base can sign in.

    • Active Directory example:

      memberOf=cn=ROCKET_CHAT,ou=General Groups

    • OpenLDAP example (extensible match):

      ou:dn:=ROCKET_CHAT

  • Scope: Specifies the portion of the subtree to search. Example: sub.

  • Search Field: The LDAP attribute used to identify users during authentication.

    • Common options: sAMAccountName (for most Active Directory installations), uid (OpenLDAP), or mail for email-based login.

    • You can use multiple values, separated by commas, to allow login by different identifiers (e.g., username or email).

  • Search Page Size: The maximum number of entries returned per page.

  • Search Size Limit: The maximum total number of entries to return. This value must be larger than the Search Page Size.

Group filter

Use group filters to restrict user access based on groups defined in your LDAP directory. This is especially useful for OpenLDAP servers that do not support the memberOf filter.

  • Enable LDAP User Group Filter: Turn on to limit access to users in specific LDAP groups.

  • Group ObjectClass: The objectClass that identifies groups. Example: groupOfUniqueNames.

  • Group ID Attribute: The LDAP attribute used as the group identifier. Example: cn.

  • Group Member Attribute: The attribute that defines group membership. Example: uniqueMember.

  • Group Member Format: The format used to match group members. Example: uid=#{username},ou=users,o=Company,c=com.

  • Group Name: The specific LDAP group that users must belong to in order to access Rocket.Chat.

After configuring these fields, click Save changes, then run Test LDAP Search to validate your group filter setup.

With the LDAP User Search and Group Filter configured, Rocket.Chat can now accurately locate and authenticate users from your LDAP directory. Next, proceed to configure LDAP Data Sync and user mapping.