LDAP User Search


After configuring the LDAP connection, go to LDAP → User Search. The settings in this section control how Rocket.Chat locates the users and groups in your directory that are permitted to log in.

Find user after login

When enabled, Rocket.Chat performs an additional search for the user’s Distinguished Name (DN) after a successful bind. This confirms that the bind operation actually authenticated the user rather than merely completing.

This setting helps prevent logins with empty passwords when the Active Directory configuration permits them: a bind with a valid DN and an empty password can be accepted as an unauthenticated (anonymous) bind and still report success, and the follow-up search is what distinguishes that from a real authentication.

Search Filter

Configure how Rocket.Chat searches for users in your LDAP directory.


Base DN

The fully qualified Distinguished Name (DN) of the LDAP subtree to search for users and groups.

Example:

ou=Users+ou=Projects,dc=Example,dc=com

You can add multiple groups, but each must be defined within the same domain base as the users that belong to it. We recommend specifying the top level of your LDAP directory tree as the domain base and then using a filter to control access.

If you specify restricted user groups, only users in those groups will be able to log in.

Filter

Defines which users are allowed to log in. If no filter is specified, all users within the defined domain base can sign in.

Active Directory example:

memberOf=cn=ROCKET_CHAT,ou=General Groups

openLDAP example (extensible match):

ou:dn:=ROCKET_CHAT

Scope

Specifies the portion of the subtree to search.

Valid LDAP scope values:

  • base – Search only the Base DN entry.

  • one – Search one level below the Base DN.

  • sub – Search the entire subtree under the Base DN (most common).

Default: sub

Search Field

The LDAP attribute used to identify the user during authentication.

Common options include:

  • sAMAccountName (most Active Directory installations)

  • uid (OpenLDAP)

  • mail (email-based login)

You can use multiple values separated by commas to allow users to log in using different identifiers (for example, username or email).

Search Page Size

The maximum number of entries returned per page.

Example: 250.

Increasing this value may improve performance in large directories but can increase memory usage.

Search Size Limit

The maximum total number of entries to return.

Example: 1000.

This value must be greater than Search Page Size.

Group Filter

Use group filters to restrict user access based on groups defined in your LDAP directory. This is especially useful for OpenLDAP servers that do not support the memberOf filter.


Enable LDAP User Group Filter

Turn on to limit access to users in specific LDAP groups.

Group ObjectClass

Specifies the LDAP objectClass used to identify group entries.

Common values (depending on directory implementation):

  • groupOfUniqueNames (OpenLDAP default)

  • groupOfNames

  • posixGroup

  • group (Active Directory)

The correct value depends on your LDAP schema.

Group ID Attribute

The LDAP attribute used as the group identifier.

Common values:

  • cn (most common)

  • gid

  • name

This must match how groups are defined in your directory.

Group Member Attribute

Specifies the LDAP attribute that defines group membership.

Common values:

  • member

  • uniqueMember

  • memberUid

The correct value depends on how membership is stored in your LDAP server.

Group Member Format

Defines the format used to match group members.

Example:

uid=#{username},ou=users,o=Company,c=com

The placeholder #{username} is dynamically replaced with the authenticating user’s identifier.

The format must match how user DNs are stored within group membership entries in your directory.

Group Name

The specific LDAP group that users must belong to in order to access Rocket.Chat.

After configuring these fields, click Save changes, then run Test LDAP Search to validate your group filter setup.
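As an added example (not Rocket.Chat's own code), the following Python builds the LDAP filters that the Search Filter and Group Filter settings described above imply: the comma-separated Search Field list, the admin Filter, and the Group Member Format with its #{username} placeholder, escaping the login name per RFC 4515 and RFC 4514 so that a crafted login cannot alter the filter. How the settings are combined (admin Filter ANDed with an OR over the Search Fields; objectClass, Group ID Attribute and Group Member Attribute ANDed together) is an assumption about a typical client, not a statement of Rocket.Chat's internal query.

```python
# RFC 4515: escape a value that is interpolated into a search filter, so a
# login such as "*)(uid=*" cannot widen or restructure the filter.
_FILTER_SPECIAL = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}

def escape_filter_value(value: str) -> str:
    return ''.join(_FILTER_SPECIAL.get(ch, ch) for ch in value)

# RFC 4514: escape a value that is interpolated into a DN, which is what the
# Group Member Format "uid=#{username},..." does with the login name.
def escape_dn_value(value: str) -> str:
    out = []
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=' or (i == 0 and ch in ' #') or (i == len(value) - 1 and ch == ' '):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)

def user_search_filter(login: str, search_field: str, admin_filter: str = '') -> str:
    """Search Filter table: Search Field (comma-separated, matched as an OR)
    combined with the optional admin Filter (AND). Assumed composition."""
    safe = escape_filter_value(login)
    fields = [f.strip() for f in search_field.split(',') if f.strip()]
    by_id = ''.join(f'({f}={safe})' for f in fields)
    if len(fields) > 1:
        by_id = f'(|{by_id})'
    if not admin_filter:
        return by_id
    # The admin filters shown on the page are written without outer parentheses.
    adm = admin_filter if admin_filter.startswith('(') else f'({admin_filter})'
    return f'(&{adm}{by_id})'

def group_member_filter(login, object_class, id_attr, member_attr, member_format, group_name):
    """Group Filter table: is `login` a member of `group_name`? Assumed composition."""
    # The login is placed inside a DN first (RFC 4514), and that DN is then
    # placed inside the filter (RFC 4515), so both escapings apply in turn.
    member_dn = member_format.replace('#{username}', escape_dn_value(login))
    return (f'(&(objectClass={escape_filter_value(object_class)})'
            f'({id_attr}={escape_filter_value(group_name)})'
            f'({member_attr}={escape_filter_value(member_dn)}))')

if __name__ == '__main__':
    print(user_search_filter('alice', 'uid, mail', 'memberOf=cn=ROCKET_CHAT,ou=General Groups'))
    print(user_search_filter('*)(uid=*', 'uid'))  # special characters are neutralised
    print(group_member_filter('alice', 'groupOfUniqueNames', 'cn', 'uniqueMember',
                              'uid=#{username},ou=users,o=Company,c=com', 'ROCKET_CHAT'))
```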