For an overview of the identity management features available across our various plans, please refer to authentication across plans.
What identity management features are exclusive to the Premium plan?
The Premium plan includes advanced identity management features not available in Community workspaces. These exclusive features include:
Extended user attribute sync
Group and team management
Background sync
Basic features like LDAP connection for syncing usernames and unique identifiers are available on Community workspaces as well.
What do LDAP, Active Directory, OAuth, and SAML mean?
These are common protocols and systems used for identity and access management. Here's what they mean:
LDAP (Lightweight Directory Access Protocol)
A protocol used to access and manage directory information services over an IP network. It’s commonly used for user authentication and information lookup.
Active Directory
A shared directory service used to organize and manage users, devices, files, and other network resources. Examples include: Microsoft Active Directory (AD), NetIQ eDirectory, Apache Directory.
OAuth
An open standard for granting websites or apps access to user information from other platforms, without sharing passwords. Examples include: Google, Facebook, LinkedIn, Twitter logins.
SAML (Security Assertion Markup Language)
An open standard for exchanging authentication and authorization data between an identity provider and a service provider. Often used in enterprise single sign-on (SSO) systems.
If you want to learn more about authentication options across Rocket.Chat plans, you can see our User Authentication and Identity Management documentation.
Why is Identity Management crucial?
Identity management ensures that user access is kept up to date automatically. When someone joins your organization, a Rocket.Chat account can be created for them instantly. When they leave, their access is promptly revoked. This becomes especially important as your team grows and manual account handling becomes inefficient and error-prone.
What is the impact of single sign-on (SSO) in Rocket.Chat?
Single Sign-On (SSO) allows users to log in once and gain access to multiple connected systems using the same credentials. In Rocket.Chat, this means users can authenticate through a central identity provider (such as LDAP, SAML, or OAuth) and access Rocket.Chat without managing separate login credentials.
Note: This does not apply to workspaces using social login options (e.g., Google, LinkedIn), where users authenticate directly through those services.
Why am I unable to use the code I contributed to building for LDAP/SAML/custom OAuth?
Rocket.Chat is currently rewriting its LDAP feature in TypeScript to improve performance, stability, and long-term maintainability. As part of this refactor, previously contributed code for LDAP, SAML, or custom OAuth integrations may no longer be compatible.
We appreciate all community contributions, and we are taking care to ensure these improvements do not disrupt your operations. If you experience issues, we encourage you to reach out via the appropriate contribution or support channels.
How is my air-gapped environment impacted?
If your Rocket.Chat workspace is air-gapped but connected to an internal LDAP server, you can still enable advanced identity management features.
To do this, subscribe to one of Rocket.Chat’s premium plans to unlock support for LDAP, SAML, and custom OAuth, even in offline environments.
Does the LDAP change affect the security or data privacy in my air-gapped environment?
No, the LDAP rewrite does not introduce any adverse effects on security or data privacy.
What does the “Bind successful but user was not found via search” error mean?
This error means the user’s credentials were accepted (LDAP bind was successful), but Rocket.Chat couldn’t locate the corresponding user entry afterward through an LDAP search.
This typically happens when the “Find user after login” setting is enabled, and the search query does not return the expected user object. To resolve this:
Go to Administration > Workspace > Settings, scroll to LDAP Settings, and open the User Search tab.
Check the Find user after login toggle and disable it.
How can I prevent disabled LDAP users from logging into Rocket.Chat?
To block disabled LDAP users from logging into Rocket.Chat, enable the Sync User Active State setting:
Go to Administration > Workspace > Settings, scroll to LDAP Settings, and open the Premium tab.
In the Advanced Sync section, under the Sync User Active State dropdown, select Disable Users. If the LDAP attribute indicates a user is disabled, Rocket.Chat will deactivate that user.
Note: This feature requires a Premium plan. Compatibility may vary depending on your LDAP server configuration.
Why can't I log in to Rocket.Chat even though the LDAP setup seems correct?
If you're unable to log in and the last log entry is "Attempt to bind" with no clear error message, it's likely due to a username conflict.
Ensure that the LDAP account username does not match an existing local user on your Rocket.Chat workspace.
For example, if a local user named joe already exists, attempting to log in to Rocket.Chat via LDAP using the same username (joe) will silently fail. In this case, Rocket.Chat won't return an error, and login using either the LDAP or local password will not work.
Tip: Always use unique LDAP usernames to avoid conflicts with local accounts.
Why are users not created even though the LDAP setup seems correct?
Every Rocket.Chat user must have an email address. If LDAP users do not have one, their accounts won’t be created during sync.
To resolve this, either:
Ensure your LDAP directory includes email addresses for all users, or
Set a fallback domain using the Default Domain setting under LDAP data sync settings.