LDAP Premium Settings


Available on Rocket.Chat premium plans, LDAP Premium Settings provide advanced controls for user synchronization, account lifecycle management, and attribute handling within your LDAP integration.

Background Sync

Configure automated synchronization between Rocket.Chat and your LDAP directory.

Background Sync: Enables or disables automatic background synchronization between Rocket.Chat and the LDAP directory.

Background Sync Interval: Defines how often synchronization runs, in Cron Text format (for example, 0 */6 * * * for every six hours or 0 0 * * * for once every 24 hours).

Background Sync Import New Users: Imports users that exist in LDAP but not in Rocket.Chat, based on your configured LDAP filters.

Background Sync Update Existing Users: Updates attributes (such as avatar, fields, or username) for users already imported from LDAP.

Background Sync Merge Existing Users: Merges accounts that exist in both LDAP and Rocket.Chat. Requires the Merge Existing Users option in the Data Sync tab to be enabled.

Automatically Disable Users Not Found in LDAP: Deactivates Rocket.Chat users whose LDAP entry no longer exists. Disabled users appear under Administration → Workspace → Users with the status Disabled. Room ownership is reassigned or removed when applicable.

Avatar Background Sync: Enables a separate synchronization process for updating user avatars.

Avatar Background Sync Interval: Defines how often avatar synchronization runs, in Cron Text format.


Sync ABAC Attributes

The Sync ABAC Attributes settings control how Rocket.Chat synchronizes LDAP user attributes used for Attribute-Based Access Control (ABAC).

These settings are available on Premium plans.

ABAC Attributes Background Sync: Enables a separate background process that synchronizes user ABAC attributes from LDAP. When enabled, Rocket.Chat periodically updates the mapped ABAC attributes for users.

ABAC Attributes Background Sync Interval: Defines how often ABAC attribute synchronization runs, in Cron Text format (for example, 0 0 * * *).

ABAC Attribute Mapping: Defines how LDAP user attributes map to Rocket.Chat ABAC attributes. The value must be a JSON object in which each key is an LDAP attribute name and each value is the ABAC attribute name stored in Rocket.Chat.

ABAC attribute mapping format

The mapping must be a JSON object.

Example:

{
  "department": "dept",
  "region": "region"
}

See the Configure ABAC user guide for more information.


Sync Teams

The Sync Teams settings allow you to map and synchronize LDAP teams with Rocket.Chat teams.

Enable team mapping from LDAP to Rocket.Chat: Enables team mapping between LDAP and Rocket.Chat. When enabled, team assignments are synchronized based on the configured mapping and LDAP query.

Team mapping from LDAP to Rocket.Chat: Defines the mapping between LDAP teams and Rocket.Chat teams. The value must be a JSON object that maps LDAP identifiers to Rocket.Chat team names.

Validate mapping for each login: Determines whether a user's team memberships are re-evaluated at every login. If disabled, team assignments are applied only at the user's first login, so later changes in LDAP are not picked up at subsequent logins.

LDAP Teams BaseDN: Specifies the LDAP BaseDN used to look up user teams.

LDAP Team Name Attribute: Specifies the LDAP attribute Rocket.Chat uses to load the team's name. Multiple attributes can be provided by separating them with commas (for example, ou,cn).

LDAP query to get user groups: Defines the LDAP query used to identify which groups a user belongs to (for example, (&(ou=*)(uniqueMember=#{userdn}))).

Team mapping from LDAP to Rocket.Chat format

The Team mapping from LDAP to Rocket.Chat field must contain a JSON object.

Example:

{
  "ldap-team-1": "RocketChatTeamA",
  "ldap-team-2": "RocketChatTeamB"
}
  • Each key represents an LDAP team identifier.

  • Each value represents the corresponding Rocket.Chat team name.

Only mappings defined in this object are synchronized.


Auto Logout Deactivated Users

Configure automatic logout for users who have been deactivated.

Enable Auto Logout: When enabled, Rocket.Chat automatically logs out users who have been deactivated.

Auto Logout Interval: Defines how often Rocket.Chat checks for deactivated users and logs them out, in Cron Text format.

Auto Logout interval format

The Auto Logout Interval field uses standard cron syntax.

Example:

*/5 * * * *

This configuration logs out deactivated users every five minutes.

Adjust the schedule to your operational and security requirements. The interval is the upper bound on how long a deactivated user's existing session remains usable, so a longer interval means a longer exposure window.
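Every interval setting on this page (Background Sync Interval, Avatar Background Sync Interval, ABAC Attributes Background Sync Interval and Auto Logout Interval) takes the same five-field Cron Text. The following is an added example written for this page, not Rocket.Chat's scheduler: it validates an expression, computes when it next fires, and reports the longest gap between runs, which for Auto Logout is the longest a deactivated user's session can outlive the deactivation. Function names are the example's own, and it applies one simplification noted in the code (day-of-month and day-of-week must both match).

```python
"""Evaluate five-field Cron Text as used by the interval settings on this page.
Added example, not Rocket.Chat's scheduler; see the simplification in _matches."""
from __future__ import annotations

from datetime import datetime, timedelta

# Field order and allowed ranges: minute, hour, day-of-month, month, day-of-week
FIELD_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 6)]


def _expand(field: str, lo: int, hi: int) -> set[int]:
    """Expand one field ('*', '*/6', '1,15', '9-17', '9-17/2') into the set of values it matches."""
    values: set[int] = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
            if step < 1:
                raise ValueError(f"invalid step in field {field!r}")
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = end = int(part)
        if not (lo <= start <= end <= hi):
            raise ValueError(f"field {field!r} outside {lo}-{hi}")
        values.update(range(start, end + 1, step))
    return values


def parse_cron(expr: str) -> list[set[int]]:
    """Validate a Cron Text value; raises ValueError on anything that is not five valid fields."""
    fields = expr.split()
    if len(fields) != 5:
        raise ValueError("Cron Text must have exactly five fields")
    return [_expand(f, lo, hi) for f, (lo, hi) in zip(fields, FIELD_RANGES)]


def _matches(parsed: list[set[int]], when: datetime) -> bool:
    minute, hour, dom, mon, dow = parsed
    cron_dow = (when.weekday() + 1) % 7  # cron: Sunday=0; Python weekday(): Monday=0
    # Simplification: day-of-month and day-of-week must both match. Vixie cron ORs
    # them when both are restricted; the page's examples use '*' for both.
    return (when.minute in minute and when.hour in hour and when.day in dom
            and when.month in mon and cron_dow in dow)


def _next(parsed: list[set[int]], after: datetime) -> datetime:
    """First whole minute strictly after `after` at which the expression fires."""
    t = after.replace(second=0, microsecond=0) + timedelta(minutes=1)
    for _ in range(366 * 24 * 60):  # scan at most a year of minutes
        if _matches(parsed, t):
            return t
        t += timedelta(minutes=1)
    raise ValueError("expression never fires within a year")


def cron_matches(expr: str, when_iso: str) -> bool:
    """Does the expression fire at the given ISO 8601 minute?"""
    return _matches(parse_cron(expr), datetime.fromisoformat(when_iso))


def next_run(expr: str, after_iso: str) -> str:
    """ISO 8601 timestamp of the next firing strictly after `after_iso`."""
    return _next(parse_cron(expr), datetime.fromisoformat(after_iso)).isoformat(timespec="minutes")


def worst_case_delay_minutes(expr: str, start_iso: str, horizon_days: int = 7) -> int:
    """Longest gap in minutes between consecutive runs within the horizon. For the
    Auto Logout Interval this is the maximum time a deactivated session survives."""
    parsed = parse_cron(expr)
    start = datetime.fromisoformat(start_iso)
    end = start + timedelta(days=horizon_days)
    prev = _next(parsed, start)
    worst = 0
    while True:
        cur = _next(parsed, prev)
        if cur >= end:
            return worst
        worst = max(worst, int((cur - prev).total_seconds()) // 60)
        prev = cur


if __name__ == "__main__":
    for expr in ("*/5 * * * *", "0 */6 * * *", "0 0 * * *"):
        print(expr, "next:", next_run(expr, "2024-01-01T10:03"),
              "worst gap (min):", worst_case_delay_minutes(expr, "2024-01-01T00:00"))
```

Run it against a candidate Auto Logout Interval before saving the setting: the worst-gap figure is the number to compare against how long you are willing to let a deactivated account keep an active session.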


Sync Custom Fields

Configure Rocket.Chat to synchronize custom fields from your LDAP directory.

Sync Custom Fields: Enables synchronization of custom fields from LDAP to Rocket.Chat. When enabled, Rocket.Chat processes the configured mapping and updates user custom fields accordingly.

Custom Fields Mapping: Defines how LDAP attributes map to Rocket.Chat custom fields. The value must be a JSON object that specifies the relationship between LDAP attributes and Rocket.Chat custom field names.

Custom Fields mapping format

The Custom Fields Mapping field must contain a JSON object.

Example:

{
  "departmentNumber": "department",
  "employeeType": "roleType",
  "extensionAttribute1": "region"
}
  • Each key represents an LDAP attribute.

  • Each value represents the corresponding Rocket.Chat custom field name.

Only the attributes defined in this JSON object are considered in the mapping.


Advanced Sync

Configure advanced LDAP synchronization settings to manage user states and query attributes.

Sync User Active State

Controls whether users should be enabled or disabled in Rocket.Chat based on their LDAP status.

Do nothing: No changes are applied.

Disable Users: Disables users not found during sync.

Enable Users: Re-enables users detected in LDAP background sync.

Enable and Disable Users: Enables and disables users according to LDAP user status.

The pwdAccountLockedTime attribute is used to determine whether a user is disabled.

  • This attribute is supported on OpenLDAP, where the ppolicy overlay maintains it. It is an operational attribute, so the directory only returns it when asked for: include it, or +, in Attributes to Query, otherwise the check cannot see locked accounts.

  • On Windows Server AD, the userAccountControl attribute (its ACCOUNTDISABLE bit) is used instead.

To verify user status, navigate to: Administration > Workspace > Users
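As an added example for this page (not Rocket.Chat's own code), the following reads the two attributes named above and maps the result to the action each Sync User Active State option would take, changing nothing when the state cannot be determined. The entry shape (attribute name to list of string values), the directory-type parameter, the function names and the sample entries are assumptions and constructed data for the example.

```python
"""Decide 'disabled or not' from the attributes the page names and map that to the
Sync User Active State options. Added example, not Rocket.Chat code."""
from __future__ import annotations

from typing import Iterable, Mapping, Optional

# Active Directory userAccountControl bit meaning ACCOUNTDISABLE.
UF_ACCOUNTDISABLE = 0x0002

# OpenLDAP ppolicy stores this sentinel when an administrator permanently locks an account.
PPOLICY_PERMANENT_LOCK = "000001010000Z"

# Option names as they appear in the Sync User Active State drop-down.
DO_NOTHING = "Do nothing"
DISABLE_USERS = "Disable Users"
ENABLE_USERS = "Enable Users"
ENABLE_AND_DISABLE = "Enable and Disable Users"


def ldap_account_disabled(entry: Mapping[str, Iterable[str]], directory: str) -> Optional[bool]:
    """True if the directory reports the account disabled, False if enabled,
    None if the state cannot be determined. `directory` is 'ad' or 'openldap'
    (an assumption of this example: the caller knows which server it queried)."""
    attrs = {name.lower(): list(values) for name, values in entry.items()}
    if directory == "ad":
        values = attrs.get("useraccountcontrol", [])
        try:
            return bool(int(values[0]) & UF_ACCOUNTDISABLE)
        except (IndexError, ValueError):
            return None  # attribute missing or malformed: state unknown
    if directory == "openldap":
        # Any value means locked: the permanent sentinel, or the timestamp at which a
        # lockout began (ppolicy does not clear an expired timestamp by itself, so a
        # deployment using pwdLockoutDuration should also compare it with the clock).
        # Absence means unlocked, but only if operational attributes were requested
        # ('+' in Attributes to Query); otherwise every account looks enabled.
        return len(attrs.get("pwdaccountlockedtime", [])) > 0
    raise ValueError(f"unknown directory type {directory!r}")


def sync_action(option: str, disabled: Optional[bool]) -> Optional[str]:
    """'disable', 'enable' or None for one user under the given option.
    An unknown state (None) changes nothing: fail closed rather than re-enable."""
    if disabled is None or option == DO_NOTHING:
        return None
    if disabled and option in (DISABLE_USERS, ENABLE_AND_DISABLE):
        return "disable"
    if not disabled and option in (ENABLE_USERS, ENABLE_AND_DISABLE):
        return "enable"
    return None


def plan_active_state(entries: Mapping[str, Mapping[str, Iterable[str]]],
                      directory: str, option: str) -> dict[str, str]:
    """Map each username to the action the option implies; users with no action are omitted."""
    plan: dict[str, str] = {}
    for username, entry in entries.items():
        action = sync_action(option, ldap_account_disabled(entry, directory))
        if action:
            plan[username] = action
    return plan


# Constructed sample entries for the example; not real directory data.
SAMPLE_AD = {
    "alice": {"userAccountControl": ["512"]},  # NORMAL_ACCOUNT
    "bob": {"userAccountControl": ["514"]},    # NORMAL_ACCOUNT | ACCOUNTDISABLE
    "carol": {"cn": ["carol"]},                # attribute not returned: state unknown
}
SAMPLE_OPENLDAP = {
    "dave": {"pwdAccountLockedTime": [PPOLICY_PERMANENT_LOCK]},
    "erin": {"pwdAccountLockedTime": ["20240101120000Z"]},
    "frank": {},                               # no lock attribute: enabled
}

if __name__ == "__main__":
    print(plan_active_state(SAMPLE_AD, "ad", ENABLE_AND_DISABLE))
    print(plan_active_state(SAMPLE_OPENLDAP, "openldap", ENABLE_AND_DISABLE))
```

The point of the None path is the OpenLDAP comment in reverse: if the lock attribute is simply never returned, a naive check reads every account as enabled, and Enable Users would silently re-enable accounts the directory meant to keep locked.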

Attributes to Query

Defines which attributes should be returned in LDAP queries. Separate multiple attributes with commas.

  • * = All regular attributes

  • + = All operational attributes

Make sure to include every attribute required for Rocket.Chat sync options.


Sync Channels

Configure how your LDAP groups map to Rocket.Chat channels.

Auto Sync LDAP Groups to Channels: Automatically adds users to channels based on their LDAP group. If you also want to remove users from a channel, see Auto Remove Users from Channels.

Channel Admin: When a channel in the map does not yet exist, it is created during sync and this user becomes its admin.

LDAP Group BaseDN: The BaseDN used for group lookups.

Group membership validation strategy: Determines how users' memberships in LDAP groups are validated.

User Group Filter: The LDAP search filter used to check whether a user is in a group.

LDAP Group Channel Map: Maps LDAP groups to Rocket.Chat channels in JSON format.

Auto Remove Users from Channels: Removes users from channels when they are no longer in the corresponding LDAP group.

Group membership validation strategy

Apply filter for each group

  • Applies the LDAP user group filter for each group (key) defined in the LDAP Group Channel Map.

  • Slower, since it performs a separate check per group.

  • Useful when using the #{groupName} replacement tag in the User Group Filter.

Apply filter once to get all memberships

  • Applies the LDAP user group filter once per user.

  • A user is considered a member of all groups returned by the LDAP search.

  • Faster option.

  • Do not use the #{groupName} replacement tag with this strategy.

Switching to Apply filter once to get all memberships may not work with your current LDAP search filter. If you use this option, update the User Group Filter so it retrieves all groups in a single query.

User Group Filter

The LDAP search filter used to check if a user is part of a group.

Supported placeholders

  • #{username} → The user’s Rocket.Chat username

  • #{groupName} → The group’s name in LDAP

  • #{userdn} → The user’s LDAP DN

Example:

(&(cn=#{groupName})(memberUid=#{username}))

LDAP Group Channel Map

Map LDAP groups to Rocket.Chat channels using JSON format.

Example:

{
  "employee": "general",
  "techsupport": [
    "helpdesk",
    "support"
  ]
}
  • "employee": "general" → Adds users in the LDAP group employee to the general channel.

  • A group can map to a single channel or to multiple channels using an array.

Auto Remove Users from Channels

When enabled, users are removed from channels if they are no longer members of the corresponding LDAP group.


Sync Roles

You can sync user roles from your LDAP groups to your Rocket.Chat workspace.

Sync LDAP Groups: Enable this setting to activate role mapping from LDAP groups.

Auto Remove User Roles: Automatically removes roles from users if they are not assigned in LDAP. This only removes roles that are defined in the User Data Group Map.

LDAP Group BaseDN: The LDAP BaseDN used to look up groups.

Group membership validation strategy: Determines how users' memberships in LDAP groups are validated.

User Group Filter: The LDAP search filter used to check whether a user is in a group.

User Data Group Map: Maps LDAP groups to Rocket.Chat user roles in JSON format.

Group membership validation strategy

Apply filter for each group

  • Applies the User Group Filter for each group (key) defined in the User Data Group Map.

  • Slower, since it performs a separate check per group.

  • Useful when using the #{groupName} replacement tag in the User Group Filter.

Apply filter once to get all memberships

  • Applies the User Group Filter once per user.

  • A user is considered a member of all groups returned by the LDAP search.

  • Faster option.

  • Do not use the #{groupName} replacement tag with this strategy.

Switching to Apply filter once to get all memberships may not work with the currently configured LDAP search filter. If you use this option, update the User Group Filter so that it retrieves all of a user's groups in a single query, without the #{groupName} replacement tag.

User Group Filter

Defines the LDAP search filter used to check if a user belongs to a group.

If the search returns results, the user is considered a group member.

Supported placeholders

  • #{username} → Replaced with the Rocket.Chat username

  • #{groupName} → Replaced with the LDAP group name

  • #{userdn} → Replaced with the LDAP Distinguished Name (DN) of the user

Example:

(&(cn=#{groupName})(memberUid=#{username}))
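The User Group Filter in both the Sync Channels and Sync Roles sections, and the LDAP query to get user groups in Sync Teams, are templates into which user-controlled values are substituted, so the placeholders must be escaped as LDAP filter values before the search runs. The following is an added example for this page, not Rocket.Chat's own code (the page does not state how the product escapes these placeholders): it renders a template with RFC 4515 escaping and checks the template against the chosen membership validation strategy. The function names, the strategy constants and the sample values are assumptions of the example.

```python
"""Render a User Group Filter template with RFC 4515-escaped placeholder values and
sanity-check it against the membership validation strategy. Added example, not
Rocket.Chat code."""
from __future__ import annotations

import re

PLACEHOLDER = re.compile(r"#\{(username|groupName|userdn)\}")

# Strategy names as shown on the page.
ONCE = "Apply filter once to get all memberships"
EACH = "Apply filter for each group"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for an assertion value inside a search filter.
    '*', '(', ')', '\\' and NUL must be written as backslash plus two hex digits;
    non-ASCII bytes of the UTF-8 form are escaped the same way for safety."""
    out = []
    for byte in value.encode("utf-8"):
        if byte in b"*()\\\x00" or byte >= 0x80:
            out.append(f"\\{byte:02x}")
        else:
            out.append(chr(byte))
    return "".join(out)


def render_filter(template: str, *, username: str, group_name: str = "", userdn: str = "") -> str:
    """Substitute the placeholders; no raw value ever reaches the filter unescaped.
    A DN passed as #{userdn} is escaped as a filter value too, so a DN containing
    '(' or '\\' cannot break out of the assertion."""
    values = {"username": username, "groupName": group_name, "userdn": userdn}
    return PLACEHOLDER.sub(lambda m: escape_filter_value(values[m.group(1)]), template)


def check_filter_for_strategy(template: str, strategy: str) -> list[str]:
    """Problems with the template under the given strategy (empty list means fine)."""
    names = set(PLACEHOLDER.findall(template))
    problems: list[str] = []
    if strategy == ONCE and "groupName" in names:
        problems.append("#{groupName} has no value when the filter runs once per user")
    if strategy == EACH and "groupName" not in names:
        problems.append("filter ignores #{groupName}, so every group check returns the same result")
    if not names & {"username", "userdn"}:
        problems.append("filter does not reference the user, so membership is not user-specific")
    return problems


if __name__ == "__main__":
    template = "(&(cn=#{groupName})(memberUid=#{username}))"
    print(render_filter(template, username="alice", group_name="admins"))
    # A username crafted to widen the search is neutralised by the escaping.
    print(render_filter(template, username="*)(uid=*", group_name="admins"))
    print(check_filter_for_strategy(template, ONCE))
```

The second render shows why escaping matters: without it, a username of `*)(uid=*` would turn the membership check into a search that matches far more than one user.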

User Data Group Map

Maps LDAP groups to Rocket.Chat roles in JSON format.

Example:

{
  "rocket-admin": "admin",
  "tech-support": "support",
  "manager": ["leader", "moderator"]
}

In this example:

  • The rocket-admin LDAP group maps to the admin role.

  • The tech-support LDAP group maps to the support role.

  • The manager LDAP group maps to the leader and moderator roles.
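The LDAP Group Channel Map and the User Data Group Map have the same shape (a group name to one target or an array of targets) and the same removal rule: Auto Remove only ever takes away channels or roles that the map mentions. As an added example for this page, not Rocket.Chat's own code, the following parses such a map and computes, for one user, what to add and what to remove under that rule; it uses the page's two example maps as input, and the function names are the example's own.

```python
"""Apply an LDAP Group Channel Map or User Data Group Map to one user, honouring the
rule that Auto Remove never touches targets outside the map. Added example, not
Rocket.Chat code."""
from __future__ import annotations

import json
from typing import Iterable, Mapping, Union


def normalize_group_map(raw: Union[str, Mapping]) -> dict[str, list[str]]:
    """Parse the JSON map; each value may be one name or an array of names."""
    data = json.loads(raw) if isinstance(raw, str) else dict(raw)
    if not isinstance(data, dict):
        raise ValueError("map must be a JSON object")
    out: dict[str, list[str]] = {}
    for group, targets in data.items():
        if isinstance(targets, str):
            targets = [targets]
        if not isinstance(targets, list) or not all(isinstance(t, str) and t for t in targets):
            raise ValueError(f"{group!r}: value must be a string or an array of strings")
        out[group] = targets
    return out


def plan_sync(current: Iterable[str], ldap_groups: Iterable[str],
              group_map: Mapping[str, list[str]], auto_remove: bool) -> dict[str, set[str]]:
    """Return {'add', 'remove', 'result'} for one user.

    `managed` is everything the map can grant. Only managed targets are ever
    removed, so the built-in 'user' role, or a channel someone joined by hand,
    survives a sync even with Auto Remove enabled."""
    have = set(current)
    managed = {t for targets in group_map.values() for t in targets}
    wanted = {t for g in ldap_groups for t in group_map.get(g, [])}
    add = wanted - have
    remove = (have & managed) - wanted if auto_remove else set()
    return {"add": add, "remove": remove, "result": (have | add) - remove}


# The page's own example maps, parsed once.
ROLE_MAP = normalize_group_map(
    '{"rocket-admin": "admin", "tech-support": "support", "manager": ["leader", "moderator"]}')
CHANNEL_MAP = normalize_group_map(
    '{"employee": "general", "techsupport": ["helpdesk", "support"]}')

if __name__ == "__main__":
    # A user who was once an admin but now only appears in the tech-support group.
    print(plan_sync({"user", "admin", "moderator"}, ["tech-support"], ROLE_MAP, auto_remove=True))
    print(plan_sync({"user", "admin", "moderator"}, ["tech-support"], ROLE_MAP, auto_remove=False))
    # Channel sync leaves a manually joined 'random' channel alone.
    print(plan_sync({"general", "random"}, ["employee", "techsupport"], CHANNEL_MAP, auto_remove=True))
```

The first two calls are the operational difference between leaving Auto Remove User Roles off and on: off, the stale admin role stays after the user leaves the rocket-admin group; on, it is removed at the next sync while the unmapped user role is left in place.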