Rocket.chat: Room/Channel/Group Membership based on LDAP group membership

Created on 4 Apr 2016 · 34 Comments · Source: RocketChat/Rocket.Chat

Your Rocket.Chat version: 0.24.0

Hi

I would like the ability to assign membership to a Room/Channel/Group via a group in a LDAP directory. This way we can set the membership once and not update it every time someone new comes on board.

I think this would be particularly useful for Private Groups, where we have people come and go within the organization.

Thanks

Planned Auth - LDAP

All 34 comments

Is there any new info about this? This feature is extremely important for us...

_bump_ We also are highly interested in this feature

This would be awesome! +1

+1

+1

+1

+1

+1

+1

+1

+1

+1

Hi all, can you please share with us your use cases so we can start planning how to best design this feature? @mrsimpson @JSzaszvari do you have some use for this feature too?

@TheReal1604 do you also use LDAP on your deployment?

Yes, since yesterday. @engelgabriel

We have a rather big callcenter. When there is new staff or staff gets sent to new teams (which happens quite often) all the permissions are given via LDAP groups. We also have chat groups for every team. Adding / removing staff from the groups would mean much work if we need to do this with every staff member manually...

Yes, it’s a bit manual at the moment. We resolve this with a content / user administrator for the important channels.

XWiki has a decent implementation for this via their plugin called LDAP Authenticator.
An XWiki group (or a rocket chat room in this case) can have an LDAP query associated with it, or simply an AD OU or a Group membership.
When a user logs in, all of these conditions are checked, and groups are allocated. I think the entire AD is also re-checked for all the existing users every user-defined amount of hours, in case there’s been any changes.
For us, we would like to map departments with approx 100 users each to an announcement room (mapped using OUs), as well as small project groups to open rooms for approx 12 users (mapped using group memberships).
It would also be nice to associate permission groups to allow domain admins (group memberships) to automatically get admin privileges.


We use Rocket.Chat at our school. Every class needs a room. It would be wonderful if we could fill the room automatically from our LDAP groups (every student belongs to an LDAP group for his class). If a student has to change class, it would be nice if he would change room automatically. That's our use case.

@engelgabriel we’re not using LDAP in RC at all, since the maintenance of groups via the ldap UI is way more complicated. Thus, I cannot provide more ideas or practices here. Still, I believe this was a useful feature for many


We would also like to use it for schools. Every class has a room, plus every school has a room. It should support multiple schools in one instance.

Same here. We would really love to use it for our multiple LDAP instances for school districts. In our use case we have an OU in the LDAP per school and would like to have a room for it. Furthermore, we do have groups like all teachers per school or class groups, and it would be very handy to have rooms for them as well. Best

+1

+1

+1

+1

I think the following approach would make sense:

  • Expose per-channel admin UI options which allow defining the requirements for the LDAP-based channel membership

    • LDAP Group:

    • simple mode: allows to define the group DN (leaves figuring out the required search filter to RocketChat internally)

    • advanced mode: allows to define a custom search filter

    • Mandatory Join: true/false - either forces all users of the defined AD group to join the channel or otherwise allows them to join the channel if they want to

    • Open Membership: (available when Mandatory Join is true): true/false: allows further users besides just those matched by the LDAP filter to join the channel, to realize setups where the group is used to enforce a mandatory channel membership, but should also allow further users to join this channel on their own

Regarding the LDAP search filter, there are a few things which should be taken into account:

In case the LDAP is a Microsoft AD, an ExtensibleMatch filter using a forward-lookup memberOf:1.2.840.113556.1.4.1941:=(CN=group-foo,ou=department,dc=company,dc=tld)-style filter should be used which is far more performant in case it is supported.

In case of an LDAP setup not providing those capabilities, a traditional (&(objectClass=posixGroup)(memberUid=%s)) has to be used which doesn't resolve nested groups - this would require additional effort (which would be fantastic to have :smile: ).

Regarding the "LDAP Type" it could be either configured globally or alternatively determined during runtime by attempting an ExtensibleMatch lookup first and fall back to a regular filter in case of failure.
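An added example, not code from the thread or from Rocket.Chat, showing the two filter styles described in this comment with RFC 4515 escaping of the user-supplied name, plus the client-side nested-group resolution that the flat posixGroup filter lacks. The attribute names (sAMAccountName, memberUid), the sample group snapshot and the depth bound are assumptions.

```python
from collections import deque

# Matching-rule OID quoted in the comment above (AD's LDAP_MATCHING_RULE_IN_CHAIN).
IN_CHAIN_OID = "1.2.840.113556.1.4.1941"

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping. Without it a username such as '*)(uid=*' would
    rewrite the filter and match every entry (LDAP injection)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_membership_filter(ldap_type: str, group_dn: str, username: str) -> str:
    """Filter answering 'is username a member of group_dn?'.
    'ad': transitive memberOf match, nested groups resolved server-side; the DN
    is a plain assertion value, not wrapped in parentheses.
    'posix': flat memberUid match on the group entry, no nesting."""
    user = escape_filter_value(username)
    if ldap_type == "ad":
        return "(&(sAMAccountName=%s)(memberOf:%s:=%s))" % (
            user, IN_CHAIN_OID, escape_filter_value(group_dn))
    if ldap_type == "posix":
        return "(&(objectClass=posixGroup)(memberUid=%s))" % user
    raise ValueError("unknown ldap_type: %r" % ldap_type)

def resolve_nested_members(groups: dict, group: str, max_depth: int = 10) -> set:
    """Client-side flattening for directories whose filter cannot nest.
    `groups` maps group name -> memberUid list (a constructed search snapshot);
    a memberUid naming another group counts as a nested group. The visited set
    and depth bound stop a cyclic or malformed tree from hanging the sync."""
    members, seen = set(), {group}
    queue = deque([(group, 0)])
    while queue:
        name, depth = queue.popleft()
        for uid in groups.get(name, ()):
            if uid not in groups:
                members.add(uid)
            elif uid not in seen and depth < max_depth:
                seen.add(uid)
                queue.append((uid, depth + 1))
    return members

# Constructed sample snapshot with a nested group and a membership cycle.
SAMPLE_GROUPS = {"eng": ["alice", "eng-backend"],
                 "eng-backend": ["bob", "eng"],
                 "sales": ["carol"]}

if __name__ == "__main__":
    print(build_membership_filter("ad", "CN=group-foo,OU=department,DC=company,DC=tld", "alice"))
    print(build_membership_filter("posix", "", "*)(uid=*"))
    print(sorted(resolve_nested_members(SAMPLE_GROUPS, "eng")))  # ['alice', 'bob']
```

A sync job would run the returned filter against the directory and feed the resulting memberUid lists into resolve_nested_members before reconciling room membership.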

I'm in the edu environment, too. Due to the yearly class changes, this feature is a must-have for us, too.
-> +1
:)

Thanks

We need this feature, too. But it would be much better if we could use Atlassian Crowd, which shades our OpenLDAP.

And - as I'm just in "demanding mode" :grinning:
Please think of the leaver-changer-mover issues in general!

If anyone is desperate for this feature and not running in any kind of production environment, I threw together a quick-and-dirty Python script to sync LDAP users to channels/rooms using the REST API:
https://github.com/nemhods/rc-ldap-sync

So typically at my business employees are given AD Security groups that dictate their access to some system or file share. Typically a user is a member of corp-SG-Engineering or corp-SG-Sales.
In some cases I'll make custom security groups for an app like corp-SG-RocketChat-Allowed or corp-SG-RocketChat-Engineering, corp-SG-RocketChat-Announce, corp-SG-RocketChat-Office, corp-SG-RocketChat-Shop.

I'm likely to nest the Rocket Chat groups into an employee's department security group.

I'd like to force members of specific security groups to specific rooms. I also don't specifically want users to be able to join any of these department level rooms. I however wouldn't mind some free join of other rooms for sub groups like Marketing-Sales....

Is there any news about this feature? It would be really useful for our company.
