Rocket.chat: remove non existent LDAP users automatically

Created on 26 Feb 2017 · 18 comments · Source: RocketChat/Rocket.Chat

Hi,

If I remove an LDAP/AD user, the user still exists in rocket.chat and is still able to log in if LDAP_Login_Fallback is not set to false (see #4554 and #6144)! Is there a way to keep the user databases in sync or run an automatic cleanup?

Ciao!
Marcus

Planned Auth - LDAP improvement

All 18 comments

This would have to be done with caution - we have some users in Rocket.Chat that were created by Google OAuth and they are not in LDAP.
But it would be nice to have all users that are connected with LDAP accounts disabled (not removed) when they are deleted from LDAP.

Disabled would be good too, yes. I found out that all posts of a removed user are deleted (#6186).

I agree with Danpospisil and Localguru. Automatically disabling an account that has been removed from LDAP would be a huge help. This seems like a big security issue in a business environment.

Actually, there needs to be one more step to consider here. In addition to automatically disabling a user with "ldap:true" that no longer exists in the LDAP database, you also need to disable users that have been locked/disabled in the LDAP database. The LDAP attribute for this is nsAccountLock=true.

The attribute/mechanism for disabling an account depends on the LDAP server implementation. nsAccountLock is used by Oracle Directory Server. For example, Active Directory uses userAccountControl: https://msdn.microsoft.com/en-us/library/ms680832(VS.85).aspx

I totally agree with the previous commenters - this is relevant for our LDAP-based user environment as well.

For us (Active Directory) the flag is called userAccountControl as mentioned by @bbrauns.

Yes. Turns out that with AD userAccountControl = 514 or 66050 indicates a disabled account. So the attribute would need to be configurable, as well as a boolean for what we're searching for-- userAccountControl=(514|66050) or nsAccountLock=true. This should also be coupled with the ability for us to schedule LDAP sync on regular intervals, which from what I can tell, is only done when you click on the "Sync Users" button in the LDAP admin page.

I don't know all LDAP implementations, but with Active Directory and Novell eDirectory a disabled user is unable to execute a successful bind(), so perhaps the crazy bit checking with userAccountControl doesn't need to be done.

@bbrauns When you authenticate with LDAP in RC, your session remains active until you log out or it expires. If the LDAP account is disabled or deleted in the meantime, you can still fire up your client and be active on the server. There is an exposure for administrators that don't want their users having to re-authenticate every day or multiple times a day (something which makes a chat client painful and somewhat ineffective to use). Administrators need a way to be able to close out long sessions and disable RC accounts automatically on users in a more immediate fashion when an LDAP/AD administrator disables the account. If you have a better suggestion, please let us know.

+1

+1

+1 for this. Our organization would like to utilize the directory in Rocket to allow employees to see other employee information (ie: email/title/cell phone). This is only good if the list is kept up to date.

+1. Would be very important for us

I do have a similar problem related to this. When changing the username id of a user I would expect the old user to be deleted and a new one created by rocketchat. However, I only get a ton of errors instead.

I would love to have an option, like:

If user is disabled in LDAP: disable or delete in rocketchat
If user does not appear in LDAP (aka deleted from LDAP): disable or delete in rocketchat

The query for finding out if someone is enabled or still exists could be modified as well.
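The following is an added example, not Rocket.Chat's own code, showing the reconciliation logic the comments above describe: compare the Rocket.Chat user list against an LDAP snapshot, flag LDAP-managed users that were deleted from the directory or are disabled there (Active Directory's userAccountControl ACCOUNTDISABLE bit, which is why 514 and 66050 both mean "disabled", or nsAccountLock=true on 389/Oracle-style servers), and leave non-LDAP users such as Google OAuth accounts untouched. The field names `username`, `ldap` and `uid`, the sample entries, and the "disable or delete" option are assumptions for illustration; applying the resulting plan (setting the account inactive and invalidating its login tokens so long-lived sessions end) is left to the server's admin API.

```javascript
// Added example (not Rocket.Chat code). Reconcile RC users against an LDAP
// snapshot and produce a plan of which accounts to disable or delete.
// All data below is constructed sample data; field names are assumptions.

// Active Directory userAccountControl is a bitmask. ACCOUNTDISABLE is 0x0002.
//   514   = 0x200 (NORMAL_ACCOUNT) | 0x002 (ACCOUNTDISABLE)
//   66050 = 0x10000 (DONT_EXPIRE_PASSWD) | 0x200 | 0x002
// Testing the bit instead of the literal values 514/66050 covers any other
// flag combination (e.g. PASSWD_NOTREQD, SMARTCARD_REQUIRED) as well.
const UF_ACCOUNTDISABLE = 0x0002;

// Returns true when the directory entry is present but disabled/locked.
function isDisabledInDirectory(entry) {
  if (entry.userAccountControl !== undefined) {           // Active Directory
    return (Number(entry.userAccountControl) & UF_ACCOUNTDISABLE) !== 0;
  }
  if (entry.nsAccountLock !== undefined) {                 // 389 DS / Oracle DS
    return String(entry.nsAccountLock).toLowerCase() === 'true';
  }
  return false;                                            // no disable attribute seen
}

// Build the plan. `action` is 'disable' (default) or 'delete', mirroring the
// option requested in the thread. Matching is by login name, case-insensitive,
// because AD sAMAccountName lookups are case-insensitive.
function reconcile(rcUsers, ldapEntries, { action = 'disable' } = {}) {
  const byUid = new Map(ldapEntries.map(e => [e.uid.toLowerCase(), e]));
  const plan = { keep: [], [action]: [], skipped: [] };
  for (const user of rcUsers) {
    if (!user.ldap) {                       // OAuth/local user: never touch
      plan.skipped.push(user.username);
      continue;
    }
    const entry = byUid.get(user.username.toLowerCase());
    if (!entry) {                           // deleted from the directory
      plan[action].push({ user: user.username, reason: 'missing' });
    } else if (isDisabledInDirectory(entry)) {
      plan[action].push({ user: user.username, reason: 'disabled' });
    } else {
      plan.keep.push(user.username);
    }
  }
  return plan;
}

// Constructed sample directory snapshot (assumed `uid` = login attribute).
const SAMPLE_LDAP_ENTRIES = [
  { uid: 'alice', userAccountControl: 512 },    // enabled AD account
  { uid: 'bob',   userAccountControl: 514 },    // disabled AD account
  { uid: 'carol', userAccountControl: 66050 },  // disabled, password never expires
  { uid: 'dave',  nsAccountLock: 'true' },      // locked on a 389/Oracle-style DS
  { uid: 'erin',  nsAccountLock: 'false' },
];

// Constructed sample Rocket.Chat users (assumed `ldap` flag marks LDAP users).
const SAMPLE_RC_USERS = [
  { username: 'alice', ldap: true },
  { username: 'bob',   ldap: true },
  { username: 'Carol', ldap: true },   // case differs from the directory
  { username: 'dave',  ldap: true },
  { username: 'erin',  ldap: true },
  { username: 'frank', ldap: true },   // no longer exists in LDAP
  { username: 'gina',  ldap: false },  // Google OAuth user, not LDAP-managed
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(reconcile(SAMPLE_RC_USERS, SAMPLE_LDAP_ENTRIES), null, 2));
}
```

Run the file with node to print the plan; with the sample data above it keeps alice and erin, flags bob, Carol and dave as disabled and frank as missing, and skips gina. A scheduled job would run this after each LDAP sync rather than only when "Sync Users" is clicked.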

Our enterprise version 3.0.2 covers this feature now.

Rocketeers, after consideration, we will merge the code to fix these LDAP issues into the main repository. I am reopening a few of the LDAP issues to be resolved this week.

Has this functionality been implemented? I just upgraded RC to 3.5.1 and after sync I still see previously deleted (in AD) users in the RC user base...

This will be an important feature for us too. Have you planned this for the next release?
Thanks
