Rocket.chat: LDAP Sync should automatically disable users when account disabled LDAP attribute is set

Created on 13 Jun 2017 · 12 Comments · Source: RocketChat/Rocket.Chat

Rocket.Chat Version: 0.56.0
Running Instances: 1
DB Replicaset OpLog: Enabled
Node Version: 4.8.1

When syncing LDAP database, RocketChat should disable user accounts with the proper LDAP attribute set. For example, in our LDAP environment the attribute is: nsAccountLock=true

In a typical AD environment it is userAccountControl = 514 or 66050.

This will make sure that even if a user's session hasn't expired yet, they will not be able to continue to use RocketChat if their account is disabled by an administrator (for example if they leave the company).

There's another feature request for disabling deleted LDAP users instead of deleting them from RC: remove non existent LDAP users automatically #6174

Triaged Auth - LDAP improvement

All 12 comments

Just one more comment--- This is a fairly big deal from a security standpoint because on the one hand, enterprises don't want to make people authenticate every day, but they also don't want people to be able to log in after their account is disabled. Scheduling an LDAP sync that behaves as above solves this issue.

Also related to #4554

Anything new?

Hi guys, I'm fixing a lot of our LDAP issues as you can see on this PR https://github.com/RocketChat/Rocket.Chat/pull/8372

I did a local setup using OpenLDAP importing 500k users from one ldif file using this docker container https://github.com/jenkins-infra/mock-ldap/.

I'm accessing the LDAP container using Apache Directory Studio.

I want to know how to disable one user in my environment, then I'll be able to implement this and test.

Can someone help me?

Thanks

Hi rodrigok,

Thanks for giving this issue your time. I can't assist directly with your question as we use Microsoft Active Directory for LDAP and that will be somewhat different in execution.

One thing that I've noticed come up when implementing this is the difference between: deleted, expired, and disabled accounts.

Let me give an example:
A contractor hired to work on a project will be created with an 'accountexpires' timestamp. After this time, the user should be assumed to be refused log-in. Our company policy is to never delete (or disable) those users. If they are required to work longer, the expire date will be extended.

Permanent staff will not have an expiry date set, but when they leave, will be set to disabled when they hand in their key cards etc. This is an account flag (bit mask on UserAccountControl attribute). Again we will never delete these users.

Hope that helps a little...

@rodrigok This one is very important to me so will help any way I can. If you're using OpenLDAP you should be able to:

Disable: using the password-policy overlay, set pwdAccountLockedTime == Now
Enable: clear or remove the above attribute.

Please let me know if you'd like to discuss more. I'm not a developer but understand well the implications of authentication.

Password policy overlay man page

@rodrigok Also keep in mind that different LDAP servers reference different attributes in their schema to signify account lockout. The feature will need a way to take this into account (maybe by allowing admin to use a boolean expression with javascript function: ex: nsAccountLock == 1; or pwdAccountLockedTime <= Date.Now();)
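As an added example (not Rocket.Chat's code, and not from any commenter here), this is what the server-specific check from the comment above and the sync behaviour from the issue body could look like in one place: a predicate covering the attributes named in this thread (nsAccountLock, userAccountControl, accountExpires, pwdAccountLockedTime) and a planner that turns an LDAP entry list plus local user records into deactivate/activate actions. The entry and user object shapes, the `uid` attribute name and the `planSyncActions` helper are assumptions for illustration.

```javascript
// Added example; entries are plain objects keyed by LDAP attribute name with
// string values (as an LDAP client returns them). Shapes are assumed, not Rocket.Chat's.

const ACCOUNTDISABLE = 0x0002; // AD userAccountControl bit; 514 = 0x200|0x2, 66050 = 0x10000|0x200|0x2

// AD accountExpires is 100-ns intervals since 1601-01-01; 0 and 0x7FFFFFFFFFFFFFFF mean "never"
function adFileTimeToMs(value) {
  const n = BigInt(value);
  if (n === 0n || n === 0x7fffffffffffffffn) return null;
  return Number(n / 10000n) - 11644473600000; // epoch offset 1601 -> 1970 in ms
}

// True when the directory says this account must not log in.
function isAccountDisabled(entry, now = Date.now()) {
  // 389-DS / Red Hat DS: nsAccountLock=true
  if (String(entry.nsAccountLock || '').toLowerCase() === 'true') return true;
  // Active Directory: ACCOUNTDISABLE bit set in userAccountControl
  if (entry.userAccountControl !== undefined &&
      (Number(entry.userAccountControl) & ACCOUNTDISABLE) !== 0) return true;
  // Active Directory: contractor-style expiry timestamp already reached
  if (entry.accountExpires !== undefined) {
    const exp = adFileTimeToMs(entry.accountExpires);
    if (exp !== null && exp <= now) return true;
  }
  // OpenLDAP ppolicy overlay: attribute present means locked, cleared means enabled
  if (entry.pwdAccountLockedTime !== undefined && entry.pwdAccountLockedTime !== '') return true;
  return false;
}

// Compare local users against a fresh LDAP sync and decide what to change.
// Users absent from LDAP are only reported (see #6174 for handling them).
function planSyncActions(entries, users, uidAttr = 'uid', now = Date.now()) {
  const byUid = new Map(entries.map((e) => [String(e[uidAttr]), e]));
  const plan = { deactivate: [], activate: [], missing: [] };
  for (const user of users) {
    const entry = byUid.get(user.username);
    if (!entry) { plan.missing.push(user.username); continue; }
    const disabled = isAccountDisabled(entry, now);
    if (disabled && user.active) plan.deactivate.push(user.username);
    if (!disabled && !user.active) plan.activate.push(user.username);
  }
  return plan;
}
```

Running the planner on a schedule and ending the sessions of everyone in `deactivate` gives the behaviour the issue asks for: a still-valid session no longer survives the directory flag.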

The password-policy is something I need to install?

@rodrigok Depends on the version-- you just have to load the module

Our enterprise version 3.0.2 covers this feature now.

Rocketeers, after consideration, we will merge the code to fix these LDAP issues into the main repository. I am reopening a few of the LDAP issues to be resolved this week.

Any news for this feature?
