Prioritize LDAP support #172

Closed
rockneverdies55 opened this issue Jun 8, 2015 · 35 comments
Comments

@rockneverdies55

It would make adopting or checking out Rocket.Chat much easier for organizations if LDAP (and Kerberos too possibly) was supported.

In Readme it's listed as a planned feature however it's not in any of the current milestones.

Is it possible to prioritize LDAP support?

@shahar3012
Contributor

👍 It sure would be nice to have it, and it is really important if you want to get organizations into this product. They are key to the success of this project.

@mrkarthick1409

Hi all,

I am Karthick. I have just started looking through Meteor, Node and all those cool stuff.

Could someone please suggest me some simple task to kick-start my contribution?


Thanks,
Karthick


@sampaiodiego
Member

@karthick-i2i I don't think this is the right place to ask that, but you can see the issues list and pick one you think is the easiest to do. ;)

@rockneverdies55 and @shahar3012, what do you think is the most important thing in LDAP integration? The authentication? The structure?

@engelgabriel
Member

Some options to deploy something fast.

https://atmospherejs.com/?q=ldap

@rockneverdies55
Author

@sampaiodiego - I'm inclined to say "authentication" but at the same time I'm not really sure what you mean by "structure"...

@sampaiodiego
Member

@rockneverdies55 I know that LDAP (or Active Directory) can store a lot of "data" (such as groups).

An LDAP integration could create a room for every "group" (or whatever), but this could be a lot more complex.

Authentication support could be easy to do: on the first configuration page (#96) you could choose whether Rocket.Chat uses LDAP authentication or other methods.

@rockneverdies55
Author

Yes, I definitely agree. For now authentication should be the primary goal as a first step.

@dfyx

dfyx commented Jun 9, 2015

👍

Right now, LDAP auth is one of the reasons why I stick with Let's Chat. Would be cool if RocketChat added support for it.

@Schniz
Contributor

Schniz commented Jun 9, 2015

By Kerberos you mean REMOTE_USER header or user/password?

@rockneverdies55
Author

@Schniz - By Kerberos, I meant support for authenticating users via Kerberos. So the direct answer to your question would probably be user/password... But I'm not very clear on your question either: Kerberos vs REMOTE_USER?

@shahar3012
Contributor

@rockneverdies55 I think what @Schniz meant is that it would be nice to have a Kerberos authentication that works with REMOTE_USER header. Rocket.Chat will authenticate users based on the REMOTE_USER header that was passed by a proxy server like Apache that does the user authentication.

The REMOTE_USER approach is easier to implement because you don't need to deal with the user authentication itself, only support this type of login and/or add the user to the DB. You get the username in the header and use it to log the user in.

If you decide to make a complete SSO solution you could use a Kerberos library with Meteor that does the authentication and all the things that I have mentioned.

I don't think you should go for user/password authentication, because in most cases organizations don't use username and password for SSO; they use smart cards or other biometric devices to identify users, so in such a case user/password is no longer needed: the credentials are received from the operating system that supports such things.

@Schniz
Contributor

Schniz commented Jun 11, 2015

@shahar3012 👍

@Schniz
Contributor

Schniz commented Jun 11, 2015

I'll add a bit to it. Many organizations use Kerberos as the SSO, without using the user/passwords but using tickets via GSSAPI.

So why shouldn't we use GSSAPI? Well, there is no Node module available for it yet.
I had a worker in my organization who developed a nice library using the SSPI Apache httpd plugin for Node, in C++ of course. But IMHO it's a bit too much and unfortunately can't be open sourced. 😭

Many orgs use Nginx or httpd as their reverse proxy services and use their SSO plugins that way, by providing a request header called X-Remote-User or REMOTE_USER to the app.

There's even a Passport plugin implementing this type of authentication, called passport-reverseproxy.
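The header-based flow described in this thread, as an added example (not code from Rocket.Chat or passport-reverseproxy): the app may treat X-Remote-User / REMOTE_USER as authenticated only when the request actually arrived from the reverse proxy that performed the SSO. The proxy address and header name are constructed assumptions.

```javascript
// Added example, not code from Rocket.Chat or passport-reverseproxy: accept a
// proxy-supplied X-Remote-User / REMOTE_USER header only when the request really
// came from the reverse proxy that did the SSO. Proxy address and header name are
// constructed assumptions for this demo.
const TRUSTED_PROXIES = new Set(['10.0.0.5']); // the httpd/Nginx host in front of the app
const REMOTE_USER_HEADER = 'x-remote-user';    // lower-case, as Node exposes header names

// Returns the SSO username, or null when the header must not be believed.
// Without the source-address check, anything that can reach the app port
// directly could present the header itself and be treated as any user, so the
// app port must also be reachable only from the proxy.
function userFromReverseProxy(req) {
  if (!TRUSTED_PROXIES.has(req.socket.remoteAddress)) return null;
  const name = req.headers[REMOTE_USER_HEADER];
  if (typeof name !== 'string' || !/^[a-z0-9._-]{1,64}$/i.test(name)) return null;
  return name;
}
```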

@tracphil

LDAP auth is important for me as well.

@douglas

douglas commented Jun 23, 2015

Hello,

Also needing the LDAP backend to try it in a Brazilian government company ;-)

Congrats guys, you are doing an amazing job!

@marceloschmidt
Member

LDAP support is now available! We need to add a settings config for defining host and other parameters. Currently it is hardcoded in /server/lib/ldap.coffee with a testing server.

@tracphil

Thank you!

@rockneverdies55
Author

@marceloschmidt - Thanks for taking care of this.

Is the "settings config" stuff currently in progress? Is there an issue or something to follow the development on that?

@marceloschmidt
Member

There is now: #222

@rockneverdies55
Author

Thanks @marceloschmidt. Would you like to update the README so it indicates LDAP is supported now (or would you like to wait until the settings page allows configuration)?

@marceloschmidt
Member

Done :)
I've also added a wiki entry on how to configure and use it.

@rodrigok rodrigok modified the milestone: v0.3 Jun 25, 2015
@Megatronic79

Hey guys,

I've added LDAP support and added the DN of a service account, port and URL. Rocket.Chat allows login with any username as long as the password matches that of the service account?

How has it been set to authenticate? Are you sending the username with the base DN to the LDAP server with the password to authenticate? At the moment it seems to ignore the username and just send the LDAP DN from the settings page and the password from the UI login.

Do you have any documentation for this with examples? Or let me know where the Rocket.Chat logs are to troubleshoot.

@engelgabriel
Member

@Megatronic79

Yes, the only check at this point is for username and password.

When the login happens, the username is not used. But we are working on it, and there is a pull request being merged today. Can you take a look and give some feedback?

#690

@rodrigok
Member

rodrigok commented Sep 4, 2015

@Megatronic79 now you can pass a query to LDAP to get the user's DN; try this:
[screenshot 2015-09-04 at 16:14:50]

@Megatronic79

Downloaded and testing the new changes. Without an LDAP_BIND_search entry it seems the username is still not being passed to the logon; I can use any username with the read-only-admin password and it will log them in. If I use the filter above, the logon hangs at "please wait..."

I've tried changing the uid= to samaccount (as this is AD) but still get the hang. Do we have any more information as to what scope and sub are? Is this the search scope?

Where are the LDAP logs in Rocket.Chat to see what is being passed to the LDAP server?

@Megatronic79

Looking in the logs here:

/var/log/rocket.chat/app-0.log

I can see the attempt to bind is trying the entry in LDAP_DN.

Should we first log on with the LDAP_DN (with a password, as anonymous is probably not going to work) and then, once authenticated, search for the user in LDAP?

Otherwise, do we need LDAP_DN to instead set the base DN and attempt a logon, passing the username and password directly from the UI?

@engelgabriel
Member

@rodrigok any ideas?

@Megatronic79

I'm just putting an LDAP server online for @rodrigok to test against.

@engelgabriel
Member

Thanks @Megatronic79

@engelgabriel engelgabriel reopened this Sep 7, 2015
@Megatronic79

Latest changes from @rodrigok are working great for LDAP authentication against Active Directory; the group filter is also working as expected.

We should update the Settings page to capture this information to make it clearer for users:

LDAP Settings Page:

BaseDN: (Root of the domain)
Bind UserDN: (User with search permissions on LDAP \ AD)
Bind UserPW: (User's password)
LDAP port: (LDAP port; if not set, default to 389)
Ldap URL: (ldap://ldapservername)
Ldap Group Filter: (LDAP query in the form (&(objectCategory=person)(objectclass=user)(memberOf=CN=ROCKET_GROUP,CN=Groups,DC=domain,DC=com)))
Ldap Enable: (true/false)

Then the LDAP filter is passed in the background as

{"filter": "Ldap Group Filter", "scope": "sub", "userDN": "Bind UserDN", "password": "Bind UserPW"}

Good work by @rodrigok in this one.
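The two login flows this thread walks through (the early "bind with the configured DN and the password typed in the UI" behaviour reported above, and the bind-search-bind flow the settings list describes), as an added example that is not Rocket.Chat's own code, run against a tiny in-memory stand-in for an LDAP server. Every DN, password and group name is constructed; the filter escaping follows RFC 4515.

```javascript
// Added example (not Rocket.Chat code): the two login flows discussed above, run
// against a tiny in-memory stand-in for an LDAP server. All values constructed.
const directory = {
  'cn=svc-rocket,ou=service,dc=example,dc=com':
    { password: 'svc-secret', uid: 'svc-rocket', objectclass: 'user', memberOf: [] },
  'uid=alice,ou=people,dc=example,dc=com':
    { password: 'alice-pw', uid: 'alice', objectclass: 'user',
      memberOf: ['cn=ROCKET_GROUP,cn=Groups,dc=example,dc=com'] },
  'uid=bob,ou=people,dc=example,dc=com':
    { password: 'bob-pw', uid: 'bob', objectclass: 'user', memberOf: [] },
};

// RFC 4515 escaping for a value interpolated into a filter: without it a typed
// username such as "*)(uid=*" rewrites the filter instead of being matched.
function escapeFilterValue(v) {
  return v.replace(/[*()\\\0]/g, c => '\\' + c.charCodeAt(0).toString(16).padStart(2, '0'));
}
const unescapeFilterValue = v => v.replace(/\\([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));

// Minimal server stand-in: simple bind plus an AND-of-equality-clauses search.
const ldap = {
  // An empty password is an "unauthenticated bind" (RFC 4513, 5.1.2) that real
  // servers may answer with success, so the login flow must refuse it up front.
  bind: (dn, password) => password !== '' && directory[dn]?.password === password,
  search(filter) {
    const clauses = [...filter.matchAll(/\((\w+)=([^()]*)\)/g)]
      .map(m => [m[1], unescapeFilterValue(m[2])]);
    return Object.keys(directory).filter(dn =>
      clauses.every(([attr, val]) => [].concat(directory[dn][attr] ?? []).includes(val)));
  },
};
const settings = { // the fields listed in the settings-page proposal above
  bindUserDN: 'cn=svc-rocket,ou=service,dc=example,dc=com',
  bindUserPW: 'svc-secret',
  groupFilter: '(&(objectclass=user)(memberOf=cn=ROCKET_GROUP,cn=Groups,dc=example,dc=com))',
};

// Early behaviour reported above: the username is never used, so any username
// submitted with the service account's password is accepted.
function authenticateBroken(cfg, username, password) {
  return ldap.bind(cfg.bindUserDN, password);
}
// Bind as the service account, resolve the user's DN through the group filter,
// then prove the password by binding as that DN; exactly one match is required.
function authenticateFixed(cfg, username, password) {
  if (password === '' || !ldap.bind(cfg.bindUserDN, cfg.bindUserPW)) return false;
  const matches = ldap.search(`(&${cfg.groupFilter}(uid=${escapeFilterValue(username)}))`);
  return matches.length === 1 && ldap.bind(matches[0], password);
}
```

The broken flow accepts any username paired with the service password; the fixed flow accepts only a group member binding with their own password and rejects empty passwords and filter metacharacters in the username.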

@rodrigok rodrigok closed this as completed Sep 8, 2015
@Sing-Li
Member

Sing-Li commented Sep 8, 2015

👍 👍 👍

@engelgabriel
Member

👍 COOL!

@guarilha can you copy this to the wiki?

@guarilha

guarilha commented Sep 8, 2015

@engelgabriel 👍

@rockneverdies55
Author

Has anybody tried connecting to an LDAP server with a self-signed certificate (via an ldaps URL)?
