We use mostly LDAP group synced channels to control channel access via Active Directory.
Several of my team-members left “private channel 1” after the initial group sync, including me.
Now some of the team-members want to re-join “private channel 1” and are asking for my help, but I left the channel myself and now I’m not able to “invite” them.
One solution would be to contact someone who is still a member and ask for an invite.
Worst case scenario is that all the members are on vacation so no one can invite me or my colleague.
Or I can’t remember the channel name, making it impossible to know who I can ask.
I tried to remove the user from the AD group, run an LDAP sync, put the user back in the AD group and sync again. This only leads the MM user account to become disabled and enabled. They do not rejoin the private channel.
If I remove the AD group link from the channel, sync and link again everyone would automatically become members, but the chat log gets cluttered with “users x was removed…user x joined” making this a less desirable solution. I would also get questions from our security admin as to why I keep changing the membership in the private channels.
So the real question: is there a way for my users to see which private channels they have access to by AD membership, so they can leave and join at their own request, just like we can with public channels?
@ahmaddanial would you know more about this, and be able to elaborate? I’m not as familiar with LDAP integration.
Based on the explanation you provided, I understand that you are using this feature to sync groups to channel.
The explanation behind the behavior that you are seeing here is explained in the FAQ section here.
The implementation of group removals does not currently differentiate between users who have removed themselves or have been removed by the LDAP synchronization process. Our design optimizes for users who have removed themselves from a team or channel. In the future, we may add the ability for admins to re-add users who have been removed, and even prevent users from leaving a team or channel.
Additionally, LDAP users who are not accessible to Mattermost based on filters will be removed from the groups and from group-synced teams and channels. If they were removed from teams and channels then they will not be re-added to those teams and channels upon becoming subsequently re-accessible to Mattermost.
To answer the question that you have here:
While the AD membership applies to LDAP users in general instead of channel specific, you can run the following SQL query to obtain the list of channel membership of every user:
```sql
SELECT DISTINCT
    u.Username,
    u.AuthService,
    t.DisplayName AS TeamName,
    c.DisplayName AS ChannelName,
    c.Type,
    cm.SchemeUser AS User,
    cm.SchemeAdmin AS Admin
FROM ChannelMembers AS cm
JOIN Channels AS c ON (cm.ChannelId=c.Id)
JOIN Users AS u ON (cm.UserId=u.Id)
JOIN Teams AS t ON (c.TeamId=t.Id);
```
Columns to take note of:
- AuthService: empty,
- Type: O (public) or P (private)
Ultimately, you will lose membership of a private channel once you leave it. The only way to get in again is to trigger the sync again to pull the information from the LDAP group again to add the users into the respective channel.
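
The query in the answer lists current memberships only, so a private channel a user has left no longer shows up for them. As an added example (not part of the original posts and not Mattermost's own code), this read-only query lists private channels a user is entitled to through a linked group but is not currently a member of. The tables `UserGroups`, `GroupMembers` and `GroupChannels` and the `DeleteAt` columns are assumptions about the schema that do not appear in the thread; check them against your database version before relying on the result.

```sql
-- Added example: group-entitled private channels the user is NOT currently in.
-- Assumed schema (not shown in the thread): UserGroups, GroupMembers,
-- GroupChannels, each with a DeleteAt column where 0 means "active".
SELECT
    u.Username,
    g.DisplayName AS GroupName,
    t.DisplayName AS TeamName,
    c.DisplayName AS ChannelName
FROM GroupChannels AS gc
JOIN UserGroups    AS g  ON (g.Id = gc.GroupId)
JOIN GroupMembers  AS gm ON (gm.GroupId = gc.GroupId)
JOIN Users         AS u  ON (u.Id = gm.UserId)
JOIN Channels      AS c  ON (c.Id = gc.ChannelId)
JOIN Teams         AS t  ON (t.Id = c.TeamId)
-- Anti-join: keep only rows with no matching channel membership.
LEFT JOIN ChannelMembers AS cm
       ON (cm.ChannelId = c.Id AND cm.UserId = u.Id)
WHERE c.Type = 'P'          -- private channels only
  AND gc.DeleteAt = 0       -- group is still linked to the channel
  AND gm.DeleteAt = 0       -- user is still in the synced group
  AND cm.UserId IS NULL     -- user left or was removed
ORDER BY u.Username, t.DisplayName, c.DisplayName;
```

The output tells an admin which channel to look at and, joined with the membership query above, who is still a member and can send an invite.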