LDAP user filter

Summary
Scanned 1 LDAP users and 0 groups.

Steps to reproduce
Enterprise Edition
Mattermost Professional

Expected behavior
I purchased Mattermost Professional, which only includes LDAP users. However, whenever I attempt to sync, I am only receiving one LDAP user.
Here’s what I have for my LDAP settings.

"LdapSettings": {
    "Enable": true,
    "EnableSync": true,
    "LdapServer": "example.local",
    "LdapPort": 389,
    "ConnectionSecurity": "",
    "BaseDN": "OU=example,DC=example,DC=local",
    "BindUsername": "CN=Mattermost LDAP Bind,OU=Unmanaged Service Accounts,OU=example,DC=example,DC=local",
    "BindPassword": "",
    "UserFilter": "(\u0026(objectCategory=Person)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))",
    "GroupFilter": "",
    "GuestFilter": "",
    "EnableAdminFilter": false,
    "AdminFilter": "",
    "GroupDisplayNameAttribute": "",
    "GroupIdAttribute": "",
    "FirstNameAttribute": "\"givenName\"",
    "LastNameAttribute": "\"sn\"",
    "EmailAttribute": "\"mail\"",
    "UsernameAttribute": "\"sAMAccountName\"",
    "NicknameAttribute": "",
    "IdAttribute": "\"sAMAccountName\"",
    "PositionAttribute": "",
    "LoginIdAttribute": "\"sAMAccountName\"",
    "PictureAttribute": "",
    "SyncIntervalMinutes": 60,
    "SkipCertificateVerification": false,
    "PublicCertificateFile": "ldap-public.crt",
    "PrivateKeyFile": "ldap-private.key",
    "QueryTimeout": 60,
    "MaxPageSize": 0,
    "LoginFieldName": "",
    "LoginButtonColor": "#0000",
    "LoginButtonBorderColor": "#2389D7",
    "LoginButtonTextColor": "#2389D7",
    "Trace": false
}

Observed behavior
Mattermost should show 5 users.

Any ideas what’s causing the problem?

Hey johnsn02 and welcome to the Mattermost forums!

There could be several reasons for that; hard to tell without seeing your LDAP tree.
Can you confirm that the users you expect to be here all match the filter you specified and are under the OU example, since this is set as your BaseDN?
If you have the ldapsearch utility (or any other LDAP tool) available on one of the servers/clients in your environment, you could use it to run the query against your LDAP server and compare the returned user list.

Yes! I ran these two commands and both show our users. The users I specified match the OU. I am only receiving one user, but my ldapsearch shows all of our users.

ldapsearch -h example.local -p 389 -D "CN=Mattermost LDAP Bind,OU=Unmanaged Service Accounts,OU=example,DC=example,DC=local" -w "removedpassword" -b OU=example,DC=example,DC=local '(givenName=*)'

ldapsearch -h example.local -p 389 -D "CN=Mattermost LDAP Bind,OU=Unmanaged Service Accounts,OU=example,DC=example,DC=local" -w "removedpassword" -b OU=example,DC=example,DC=local "(&(objectCategory=Person)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"
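The second ldapsearch above uses the Active Directory bitwise-AND matching rule (OID 1.2.840.113556.1.4.803) to drop accounts whose userAccountControl has the ACCOUNTDISABLE bit (0x2) set. The following is an added example, not part of this thread or of Mattermost: a small evaluator for exactly that filter subset (and/or/not, equality, presence, bitwise extensible match), run over constructed sample entries so you can see offline which accounts the filter keeps. It stores objectCategory in the short form "Person"; a real AD server expands that to the schema DN itself.

```python
"""Evaluate the AD-style LDAP filter from the thread against sample entries.

Added example, not part of the forum thread or of Mattermost. It implements
the subset of RFC 4515 filter syntax the thread uses: and/or/not, equality,
presence (attr=*) and the Active Directory bitwise-AND extensible match
(attr:1.2.840.113556.1.4.803:=mask). The entries below are constructed.
"""
from __future__ import annotations

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"
UF_ACCOUNTDISABLE = 0x0002          # userAccountControl flag bits (AD)
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000

# Exactly the filter from the poster's config (attribute names are case-insensitive)
MATTERMOST_USER_FILTER = (
    "(&(objectCategory=Person)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"
)


def parse_filter(text: str):
    """Recursive-descent parse into tuples: ('&'|'|', [kids]), ('!', [kid]),
    ('eq', attr, value) or ('ext', attr, rule_oid, value).
    Values containing ')' or RFC 4515 escapes are outside the supported subset."""
    pos = 0

    def expect(ch: str) -> None:
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise ValueError(f"expected {ch!r} at offset {pos}")
        pos += 1

    def node():
        nonlocal pos
        expect("(")
        op = text[pos]
        if op in "&|":
            pos += 1
            kids = []
            while pos < len(text) and text[pos] == "(":
                kids.append(node())
            expect(")")
            return (op, kids)
        if op == "!":
            pos += 1
            kid = node()
            expect(")")
            return ("!", [kid])
        end = text.index(")", pos)
        item, pos = text[pos:end], end + 1
        if ":=" in item:                      # extensible match attr:oid:=value
            lhs, value = item.split(":=", 1)
            attr, _, rule = lhs.partition(":")
            return ("ext", attr, rule, value)
        attr, value = item.split("=", 1)
        return ("eq", attr, value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return tree


def _values(entry: dict[str, list[str]], attr: str) -> list[str]:
    """Attribute names are case-insensitive in LDAP."""
    for name, vals in entry.items():
        if name.lower() == attr.lower():
            return vals
    return []


def matches(tree, entry: dict[str, list[str]]) -> bool:
    kind = tree[0]
    if kind == "&":
        return all(matches(k, entry) for k in tree[1])
    if kind == "|":
        return any(matches(k, entry) for k in tree[1])
    if kind == "!":
        return not matches(tree[1][0], entry)
    if kind == "eq":
        _, attr, value = tree
        vals = _values(entry, attr)
        if value == "*":                      # presence filter
            return bool(vals)
        return any(v.lower() == value.lower() for v in vals)
    _, attr, rule, value = tree               # 'ext': missing attribute never matches
    mask = int(value)
    ints = [int(v) for v in _values(entry, attr)]
    if rule == LDAP_MATCHING_RULE_BIT_AND:    # every bit of mask set
        return any(v & mask == mask for v in ints)
    if rule == LDAP_MATCHING_RULE_BIT_OR:     # any bit of mask set
        return any(v & mask for v in ints)
    raise ValueError(f"unsupported matching rule {rule}")


# Constructed sample directory (hypothetical accounts).
SAMPLE_ENTRIES = [
    {"sAMAccountName": ["alice"], "objectCategory": ["Person"], "givenName": ["Alice"],
     "userAccountControl": [str(UF_NORMAL_ACCOUNT)]},
    {"sAMAccountName": ["bob"], "objectCategory": ["Person"], "givenName": ["Bob"],
     "userAccountControl": [str(UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE)]},   # disabled
    {"sAMAccountName": ["svc-mattermost"], "objectCategory": ["Person"],
     "userAccountControl": [str(UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD)]},
    {"sAMAccountName": ["WS01$"], "objectCategory": ["Computer"],
     "userAccountControl": ["4096"]},                                       # workstation
]


def select(filter_text: str, entries) -> list[str]:
    """Return the sAMAccountName of every entry the filter matches."""
    tree = parse_filter(filter_text)
    return [e["sAMAccountName"][0] for e in entries if matches(tree, e)]


if __name__ == "__main__":
    print(select(MATTERMOST_USER_FILTER, SAMPLE_ENTRIES))   # ['alice', 'svc-mattermost']
    print(select("(givenName=*)", SAMPLE_ENTRIES))           # ['alice', 'bob']
```

Note the asymmetry between the two ldapsearch queries in the post: `(givenName=*)` returns bob (disabled) and skips the service account (no givenName), while the Mattermost filter does the opposite, so the two listings are not expected to be identical.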

Thanks for the confirmation.
I compared your settings to mine and they look almost identical, but I’m not sure if this is just a copy/paste error here, so I’m mentioning it. As you can see in the quote, you’re using double quotation marks for all LDAP attributes. I’m not sure what the application will do when it encounters them and I’m still wondering why it returns just one account, but to rule that out, can you please get rid of the superfluous quotation marks so that this section looks like this afterwards?

"IdAttribute": "sAMAccountName",
"LoginIdAttribute": "sAMAccountName",
"UsernameAttribute": "sAMAccountName",
"EmailAttribute": "mail",
"FirstNameAttribute": "givenName",
"LastNameAttribute": "sn",

Do you know which account it is that is being synced to the Mattermost server? Is it maybe the bind account?

BTW, you should consider switching to ldaps (tcp/636) - ldap on port 389 transmits credentials in cleartext over your network.
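The two points in the reply above, stray quote characters inside the attribute names and a cleartext bind on port 389, are both visible in config.json before the first sync runs. As an added example (not Mattermost code, and not from the original thread), here is a lint script that reads the LdapSettings block, validates every *Attribute value against the RFC 4512 attribute-name syntax, flags ConnectionSecurity "" (Mattermost's values are "", "TLS" and "STARTTLS"), and decodes the JSON-escaped UserFilter so you can see what is actually sent. The embedded config is a constructed reproduction of the poster's settings with the password removed.

```python
"""Lint the LdapSettings block of a Mattermost config.json.

Added example, not Mattermost code. Checks the two issues raised in this
thread: attribute names wrapped in stray quote characters, and a cleartext
LDAP connection (ConnectionSecurity "" on port 389). The sample config below
is constructed to reproduce the poster's settings with the password redacted.
"""
from __future__ import annotations

import json
import re

ATTRIBUTE_KEYS = (
    "FirstNameAttribute", "LastNameAttribute", "EmailAttribute",
    "UsernameAttribute", "NicknameAttribute", "IdAttribute",
    "PositionAttribute", "LoginIdAttribute", "PictureAttribute",
    "GroupDisplayNameAttribute", "GroupIdAttribute",
)
# RFC 4512 attribute description: a descriptor (name) or a numeric OID,
# optionally followed by ;options. Quote characters never belong here.
ATTR_NAME_RE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)(?:;[A-Za-z0-9-]+)*$")

# Constructed sample (raw string so the JSON escapes reach json.loads intact).
BROKEN_CONFIG = r'''{
  "LdapSettings": {
    "Enable": true,
    "LdapServer": "example.local",
    "LdapPort": 389,
    "ConnectionSecurity": "",
    "BaseDN": "OU=example,DC=example,DC=local",
    "BindUsername": "CN=Mattermost LDAP Bind,OU=Unmanaged Service Accounts,OU=example,DC=example,DC=local",
    "UserFilter": "(\u0026(objectCategory=Person)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))",
    "FirstNameAttribute": "\"givenName\"",
    "LastNameAttribute": "\"sn\"",
    "EmailAttribute": "\"mail\"",
    "UsernameAttribute": "\"sAMAccountName\"",
    "IdAttribute": "\"sAMAccountName\"",
    "LoginIdAttribute": "\"sAMAccountName\"",
    "SkipCertificateVerification": false
  }
}'''


def _ldap_settings(config) -> dict:
    """Accept either the config.json text or an already-parsed dict."""
    cfg = json.loads(config) if isinstance(config, str) else config
    return cfg["LdapSettings"]


def strip_stray_quotes(value: str) -> str:
    return value.strip().strip("\"'").strip()


def lint_ldap_settings(config) -> list[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    ldap = _ldap_settings(config)
    findings: list[str] = []

    for key in ATTRIBUTE_KEYS:
        value = ldap.get(key, "")
        if value and not ATTR_NAME_RE.match(value):
            findings.append(
                f"{key}: {value!r} is not a valid attribute name; "
                f"did you mean {strip_stray_quotes(value)!r}?"
            )

    security = ldap.get("ConnectionSecurity", "")
    port = ldap.get("LdapPort", 389)
    if security == "":
        findings.append(
            f"ConnectionSecurity is empty: the bind password crosses the network "
            f"in cleartext on port {port}; use \"TLS\" (ldaps, usually 636) or \"STARTTLS\""
        )
    elif security == "TLS" and port == 389:
        findings.append("ConnectionSecurity TLS with port 389: ldaps normally listens on 636")
    if ldap.get("SkipCertificateVerification"):
        findings.append("SkipCertificateVerification is true: the LDAP server is not authenticated")

    user_filter = ldap.get("UserFilter", "")      # json.loads already turned \u0026 into &
    if user_filter and user_filter.count("(") != user_filter.count(")"):
        findings.append(f"UserFilter has unbalanced parentheses: {user_filter}")
    return findings


def fix_attribute_quotes(config) -> dict:
    """Return a copy of LdapSettings with stray quotes removed from attribute names."""
    ldap = dict(_ldap_settings(config))
    for key in ATTRIBUTE_KEYS:
        if key in ldap:
            ldap[key] = strip_stray_quotes(ldap[key])
    return ldap


if __name__ == "__main__":
    for finding in lint_ldap_settings(BROKEN_CONFIG):
        print("-", finding)
    fixed = fix_attribute_quotes(BROKEN_CONFIG)
    print(json.dumps({k: fixed[k] for k in ("IdAttribute", "FirstNameAttribute", "UserFilter")}, indent=2))
```

Run it against a real config.json by replacing BROKEN_CONFIG with the file contents; the attribute-name check is the one that would have caught this thread's problem, since `"givenName"` with the quotes is not a legal attribute description and the directory simply returns no such attribute.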

Thank you so much!! That was the problem. I can see our users now.

Great 🙂 Small thing, big impact.
