
Mattermost 4.4.1: Investigating AD/LDAP sync issue

We are currently investigating an issue with AD/LDAP sync in Mattermost v4.4.1 where some users get deactivated after the sync runs.

If you have upgraded and are experiencing an issue, please provide the following information to help troubleshoot the issue.

  1. Please attach your LDAP settings from config.json with the username/password removed. If you don’t feel comfortable posting it here, you can private message @jasonblais instead.
  2. What AD/LDAP server and version are you using? For example, Active Directory on Windows Server 2016
  3. What errors do you see in the server logs?
  4. Please send an example user from your system by using the ldapsearch command on your LDAP server. You can private message @jasonblais.
  5. Do you have SAML login enabled? If you do, have you set Enable Synchronizing SAML Accounts With AD/LDAP in System Console > SAML 2.0 to true or false?

We are seeing the issue here. But there is a caveat: the only people getting disconnected are people with an email account that is not the same as their AD account. For example, if the AD account is jsmith but the email is john@company.com, they get deactivated and kicked out. They get reactivated when they log back in again. Meanwhile, people who have an email that matches their AD account have no issue. Here are some examples:

[2017/11/20 14:37:47 CST] [INFO] Mattermost user was updated by AD/LDAP server. deactivated username=jsmith email=john@company.com

We did find this error message in the logs that ties to the user’s desktop IP address when he was kicked out:

[2017/11/17 13:44:03 CST] [EROR] /api/v4/users/me/teams/members: code=401 rid=9icgyt61w3gu88377wwkzx96ko uid= ip=10.11.232.150 Invalid or expired session, please login again. [details: UserRequired]

"LdapSettings": {
    "Enable": true,
    "EnableSync": true,
    "LdapServer": "XXXXXXXXXXXXXXXX",
    "LdapPort": 636,
    "ConnectionSecurity": "TLS",
    "BaseDN": "XXXXXXXXXXXXXXX",
    "BindUsername": "XXXXXXXXXXXXXXXXXXXXXXXX",
    "BindPassword": "XXXXXXXXXXXXXXXXXXXXXXX",
    "UserFilter": "(\u0026(objectCategory=Person)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))",
    "FirstNameAttribute": "givenName",
    "LastNameAttribute": "sn",
    "EmailAttribute": "mail",
    "UsernameAttribute": "sAMAccountName",
    "NicknameAttribute": "",
    "IdAttribute": "sAMAccountName",
    "PositionAttribute": "",
    "SyncIntervalMinutes": 1440,
    "SkipCertificateVerification": false,
    "QueryTimeout": 60,
    "MaxPageSize": 100,
    "LoginFieldName": "Username"
},

NOTE: I bumped the sync time to once every 24 hours in order to stop people from getting booted every hour.

We have an E10 license.

@Kalli

We have cut 4.4.2-RC1, which fixes an issue where AD/LDAP accounts get deactivated following an AD/LDAP sync if the email address on the AD/LDAP server and the one stored in Mattermost don't match case.

It would be good to verify it fixes the issue you are experiencing. If you are open to it, you can download 4.4.2-RC1 here: https://releases.mattermost.com/4.4.2-rc1/mattermost-4.4.2-rc1-linux-amd64.tar.gz. If this fix doesn’t resolve it for you, let me know and we’ll continue investigating as a high priority.

For other fixes in v4.4.2, you can find a draft of the changelog here.
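The failure mode described in this thread, modelled as an added example (this is constructed illustration code, not Mattermost's sync implementation): a sync pass that decides which accounts to deactivate by looking for each chat user's email in the directory results. The naive version compares the strings exactly, so an address stored as "John@Company.com" in AD and "john@company.com" on the chat server is treated as missing and the account is deactivated; the hardened version casefolds both sides first. It also includes an `at_risk` check an admin could run over an export of both sides before a sync to list accounts that differ only by email case. The sample entries, the `LdapEntry`/`ChatUser` types and the assumption that the comparison is keyed on email are all constructed for this example.

```python
"""Toy model of an AD/LDAP-to-chat-server sync pass (constructed example, not Mattermost code)."""
from dataclasses import dataclass


@dataclass
class LdapEntry:
    """Minimal view of a directory entry: the attributes the thread's config maps."""
    sAMAccountName: str
    mail: str


@dataclass
class ChatUser:
    """Minimal view of a chat-server account that was provisioned from the directory."""
    username: str
    email: str
    active: bool = True


# Constructed sample data: AD holds a mixed-case address for jsmith while the
# chat server stored it lower-cased at account creation; adoe matches exactly.
LDAP_RESULTS = [
    LdapEntry("jsmith", "John@Company.com"),
    LdapEntry("adoe", "adoe@company.com"),
]
CHAT_USERS = [
    ChatUser("jsmith", "john@company.com"),
    ChatUser("adoe", "adoe@company.com"),
]


def sync_case_sensitive(ldap_entries, users):
    """Naive pass: keep a user active only if some directory entry carries the
    byte-for-byte identical email string. A case difference looks like absence."""
    known = {e.mail for e in ldap_entries}
    return [ChatUser(u.username, u.email, u.email in known) for u in users]


def sync_case_insensitive(ldap_entries, users):
    """Hardened pass: normalise both sides with str.casefold() before comparing,
    so a case mismatch is no longer mistaken for a user that left the directory."""
    known = {e.mail.casefold() for e in ldap_entries}
    return [ChatUser(u.username, u.email, u.email.casefold() in known) for u in users]


def deactivated(users):
    """Usernames a sync pass would deactivate, sorted for stable comparison."""
    return sorted(u.username for u in users if not u.active)


def at_risk(ldap_entries, users):
    """Pre-sync check: accounts whose email exists in the directory only under a
    different case, i.e. exactly the accounts a case-sensitive sync would drop."""
    exact = {e.mail for e in ldap_entries}
    folded = {e.mail.casefold() for e in ldap_entries}
    return sorted(
        u.username for u in users
        if u.email not in exact and u.email.casefold() in folded
    )


if __name__ == "__main__":
    print("at risk before sync:", at_risk(LDAP_RESULTS, CHAT_USERS))
    print("naive sync deactivates:", deactivated(sync_case_sensitive(LDAP_RESULTS, CHAT_USERS)))
    print("hardened sync deactivates:", deactivated(sync_case_insensitive(LDAP_RESULTS, CHAT_USERS)))
```

Running it shows jsmith flagged by the pre-sync check and deactivated by the naive pass, while the hardened pass deactivates nobody; users whose directory address and chat-server address agree exactly (adoe here) are unaffected either way, which matches the symptom reported above where only accounts with a differing address were kicked out.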

4.4.2 is now cut, which fixes the AD/LDAP sync issue. You can download it below, or from our downloads page on 11/23:

https://releases.mattermost.com/4.4.2/mattermost-4.4.2-linux-amd64.tar.gz