Applies to: Mattermost Self-Managed (all supported versions) with AD/LDAP authentication or group sync configured
Symptoms: Bind failures when saving or testing AD/LDAP settings, users not appearing after sync, or LDAP groups syncing with zero members
π Problem
Administrators integrating Mattermost with Active Directory or another LDAP directory frequently hit one of three issues:
- The AD/LDAP test in the System Console fails with a bind error.
- The bind succeeds, but no users appear after a sync.
- Groups sync, but they show zero members in Mattermost.
Each of these has a distinct cause. The bind error is almost always a credentials, format, or TLS mismatch. The empty user list is almost always an Email Attribute problem. The empty group is almost always a missing or misnamed member attribute on the directory side.
The exact server-side bind error message in Mattermost is:
Unable to bind to AD/LDAP server. Check BindUsername and BindPassword.
π Note: When you click AD/LDAP Test in the System Console, the UI may prefix this with text like "AD/LDAP Test Failure:". The underlying AppError itself is the line above. If you are grepping server logs, search for "Unable to bind to AD/LDAP server".
β Solution
Step 1 β Fix bind credential and format issues
Mattermost itself does not validate the format of BindUsername. It passes the value directly to the LDAP library, which then sends it to your directory. So the format that works is whatever your directory accepts.
For most Active Directory deployments, any of the following are valid:
- Full Distinguished Name, for example
CN=mattermost_svc,OU=Service Accounts,DC=domain,DC=local - User Principal Name, for example
mattermost_svc@domain.local - Down-level logon name, for example
DOMAIN\mattermost_svc
For OpenLDAP and most non-AD directories, you almost always need the full DN.
π‘ Tip: If you are not sure which formats your directory accepts, the full DN is the safest universal choice. Confirm the DN with your AD or directory administrator before troubleshooting further.
Step 2 β Match Connection Security to your LDAP port
The Connection Security field accepts three values, and they must line up with how your LDAP server is listening:
- Port 636 (LDAPS) β set Connection Security to
TLS - Port 389 with StartTLS upgrade β set Connection Security to
STARTTLS - Port 389 plain (unencrypted) β set Connection Security to
None
If you are testing against a directory that uses a self-signed certificate or a private CA that the Mattermost server does not trust, enable Skip Certificate Verification temporarily to confirm whether the failure is certificate-related.
β οΈ Important: Skip Certificate Verification should never be left enabled in production. Once you have confirmed certificates are the issue, install the correct CA chain on the Mattermost server and turn this setting back off.
Step 3 β Resolve "no users appearing after sync"
The most common cause of an empty user list after a successful bind is the Email Attribute. Mattermost requires Email Attribute to be set in configuration, and if the value it resolves to is blank for a given LDAP entry, that user will not be usable in Mattermost even though no error is thrown during sync.
To resolve:
- Navigate to System Console > Authentication > AD/LDAP.
- Set Email Attribute to an attribute that is populated and unique for every user you want to sync. In Active Directory,
mailis the default, anduserPrincipalNameis the most common fallback whenmailis not populated. - Save and run a sync.
π Note: Uniqueness is enforced at the Mattermost users table, not at the LDAP sync layer. If two LDAP users share the same email-like value, only one will land in Mattermost successfully.
Step 4 β Resolve "LDAP groups have no members"
Mattermost looks for group membership in two LDAP attributes on the group object:
memberuniqueMember
The values in those attributes must be full Distinguished Names of the member users. Mattermost also handles the Active Directory ranged-attribute pattern (member;range=0-1499) for groups with more than 1500 members.
To resolve:
- Inspect the group object in your directory using
ldapsearchor an equivalent tool. - Confirm at least one of
memberoruniqueMemberis present and populated with full user DNs. - Confirm that those member DNs match users that are also returned by your User Filter β Mattermost cannot map a group member to a user it cannot see.
- Re-run AD/LDAP sync from the System Console.
Comments
Please sign in to leave a comment.