@smirk-dev smirk-dev commented Jan 18, 2026

Summary

Fixes excessive LDAP logging issue (#36705) where the system could generate ~1GB of logs per day when:

  • LDAP role/channel sync is enabled
  • "Validate membership for each group" strategy is selected
  • Group BaseDN or Group Filter are not configured

The fix:

  • Adds early validation in syncUserRoles and syncUserChannels to check if BaseDN and Filter are configured before entering the iteration loop
  • Adds log throttling to isUserInGroup as a defense in depth measure

Changes

  • Early validation: Before iterating over LDAP groups, the code now checks if the required settings (BaseDN and Filter) are configured when using "each_group" strategy. If not, it logs a single warning and returns early.
  • Log throttling: The isUserInGroup function now tracks whether it has already logged the missing config error to prevent repeated logging.

Test plan

  • Configure LDAP with role/channel sync enabled
  • Select "Validate membership for each group" strategy
  • Leave Group BaseDN or Group Filter empty
  • Trigger a sync and verify only a single warning is logged instead of thousands of errors
  • Verify sync works correctly when settings are properly configured

Issue(s)

Closes #36705

🤖 Generated with Claude Code

Summary by CodeRabbit

Bug Fixes

  • Resolved excessive LDAP logging when Group BaseDN or Group Filter are not configured, preventing redundant error logs during each synchronization cycle.

Chores

  • Updated .gitignore to exclude yarn.lock, deno.lock, and copilot configuration files.

smirk-dev and others added 6 commits December 23, 2025 03:55
…figured

When LDAP role/channel sync is enabled with "Validate membership for each group"
strategy but Group BaseDN or Group Filter are not configured, the system was
logging an error for every user and every LDAP group on every sync interval.
This could result in thousands of log entries per second (~1GB of logs per day).

This fix:
1. Adds early validation in syncUserRoles and syncUserChannels to check if
   BaseDN and Filter are configured before entering the iteration loop
2. Adds log throttling to isUserInGroup as a defense in depth measure

Closes RocketChat#36705

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@smirk-dev smirk-dev requested a review from a team as a code owner January 18, 2026 17:16

dionisio-bot bot commented Jan 18, 2026

Looks like this PR is not ready to merge, because of the following issues:

  • This PR is missing the 'stat: QA assured' label
  • This PR is missing the required milestone or project

Please fix the issues and try again

If you have any trouble, please check the PR guidelines


changeset-bot bot commented Jan 18, 2026

🦋 Changeset detected

Latest commit: 2018cdf

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 40 packages
Name Type
@rocket.chat/meteor Patch
@rocket.chat/core-typings Patch
@rocket.chat/rest-typings Patch
@rocket.chat/uikit-playground Patch
@rocket.chat/api-client Patch
@rocket.chat/apps Patch
@rocket.chat/core-services Patch
@rocket.chat/cron Patch
@rocket.chat/ddp-client Patch
@rocket.chat/fuselage-ui-kit Patch
@rocket.chat/gazzodown Patch
@rocket.chat/http-router Patch
@rocket.chat/livechat Patch
@rocket.chat/model-typings Patch
@rocket.chat/ui-avatar Patch
@rocket.chat/ui-client Patch
@rocket.chat/ui-contexts Patch
@rocket.chat/ui-voip Patch
@rocket.chat/web-ui-registration Patch
@rocket.chat/account-service Patch
@rocket.chat/authorization-service Patch
@rocket.chat/ddp-streamer Patch
@rocket.chat/omnichannel-transcript Patch
@rocket.chat/presence-service Patch
@rocket.chat/queue-worker Patch
@rocket.chat/abac Patch
@rocket.chat/federation-matrix Patch
@rocket.chat/license Patch
@rocket.chat/media-calls Patch
@rocket.chat/omnichannel-services Patch
@rocket.chat/pdf-worker Patch
@rocket.chat/presence Patch
rocketchat-services Patch
@rocket.chat/models Patch
@rocket.chat/network-broker Patch
@rocket.chat/omni-core-ee Patch
@rocket.chat/mock-providers Patch
@rocket.chat/ui-video-conf Patch
@rocket.chat/instance-status Patch
@rocket.chat/omni-core Patch


coderabbitai bot commented Jan 18, 2026

Walkthrough

Fixes excessive LDAP logging occurring when Group BaseDN or Group Filter are not configured. Implements log throttling in isUserInGroup and early validation guards in syncUserRoles and syncUserChannels to prevent per-user per-group error logs during sync cycles. Updates .gitignore with new file patterns.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Changeset Entry: .changeset/quiet-llamas-dance.md | Documents fix for excessive LDAP logging, describing two code changes: early validation guards and log throttling mechanism. |
| Ignore List Updates: .gitignore | Added yarn.lock, deno.lock, and .github/copilot-instructions.md to repository-wide ignore list. |
| LDAP Manager Implementation: apps/meteor/ee/server/lib/ldap/Manager.ts | Added static field hasLoggedMissingGroupConfig for one-time logging in isUserInGroup. Introduced early-exit guards in syncUserRoles and syncUserChannels when using "each_group" strategy with missing Group BaseDN or Filter configuration. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

  • tassoevan

Poem

🐰 Log spam be gone, with flags so bright,
Early exits guard the night,
One message logged, no more per-user spree,
LDAP silenced, how peaceful to be! 🌙

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main change: preventing excessive LDAP logging when Group BaseDN or Filter are not configured, which is the core fix addressed in this PR. |
| Linked Issues check | ✅ Passed | The PR successfully implements both coding requirements from issue #36705: early validation guards in syncUserRoles/syncUserChannels to skip iteration when Group BaseDN/Filter are missing, and log throttling in isUserInGroup to prevent per-user logging spam. |
| Out of Scope Changes check | ✅ Passed | All changes are directly related to fixing excessive LDAP logging. The .gitignore modifications and changeset entry are minor supporting changes with no unrelated scope creep detected. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


@cubic-dev-ai cubic-dev-ai bot left a comment

1 issue found across 5 files

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="apps/meteor/ee/server/lib/ldap/Manager.ts">

<violation number="1" location="apps/meteor/ee/server/lib/ldap/Manager.ts:311">
P2: Missing group-config warning logs once per user sync, still causing log spam when BaseDN/Filter are unset</violation>
</file>

}

if (searchStrategy === 'each_group' && (!syncUserRolesBaseDN || !syncUserRolesFilter)) {
logger.warn(

@cubic-dev-ai cubic-dev-ai bot Jan 18, 2026

P2: Missing group-config warning logs once per user sync, still causing log spam when BaseDN/Filter are unset

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At apps/meteor/ee/server/lib/ldap/Manager.ts, line 311:

<comment>Missing group-config warning logs once per user sync, still causing log spam when BaseDN/Filter are unset</comment>

<file context>
@@ -300,6 +307,13 @@ export class LDAPEEManager extends LDAPManager {
 		}
 
+		if (searchStrategy === 'each_group' && (!syncUserRolesBaseDN || !syncUserRolesFilter)) {
+			logger.warn(
+				'LDAP Sync User Roles: "Group BaseDN" and "Group Filter" are required when using "Validate membership for each group" strategy. Skipping role sync.',
+			);
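Review bot: The logger.warn inside the new each_group guard is unconditional, so it is written every time this method runs while "Group BaseDN" or "Group Filter" is unset; nothing in these lines limits it to once per sync cycle or once per process. Suggest gating it behind a log-once or time-based guard, or doing the check once at the point where a sync cycle starts. The message is also the same whichever of syncUserRolesBaseDN and syncUserRolesFilter is empty; naming the missing setting would make the warning easier to act on.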
</file context>


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In @.changeset/quiet-llamas-dance.md:
- Around line 12-15: The phrase "defense in depth" in the changelog should be
hyphenated as "defense-in-depth"; update the sentence that describes log
throttling for the isUserInGroup function to read "Adds log throttling to the
`isUserInGroup` function as a defense-in-depth measure" and ensure the functions
`syncUserRoles` and `syncUserChannels` and `isUserInGroup` are referenced
exactly as shown.
🧹 Nitpick comments (2)
apps/meteor/ee/server/lib/ldap/Manager.ts (2)

26-29: Drop the inline comment; the field name is self-explanatory.

As per coding guidelines, avoid code comments in implementation.

♻️ Proposed change
-	// Track if we've already logged the missing config error to prevent log spam
 	private static hasLoggedMissingGroupConfig = false;
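Review bot: hasLoggedMissingGroupConfig is a static boolean initialised to false, and nothing in this hunk shows it being reset, so once it is set the missing-config message would stay silenced for the life of the process, including after the settings are corrected and later broken again. Suggest resetting it when the group settings change, or storing a timestamp instead of a boolean so the message can recur at a bounded rate. If the inline comment is dropped, that reset behaviour should still be stated somewhere, since the field name alone does not convey it.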

310-315: Consider throttling this warning as well.

If background sync runs frequently, this (and the similar channel warning) will still log every sync; consider reusing the missing-config throttle or a time-based throttle to keep warnings to a reasonable rate.

Comment on lines +12 to +15
This fix:
1. Adds early validation in `syncUserRoles` and `syncUserChannels` to check if BaseDN and Filter are
configured before entering the iteration loop
2. Adds log throttling to the `isUserInGroup` function as a defense in depth measure

⚠️ Potential issue | 🟡 Minor

Hyphenate “defense-in-depth”.

Minor grammar: compound modifier should be hyphenated.

✏️ Proposed edit
-2. Adds log throttling to the `isUserInGroup` function as a defense in depth measure
+2. Adds log throttling to the `isUserInGroup` function as a defense-in-depth measure
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
This fix:
1. Adds early validation in `syncUserRoles` and `syncUserChannels` to check if BaseDN and Filter are
configured before entering the iteration loop
2. Adds log throttling to the `isUserInGroup` function as a defense in depth measure
This fix:
1. Adds early validation in `syncUserRoles` and `syncUserChannels` to check if BaseDN and Filter are
configured before entering the iteration loop
2. Adds log throttling to the `isUserInGroup` function as a defense-in-depth measure
🧰 Tools
🪛 LanguageTool

[grammar] ~15-~15: Use a hyphen to join words.
Context: ...he isUserInGroup function as a defense in depth measure

(QB_NEW_EN_HYPHEN)


[grammar] ~15-~15: Use a hyphen to join words.
Context: ...isUserInGroup function as a defense in depth measure

(QB_NEW_EN_HYPHEN)

🤖 Prompt for AI Agents
In @.changeset/quiet-llamas-dance.md around lines 12 - 15, The phrase "defense
in depth" in the changelog should be hyphenated as "defense-in-depth"; update
the sentence that describes log throttling for the isUserInGroup function to
read "Adds log throttling to the `isUserInGroup` function as a defense-in-depth
measure" and ensure the functions `syncUserRoles` and `syncUserChannels` and
`isUserInGroup` are referenced exactly as shown.

@smirk-dev smirk-dev closed this Jan 18, 2026
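
As an added example (not code from this PR or from Rocket.Chat): a time-windowed warning throttle of the kind the review comments suggest, with a constructed simulation that counts the lines written by per-user-per-group logging, by an unconditional per-user warning, and by the throttle. `ThrottledWarner`, `simulate`, the key and the message text are hypothetical names chosen for this illustration.

```typescript
// Added illustration, not Rocket.Chat code; every name below is hypothetical.
type Sink = (line: string) => void;

class ThrottledWarner {
	private readonly state = new Map<string, { at: number; dropped: number }>();
	private readonly sink: Sink;
	private readonly windowMs: number;
	private readonly now: () => number;

	constructor(sink: Sink, windowMs: number, now: () => number) {
		this.sink = sink;
		this.windowMs = windowMs;
		this.now = now;
	}

	// Emit at most one line per key per window; report how many were dropped
	// since the previous line so the suppression itself stays visible.
	warn(key: string, msg: string): boolean {
		const t = this.now();
		const prev = this.state.get(key);
		if (prev && t - prev.at < this.windowMs) {
			prev.dropped++;
			return false;
		}
		const dropped = prev ? prev.dropped : 0;
		this.state.set(key, { at: t, dropped: 0 });
		this.sink(dropped > 0 ? `${msg} (${dropped} repeats suppressed)` : msg);
		return true;
	}
}

// Constructed scenario: every user is synced once per cycle while the group
// settings are unset. Counts the lines each logging approach would write.
function simulate(users: number, groups: number, cycles: number, intervalMs: number, windowMs: number) {
	let clock = 0;
	const lines: string[] = [];
	const warner = new ThrottledWarner((l) => lines.push(l), windowMs, () => clock);
	let perUserPerGroup = 0; // error logged inside the group loop
	let perUserSync = 0; // early-exit guard with an unconditional warn
	for (let c = 0; c < cycles; c++, clock += intervalMs) {
		for (let u = 0; u < users; u++) {
			perUserPerGroup += groups;
			perUserSync += 1;
			warner.warn('ldap-group-config', 'Group BaseDN and Group Filter are required; skipping sync.');
		}
	}
	return { perUserPerGroup, perUserSync, throttled: lines.length, lines };
}
```

With 200 users, 30 groups and an hourly sync over 24 cycles, a six-hour window reduces 144000 per-group lines (or 4800 per-user lines) to 4, and each later line carries the count of suppressed repeats.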

Development

Successfully merging this pull request may close these issues.

Nonsensical hint continuously fills the log file with about 50 entries per second
