Group Sync allows you to use the ACLs from your identity infrastructure
in order to set up permissions on Spaces and Rooms in the Element
Ecosystem. Please note that the initial version we are providing
only supports a single-node, non-federated configuration.
From the Installer's Integrations page, click "Install" under "Group Sync".
Auto invite groupsync users to public room
LDAP Base DN
The distinguished name can be displayed by selecting View/Advanced Features in the Active Directory console, then right-clicking the object and selecting Properties/Attributes Editor.
The DN is OU=Demo corp,DC=olivier,DC=sales-demos,DC=element,DC=io.
Mapping attribute for room name
Mapping attribute for username
If @bob:my-domain.org is the mxid, bob is the localpart, and Group Sync expects to find this value in the LDAP attribute sAMAccountName.
LDAP Bind DN
Check interval in seconds
LDAP Bind Password
You need to create an App registration. You'll need the Tenant ID of
the organization, the Application (client ID) and a secret generated from
Certificates & secrets on the app.
Application (client ID)
Certificates & secrets
For the bridge to operate correctly, navigate to API permissions
and ensure it has access to Group.Read.All, GroupMember.Read.All and
User.Read.All. Ensure that these are Application permissions (rather than Delegated).
Remember to grant admin consent for them.
To use the MSGraph source, select MSGraph as your source.
The space mapping mechanism allows you to configure spaces that Group Sync will maintain, beyond the ones that you can create manually.
It is optional: the configuration can be skipped, but if you enable Group Sync you have to edit the space mapping by clicking the EDIT button and rename "(unnamed space)" to something meaningful.
Include all users in the directory in this space: all available users, regardless of group membership, join the space. This option is convenient when creating a common subspace shared between all users.
Include all users in the directory in this space
Add new space
You can then map an external ID (the LDAP distinguished name) to a power level. Every user belonging to this external ID is granted the power level set in the interface. The external ID can be any LDAP object, such as an OrgUnit, a Group or a Security Group.
A power level of 0 is a default user who can write messages, react to messages and delete their own messages.
A power level of 50 is a moderator who can create rooms and delete other members' messages.
A power level of 100 is an administrator, but since Group Sync manages spaces and invitations to rooms, it does not make sense to map a group to power level 100.
Custom power levels other than 0 and 50 are not supported yet.
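The following is an added example, not code from the Element Installer or Group Sync itself, modelling how the username mapping and the space mapping above fit together: the localpart of a Matrix user ID is looked up as sAMAccountName, and the user's power level is the highest level mapped to any external ID they belong to. The directory contents, the mapping and the DN comparison rules (case-insensitive, and "belongs to an OrgUnit" meaning the user's DN sits under that OU) are assumptions made for the example.

```python
import re

# Constructed sample of what an LDAP/AD search under the Base DN might return
# (not real directory data): sAMAccountName -> entry with its DN and memberOf.
BASE_DN = "OU=Demo corp,DC=olivier,DC=sales-demos,DC=element,DC=io"
SAMPLE_DIRECTORY = {
    "bob": {
        "dn": f"CN=Bob,OU=Engineering,{BASE_DN}",
        "memberOf": [f"CN=Moderators,OU=Groups,{BASE_DN}"],
    },
    "alice": {
        "dn": f"CN=Alice,OU=Sales,{BASE_DN}",
        "memberOf": [],
    },
    "carol": {
        "dn": f"CN=Carol,OU=Engineering,{BASE_DN}",
        "memberOf": [],
    },
}

# Constructed space mapping: external ID (an LDAP DN) -> power level.
SAMPLE_MAPPING = {
    f"CN=Moderators,OU=Groups,{BASE_DN}": 50,  # a security group
    f"OU=Engineering,{BASE_DN}": 0,            # an OrgUnit
}

# Group Sync only supports these two levels; 100 is deliberately not mappable.
SUPPORTED_POWER_LEVELS = {0, 50}

MXID_RE = re.compile(r"^@([^:]+):(.+)$")


def localpart_of(mxid):
    """Return the localpart of a Matrix user ID: '@bob:my-domain.org' -> 'bob'."""
    m = MXID_RE.match(mxid)
    if m is None:
        raise ValueError(f"not a Matrix user ID: {mxid!r}")
    return m.group(1)


def validate_mapping(mapping):
    """Reject any power level other than 0 and 50 before it is applied."""
    bad = {dn: lvl for dn, lvl in mapping.items() if lvl not in SUPPORTED_POWER_LEVELS}
    if bad:
        raise ValueError(f"unsupported power levels in mapping: {bad}")
    return True


def _normalise_dn(dn):
    # Assumption: DNs compare case-insensitively, ignoring whitespace around the
    # separating commas. (Escaped commas inside values are not handled here.)
    return ",".join(part.strip().lower() for part in dn.split(","))


def belongs_to(entry, external_id):
    """True if the user is a member of the mapped group, or lives under the mapped OU."""
    target = _normalise_dn(external_id)
    if any(_normalise_dn(g) == target for g in entry["memberOf"]):
        return True
    return _normalise_dn(entry["dn"]).endswith("," + target)


def resolve_power_level(mxid, mapping, directory):
    """Power level Group Sync would grant in the space, or None when the user
    matches no mapped external ID (and so is not a member of the space)."""
    validate_mapping(mapping)
    entry = directory.get(localpart_of(mxid).lower())  # sAMAccountName lookup
    if entry is None:
        return None
    levels = [lvl for dn, lvl in mapping.items() if belongs_to(entry, dn)]
    return max(levels) if levels else None


if __name__ == "__main__":
    for user in ("@bob:my-domain.org", "@alice:my-domain.org", "@carol:my-domain.org"):
        print(user, "->", resolve_power_level(user, SAMPLE_MAPPING, SAMPLE_DIRECTORY))
```

Bob resolves to 50 because group membership outranks the OU's level 0, Carol to 0 through the OrgUnit alone, and Alice to no membership at all; a mapping that names level 100 is rejected up front, matching the restriction stated above.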
A list of userid patterns that will not get kicked from rooms even if they don't belong to them according to LDAP.
This is useful for things like auditbot if Auditbot has been enabled.
Patterns listed here will be wrapped in ^ and $ before matching.
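Because each pattern is wrapped in ^ and $, it must match the whole Matrix user ID; a bare fragment such as "@auditbot" exempts nobody. The added example below (not code from Group Sync; the room membership, LDAP membership and patterns are constructed) models that reconcile step so the effect of the anchoring can be seen on sample data.

```python
import re


def compile_exempt_patterns(patterns):
    """Wrap each configured pattern in ^ and $, as Group Sync does before matching,
    so only a full-ID match exempts a user."""
    return [re.compile("^" + p + "$") for p in patterns]


def is_exempt(mxid, compiled):
    return any(r.match(mxid) for r in compiled)


def users_to_kick(room_members, ldap_members, exempt_patterns):
    """Room members absent from the LDAP-derived member list, minus anyone whose
    user ID fully matches an exempt pattern (constructed model of the reconcile)."""
    compiled = compile_exempt_patterns(exempt_patterns)
    return sorted(
        m for m in room_members
        if m not in ldap_members and not is_exempt(m, compiled)
    )


# Constructed sample state, not real data.
ROOM_MEMBERS = {
    "@alice:my-domain.org",
    "@bob:my-domain.org",
    "@auditbot:my-domain.org",
    "@auditbot-impostor:my-domain.org",  # looks like the bot, is not the bot
    "@eve:my-domain.org",
}
LDAP_MEMBERS = {"@alice:my-domain.org", "@bob:my-domain.org"}

# Escaping the dot keeps the pattern exact; ".*" on the server part would instead
# exempt an auditbot account on any server.
EXACT_PATTERN = [r"@auditbot:my-domain\.org"]
FRAGMENT_PATTERN = ["@auditbot"]  # never matches a full ID once anchored


if __name__ == "__main__":
    print("exact   ->", users_to_kick(ROOM_MEMBERS, LDAP_MEMBERS, EXACT_PATTERN))
    print("fragment->", users_to_kick(ROOM_MEMBERS, LDAP_MEMBERS, FRAGMENT_PATTERN))
```

With the exact pattern only the impostor and eve are removed; with the unanchored fragment the real auditbot is removed as well, which is the misconfiguration the ^ and $ wrapping is meant to make visible rather than silently broaden.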