Roles from LDAP

Your question

Ciao everyone,

Is the LDAP directory capable of syncing roles from LDAP? Currently, I follow RBAC rules and each user gets granted a role (i.e., group via memberOf) for any app they need to access.

This is then synced further to Authentik, which does the authorisation based on the user’s roles.

I tried to set up this mechanism with Stalwart, but it seems that it only created shared mailboxes and it’s not creating any roles when logging in.

Is this planned in Stalwart? Or do I maybe have the wrong configuration?

My current LDAP config is as follows:

Mailbox filter:
(|(&(objectClass=inetOrgPerson)(|(mail=?)(mailAlias=?))(memberOf=cn=EMAIL-ACCESS,ou=Groups,dc=domain,dc=tld))(&(objectClass=groupOfNames)(|(mail=?)(mailAlias=?))))

Member Of filter:
(&(objectClass=groupOfNames)(member=?))

I understand that topics in this category are triaged by a bot first but a human reply will follow up. If I’d prefer a human-only reply, I’ll add the no-ai tag to my topic.
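To make concrete what the two filters above actually yield for a login, here is an added example (my own code, not Stalwart's) that evaluates them against a few constructed LDAP entries. It assumes, as the `?` placeholders in the filters suggest, that the backend substitutes `?` with the value being looked up: the login for the mailbox filter, and the matched entry's DN for the member-of filter. The DNs, users and groups are constructed for the example.

```python
# Added example (not Stalwart's code): a small RFC 4515-style filter evaluator
# that resolves a login with the two filters from the question.
# Assumption: every "?" in a filter is replaced with the value being looked up.
from typing import Dict, List

Entry = Dict[str, List[str]]

MAILBOX_FILTER = ("(|(&(objectClass=inetOrgPerson)(|(mail=?)(mailAlias=?))"
                  "(memberOf=cn=EMAIL-ACCESS,ou=Groups,dc=domain,dc=tld))"
                  "(&(objectClass=groupOfNames)(|(mail=?)(mailAlias=?))))")
MEMBER_OF_FILTER = "(&(objectClass=groupOfNames)(member=?))"

# Constructed directory: DN -> attributes. The users' memberOf values are what a
# memberOf overlay would maintain from the groups' member attributes.
ALICE = "uid=alice,ou=People,dc=domain,dc=tld"
BOB = "uid=bob,ou=People,dc=domain,dc=tld"
EMAIL_ACCESS = "cn=EMAIL-ACCESS,ou=Groups,dc=domain,dc=tld"
SALES = "cn=sales,ou=Groups,dc=domain,dc=tld"

DIRECTORY: Dict[str, Entry] = {
    ALICE: {"objectClass": ["inetOrgPerson"], "mail": ["alice@domain.tld"],
            "memberOf": [EMAIL_ACCESS, SALES]},
    BOB: {"objectClass": ["inetOrgPerson"], "mail": ["bob@domain.tld"],
          "mailAlias": ["robert@domain.tld"]},          # not in EMAIL-ACCESS
    EMAIL_ACCESS: {"objectClass": ["groupOfNames"], "member": [ALICE]},
    SALES: {"objectClass": ["groupOfNames"], "mail": ["sales@domain.tld"],
            "member": [ALICE]},                          # group with a mailbox
}


def parse_filter(text: str):
    """Parse the subset of RFC 4515 used here: &, |, ! and attr=value items."""
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError(f"trailing characters after filter at offset {end}")
    return node


def _parse(s: str, i: int):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")" or (op == "!" and len(children) != 1):
            raise ValueError(f"malformed '{op}' filter at offset {i}")
        return (op, children), i + 1
    close = s.index(")", i)           # simple items here never contain ')'
    attr, eq, value = s[i:close].partition("=")
    if not attr or not eq:
        raise ValueError(f"unsupported filter item {s[i:close]!r}")
    return ("=", attr, value), close + 1


def matches(node, entry: Entry, lookup: str) -> bool:
    op = node[0]
    if op == "&":
        return all(matches(c, entry, lookup) for c in node[1])
    if op == "|":
        return any(matches(c, entry, lookup) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry, lookup)
    _, attr, wanted = node
    if wanted == "?":
        wanted = lookup                                   # placeholder substitution
    present = [v for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]
    return any(v.lower() == wanted.lower() for v in present)   # caseIgnore match


def search(filter_text: str, lookup: str) -> List[str]:
    node = parse_filter(filter_text)
    return [dn for dn, entry in DIRECTORY.items() if matches(node, entry, lookup)]


def resolve_login(login: str) -> Dict[str, object]:
    """The principal a login resolves to, whether it is an individual or a
    group, and the group DNs it belongs to. Nothing here is a role."""
    found = search(MAILBOX_FILTER, login)
    if not found:
        return {}
    dn = found[0]
    kind = "group" if "groupOfNames" in DIRECTORY[dn].get("objectClass", []) else "individual"
    return {"dn": dn, "type": kind, "groups": search(MEMBER_OF_FILTER, dn)}


if __name__ == "__main__":
    for login in ("alice@domain.tld", "bob@domain.tld", "sales@domain.tld"):
        print(login, "->", resolve_login(login))
```

Running it shows the behaviour the question describes: `alice` resolves to an individual with two group DNs, `bob` does not resolve at all because the mailbox filter requires `memberOf=cn=EMAIL-ACCESS,...`, and `sales` resolves to a group entry, which is the shape that ends up as a shared mailbox. The EMAIL-ACCESS group itself only ever appears as a group DN on the user, never as a role.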


Stalwart’s LDAP integration does not currently sync Stalwart roles (i.e., the internal RBAC Role objects with enabledPermissions/disabledPermissions) directly from LDAP group memberships. Here is what it does and does not do:

What LDAP syncs:

  • Group memberships via memberOf attributes or filterMemberOf – these map to groups (shared mailboxes/distribution lists) in Stalwart, not to Stalwart roles.
  • The LDAP-side group (objectClass=groupOfNames) is treated as a Stalwart group account, which is why you’re seeing shared mailboxes being created rather than roles being assigned.

What it does not do:

  • There is no mechanism to automatically map an LDAP group (e.g., cn=EMAIL-ACCESS) to a Stalwart internal Role object. Roles in Stalwart are defined and assigned on Stalwart’s own principal objects (Account, Group, Tenant) and are not read from the LDAP directory.

Workaround: The closest approach today is to assign a Stalwart Role to a Stalwart Group object that mirrors the LDAP group. When a user is a member of that LDAP group, they inherit the group’s Stalwart role through the group membership. However, the Role must still be configured manually in Stalwart’s own directory (WebUI under Management > Directory > Roles), and the Stalwart group must have that role assigned – this isn’t auto-synced from LDAP attributes.

You can read more about how LDAP attributes and group memberships are resolved in the LDAP directory docs and how roles work in the Roles authorization docs.

This is an automated reply from the Stalwart Help Bot. Other community members may follow up if this answer is incomplete or wrong.
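As an added illustration of the workaround in the bot's answer (my own code, not Stalwart's), here is a model in which group membership is what the directory sync delivers, while roles live in a local table keyed by the mirrored group name. The permission names, logins and group names are constructed, and the combination rule (a permission is effective when an inherited role enables it and no inherited role disables it) is an assumption for the model, not a statement about Stalwart's internals. The `unmapped_groups` check is the part worth keeping around: it lists synced groups that nobody has attached a role to, which is exactly the drift that appears when Midpoint starts assigning a new group.

```python
# Added example (not Stalwart's code): roles attached to mirrored groups.
# Assumed combination rule: effective = union(enabled) - union(disabled).
from typing import Dict, List, Set

# Constructed sync result: Stalwart group names derived from memberOf per login.
SYNCED_MEMBERSHIP: Dict[str, List[str]] = {
    "alice@domain.tld": ["EMAIL-ACCESS", "sales"],
    "carol@domain.tld": ["EMAIL-ACCESS", "auditors"],
}

# Local, hand-maintained Stalwart-side configuration. Permission names are
# illustrative placeholders.
ROLES: Dict[str, Dict[str, Set[str]]] = {
    "mail-user": {"enabled": {"email-send", "email-receive", "jmap-email-get"},
                  "disabled": set()},
    "read-only": {"enabled": {"jmap-email-get"}, "disabled": {"email-send"}},
}
GROUP_ROLES: Dict[str, List[str]] = {
    "EMAIL-ACCESS": ["mail-user"],
    "auditors": ["read-only"],
    # "sales" is synced from LDAP but has no role assigned locally.
}


def effective_permissions(login: str) -> Set[str]:
    """Permissions a login inherits through its synced groups' local roles."""
    enabled: Set[str] = set()
    disabled: Set[str] = set()
    for group in SYNCED_MEMBERSHIP.get(login, []):
        for role in GROUP_ROLES.get(group, []):
            enabled |= ROLES[role]["enabled"]
            disabled |= ROLES[role]["disabled"]
    return enabled - disabled


def unmapped_groups() -> List[str]:
    """Synced groups with no local role: membership in them grants nothing
    beyond the group itself until someone assigns a role by hand."""
    synced = {g for groups in SYNCED_MEMBERSHIP.values() for g in groups}
    return sorted(g for g in synced if not GROUP_ROLES.get(g))


if __name__ == "__main__":
    for login in SYNCED_MEMBERSHIP:
        print(login, sorted(effective_permissions(login)))
    print("groups without a local role:", unmapped_groups())
```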

@helpbot

Problem is, the role assignment lifecycle is managed centrally by Midpoint. It’s a pity that roles must be created and assigned only in Stalwart.

Would this feature be implemented in the future?

The LDAP backend syncs group membership only: a memberOf group becomes a Stalwart group principal (which is why you’re seeing shared mailboxes), but there’s no mapping from an LDAP group or attribute to a Stalwart role or permission set. Roles are managed locally on the principal, not sourced from the directory, so there’s no configuration that achieves LDAP-driven role assignment today. Your config isn’t wrong; the feature just doesn’t exist.