From afd5fdd52107f41ce0794ac9fc8989ba6b892ede Mon Sep 17 00:00:00 2001
From: Matheus Barbosa Silva <36537004+matheusbsilva137@users.noreply.github.com>
Date: Fri, 12 Jan 2024 18:07:46 -0300
Subject: [PATCH] fix: LDAP Group filter doesn't work and throws "No Such Object" error on login (#31377)
---
 .changeset/wet-crabs-brush.md | 5 +++++
 apps/meteor/server/lib/ldap/Connection.ts | 4 ++--
 apps/meteor/server/lib/ldap/Manager.ts | 9 ++++-----
 3 files changed, 11 insertions(+), 7 deletions(-)
 create mode 100644 .changeset/wet-crabs-brush.md
diff --git a/.changeset/wet-crabs-brush.md b/.changeset/wet-crabs-brush.md
new file mode 100644
index 00000000000..375d59addc0
--- /dev/null
+++ b/.changeset/wet-crabs-brush.md
@@ -0,0 +1,5 @@
+---
+"@rocket.chat/meteor": patch
+---
+
+Fixed LDAP "Group filter" malfunction, which prevented LDAP users from logging in.
diff --git a/apps/meteor/server/lib/ldap/Connection.ts b/apps/meteor/server/lib/ldap/Connection.ts
index 2ab6ba9c73c..167f1b36e50 100644
--- a/apps/meteor/server/lib/ldap/Connection.ts
+++ b/apps/meteor/server/lib/ldap/Connection.ts
@@ -465,9 +465,9 @@ export class LDAPConnection {
 searchLogger.debug({ msg: 'Group filter LDAP:', filter: searchOptions.filter });
- const result = await this.searchRaw(this.options.baseDN, searchOptions);
+ const result = await this.searchAndCount(this.options.baseDN, searchOptions);
- if (!Array.isArray(result) || result.length === 0) {
+ if (result === 0) {
 return false;
 }
 return true;
diff --git a/apps/meteor/server/lib/ldap/Manager.ts b/apps/meteor/server/lib/ldap/Manager.ts
index 99fe356d53c..4a5cdf2df8d 100644
--- a/apps/meteor/server/lib/ldap/Manager.ts
+++ b/apps/meteor/server/lib/ldap/Manager.ts
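Review bot: The rewritten check in the Connection.ts hunk fails open if `searchAndCount` ever resolves to anything other than a non-negative number: `result === 0` is false for `undefined`, `null` or `NaN`, so the method would return true and admit the user, and the old `Array.isArray` guard that caught that case is gone. The positive form states the intent directly and closes that gap: replace the four lines from `if (result === 0) {` to `return true;` with `return typeof result === 'number' && result > 0;`. Whether `searchAndCount` can resolve to a non-number is not visible here and may already be excluded by its return type, in which case the shorter `return result > 0;` is enough. The enclosing method starts and ends outside the hunk.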
@@ -200,6 +200,10 @@ export class LDAPManager {
 }
 const [ldapUser] = users;
+ if (!(await ldap.isUserAcceptedByGroupFilter(escapedUsername, ldapUser.dn))) {
+ throw new Error('User not found');
+ }
+
 if (!(await ldap.authenticate(ldapUser.dn, password))) {
 logger.debug(`Wrong password for ${escapedUsername}`);
 throw new Error('Invalid user or wrong password');
@@ -212,11 +216,6 @@ export class LDAPManager {
 authLogger.debug(`Bind successful but user ${ldapUser.dn} was not found via search`);
 }
 }
-
- if (!(await ldap.isUserAcceptedByGroupFilter(escapedUsername, ldapUser.dn))) {
- throw new Error('User not in a valid group');
- }
-
 return ldapUser;
 } catch (error) {
 logger.error(error);
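Review bot: Moving the group-filter check ahead of `ldap.authenticate` means a request that never supplies a valid password now gets a different error for an LDAP user outside the configured group (`'User not found'` at the added lines) than for one inside it (`'Invalid user or wrong password'` from the context lines below), so group membership is observable before any bind; previously the removed post-bind check only exposed that distinction after a successful password. If the outward error is meant to be uniform, log the reason the way the password branch does with `logger.debug` and throw the same `'Invalid user or wrong password'` message from the new block. The new block would also benefit from a one-line comment saying why the filter must now run before the bind, since the subject's "No Such Object" failure is the only hint a reader has. The second hunk only removes the old post-bind check; the enclosing login method starts before the first hunk and ends after the second.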