room/space membership by LDAP groups? #166

@d-sko

Is your feature request related to a problem? Please describe.
I'm not sure if this is possible for an auth provider, but it would be very useful to add and remove users to/from rooms and spaces based on their LDAP groups.
This way it would be possible to create spaces and rooms for every department or team and they would be automatically assigned by the group membership of the user. And if the user switches to another department/team, he would be removed from the old rooms and added to the new ones without any administrative tasks on the Synapse end of things.

Describe the solution you'd like
A configurable list of mappings based on the CN of the group and the room name or ID, something like this (with one or more rooms per group):

modules:
 - module: "ldap_auth_provider.LdapAuthProviderModule"
   config:
     enabled: true
     [...]
     room_mapping:
       - cn: "CN=some,CN=group,DC=example,DC=com"
         rooms: "room 1"
       - cn: "CN=some,CN=other,CN=group,DC=example,DC=com"
         rooms: "room 2"
       - cn: "CN=yet,CN=another,CN=group,DC=example,DC=com"
         rooms:
           - "room 1"
           - "room 2"
     [...]

Describe alternatives you've considered
I considered using the maubot plugin here: https://github.com/davidmehren/maubot-ldap-inviter but it has 2 major drawbacks: it doesn't remove users from rooms and it has to be invoked manually by command.
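An added example, not part of the original issue or the project's code: a sketch of the reconciliation step such a mapping would need, computing which rooms a user should join and leave from the proposed `room_mapping` layout. The function names are hypothetical, the DN comparison is simplified, and no Synapse or LDAP API is called.

```python
# Added example: plan room joins/leaves from LDAP group membership.
# room_mapping follows the layout proposed in the issue; names are hypothetical.

def normalize_dn(dn):
    """Simplified DN comparison key: lower-case, spaces around RDNs ignored.
    Assumption: no escaped commas; a real module should use an LDAP DN parser."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def build_index(room_mapping):
    """Map normalized group DN -> set of rooms ('rooms' is a string or a list)."""
    index = {}
    for entry in room_mapping:
        rooms = entry["rooms"]
        if isinstance(rooms, str):
            rooms = [rooms]
        index.setdefault(normalize_dn(entry["cn"]), set()).update(rooms)
    return index


def plan_room_changes(room_mapping, user_groups, current_rooms):
    """Return (rooms_to_join, rooms_to_leave) as sorted lists.

    user_groups=None means the LDAP lookup failed: change nothing, so a
    directory outage does not remove everyone from their rooms.
    Only rooms named in the mapping are ever left; other rooms are untouched.
    """
    if user_groups is None:
        return [], []
    index = build_index(room_mapping)
    managed = set().union(*index.values())
    entitled = set()
    for dn in {normalize_dn(g) for g in user_groups}:
        entitled |= index.get(dn, set())
    current = set(current_rooms)
    return sorted(entitled - current), sorted((current & managed) - entitled)


# Constructed sample data mirroring the mapping in the issue.
ROOM_MAPPING = [
    {"cn": "CN=some,CN=group,DC=example,DC=com", "rooms": "room 1"},
    {"cn": "CN=some,CN=other,CN=group,DC=example,DC=com", "rooms": "room 2"},
    {"cn": "CN=yet,CN=another,CN=group,DC=example,DC=com",
     "rooms": ["room 1", "room 2"]},
]

if __name__ == "__main__":
    # User moved from the first group to the second; "private chat" is unmanaged.
    groups = ["cn=some, cn=other, cn=group, dc=example, dc=com"]
    print(plan_room_changes(ROOM_MAPPING, groups, ["room 1", "private chat"]))
```
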
