Thank you all, I have it working now
I will leave my RocketChat configuration (from the Administration/LDAP interface) here for posterity, as there is little documentation online:
General section:
Find users after login: False (for some reason users can't connect the first time if this is set to True)
Host: IP of your host
Samba4 may not listen on all interfaces if you added them to UCS after the initial configuration; you can add them to /etc/samba/smb.conf, restart the ‘samba’ and ‘samba-ad-dc’ services and check with
netstat -tapn | grep samba
Port: 636 (LDAPS)
Reject Unauthorized: False (UCS comes with a self-signed certificate. In a production environment you should generate a correct certificate and set this to True)
Authentication section:
Enable: True
User DN: A Simple Authentication Account will not do the trick as those don’t appear to be synced to S4. You need to create an actual user. You can list existing S4 users on UCS with:
univention-s4search objectClass=user | grep ^dn
Sync/Import section:
Username Field: sAMAccountName
Unique Identifier Field: sAMAccountName
User Data Field Map: {"displayName":"name", "mail":"email"}
User Search section:
Filter:
(&(objectClass=organizationalPerson)(memberOf:1.2.840.113556.1.4.1941:=cn=YourGroup,cn=groups,dc=example,dc=com))
scope: sub
Search Field: sAMAccountName
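The settings above can be checked before pasting them into the Rocket.Chat admin UI. The following Python is an added example, not code from the post or from the Rocket.Chat or UCS projects; it assumes nothing beyond the standard library. It shows three things the configuration relies on: the User Data Field Map must be strict JSON (curly quotes copied from a forum page fail to parse), the `memberOf:1.2.840.113556.1.4.1941:=` filter matches nested group membership via the LDAP_MATCHING_RULE_IN_CHAIN extensible match and must have its group DN filter-escaped, and the difference between Reject Unauthorized False and True is whether the LDAPS server certificate is verified against a CA file. The sample LDAP entry and the CA path are constructed placeholders.

```python
import json
import ssl
from typing import Any, Dict, List, Optional

# OID of LDAP_MATCHING_RULE_IN_CHAIN (Active Directory / Samba4): an extensible
# match on memberOf with this rule follows nested group membership.
MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

# The field map exactly as it should be typed into the Rocket.Chat UI (straight quotes).
FIELD_MAP_JSON = '{"displayName":"name", "mail":"email"}'


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515 section 3)."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_user_filter(group_dn: str) -> str:
    """Build the 'User Search' filter: organizationalPerson objects that are
    direct or nested members of group_dn."""
    return ("(&(objectClass=organizationalPerson)"
            f"(memberOf:{MATCHING_RULE_IN_CHAIN}:={escape_filter_value(group_dn)}))")


def parse_field_map(text: str) -> Dict[str, str]:
    """Validate the User Data Field Map. Rocket.Chat parses it as JSON, so the
    curly quotes a forum page renders break it."""
    try:
        mapping = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"field map is not valid JSON (check for curly quotes): {exc}") from None
    if not isinstance(mapping, dict) or not all(
        isinstance(k, str) and isinstance(v, str) for k, v in mapping.items()
    ):
        raise ValueError("field map must be a JSON object mapping LDAP attribute -> user field")
    return mapping


def map_entry(entry: Dict[str, List[Any]], field_map: Dict[str, str],
              username_field: str = "sAMAccountName") -> Dict[str, Any]:
    """Turn one LDAP entry (attribute -> list of values, as LDAP returns them)
    into the user record Rocket.Chat would import."""
    user = {"username": entry[username_field][0]}
    for ldap_attr, rc_field in field_map.items():
        values = entry.get(ldap_attr) or []
        if values:
            user[rc_field] = values[0]
    return user


def tls_context(ca_file: Optional[str], reject_unauthorized: bool) -> ssl.SSLContext:
    """Equivalent of the 'Reject Unauthorized' switch for an LDAPS (port 636) connection.
    True: the server certificate must chain to ca_file (e.g. the UCS root CA).
    False: the certificate is not verified at all, so the session can be intercepted."""
    ctx = ssl.create_default_context(cafile=ca_file)
    if not reject_unauthorized:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    # Constructed sample entry in the shape an LDAP search result has.
    sample_entry = {
        "sAMAccountName": ["jdoe"],
        "displayName": ["Jane Doe"],
        "mail": ["jdoe@example.com"],
        "memberOf": ["cn=YourGroup,cn=groups,dc=example,dc=com"],
    }
    print(build_user_filter("cn=YourGroup,cn=groups,dc=example,dc=com"))
    print(map_entry(sample_entry, parse_field_map(FIELD_MAP_JSON)))
    # ca_file is a placeholder path; pass the UCS CA certificate in a real check.
    print(tls_context(None, True).verify_mode, tls_context(None, False).verify_mode)
```

Once the UCS CA certificate is exported, the `tls_context(ca_file, True)` context is what an LDAPS client should use; the `False` branch only exists to reproduce the lab setting from the post.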