LDAP deactivated: why?

Using Zammad 6.3.1, I configured the LDAP integration as shown in https://admin-docs.zammad.org/en/latest/system/integrations/ldap/manage.html. During the configuration, the system showed examples of extracted attributes correctly.
It worked for a while, resulting in:

LDAP user to Zammad user (66331):

    Users: 0 created, 0 updated, 0 untouched, 66331 skipped, 0 failed, 0 deactivated 

and in fact, in the integration panel the LDAP source shows "Info: Sync cancelled. Ldap integration deactivated. Activate via the switch." and cannot be reactivated. There should be a configuration problem, but how can I figure it out?

Uhm, I’ve destroyed and recreated the LDAP source from scratch, but now the progress bar in the UI is not moving at all, and in the logs I found a lot of entries as follows:

```
I, [2024-06-27T13:35:52.092283#508-150200]  INFO -- : Started GET "/api/v1/integration/ldap/job_start?_=1719487875703" for 192.169.3.51 at 2024-06-27 13:35:52 +0200
I, [2024-06-27T13:35:52.096271#508-150200]  INFO -- : Processing by Integration::LdapController#job_start_index as JSON
```

I have around 6500 entries in LDAP, but after more than 30 minutes the progress bar has not moved at all, and there is no response (not even the error of the original post).

I suspect the system is in an unknown state, since if I click on the closing 'X' on the progress bar window (after 30 minutes or so), the Zammad UI works, but I see that there are no LDAP sources even if there is an alert to restart synchronization that has been disabled.
Any ideas about where to dig?

Argh! After a while, I realized that the above log entries were generated by the UI in order to update the progress bar, and have nothing to do with the real LDAP activity.

However, I’m not able to see any related activity in the logs.

When the import is not started at all, please, check your background worker.

I’ve made the synchronization work the first time, and in the end I got 29 users created.
Fine, but in Settings → Users there is nothing.
Then I went back to Settings → Integrations, and in the LDAP panel I have:

Last sync

06/27/2024 3:55 pm - 06/27/2024 3:55 pm
Info: Sync cancelled. Ldap integration deactivated. Activate via the switch.

and no log entries at all. If I click on the sync button, after a few seconds I got again the message that the sync is deactivated.

How can I dig into this?

Have you tried to set the Zammad log to debug?

vi /opt/zammad/config/environments/production.rb

Change config.log_level = :info to config.log_level = :debug

restart zammad and see if there is more information in the log file

Once done, turn it back to :info

And another thing, install and set up logrotate since the log does not automatically rotate or compress, here is the task for ansible

That’s new to me for package installations. I’ve never seen a package installation that doesn’t rotate log files.

Also, suggesting debug logging within a productive installation is a bad idea. You will miss all relevant information if the system is under load.

I am always open to read and learn about the better solution

And I also act according to Cunningham’s law :wink:

BTW, not sure where it is written that we are talking about a production system either :nerd_face:

Alright. You got this skip. We have a thread somewhere here on how to debug ldap connections. Possibly outdated by now, not sure. Good luck. :wink:

I love treasure hunts! :pirate_flag:

Who knows what one can find arrr :parrot:

:star_struck:

While I’m trying to run the application program from the other thread, I enabled the debug log for a while and found the following:

```
I, [2024-07-01T15:34:33.444554#48972-149480]  INFO -- :   Parameters: {"limit"=>"50", "_"=>"1719840542534", "facility"=>"ldap"}
D, [2024-07-01T15:34:33.456166#48972-149480] DEBUG -- :   HttpLog Load (0.2ms)  SELECT "http_logs".* FROM "http_logs" WHERE "http_logs"."facility" = $1 ORDER BY "http_logs"."created_at" DESC LIMIT $2  [["facility", "ldap"], ["LIMIT", 50]]
I, [2024-07-01T15:34:35.910093#48972-149540]  INFO -- : Started GET "/api/v1/integration/ldap/job_start?_=1719840542535" for 155.185.3.51 at 2024-07-01 15:34:35 +0200
I, [2024-07-01T15:34:35.914167#48972-149540]  INFO -- : Processing by Integration::LdapController#job_start_index as JSON
D, [2024-07-01T15:34:35.920847#48972-149540] DEBUG -- :   Permission Load (0.1ms)  SELECT "permissions".* FROM "permissions" WHERE "permissions"."name" = $1 LIMIT $2  [["name", "admin.integration.ldap"], ["LIMIT", 1]]
D, [2024-07-01T15:34:35.922076#48972-149540] DEBUG -- :   Permission Exists? (0.6ms)  SELECT 1 AS one FROM "permissions" INNER JOIN "permissions_roles" ON "permissions"."id" = "permissions_roles"."permission_id" INNER JOIN "roles" ON "permissions_roles"."role_id" = "roles"."id" INNER JOIN "roles_users" ON "roles"."id" = "roles_users"."role_id" WHERE "roles_users"."user_id" = $1 AND "roles"."active" = $2 AND "permissions"."active" = $3 AND "permissions"."name" IN ($4, $5, $6) LIMIT $7  [["user_id", 3], ["active", true], ["active", true], ["name", "admin"], ["name", "admin.integration"], ["name", "admin.integration.ldap"], ["LIMIT", 1]]
D, [2024-07-01T15:34:35.924581#48972-149540] DEBUG -- :   ImportJob Load (0.1ms)  SELECT "import_jobs".* FROM "import_jobs" WHERE "import_jobs"."name" = $1 AND "import_jobs"."dry_run" = $2 AND "import_jobs"."finished_at" IS NULL ORDER BY "import_jobs"."started_at" DESC, "import_jobs"."id" DESC LIMIT $3  [["name", "Import::Ldap"], ["dry_run", false], ["LIMIT", 1]]
```

Apparently, if I get it right, it is complaining about a missing permission, but I’m using the administrator account, so what am I really missing? The documentation does not talk about any particular permission needed before the integration is configured.

Hi @fluca1978. I cannot see any error in your log.

@fliebe92 I was confused by the log message "Permission Exists?", thinking it was an error message; now I understand it stands for something like “check if the permission exists”.

So, any suggestion on what to search for to understand why the integration job seems to complete successfully but users are not listed in the available users/groups?

The catchphrase ERROR is usually a very pointing one. Not sure if that applies here as well.

After a better inspection, I found the following errors while doing the initial LDAP synchronization:

```
I, [2024-07-03T12:01:55.494663#505-149100]  INFO -- : Skipping. No Role assignment found for login 'bvalmori'
I, [2024-07-03T12:01:55.498363#505-149100]  INFO -- : Skipping. No Role assignment found for login 'francr'
I, [2024-07-03T12:01:55.501636#505-149100]  INFO -- : Skipping. No Role assignment found for login 'dfish'
...
I, [2024-07-03T12:01:55.514668#505-149100]  INFO -- : 2024-07-03T12:01:55+0200: [Worker(host:zammad-test pid:505)] Job AsyncImportJob [61989e27-8a4d-469b-b792-a8a7386245b4] from DelayedJob(default) with arguments: [{"_aj_globalid"=>"gid://zammad/ImportJob/11"}] (id=71) (queue=default) COMPLETED after 321.7847
```

Therefore, I suspect that even if the dialog at the end of the synchronization reports that 29 users and 29 groups have been created, these are somehow in a bad state and hence not visible.

Now, I double checked and the configuration for the LDAP integration selects the correct LDAP group (where the 29 users are) and assigns the agent profile.
Also, the UI does not show any “Recent Log” and does not mention any skipped user (skipped: 0).
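
Added example, not part of any post in this thread and not Zammad's own code: a small Ruby triage of a log excerpt that separates the UI's progress-bar polling from the import worker's lines and collects the logins skipped at INFO level, which a search for ERROR would not surface. The line formats are the ones quoted in this thread; the function name, the report keys and the sample lines (logins, PIDs, job ID, IP) are constructed for illustration.

```ruby
# Patterns follow the log lines quoted in the thread (Ruby Logger prefix,
# then the message). Everything named here is hypothetical, not a Zammad API.
LINE_RE = /\A[A-Z], \[(?<ts>\S+)#(?<pid>\d+)-(?<tid>\d+)\]\s+(?<level>\w+) -- : (?<msg>.*)\z/
POLL_RE = %r{Started GET "/api/v1/integration/ldap/job_start\?}
SKIP_RE = /Skipping\. No Role assignment found for login '(?<login>[^']*)'/
JOB_RE  = /Job AsyncImportJob \[(?<job>[0-9a-f-]+)\].*\(id=(?<id>\d+)\).*COMPLETED after (?<secs>[\d.]+)/

# Constructed sample input in the same format as the thread's excerpts.
SAMPLE = <<~'LOG'
  I, [2024-01-01T10:00:00.000001#100-200]  INFO -- : Started GET "/api/v1/integration/ldap/job_start?_=1" for 192.0.2.10 at 2024-01-01 10:00:00 +0000
  I, [2024-01-01T10:00:00.000002#100-200]  INFO -- : Processing by Integration::LdapController#job_start_index as JSON
  I, [2024-01-01T10:00:02.000001#100-201]  INFO -- : Started GET "/api/v1/integration/ldap/job_start?_=2" for 192.0.2.10 at 2024-01-01 10:00:02 +0000
  I, [2024-01-01T10:00:03.000001#300-400]  INFO -- : Skipping. No Role assignment found for login 'alice'
  I, [2024-01-01T10:00:03.000002#300-400]  INFO -- : Skipping. No Role assignment found for login 'bob'
  ...
  I, [2024-01-01T10:00:03.000003#300-400]  INFO -- : 2024-01-01T10:00:03+0000: [Worker(host:example pid:300)] Job AsyncImportJob [00000000-0000-0000-0000-000000000000] from DelayedJob(default) with arguments: [] (id=1) (queue=default) COMPLETED after 12.5
LOG

# Classify each line: UI polling noise, skipped logins, finished import jobs,
# and anything logged at WARN or above. Lines that do not parse are counted.
def triage_ldap_log(text)
  report = { ui_polls: 0, skipped_logins: [], jobs: [], errors: [], unparsed: 0 }
  text.each_line(chomp: true) do |line|
    next if line.strip.empty?
    m = LINE_RE.match(line)
    unless m
      report[:unparsed] += 1
      next
    end
    msg = m[:msg]
    if POLL_RE.match?(msg)
      report[:ui_polls] += 1
    elsif (s = SKIP_RE.match(msg))
      report[:skipped_logins] << s[:login]
    elsif (j = JOB_RE.match(msg))
      report[:jobs] << { worker_pid: m[:pid].to_i, job: j[:job], id: j[:id].to_i, seconds: j[:secs].to_f }
    elsif %w[WARN ERROR FATAL].include?(m[:level])
      report[:errors] << msg
    end
  end
  report
end

puts triage_ldap_log(SAMPLE).inspect if $PROGRAM_NAME == __FILE__
```

To use it on a real excerpt, pass the file contents instead of `SAMPLE`, for example `triage_ldap_log(File.read(path))` with `path` set to wherever the installation writes its production log.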