Active Directory LDAP Sync but no Users available

Hello to all,

I just installed Zammad 2.7 on CentOS 7. So far everything works fine, but I have problems with the LDAP sync (Active Directory) and created users in Zammad.

Here is a screenshot from my positive LDAP sync. I created two security groups in my AD that are synced with Zammad under roles.



The connection to my Active Directory under the admin menu System - Integrations - LDAP works fine, and Zammad writes on the activity stream that the users from the LDAP sync are created.


But when I create a test ticket, no customers from the LDAP sync are found and shown after 2 or 3 letters. Under the admin menu Users there are no users listed under agent and customer.



Thanks for the help.

It says 156 users skipped; I think skipped means they aren’t created.
The first time it runs it will say (e.g.) 156 users created, then on subsequent runs it will say (e.g.) 156 users untouched.
I guess you need to look at the mapping between the LDAP group and the Zammad role. It appears to me (but I might be wrong) that Zammad isn’t seeing any users in the LDAP groups you’ve defined for the customer or agent role.

If you query AD for cn=g-zammad-02,ou=blah… does it list any users?

Hello chesty,

Thanks for your reply. The LDAP query for the AD groups that I defined in Zammad works fine.


It’s right that the other users should be skipped for the AD import. I only want the users imported that are in the two defined groups under roles in Zammad. In the screenshots before you can see that Zammad says the users of the two groups are imported, but there aren’t any visible.

Any other ideas?

Thanks Macomar

I don’t know. I’m sure someone will be along soon that will know what’s going on.

In the meantime, have a look in the Postgres database to double check you can see the users.

I think with the GUI it first does a normal GET to load the structure of the page with no users, then uses a web socket call to populate the users. So check the logs on the server, and also the browser console for errors.

Also make sure you don’t have two tabs open to zammad. Each user can only be logged in on one tab only, so don’t open two tabs on the one computer and don’t log in as the same user on two different computers.

Hi @macomar

It is also important that the needed attributes like firstname, lastname, e-mail are available for those users.
Zammad skips users if they are missing some needed attributes.
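
A way to check group members for the missing-attribute case described in the reply above. This is an added example, not part of the thread and not Zammad code: it reads LDIF text as produced by an `ldapsearch` export and lists each entry that lacks a required attribute. The attribute names `givenName`, `sn` and `mail` are an assumption about the mapping configured in Zammad's LDAP integration, and the sample data is constructed.

```python
import base64

# Assumption: these AD attributes are mapped to Zammad's firstname, lastname, email.
REQUIRED = ("givenName", "sn", "mail")
# Constructed sample of ldapsearch LDIF output; all names and DNs are made up.
SAMPLE_LDIF = """\
dn: CN=Anna Berg,OU=Staff,DC=example,DC=test
givenName: Anna
sn: Berg
mail: anna.berg@example.test

dn: CN=Joerg Maier,OU=Staff,DC=example,DC=test
givenName:: SsO2cmc=
sn: Maier

dn: CN=Service Desk Mailbox With A Long Name,OU=Shared,
 DC=example,DC=test
mail: desk@example.test
"""

def parse_ldif(text):
    """Return a list of {attr: [values]} dicts, one per entry that has a DN."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # RFC 2849 folded continuation line
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded + [""]:              # trailing "" flushes the last entry
        if not line.strip():
            if "dn" in current:               # ignore trailing search/result blocks
                entries.append(current)
            current = {}
        elif not line.startswith("#"):        # skip LDIF comment lines
            attr, _, rest = line.partition(":")
            if rest.startswith(":"):          # "attr:: value" is base64-encoded
                rest = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            current.setdefault(attr.lower(), []).append(rest.strip())
    return entries

def missing_attributes(entries, required=REQUIRED):
    """Map each DN to the required attributes that are absent or empty."""
    report = {}
    for entry in entries:
        missing = [a for a in required if not any(entry.get(a.lower(), []))]
        if missing:
            report[entry["dn"][0]] = missing
    return report
```

Calling `missing_attributes(parse_ldif(text))` on an export of the synced group's members returns a dict of DNs and the attributes each one lacks; an empty dict means every member has all three.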


Hello to all,

Problem solved. My AD sync was working fine. It was a problem with Elasticsearch and CentOS 7.

I did the following:
sysctl -w vm.max_map_count=262144
zammad run rails r "Setting.set('es_url', 'http://localhost:9200')"
systemctl restart elasticsearch
zammad run rake searchindex:rebuild

Now the users from the AD groups are visible.

Thanks for the help.

Nice. I’m surprised it uses Elasticsearch for looking up users, but there you go. It’s possible it doesn’t, I suppose, but caused an exception somewhere in the code path that looks up users. It doesn’t matter either way, good catch.

One more question about the AD sync. All users were created via my user group in Active Directory, except for one person. I checked the user list again after two days, but the missing person from the LDAP group is not created in Zammad. Is there a log I can search for the bug, or is there a bug here?

I remember seeing a post a month or two ago with a similar problem that turned out to be missing data from AD, like the email address field was blank or another field Zammad needs.

Oh man, that was this post, how embarrassing. Sorry dude.
There are logs; I believe there’s a log for the scheduler, which is where the LDAP sync process gets started.
I use the Docker images; I don’t know where the log is stored for non-Docker installs. I’m guessing somewhere in /var/log, but I don’t know.
There’s also a way to increase the logging level, but it requires a little knowledge of Rails and Zammad, which I don’t have. There might be an example in this forum. I think this post might help with turning on the debugging: Users get deactivated after LDAP-Sync
