Agents are turning to Customer - LDAP Sync Issue, Zammad Overriding existing permissions



  • Used Zammad version: 2.5
  • Used Zammad installation source: (source, package, …) Package
  • Operating system: Ubuntu 18.04
  • Browser + version: Safari 12.0

Expected behavior:

  • Agents shouldn’t turn to customers by themselves

Actual behavior:

  • Some agents are turning to Customer and manual permission change is required to turn them back to agent.

Steps to reproduce the behavior:

  • Have no idea

ldap sync can change a user’s role, that’s the only thing I can think of.

You can exclude the user group and create another ‘users’ with permission to turn Agent, but all the new ‘users’ can be turned from user to agent.

You are right! How can I exclude agents from that?

You need to create a mapping from an ldap user group to the Agent role in
zammad integrations -> ldap -> role

If you don’t already have a suitable ldap group, create one called (eg) zammad-agent, add all the ldap users you want to be agents into that ldap group in ldap, then in zammad settings integrations -> ldap -> role create a mapping between zammad-agent to Agent.

Tried that the whole day but it didn’t work. It even creates an issue for other systems.
Is there any way to make Zammad not override existing permissions?

turning off ldap sync is the only way. zammad is doing what it is told to do.

ldap is hard, I don’t understand it fully. See if you can find examples, documentation and other forum posts and of course someone else might be able to help you here in this thread.

@chesty Thank you for your help

Maybe @thorsteneckel could help on this?

It’s exactly as @chesty described. Zammad will (have to) overwrite local roles if there is an LDAP role mapping defined – since the LDAP is the leading truth for users. If no LDAP role mapping is defined the local roles won’t get changed.
So you probably have an error in your LDAP role mapping and need to double check it.

How I have it set up is I don’t map any ldap group to the customer role, I have customer as the default role on account creation, and then I map (eg) the ldap group bookings to the zammad role bookings.

If a user is in the ldap group bookings then they get assigned to the zammad bookings role, if they aren’t in the ldap group bookings, they don’t get assigned any zammad role via ldap sync and because customer is the default role on account creation, when the account is first created (either manually or through ldap sync) they get assigned to the customer role.

Maybe if you have a user in two ldap groups, one mapped to customer and one mapped to agent it causes a conflict? I think, but I can’t remember for sure, that zammad doesn’t handle having agents as customers at the same time very well. I might be wrong there.

But if your ldap sync is removing the agent role from users, it sounds like you don’t have an ldap group to zammad role mapped.

Just create a group in your directory server containing all users you want to be agents and map that group to the agent role in zammad’s ldap settings.
That’s how we are doing it.
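
An added example, not part of the thread and not Zammad's code: a simplified Python model of the sync behaviour described above, used as a pre-sync audit that lists agents who would lose the Agent role because they are in no LDAP group mapped to it. The fallback to the default Customer role on every sync, the function names, and the sample users and groups are assumptions or constructed data.

```python
# Simplified model of the LDAP role sync described in this thread.
# Assumption: a user with no mapped LDAP group ends up with the default role.
DEFAULT_ROLE = "Customer"  # default role on account creation, per the thread


def roles_after_sync(local_roles, ldap_groups, role_mapping):
    """Return the roles a user holds after one sync run."""
    if not role_mapping:
        # No LDAP role mapping defined: local roles are not changed.
        return set(local_roles)
    # A mapping is defined: LDAP is the leading truth, local roles are overwritten.
    mapped = {role_mapping[g] for g in ldap_groups if g in role_mapping}
    return mapped or {DEFAULT_ROLE}


def agents_at_risk(users, role_mapping, agent_role="Agent"):
    """List logins that hold agent_role now but would lose it on the next sync."""
    at_risk = []
    for login, (local_roles, ldap_groups) in sorted(users.items()):
        after = roles_after_sync(local_roles, ldap_groups, role_mapping)
        if agent_role in local_roles and agent_role not in after:
            at_risk.append(login)
    return at_risk


# Constructed sample data: login -> (current Zammad roles, LDAP group memberships)
USERS = {
    "alice": ({"Agent"}, {"zammad-agent", "staff"}),
    "bob": ({"Agent"}, {"staff"}),        # Agent granted by hand, no mapped group
    "carol": ({"Customer"}, {"staff"}),
    "dave": ({"Agent"}, {"bookings"}),    # mapped, but to a different role
}
# LDAP group -> Zammad role, as set under integrations -> ldap -> role
MAPPING = {"zammad-agent": "Agent", "bookings": "bookings"}

if __name__ == "__main__":
    for login in agents_at_risk(USERS, MAPPING):
        print(f"{login}: would lose the Agent role on the next LDAP sync")
```

Running the same audit with an empty mapping returns nothing, which matches the statement that local roles are left alone when no LDAP role mapping is defined.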

