LDAP should connect as per documentation and allow further configuration of filters/parameters.
After introducing the ldap URI (ldaps://ip|host) we instantly get an error “Can’t connect to ‘ds01.ldap.host’ on port ‘636’, Can’t bind to ‘ds01.ldap.host’, 49, Invalid Credentials”
Steps to reproduce the behavior:
Enable LDAP integration and add Apache Directory LDAP URI
We’re using Apache Directory (ldapv3 compliant server) as our source and when configuring the LDAP integration we never get past the intial screen which seems to try to bind without credentials.
The production.log shows “E, [2020-01-07T18:06:58.558776 #24255-47412182782020] ERROR – : Can’t bind to ‘ds01.ldap.host’, 49, Invalid Credentials (Exceptions::UnprocessableEntity)” and then a long stacktrace (I believe) but nothing regarding base/bind_dn which of course were never provided as we did not get to that screen.
Seeing the above behaviour I setup the ldap_config using zammad console and it does show-up in the UI but the results are exactly the same. Of interest is the fact that I did specify a correct bind_dn/user filters, etc.
We’re sure our ldap is working and the filters are correct but happy to take another look if someone could point us in the right direction. We’re at a bit of a loss as we’re getting failures without actually having gotten to the point (at least in the UI) where we specify the credentials.
Ill try to get a tcpdump running later see if that gives me some more information. In the meantime Ill search for an ldap_debug.rb script I saw mentioned in an issue on github as that may show more details.
The sync issue was due to a mismatch in attribute from LDAP to Zammad: specifically I use mail in ldap and in zammad I thought it was the same when it should have been email.
To debug the issue I created a file named debug_issue.rb in zammad $root and ran it using zammad run rails r debug_issue.rb and read the generated log.
Here is what the file should contain, I cannot find the source for this but I am sure it was somwhere on zammad github issue tracker.
@logger ||= Logger.new(log_to).tap do |logger|
logger.level = :debug
If anyone has any ideas on why from the GUI I cannot connect to map the attributes (which would be very helpful for group mapping) shoot them my way.
While running tcpdump -vv I performed an ldap search and then tried using the “Change” button from within Zammad -> Integrations -> LDAP to trigger a connection to our ldap server.
My understanding unfortunately fails here as I cannot see anything to indicate a problem. There is one noticeable difference in the volume of data generated by ldapsearch vs. the attempted connection via zammad but I believe this is due to the fact ldapsearch returns my list of users while connecting from zammad does not.
Here is the tcpdump output while using ldapsearch and here using the Zammad GUI.
@cpzengel I suggest resetting your ldap configuration to nothing.
Why? Because the Zammad-App for UCS configures the ldap configuration to work with univention which is using different uuid identifiers than Microsoft Active Directory does.
Technically speaking: Your use case is out of scope of the UCS app, while it technically will work, it requires you to do manual magic once.