Built-in admin account became inactive after LDAP sync

CentOS 7, Zammad 3.1.x (latest) from package.
LDAP sync with MS AD set up for Agents.
Problem: the built-in admin account changes state to inactive after running LDAP sync.
The account has a unique first name, last name and e-mail (no match with any AD accounts).
The account is based on the built-in admin account; I just renamed all the fields available to me.
Why did this happen?

Well, just a shot into the blue with the information provided: you have enabled role mapping for the admin role. As your local admin does not match any LDAP user, it will remove its rights.

Or, another bonus, you configured Zammad to only synchronize users whose groups are mapped. As your local admin does not qualify for this, this might be the reason as well.

Not sure that I fully understood here… but with LDAP sync the Admin role is not used.
So, how do I fix this? I want to have a single user in Zammad with the Admin role that is local only.
In case I get an MS AD sync problem, I can always log in to Zammad as local admin.

Do I need to change this (in red) parameter?

That should do the trick, yes.
You need to reactivate the local admin account once; after the next sync has run, it should still be active.

Unfortunately, it did not. The admin account is continuously locked out after sync.
Can you give me an example command to dump all data from the DB about an account by its e-mail?
Also, I found in one of the topics here a console command that deletes all LDAP-synced accounts from the DB, but this command does not run in Zammad 3.1:

Run the following line via the Zammad rails console:
::ExternalSync.destroy_all(source: "Ldap::User")

Is it possible to have local accounts at all when LDAP sync is turned on?

The mentioned snippet only removes the mapping for LDAP (so it "resets" the links).
While we’re talking about .destroy_all: Please do not use it if possible, especially not in Ticket and User scopes.

Yes, that is perfectly possible.


Not sure what exactly you expect; what data do you need, what's the goal? I can then have a look if I can help.

What I want is to get one account in Zammad that is local to it and that will work even if the LDAP request fails.
So, how can I troubleshoot it?

Create an account whose login and email address do not match any LDAP users and go for it?
This should be all right.

I have success with a local user only if his email has a foreign domain (bogus@blabla.com).
If the user has a non-existent email from my domain (bogus@blabla.lv), the user becomes inactive after a sync cycle.
Is it a bug or a feature?

I think @thorsteneckel can answer that better than me.
I would say this is unexpected.
