Confusion about LDAP attributes login & email

Infos:

  • Used Zammad version: 2.9.x
  • Used Zammad installation source: docker-compose
  • Operating system: Debian 9
  • Browser + version: Chrome

Background

I’ve configured the LDAP integration to create our agents. Zammad suggested this attribute mapping:

LDAP givenname -> Zammad Firstname
LDAP sn -> Zammad Lastname
LDAP mail -> Zammad Login

I used it as suggested, but that caused our agents to be created with an empty email address:

irb(main):278:0> pp User.find_by(login: 'firstname.lastname@ourcompany.tld'); nil
#<User:0x00005562e616e628
 id: 41,
 organization_id: nil,
 login: "firstname.lastname@ourcompany.tld",
 firstname: "Firstname",
 lastname: "Lastname",
 email: "",

This in turn seemed to break email notifications, because Zammad didn’t know where to send the notifications to. I then reconfigured the LDAP integration like this:

LDAP givenname -> Zammad Firstname
LDAP sn -> Zammad Lastname
LDAP mail -> Zammad Email
LDAP uid -> Zammad Login

This seemed more sensible, and now our agents look like this:

irb(main):282:0> pp User.find_by(login: 'firstname.lastname'); nil
#<User:0x00005562e5c441c0
 id: 41,
 organization_id: nil,
 login: "firstname.lastname",
 firstname: "Firstname",
 lastname: "Lastname",
 email: "firstname.lastname@ourcompany.tld",

But my original admin account “Zammad Admin” (created during the setup, without LDAP of course) has login: "zammad.admin@ourcompany.tld", which is now inconsistent with all the other agents that have been synced via LDAP. I then wanted to edit “Zammad Admin” and set his login to zammad.admin, but the user interface doesn’t allow me to edit the login name :frowning:

(The reason I want it consistent is because I use a script with the REST API to manage the role assignments of all our agents.)

Then I thought - why not configure the LDAP integration like this, to have all LDAP users consistent again with Zammad Admin:

LDAP givenname -> Zammad Firstname
LDAP sn -> Zammad Lastname
LDAP mail -> Zammad Email
LDAP mail -> Zammad Login

But that doesn’t work either. When you try to sync a single LDAP field onto multiple Zammad fields, Zammad will remove all but one field, that is, I can only sync LDAP mail into either Email or Login, but not both.

As a workaround, I’ll manually change the login of Zammad Admin in the Rails console, but I think it would be nice if this would all work in the user interface :slight_smile:

Expected behavior:

  • It should be possible to modify the Login value of users.
  • LDAP sync should be able to sync an LDAP attribute onto multiple Zammad attributes.

Actual behavior:

  • It’s not possible to modify the Login value of users outside of the rails console.
  • LDAP sync will remove all but one of the mappings for an LDAP attribute when you attempt to sync it onto multiple Zammad attributes.

Steps to reproduce the behavior:

  • Attempt to edit the login value of a user.
  • Attempt to sync e.g. LDAP mail onto Zammad Email and Zammad login.
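As an added example (not part of the original post and not Zammad code): a small Ruby audit over exported user records that flags the two problems described above, an empty email address and a login that does not follow the convention used by the other accounts. The record layout, the :source key and all sample records are constructed assumptions.

```ruby
# Constructed sample records (not real data), shaped like the fields in the
# irb output above. The :source key is a hypothetical marker for how the
# account was created; it is not taken from Zammad.
SAMPLE_USERS = [
  { id: 1,  login: "zammad.admin@ourcompany.tld", email: "zammad.admin@ourcompany.tld", source: "setup" },
  { id: 41, login: "firstname.lastname", email: "firstname.lastname@ourcompany.tld", source: "ldap" },
  { id: 42, login: "other.agent@ourcompany.tld", email: "", source: "ldap" },
  { id: 43, login: "third.agent", email: "third.agent@ourcompany.tld", source: "ldap" },
  { id: 44, login: "fourth.agent", email: "fourth.agent@ourcompany.tld", source: "ldap" },
].freeze

# :email when the login looks like a mail address (LDAP mail -> Login),
# :uid otherwise (LDAP uid -> Login).
def login_style(login)
  login.to_s.include?("@") ? :email : :uid
end

# Returns one finding per problem:
#   :empty_email          - no address to send notifications to
#   :login_style_mismatch - login does not follow the expected convention
# expected_style defaults to the most common style among the records; pass it
# explicitly when the counts could tie.
def audit_users(users, expected_style: nil)
  expected_style ||= users.group_by { |u| login_style(u[:login]) }
                          .max_by { |_style, members| members.size }
                          &.first
  findings = []
  users.each do |u|
    next unless u[:email].to_s.strip.empty?
    findings << { id: u[:id], login: u[:login], issue: :empty_email }
  end
  users.each do |u|
    next if login_style(u[:login]) == expected_style
    findings << { id: u[:id], login: u[:login],
                  issue: :login_style_mismatch, expected: expected_style }
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  audit_users(SAMPLE_USERS).each { |finding| puts finding.inspect }
end
```

Any script that assigns roles by login, like the REST API script mentioned above, can run a check of this kind first so that an account with a differently styled login is reported rather than silently skipped.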

Hey,

sorry for the delay!
I had this in a workshop recently as well in a fairly big LDAP with loads of custom attributes and a lot of information filled in. So in that case (and probably yours as well), you’re running into a hardcoded attribute limit, which doesn’t give you all attributes or rather probably the wrong ones.

Normally, Zammad would also suggest mapping mail to email within Zammad, but sometimes the above reason strikes. You can overcome that hardcoded limit (normally, doing so temporarily during configuration is enough), but I want to talk about this in the team anyway, because I feel the limit is too low.

Open /opt/zammad/lib/ldap/user.rb in an editor of your choice, go to line 140 and change break if lookup_counter >= 50 to break if lookup_counter >= 500 or higher. You might need to fiddle until you have all the fields you need for selection / mapping.

Note: A restart of services is not required, but you’ll need to reopen the LDAP configuration process. Adding a new field to the mapping will fix the issue and afterwards do its job as expected.

I hope that helps. :slight_smile:

Oh, a follow-up, because I didn’t completely read your post - sorry. :frowning:

I think that this is a feature request, right?
I didn’t test mapping the same attribute to multiple Zammad fields yet, but can understand that this is somehow unexpected. I’ll talk to the devs, as I feel this should be possible already.


You’re right, it is. Well, actually, it’s two feature requests :slight_smile:

The LDAP integration should allow me to map the same LDAP attribute onto multiple Zammad attributes, and the Zammad user management should allow me to edit the login field.

I’ve moved the topic to Feature Requests.

I bet I know which one :smiley:
