How do you set up LDAP?


  • Used Zammad version: 3.6.x
  • Used Zammad installation source: (source, package, …) Ubuntu package
  • Operating system: Ubuntu 20.04
  • Browser + version: Firefox 85

Expected behavior:

Allow mapping the LDAP password to the zammad password attribute

Actual behavior:

The password attribute is not selectable when mapping LDAP

Steps to reproduce the behavior:

Attempt to configure LDAP.

Hi all,
I tried to setup zammad to authenticate with LDAP, however cannot seem to find how I could map LDAP’s user password value onto zammad’s Password attribute.

Would anyone who uses LDAP mind shedding some light onto this? I’m using openldap and keycloak to manage.

Thanks all :))

Hi @johnngnky

please take a look at this post:

if this is not helpful, do a search on the forums:

there are several related entries there.


Thanks Martin.
I had a look through the quoted thread but that applies to the login name. Is it possible to map the password as well?
I did have a look in the searches as well, but none of the threads concern passwords.

Hi John,

we did nothing to map the password. In fact, that attribute is not shown in the drop-down menu once you connec to the LDAP server…

Once you have the right filters in place, like these in our case:

UID objectguid
User Filter (&(objectClass=user)(samaccountname=)(!(samaccountname=$)))
GID dn
Group Filter (objectClass=group)

…the rest will follow and users will be able to authenticate against LDAP / AD.

I would suggest to use an LDAP explorer tool to find out which atttributes you need and then make the necessary adjustments on Zammad.


The password is stored in the userpassword attribute in ldap. (storing them in plaintext is bad practice, but I am very new to LDAP and keycloak, and this is all internal and for now, simply a dry run, so it shouldn’t pose too much a problem). Please see attached: image

Is that mapped to zammad? The password is managed by keycloak.

Okay let me jump in out of the order here real quick.

What ever you do do not sync your user passwords from ldap.
It’s not just bad practise but also doesn’t make any sense because

  • LDAP syncy run every 60 minute only
    • this means: Changing your user password would draw your user account inaccessible for up to 60 Minutes
  • LDAP passwords are by default encrypted, Zammad has no logic for that encryption
  • Zammad will always authenticate against your LDAP server during your login - this means your LDAP server has to be available in that moment

In short:
Don’t sync LDAP passwords - you don’t need that any way.

Thanks. In this case, do you know how to integrate it with keycloak? Keycloak stores passwords in the userpassword. Regarding authenticating w/ LDAP, how is that set up?

Sorry for these potentially stupid questions, but I’m very new to LDAP.


Maybe this will help:

Zammad is never interested in the user password of third parties - EVER.
As for keycloak authentication with Zammad, here’s a doc page that should help:

This topic was automatically closed 120 days after the last reply. New replies are no longer allowed.