How do you set up LDAP?

Infos:

  • Used Zammad version: 3.6.x
  • Used Zammad installation source: (source, package, …) Ubuntu package
  • Operating system: Ubuntu 20.04
  • Browser + version: Firefox 85

Expected behavior:

Allow mapping the LDAP password to the zammad password attribute

Actual behavior:

The password attribute is not selectable when mapping LDAP

Steps to reproduce the behavior:

Attempt to configure LDAP.

Hi all,
I tried to set up Zammad to authenticate with LDAP, however I cannot seem to find how I could map LDAP’s user password value onto Zammad’s Password attribute.

Would anyone who uses LDAP mind shedding some light onto this? I’m using openldap and keycloak to manage.

Thanks all :))

Hi @johnngnky

please take a look at this post:

if this is not helpful, do a search on the forums:

https://community.zammad.org/search?q=ldap

there are several related entries there.

HTH,
Martin

Thanks Martin.
I had a look through the quoted thread but that applies to the login name. Is it possible to map the password as well?
I did have a look in the searches as well, but none of the threads concern passwords.

Hi John,

we did nothing to map the password. In fact, that attribute is not shown in the drop-down menu once you connect to the LDAP server…

Once you have the right filters in place, like these in our case:

UID objectguid
User Filter (&(objectClass=user)(samaccountname=)(!(samaccountname=$)))
GID dn
Group Filter (objectClass=group)

…the rest will follow and users will be able to authenticate against LDAP / AD.

I would suggest using an LDAP explorer tool to find out which attributes you need and then make the necessary adjustments on Zammad.

Best,
Martin

The password is stored in the userpassword attribute in LDAP. (Storing them in plaintext is bad practice, but I am very new to LDAP and keycloak, and this is all internal and, for now, simply a dry run, so it shouldn’t pose too much of a problem.) Please see attached: image

Is that mapped to zammad? The password is managed by keycloak.

Okay let me jump in out of the order here real quick.

Whatever you do, do not sync your user passwords from LDAP.
It’s not just bad practice but also doesn’t make any sense because

  • LDAP syncs run every 60 minutes only
    • this means: Changing your user password would draw your user account inaccessible for up to 60 minutes
  • LDAP passwords are by default encrypted, Zammad has no logic for that encryption
  • Zammad will always authenticate against your LDAP server during your login - this means your LDAP server has to be available in that moment

In short:
Don’t sync LDAP passwords - you don’t need that anyway.
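
The points in the reply above, modelled in Python as an added example that is not part of the original thread and is not Zammad's code. It assumes userPassword is stored under the {SSHA} scheme (salted SHA-1); `Directory`, `SyncedCopyApp` and the DN are hypothetical stand-ins, and no real LDAP server or client library is used.

```python
import base64, hashlib, hmac, os

def ssha(password, salt=None):
    """Build an {SSHA} userPassword value: base64(SHA-1(password+salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_verify(stored, password):
    """Re-hash the candidate with the stored salt, as the directory does on bind."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(digest, candidate)

class Directory:
    """Constructed in-memory stand-in for the LDAP server, not a real client."""
    def __init__(self):
        self.user_password = {}
    def set_password(self, dn, password):
        self.user_password[dn] = ssha(password)
    def bind(self, dn, password):
        stored = self.user_password.get(dn)
        return stored is not None and ssha_verify(stored, password)

class SyncedCopyApp:
    """Hypothetical application that copies userPassword on a periodic sync."""
    def __init__(self, directory):
        self.directory, self.copy = directory, {}
    def sync(self):
        self.copy = dict(self.directory.user_password)
    def login(self, dn, password, knows_scheme):
        stored = self.copy.get(dn, "")
        if knows_scheme:  # app re-implements the directory's hashing scheme
            return ssha_verify(stored, password)
        return hmac.compare_digest(stored.encode(), password.encode())

def demo():
    dn = "uid=jdoe,ou=people,dc=example,dc=org"  # constructed sample entry
    ldap = Directory()
    ldap.set_password(dn, "old-secret")
    app = SyncedCopyApp(ldap)
    app.sync()
    ldap.set_password(dn, "new-secret")  # changed between two sync runs
    return {"bind_new": ldap.bind(dn, "new-secret"),
            "bind_old": ldap.bind(dn, "old-secret"),
            "copy_new": app.login(dn, "new-secret", knows_scheme=True),
            "copy_old": app.login(dn, "old-secret", knows_scheme=True),
            "copy_raw": app.login(dn, "new-secret", knows_scheme=False)}
```

Binding against the directory honours the password change immediately, while the synced copy rejects the new password and keeps accepting the old one until the next sync run.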

Thanks. In this case, do you know how to integrate it with keycloak? Keycloak stores passwords in the userpassword. Regarding authenticating w/ LDAP, how is that set up?

Sorry for these potentially stupid questions, but I’m very new to LDAP.

Thanks

Maybe this will help:

https://keycloak.discourse.group/search?q=zammad

Zammad is never interested in the user password of third parties - EVER.
As for keycloak authentication with Zammad, here’s a doc page that should help:
https://admin-docs.zammad.org/en/latest/settings/security/third-party/saml.html
