LDAP (Active Directory) sync does not apply role mapping

Infos:

  • Used Zammad version: 5.1.1-1652256634
  • Used Zammad installation type: package
  • Operating system: Ubuntu 20.04
  • Browser + version: any

Expected behavior:

  • LDAP sync sets the role “Agent” to users that are member of a dedicated AD group

Actual behavior:

  • LDAP sync does not apply the role mapping

I have the following setup:

One user should be an Agent. He has the following AD object:

PS C:\> Get-ADUser -Identity agent1


DistinguishedName : CN=Agent1 Bernhard
                    agent1,OU=Users,OU=OU100,OU=TLOU100,DC=tickets,DC=support,DC=com
Enabled           : True
SamAccountName    : agent1
UserPrincipalName : bernhard.agent1@support.com

And there is a group where the user is member of:

PS C:\> Get-ADGroup -Identity TicketGroup1_Zammad-Agents


DistinguishedName : CN=TicketGroup1_Zammad-Agents,OU=OU300,OU=TLOU300,DC=tickets,DC=support,DC=com
ObjectClass       : group

PS C:\> Get-ADGroupMember -Identity TicketGroup1_Zammad-Agents


distinguishedName : CN=Agent1 Bernhard
                    agent1,OU=Users,OU=OU100,OU=TLOU100,DC=tickets,DC=support,DC=com
objectClass       : user
SamAccountName    : agent1

My LDAP config looks like this:

irb(main):001:0> Setting.get('ldap_config')
=> {
  "host_url"=>"ldaps://dc.tickets.support.com:636",
  "ssl_verify"=>false,
  "base_dn"=>"dc=tickets,dc=support,dc=com",
  "bind_user"=>"CN=LDAP User,OU=Users,OU=OU900,OU=TLOU900,DC=tickets,DC=support,DC=com",
  "bind_pw"=>"unknown",
  "user_uid"=>"samaccountname",
  "user_filter"=>"(&(objectClass=user)(physicalDeliveryOfficeName=Headquarter)(userAccountControl=512)(samaccountname=*)(!(samaccountname=*$)))",
  "group_uid"=>"dn",
  "group_filter"=>"(objectClass=group)",
  "user_attributes"=>{"samaccountname"=>"login", "givenname"=>"firstname", "sn"=>"lastname", "mail"=>"email", "telephonenumber"=>"phone", "title"=>"note"},
  "group_role_map"=>{"CN=TicketGroup1_Zammad-Agents,OU=OU300,OU=TLOU300,DC=tickets,DC=support,DC=com"=>["2"]}
}

I cannot use the configuration wizard, since the task “Analyzing structure” takes so long that the LDAP server breaks the connection (that is a security setting from the AD service provider). So I have to set the configuration manually using the console.

But unfortunately the user agent1 does not get the agent role.

Does anyone know what I am doing wrong here?

Regards,
Michael

Is there no one who has a similar setup and can share some ideas with me? I am really struggling with this and want to go into production, but without the possibility to assign Agent roles I am stuck, and the only workaround would be manual user setup, which I want to avoid.
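One thing worth checking in a setup like this is whether the DN used as the group_role_map key matches the group DN the directory actually returns for the user: DN comparison is case-insensitive, but any other difference (a typo, a moved OU) makes the entry match nothing and the user silently gets no role. The following Ruby script is an added example, not Zammad code and not the poster's configuration; the memberOf values are constructed sample data modelled on the AD objects above, and the map is the one from the post.

```ruby
# Added diagnostic example (not Zammad code): resolve role ids for an LDAP user from a
# group_role_map keyed by group DN, comparing DNs the way a directory does (attribute
# types and values case-insensitive, whitespace around commas ignored).

# Normalize a DN so that two spellings of the same DN compare equal:
# "CN=Foo, OU=Bar" and "cn=foo,ou=bar" both become "cn=foo,ou=bar".
def normalize_dn(dn)
  dn.split(/(?<!\\),/).map do |rdn|
    type, value = rdn.split('=', 2)
    "#{type.strip.downcase}=#{value.to_s.strip.downcase}"
  end.join(',')
end

# Return the role ids (as integers) granted to a user by the group_role_map, plus the
# map keys that matched none of the user's groups, to expose a key that would
# otherwise fail silently.
def resolve_roles(member_of, group_role_map)
  groups = member_of.map { |dn| normalize_dn(dn) }
  role_ids = []
  unmatched = []
  group_role_map.each do |group_dn, roles|
    if groups.include?(normalize_dn(group_dn))
      role_ids.concat(roles.map(&:to_i))
    else
      unmatched << group_dn
    end
  end
  [role_ids.uniq.sort, unmatched]
end

# Constructed sample: the memberOf attribute of agent1 as AD would return it.
AGENT1_MEMBER_OF = [
  'CN=TicketGroup1_Zammad-Agents,OU=OU300,OU=TLOU300,DC=tickets,DC=support,DC=com',
  'CN=Domain Users,CN=Users,DC=tickets,DC=support,DC=com',
].freeze

# group_role_map copied from the post; confirm which role id "2" is in your
# installation with Role.find(2).name in the Zammad console.
GROUP_ROLE_MAP = {
  'CN=TicketGroup1_Zammad-Agents,OU=OU300,OU=TLOU300,DC=tickets,DC=support,DC=com' => ['2'],
}.freeze

if $PROGRAM_NAME == __FILE__
  roles, unmatched = resolve_roles(AGENT1_MEMBER_OF, GROUP_ROLE_MAP)
  puts "roles granted: #{roles.inspect}"            # roles granted: [2]
  puts "unmatched map entries: #{unmatched.inspect}"
end
```

Replace AGENT1_MEMBER_OF with the real memberOf values (for example from Get-ADUser agent1 -Properties memberOf) and an empty roles list or a non-empty unmatched list points at a key that does not match the directory.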