LDAP (Active Directory) sync does not apply role mapping


  • Used Zammad version: 5.1.1-1652256634
  • Used Zammad installation type: package
  • Operating system: Ubuntu 20.04
  • Browser + version: any

Expected behavior:

  • LDAP sync sets the role “Agent” to users that are members of a dedicated AD group

Actual behavior:

  • LDAP sync does not apply the role mapping

I have the following setup:

One User should be Agent. He has the following AD object:

PS C:\> Get-ADUser -Identity agent1

DistinguishedName : CN=Agent1 Bernhard
Enabled           : True
SamAccountName    : agent1
UserPrincipalName : bernhard.agent1@support.com

And there is a group that the user is a member of:

PS C:\> Get-ADGroup -Identity TicketGroup1_Zammad-Agents

DistinguishedName : CN=TicketGroup1_Zammad-Agents,OU=OU300,OU=TLOU300,DC=tickets,DC=support,DC=com
ObjectClass       : group

PS C:\> Get-ADGroupMember -Identity TicketGroup1_Zammad-Agents

distinguishedName : CN=Agent1 Bernhard
objectClass       : user
SamAccountName    : agent1

My LDAP config looks like this:

irb(main):001:0> Setting.get('ldap_config')
=> {
  "bind_user"=>"CN=LDAP User,OU=Users,OU=OU900,OU=TLOU900,DC=tickets,DC=support,DC=com",
  "user_attributes"=>{"samaccountname"=>"login", "givenname"=>"firstname", "sn"=>"lastname", "mail"=>"email", "telephonenumber"=>"phone", "title"=>"note"},

I cannot use the configuration wizard, since the task “Analyzing structure” takes so long that the LDAP server breaks the connection (that is a security setting from the AD service provider). So I have to set the configuration manually using the console.

But unfortunately the user agent1 does not get the agent role.

Does anyone know what I am doing wrong here?


Is there no one that has a similar setup and can share some ideas with me? I am really struggling with this and want to go productive, but without having the possibility to assign Agent roles I am stuck and the only workaround would be going with manual user setup, which I want to avoid.
