LDAP: groups outside of base_dn won't work

Infos:

  • Used Zammad version: 5.1.1
  • Used Zammad installation type: package
  • Operating system: Ubuntu 20.0.4
  • Browser + version: all

Expected behavior:

  • LDAP should work with groups outside Base DN

Actual behavior:

  • Configuration won’t save the role mapping and won’t assign roles

Steps to reproduce the behavior:

  • Configure LDAP with Base DN
  • Configure Role mapping with roles outside Base DN

We have a very large Active Directory, which won’t allow large queries. So when using the LDAP configuration wizard, using the top OU as Base DN the Web GUI hangs at “Analyzing structure”. I then used to try a Base DN so that the configuration wizard won’t hang, which succeeded. But when using a Base DN where all user objects are in, and trying to use a group DN which is not under the Base DN, then the configuration won’t save and the roles won’t get used. Is there a way how this can work? If it is only possible by using Setting.set('ldap_config') then this would be very hard for editing changes.

Maybe there could be a workaround that the “Analyzing structure” task can be avoided via a checkbox (“I know what I do expert mode”) - so the wizard would not need to get all groups from LDAP, and the user can type in everything manually (or copy/paste from LDAP), so the Base DN can be set to LDAP root, where it does see all objects below it.

Ok, so now I am really stuck. I don’t get the group assignment working. I tried to set ldap_config manually via console, and used the AD root as base_dn, but the users that are group members of the configured group won’t show up as agents. Since I can do this only manually via console, I have no clue where my configuration is wrong. Is anybody able to help me?

I still don’t have a working environment. The LDAP sync for users works as expected. I am still not able to choose the AD root as base DN, since then the wizard will run into a timeout since the AD DC will stop responding after a given amount of time.
Can anyone support me in getting a correct configuration, so I can use the console to set it?

And maybe another workaround would be if there is the possibility to configure another base DN for LDAP group search. That could work in this case.