LDAP: groups outside of base_dn won't work

mortomanos · May 1, 2022, 6:46am

Infos:

Used Zammad version: 5.1.1
Used Zammad installation type: package
Operating system: Ubuntu 20.0.4
Browser + version: all

Expected behavior:

LDAP should work with groups outside Base DN

Actual behavior:

Configuration won’t save the role mapping and won’t assign roles

Steps to reproduce the behavior:

Configure LDAP with Base DN
Configure Role mapping with roles outside Base DN

We have a very large Active Directory, which won’t allow large queries. So when using the LDAP configuration wizard, using the top OU as Base DN the Web GUI hangs at “Analyzing structure”. I then used to try a Base DN so that the configuration wizard won’t hang, which succeeded. But when using a Base DN where all user objects are in, and trying to use a group DN which is not under the Base DN, then the configuration won’t save and the roles won’t get used. Is there a way how this can work? If it is only possible by using Setting.set('ldap_config') then this would be very hard for editing changes.

mortomanos · May 2, 2022, 7:13am

Maybe there could be a workaround that the “Analyzing structure” task can be avoided via a checkbox (“I know what I do expert mode”) - so the wizard would not need to get all groups from LDAP, and the user can type in everything manually (or copy/paste from LDAP), so the Base DN can be set to LDAP root, where it does see all objects below it.

mortomanos · May 3, 2022, 7:11am

Ok, so now I am really stuck. I don’t get the group assignment working. I tried to set ldap_config manually via console, and used the AD root as base_dn, but the users that are group members of the configured group won’t show up as agents. Since I can do this only manually via console, I have no clue where my configuration is wrong. Is anybody able to help me?

mortomanos · May 6, 2022, 8:44am

I still don’t have a working environment. The LDAP sync for users works as expected. I am still not able to choose the AD root as base DN, since then the wizard will run into a timeout since the AD DC will stop responding after a given amount of time.
Can anyone support me in getting a correct configuration, so I can use the console to set it?

mortomanos · May 6, 2022, 8:44am

And maybe another workaround would be if there is the possibility to configure another base DN for LDAP group search. That could work in this case.

MrGeneration · June 13, 2022, 5:19pm

You cannot provide individual paths that don’t show up in the configuration dialogue. Zammad will discard these settings. On Zammad 5.2 release the LDAP documentation is being reworked and will reflect that fact better.

mortomanos · June 15, 2022, 9:00am

When setting the ldap_config through console (and setting base DN to the LDAP root), afterwards the configuration including all paths show up in the configuration dialog as I set it. But the agents won’t get synched by the LDAP sync, even if the role mapping is shown in the dialog.
What also is interesting is that after the sync the following message is shown:

LDAP groups to Zammad roles assignments:
- Customer: 0 created, 0 updated, 206 untouched, 0 failed, 0 deactivated

But I don’t see a line for Agents. What am I missing?

system · October 13, 2022, 9:01am

This topic was automatically closed 120 days after the last reply. New replies are no longer allowed.