LDAP integration and user data

Hi,

I’d like to integrate our LDAP into Zammad, so users don’t have to create a new account and can use their existing credentials. Our IT department has some, in my opinion unfounded, concerns regarding privacy, though. I don’t want to go into any detail, and just want to know a little more about the inner workings of LDAP with Zammad.

So, from my understanding of the documentation, Zammad will store all attributes provided by the LDAP server. Does this only take the mapped attributes into account, or also unmapped attributes? E.g. I only need the email, first and last name. Will only these data then be saved in the database, or also others like phone numbers and department? By looking into the database, I only found a ldap_sources table, which holds the LDAP providers, so I assume only mapped entries are actually stored.

Another concern arises from the fact that Zammad verifies login data locally when these cannot be verified against the LDAP server.

I assume these are stored in the table authorizations. The column provider, I assume, refers to the external source, e.g. the LDAP server and user_id to the id in the users table.

How are the columns uid, token, secret, and username populated? Username, I presume, is the username/login name to authorize against the LDAP. UID is probably generated by Zammad.

But what about token and secret? To my understanding, the secret is the user’s LDAP password hashed and salted to verify the login in case the LDAP isn’t reachable. But what about token, does this token derive from the tokens table?

Would it be possible to disable the local verification and solely rely on the LDAP?

Thanks a lot in advance for some clarification.

Best Toni

I figured it out myself. I built a test system with OpenLDAP. The authorization table is not used at all. And Zammad only saves the mapped attributes. So if the password field is not mapped, nothing gets stored in the user table.

Best
Toni

3 Likes