LDAP Integration won't sync the admin (Minimum one user needs to have admin permissions.)


  • Used Zammad version: 2.7.0
  • Installation method (source, package, …): source
  • Operating system: Debian
  • Database + version: MariaDB
  • Elasticsearch version: any
  • Browser + version: any

Expected behavior:

  • The LDAP synchronization should finish successfully

Actual behavior:

  • The LDAP synchronization fails with the following error: An error occurred: Minimum one user needs to have admin permissions.

Steps to reproduce the behavior:

  • Configure the LDAP integration as following:
    UID | objectguid
    User Filter | (&(objectClass=user)(samaccountname=*)(!(samaccountname=*$)))
    GID | dn
    Group Filter | (objectClass=group)

    Attribute mapping:
    givenname | firstname
    sn | lastname
    userprincipalname | login

    Group to role mapping:
    cn=administratoren,cn=builtin,dc=my,dc=domain | Admin
    cn=agent,cn=zammad,dc=my,dc=domain | Agent

When configuring this, the LDAP configuration already says(!):
Mit Ihre aktuellen Konfiguration werden sich folgende Änderungen ergeben: LDAP Benutzer zu Zammad Benutzer (649): Benutzer: 0 erstellt, 62 aktualisierte, 410 nicht verändert, 56 übersprungen, 121 fehlgeschlagen, 0 deaktiviert LDAP Gruppen zu Zammad Rolle Zuweisung: Agent: 0 erstellt, 0 aktualisierte, 14 nicht verändert, 0 fehlgeschlagen, 0 deaktiviert Kunde: 0 erstellt, 62 aktualisierte, 394 nicht verändert, 0 fehlgeschlagen, 0 deaktiviert

Which means that the configuration won’t sync the admin user! But in our Active Directory there is an admin that matches the filter (&(objectClass=user)(samaccountname=*)(!(samaccountname=*$))) and is in the group cn=administratoren,cn=builtin,dc=my,dc=domain !


I tried to add the filter (!(userAccountControl:1.2.840.113556.1.4.803:=2)) to synchronize only active LDAP users. I don’t know if the error is because of this, but even when I removed this filter the error continued to occur.

1.) Create a file called debug_issue.rb in your Zammad directory (usually /opt/zammad)
2.) Run the file from your Zammad directory via zammad run rails r debug_issue.rb or rails r debug_issue.rb as zammad user, depending on your installation source (package/source)
3.) Post the output here. Make sure all sensitive data is anonymized! If you want you can drop it as an email to support@zammad.com. Please refer to this thread and me :slight_smile:
4.) Delete the debug_issue.rb file

require 'mixin/rails_logger'

# Point the Rails logger at a dedicated debug log and lower the level to
# :debug so the LDAP import writes its full trace there.
module Mixin
  module RailsLogger
    def self.logger
      @logger ||= Logger.new(log_to).tap do |logger|
        logger.level = :debug
      end
    end

    def self.log_to
      # STDOUT
      # Assumed log location (the thread only says the log is a file to zip).
      Rails.root.join('log', 'debug_issue.log').to_s
    end
  end
end

# Re-run the most recent LDAP import with the same payload so the failure
# is reproduced under the debug logger.
job = ImportJob.create(
  name:    'Import::Ldap',
  payload: ImportJob.where(name: 'Import::Ldap').last.payload
)
job.start # assumed: the original script is cut off after the create call


Thank you very much for your help!

The script runs smoothly! I’ll email you the log…

Hi @MarvinKlar - damn. The script shouldn’t run smooth :smiley: Seems like I got the wrong payload for the test. To get the proper one: When does the error occur? Does it happen while doing the dry/test run or while syncing the live data afterwards? Could you please go and reproduce the error as you did before and then right after the error occurs start the script?

Sorry for my wrong mode of expression!

When saying ‘The script runs smoothly’, I mean that the script is executable and produced the debug output successfully. Sorry for that. But as far as I can see, there are a few errors in the log. I just sent the email. There you can have a closer look!

Seems like the error we’re looking for did not occur in this run. Could you please reproduce the error and run the script right after it occurred again. Then zip the log file and send it to the ticket :+1:

The error is displayed all the time in the System-Integrations->LDAP window.

I ran the script again, zipped it and attached the new log to the ticket (but I can’t see it in the ticket :C ).

Hi @MarvinKlar - the DN of the Admin account you sent me was the information I needed. The account is not imported because it has no attribute values except the login. Zammad will skip those entries:

{"firstname"=>nil, "lastname"=>nil, "login"=>"*somevalue*"}

You could try to add values to these attributes or add a mapping for the email attribute (if not present yet).
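A pre-sync audit that mirrors the skip rule just described, as an added example (not Zammad's own code): it assumes the attribute mapping from this thread (givenname, sn, userprincipalname) and runs over constructed sample entries instead of a live directory; the disabled-account check reuses the userAccountControl bit that the filter mentioned earlier matches.

```ruby
# Added example, not Zammad's own code: a dry-run audit that mirrors the skip
# rule above. Attribute mapping and sample entries are constructed here.
ACCOUNTDISABLE = 0x2 # userAccountControl bit matched by 1.2.840.113556.1.4.803:=2
MAPPING = {                               # LDAP attribute => Zammad user field
  'givenname'         => 'firstname',
  'sn'                => 'lastname',
  'userprincipalname' => 'login',
}.freeze

# Build the user hash the mapping produces, keeping nil for absent or blank values.
def map_entry(entry, mapping = MAPPING)
  mapping.each_with_object({}) do |(ldap_attr, field), user|
    value = entry[ldap_attr]
    user[field] = value.nil? || value.to_s.strip.empty? ? nil : value
  end
end

# Reasons the sync would skip this entry; an empty array means it is importable.
def skip_reasons(entry, mapping = MAPPING)
  reasons = []
  if (entry['useraccountcontrol'].to_i & ACCOUNTDISABLE) != 0
    reasons << 'account is disabled (userAccountControl bit 0x2 set)'
  end
  user = map_entry(entry, mapping)
  reasons << 'login is empty' if user['login'].nil?
  missing = user.reject { |field, value| field == 'login' || !value.nil? }.keys
  if missing.any? && missing.size == user.size - 1   # only the login carries a value
    reasons << "no attribute values except login (empty: #{missing.join(', ')})"
  elsif missing.any?
    reasons << "incomplete mapping (empty: #{missing.join(', ')})"
  end
  reasons
end

# Constructed directory entries: an admin with only a login, a complete agent, a disabled leaver.
SAMPLE_ENTRIES = [
  { 'dn' => 'cn=administrator,cn=users,dc=example,dc=test',
    'userprincipalname' => 'administrator@example.test', 'useraccountcontrol' => 512 },
  { 'dn' => 'cn=agent1,cn=users,dc=example,dc=test', 'givenname' => 'Agnes', 'sn' => 'Example',
    'userprincipalname' => 'agent1@example.test', 'useraccountcontrol' => 512 },
  { 'dn' => 'cn=leaver,cn=users,dc=example,dc=test', 'givenname' => 'Lee', 'sn' => 'Leaver',
    'userprincipalname' => 'leaver@example.test', 'useraccountcontrol' => 514 },
].freeze
# Map each DN to its skip reasons so an admin can see why a user never appears after a sync.
def audit(entries, mapping = MAPPING)
  entries.each_with_object({}) { |entry, report| report[entry['dn']] = skip_reasons(entry, mapping) }
end

audit(SAMPLE_ENTRIES).each { |dn, reasons| puts "#{dn}: #{reasons.empty? ? 'importable' : reasons.join('; ')}" }
```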

Thank you very much for your time and help! This was the problem! :slight_smile:

1 Like

You’re welcome! Would be great if you could share what you did exactly so others might profit from your experience :muscle:

Sure! As you said, the user needs to have all the attributes which are required for mapping. In this case the Firstname, Lastname and Login name :wink: I added these attributes to the administrator account in the Active Directory and restarted the sync.

1 Like

This topic was automatically closed 120 days after the last reply. New replies are no longer allowed.