LDAP Integration won't sync the admin (Minimum one user needs to have admin permissions.)

MarvinKlar · November 7, 2018, 9:24am

Infos:

Used Zammad version: 2.7.0
Installation method (source, package, …): source
Operating system: Debian
Database + version: MariaDB
Elasticsearch version: any
Browser + version: any

Expected behavior:

The LDAP synchronization should finish successfully

Actual behavior:

The LDAP synchronization fails with the following error: An error occurred: Minimum one user needs to have admin permissions.

Steps to reproduce the behavior:

Configure the LDAP integration as following:
Settings:
UID | objectguid
User Filter | (&(objectClass=user)(samaccountname=*)(!(samaccountname=*$)))
GID | dn
Group Filter | (objectClass=group)

Assignments:
User:
givenname firstname sn lastname userprincipalname login

Roles:
cn=administratoren,cn=builtin,dc=my,dc=domain - Admin
cn=agent,cn=zammad,dc=my,dc=domain - Agent

When configuring this, the LDAP configuration already says(!):
Mit Ihre aktuellen Konfiguration werden sich folgende Änderungen ergeben: LDAP Benutzer zu Zammad Benutzer (649): Benutzer: 0 erstellt, 62 aktualisierte, 410 nicht verändert, 56 übersprungen, 121 fehlgeschlagen, 0 deaktiviert LDAP Gruppen zu Zammad Rolle Zuweisung: Agent: 0 erstellt, 0 aktualisierte, 14 nicht verändert, 0 fehlgeschlagen, 0 deaktiviert Kunde: 0 erstellt, 62 aktualisierte, 394 nicht verändert, 0 fehlgeschlagen, 0 deaktiviert

Which means, that the configuration won’t sync the admin user! But, in our Active Directory is an admin, which matches the filter (&(objectClass=user)(samaccountname=*)(!(samaccountname=*$))) and is in the group cn=administratoren,cn=builtin,dc=my,dc=domain !

MarvinKlar · November 7, 2018, 9:25am

@anon29869905

I tryed to add the filter (!(userAccountControl:1.2.840.113556.1.4.803:=2)) to synchronize only active LDAP users. I don’t know if the error is because of this, but even when I removed this filter the error continued to occour.

anon29869905 · November 7, 2018, 9:29am

1.) Create a file called debug_issue.rb in your Zammad directory (usually /opt/zammad)
2.) Run the file from your Zammad directory via zammad run rails r debug_issue.rb or rails r debug_issue.rb as zammad user, depending on your installation source (package/source)
3.) Post the output here. Make sure all sensitive data is anonymized! If you want you can drop it as an email to support@zammad.com. Please refer to this thread and me
4.) Delete the debug_issue.rb file

require 'mixin/rails_logger'

module Mixin
  module RailsLogger
    def self.logger
      @logger ||= Logger.new(log_to).tap do |logger|
        logger.level = :debug
      end
    end

    def self.log_to
      # STDOUT
      'debug_issue.log'
    end
  end
end


job = ImportJob.create(
  name:    'Import::Ldap',
  payload: ImportJob.where(name: 'Import::Ldap').last.payload
)

job.start

MarvinKlar · November 7, 2018, 9:39am

Thank you very much for your help!

The script runs smoothly! I’ll email you the log…

anon29869905 · November 7, 2018, 9:45am

Hi @MarvinKlar - damn. The script shouldn’t run smooth Seems like I got the wrong payload for the test. To get the proper one: When does the error occur? Does it happen while doing the dry/test run or while syncing the live data afterwards? Could you please go and reproduce the error as you did before and then right after the error occurs start the script?

MarvinKlar · November 7, 2018, 10:00am

Sorry for my wrong mode of expression!

When saying ‘The script runs smoothl’, I mean, that the script is executable and produced the debug output successfully. Sorry for that. But as far as I can see, there are a few errors in the log. I just sent the email. There you can have a closer look!

anon29869905 · November 7, 2018, 10:27am

Seems like the error we’re looking for did not occur in this run. Could you please reproduce the error and run the script right after it occurred again. Then zip the log file and send it to the ticket

MarvinKlar · November 7, 2018, 11:09am

The error is displayed all the time in the System-Integrations->LDAP window.

I run the script again, zipped it and attached the new log to the ticket (but I can’t see it in the ticket :C ).

anon29869905 · November 8, 2018, 9:45am

Hi @MarvinKlar - the DN of the Admin account you send me was the information I needed. The account is not imported because it has no attribute values except the login. Zammad will skip those entries:

{"firstname"=>nil, "lastname"=>nil, "login"=>"*somevalue*"}

You could try to add values to these attributes or add a mapping for the email attribute (if not present yet).

MarvinKlar · November 8, 2018, 1:20pm

Thank you very much for your time and help! This was the problem!

anon29869905 · November 8, 2018, 2:06pm

You’re welcome! Would be great if you could share what you did exactly so others might profit from your experience

MarvinKlar · November 8, 2018, 2:18pm

Sure! As you said, the user need to have all the attributes, which are required for mapping. In this case the Firstname, Lastname and Login name I added these attributes to the administrator account in the Active Directory and restarted the sync.

system · March 8, 2019, 2:18pm

This topic was automatically closed 120 days after the last reply. New replies are no longer allowed.