LDAP integration won't sync the admin (Minimum one user needs to have admin permissions)


  • Used Zammad version: 3.1.x
  • Used Zammad installation source: (source, package, …) apt-get install
  • Operating system: ubuntu
  • Browser + version: any

I did find the old article from:

and confirmed that the ldap attributes have been set as described in that article

Expected behavior:

LDAP configuration should succeed.

Manage -> System -> Integrations -> LDAP -> Configure

I configure everything and get as far as the LDAP Mapping configuration screen, then I add 2 Roles,
1 AD Group for Admin Role (with 1 user Administrator)
1 AD Group for Agent role ( with 3 users)

All other options are left default, also this one:

Users without assigned LDAP groups: Assign signup roles

then the mapping works and I get this message:

# LDAP Configuration
    With your current configuration the following will happen:

    * LDAP user to Zammad user (168):
      * Users: 163 created, 1 updated, 0 untouched, 4 skipped, 0 failed, 0 deactivated
    * LDAP groups to Zammad roles assignments:
      * **Admin: 1** created, 0 updated, 0 untouched, 0 failed, 0 deactivated
      * Agent: 3 created, 0 updated, 0 untouched, 0 failed, 0 deactivated
      * Customer: 159 created, 1 updated, 0 untouched, 0 failed, 0 deactivated

…which means that the admin account gets mapped properly,

… however if I go back choose this option

Users without assigned LDAP groups: Don't synchronize

I would expect it to work as well, … it should find the admin user and not synchronize the users which are not assigned in LDAP groups, but…

Actual behavior:

as soon as I choose in the screen before (LDAP Mapping)

Users without assigned LDAP groups: Don't synchronize

and click on “Continue” then on the next screen I get this red error message:

Minimum one user needs to have admin permissions.

Steps to reproduce the behavior:

  • go as far as the LDAP Mapping window in the LDAP integration wizard
  • map an AD Group “GR_zammad_admin” to the Admin Zammad Role
    (above AD Group contains one user Administrator)
  • map an AD Group “GR_zammad_agents” to the Agent Zammad role
    (above AD group contains 3 AD normal Users)
  • Choose the option
    Users without assigned LDAP groups: Don't synchronize
  • Press Continue

I did check that the Administrator user has all the necessary ldap attributes configured in AD on the windows side: givenname, sn, mail, samaccountname, telephonenumber

I did not add any additional ldap attributes to the LDAP Mappings
Above attributes are configured per default in the ldap integration and I did not change them…

Did you ensure that the administrator still appears within the LDAP-Search for the given conditions?
This sounds like you have no local administrator and, with changing the options, also excluded the ldap-admin which would be the last person standing.

This error might also be raised if Zammad would have to deactivate the last admin user (because it doesn’t appear in the sync which is why it will deactivate the affected user).

While we’re at this topic, please also note that a manually given admin-role will be removed/updated by ldap sync if Zammad is going to sync a ldap user.

Also, please ensure that you’re not working with nested groups, which are currently not supported by Zammad.

Hi, thanks for your answer.

Yes the administrator account appears with LDAP-Search for the given conditions, for example with the ldp.exe utility in windows, I can see the administrator object with the same filter. So in my opinion the ldap query works.

Yes it seems as if zammad deactivates the local admin account anyway because it uses the ones it finds via ldap, but if the ldap mapping does not work, it appears to not find the administrator account

Thanks for the hint. I created a new custom admin-role and used this one instead of the default one.

I am not using nested groups.

It still does not work. I receive the same error message :confused:




Just a small follow up for you: We’re currently evaluating this issue and will come back as soon as we have updates on this.

Did you ensure that the local admin user does not use a username or email address which appears within the LDAP? Background: If you have a user that matches any of those two attributes via an ldap search (your role mapping is not relevant in that case, as long as the above search filter can find that user (which is the case)

To your second post, because this currently is getting dangerous (for mixing stuff up):
While your configuration is correct, it’s possible that because of the above, Zammad deactivates your local last admin first, before applying other administrators (your ldap ones) which might cause this issue.

You may need to work around this issue by creating a local admin user with an absolutely unique email address and login which does not live within your LDAP (so e.g. @example.com).

That was indeed the problem. Thanks!

After changing the email address from the local existing admin user to an email address which does not exist in AD, the sync worked.

Thanks again!

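The collision that resolved this thread (a local admin whose login or email also turns up in the LDAP search) can be checked for before choosing "Don't synchronize". The Ruby below is an added example, not Zammad's code and not from any poster in the thread; the directory entries, local accounts and function names are constructed, and the case-insensitive comparison is an assumption.

```ruby
# Added example: plain Ruby, no Zammad or LDAP library calls.
# All accounts below are constructed sample data.

# LDAP attribute values are multi-valued, so every attribute is an array.
LDAP_ENTRIES = [
  { dn: 'CN=Administrator,CN=Users,DC=corp,DC=example',
    samaccountname: ['Administrator'], mail: ['admin@corp.example'] },
  { dn: 'CN=Jane Agent,OU=Staff,DC=corp,DC=example',
    samaccountname: ['jagent'], mail: ['Jane.Agent@corp.example'] },
  { dn: 'CN=Svc Print,OU=Service,DC=corp,DC=example',
    samaccountname: ['svc-print'], mail: [] }
].freeze

LOCAL_ADMINS = [
  { login: 'admin@corp.example', email: 'admin@corp.example' },
  { login: 'breakglass',         email: 'breakglass@zammad-local.invalid' }
].freeze

# Assumption: compare case-insensitively and ignore surrounding whitespace,
# the conservative choice when the exact matching rule is unknown.
def norm(value)
  value.to_s.strip.downcase
end

# Index every LDAP login and mail value to the DN that carries it.
def ldap_identifier_index(entries)
  entries.each_with_object({}) do |entry, index|
    (entry[:samaccountname] + entry[:mail]).each do |value|
      key = norm(value)
      index[key] = entry[:dn] unless key.empty?
    end
  end
end

# Return one finding per local admin field that also exists in the directory.
def colliding_admins(local_admins, entries)
  index = ldap_identifier_index(entries)
  local_admins.flat_map do |admin|
    %i[login email].map do |field|
      dn = index[norm(admin[field])]
      { login: admin[:login], field: field, ldap_dn: dn } if dn
    end.compact
  end
end

# Local admins that stay outside the LDAP sync and keep their role.
def safe_admins(local_admins, entries)
  hit = colliding_admins(local_admins, entries).map { |f| f[:login] }
  local_admins.reject { |a| hit.include?(a[:login]) }.map { |a| a[:login] }
end
```

An empty result from `safe_admins` means every local admin shares a login or email with a directory entry, which is the situation the thread's workaround (a local admin with an address that does not exist in AD) removes.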