LDAP skips ~50% of our users

Infos:

  • Used Zammad version: 4.1.x
  • Used Zammad installation type: package
  • Operating system: Linux Ubuntu
  • Browser + version: Newest Chrome

Expected behavior:

Zammad syncs our Users via LDAP from Active Directory. They just need to be member of group A or group B.

Actual behavior:

Nearly 50% of our users get skipped, and I don’t know why. Because they get skipped, they also get disabled. And we can’t create tickets with disabled customers…
I saw this a few weeks ago; it probably appears since the Zammad 4.1 update (from 4.0).

Steps to reproduce the behavior:

  1. Have some users in Active Directory (we have ~2500, if that’s important).
  2. Put 50% of them in group A, the remaining 50% in group B.
  3. Build a user filter like this (in Microsoft Active Directory the filter works just fine!):
    (&(objectClass=user)(|(memberOf=CN=GROUP_A,OU=TEST,DC=TEST,DC=de)(memberOf=CN=GROUP_B,OU=TEST,DC=TEST,DC=de)))
  4. Sync the LDAP a few times.

I really don’t know what is going wrong here, and I tried to see what I was doing wrong. My colleague, who knows more about LDAP syncs, tried to find the issue too. But he said everything looks right, he double-checked it, and in AD it works. So it looks like Zammad needs to be wrong here?

Below are some LDAP config infos:


Thanks for any help

Little correction here: of course we can create tickets with a disabled user as customer. The problem is that some important newly created users don’t get synced into Zammad via LDAP.

So what makes said important users that don’t get synced so special?
Do they miss e.g. attributes other users do have?

Any information in your production.log possibly?

Also… you’re mapping user roles if your LDAP users are group members of specific groups, but you also decided to go for a memberOf user filter. I don’t see a reason why you should use both approaches; it feels kinda duplicate and possibly leads to issues. You may want to consider using the default user filter with inactive account filtering and check if the issue persists.


Thanks for your reply!

I just meant that the user is important because my boss urgently needed to create a ticket with this important new executive as a customer. This is how the misbehavior first came to light.

To make it short:
Thanks for the tip that we doubled our user filter through the Zammad roles. This was configured by a former employee and I didn’t question it.
I have now set the user filter back to “(objectClass=user)”.

Now our main problem becomes more visible: Zammad roles.

First of all, we use Zammad internally in IT. (We create tickets ourselves and assign the respective employee as a customer)

Our configuration:
All agents are also admins right now (small team, it’s okay).
For our customers we created a custom role, so they can’t log on to Zammad.

In the production log, for many users (I guess all) in group A, the following is displayed: “Skipping. No Role assignment found for login xxx”.

Am I not supposed to assign 2 groups to the same role? Or is it related to the order?

If it’s important: users in the admin group are also in group A, and a few users in group B could be in group A too.

If I have enough time, I will test the behavior outside the working hours of my colleagues in more detail.

Have a look at the users Zammad complains about and ensure they’re members of the required groups.
Nested groups are not possible, keep that in mind (just in case).

That’s perfectly fine. You can map several roles based on different security groups if required.

This may be an issue depending on your configuration. Hard to tell really.
Technically Agents may also be customers, but I have no idea how that “can do nothing” role looks.
It may give you arrows in the knee.

Thanks again!
I had a look at some special users Zammad doesn’t like, and saw nothing special.
Also today I wrote a PowerShell script telling me that NO user has group A and group B. So that’s not the point, I guess.

But I’m very interested that you think the role could be the problem!
Here is a screenshot of the whole configuration (we turned everything off).

I hope that the quality is enough to see the settings.
Do you think we need to give the users some more rights in this role?

As a reminder: this role should contain users from our Active Directory who should not log on to Zammad and should not get any messages/mails from Zammad. They are just for our internal documentation, so that we can pick them as customer and see all information from Active Directory (telephone number etc.).

Why don’t you give those users an actual ticket.customer role then?
You can’t deny login for LDAP users anyway if your customers know where to go to, but you can adjust the role’s permissions accordingly to e.g. not display any overviews.

I don’t see a benefit in doing so but that’s your decision.

Yes, that makes sense. I will give them the customer role without any permissions.
Btw, our special role was configured by a previous employee. I think he just didn’t want to edit the default customer role.

To the main problem in this ticket:
We analyzed the skipped users more and saw they are all members of the same group (I mean from the above group A & group B thing). I tried changing one user to the other group and he was turned active!

We don’t understand why that group is a problem; it’s only in Zammad.
As the next action we will get rid of that group.

I will give an update if that fixes the skipped users thing.

@MrGeneration Hi, I think I finally found the bug. It seems like a problem within Zammad.
See this 7-month-old GitHub issue which was never tested/verified: LDAP role assignment fails when more than 1500 users are part of an active directory group · Issue #3634 · zammad/zammad · GitHub

Soo… Back to group A and group B. Group A worked fine, group B didn’t. So I got all users into group A. Now nobody was synced. Why…

If I configure the role mapping to sync all users of group A (~2300 users) into the role Customer, it just skips the Customer role…

See my config here:

And the result here (NO Customer role, skipping ~2300 users):

If I then add a role assignment to assign all users from group B (which are now also in group A, but just ~1400 users) into the Customer role, it just syncs these ~1400 users. The difference between these groups (all users which are in group A but NOT in group B) gets skipped.

See here:

Conclusion: Zammad doesn’t sync users if the group has more than 1500 users.

Please see that this is a bug and nothing wrong with our system. It really looks like the same issue I mentioned from GitHub. We just have these problems using Zammad. And this isn’t the first time we think about leaving Zammad, because it costs so much time and isn’t our fault.

However, have a great weekend. Hoping to hear from you soon.
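As an added example (not Zammad’s code and not from the linked issue), the Python stand-in below shows the Active Directory behaviour behind the 1500 boundary reported above: once a group has more values in `member` than MaxValRange (AD default 1500), the directory no longer answers with a plain `member` attribute but with ranged chunks such as `member;range=0-1499`, and a client must keep asking for `member;range=1500-*` until the returned upper bound is `*`. `fake_ad_search`, `GROUP_MEMBERS` and the constructed 2300-member group are assumptions of this example; that a sync which only reads the plain attribute is what causes the skipping in the thread is a hypothesis, not something the thread confirms.

```python
import re
from typing import Callable, Dict, List

# Constructed stand-in for an AD group exceeding MaxValRange (AD default 1500):
# 2300 members, the group A figure from the thread.
MAX_VAL_RANGE = 1500
GROUP_MEMBERS = [f"CN=user{i},OU=TEST,DC=TEST,DC=de" for i in range(2300)]
# Ranged attribute names look like "member;range=0-1499" or "member;range=1500-*".
RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<lo>\d+)-(?P<hi>\d+|\*)$", re.IGNORECASE)
Search = Callable[[str], Dict[str, List[str]]]


def fake_ad_search(attr: str) -> Dict[str, List[str]]:
    """Simulate AD's answer to a request for one (possibly ranged) attribute.

    Small groups come back under the plain name; large groups only under a
    ranged name, whose upper bound becomes '*' once the last value is sent.
    """
    m = RANGE_RE.match(attr)
    base = m.group("attr") if m else attr
    lo = int(m.group("lo")) if m else 0
    if m is None and len(GROUP_MEMBERS) <= MAX_VAL_RANGE:
        return {base: list(GROUP_MEMBERS)}
    hi = lo + MAX_VAL_RANGE - 1
    if m and m.group("hi") != "*":
        hi = min(hi, int(m.group("hi")))
    chunk = GROUP_MEMBERS[lo:hi + 1]
    last = lo + len(chunk) - 1
    tag = "*" if last >= len(GROUP_MEMBERS) - 1 else str(last)
    return {f"{base};range={lo}-{tag}": chunk}

def naive_members(search: Search, attr: str = "member") -> List[str]:
    """Client that only reads the plain attribute: gets nothing for a big group."""
    return search(attr).get(attr, [])

def all_members(search: Search, attr: str = "member") -> List[str]:
    """Client that follows ranged retrieval until the range upper bound is '*'."""
    members: List[str] = []
    request = attr
    while True:
        response = search(request)
        if attr in response:                      # small group: plain attribute present
            return list(response[attr])
        name, values = next(iter(response.items()))
        members.extend(values)
        hi = RANGE_RE.match(name).group("hi")
        if hi == "*":                             # last chunk delivered
            return members
        request = f"{attr};range={int(hi) + 1}-*"  # ask for the next chunk
```

A quick check against a real directory is to read the group’s entry with any LDAP client and look at the attribute names: if `member` is absent and `member;range=0-1499` is present instead, that group is over the limit and any sync that does not follow ranges will see it as empty.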