Extending on this:
The issue escalated last week with roughly 70% of the users being deactivated during sync processes, reproducibly.
We were able to ascertain that the issue is connected to the result paging of LDAP searches in conjunction with the net::ldap lib (not reproducing with e.g. ldapsearch). The LDAP backend is provided by slapd, with no issues showing in the service logs.
Having seen this we were able to work around the issue by setting net::ldap to not use paging. This is done by patching zammad/lib/ldap.rb. In method “connection_params” we set:
params[:force_no_page] = true
This initializes the net::ldap connection to not use paging and solves the issue.
Please note that a similar issue came up earlier in Add possibility to authenticate via for LDAP sync · Issue #1422 · zammad/zammad · GitHub. That was fixed for that special case in Fixed issue #1442 - IBM bluepages searches fail. · zammad/zammad@0afcc33 · GitHub.
I’ll check if we can offer a more generic solution for this in a new dev category topic.
Update:
Added a solution proposal in the dev category.
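
Added example, not part of the original post and not Zammad code: a check that runs the same search over a paged and an unpaged connection and reports which DNs the paged search drops, which is worth doing before a sync is allowed to deactivate accounts. The names `paging_discrepancy`, `FakeLdap` and `sample_report`, the host in the comment and all DNs are assumptions; the stub stands in for two `Net::LDAP` connections so the block runs offline.

```ruby
require 'set'

# Compare the DNs returned by a paged and an unpaged search of the same
# base and filter. Both connections only need to respond to #search the way
# Net::LDAP does, for example (assumed host, not from the post):
#   paged   = Net::LDAP.new(host: 'ldap.example.org')
#   unpaged = Net::LDAP.new(host: 'ldap.example.org', force_no_page: true)
def paging_discrepancy(paged, unpaged, base:, filter:)
  fetch = lambda do |conn|
    # Net::LDAP#search returns nil when the search fails; treat that as empty.
    entries = conn.search(base: base, filter: filter, attributes: ['dn']) || []
    entries.map { |e| e.dn.to_s.downcase }.to_set
  end
  with_paging = fetch.call(paged)
  without_paging = fetch.call(unpaged)
  {
    paged_count: with_paging.size,
    unpaged_count: without_paging.size,
    missing_when_paged: (without_paging - with_paging).to_a.sort,
    consistent: with_paging == without_paging
  }
end

# Constructed stand-ins for the two connections; the DNs are made up.
FakeEntry = Struct.new(:dn)
class FakeLdap
  def initialize(dns)
    @dns = dns
  end

  def search(_args = nil)
    @dns.map { |dn| FakeEntry.new(dn) }
  end
end

# Constructed scenario: the paged search returns 3 of 10 users.
def sample_report
  all = (1..10).map { |i| "uid=user#{i},ou=people,dc=example,dc=org" }
  paging_discrepancy(FakeLdap.new(all.first(3)), FakeLdap.new(all),
                     base: 'ou=people,dc=example,dc=org',
                     filter: '(objectClass=person)')
end

if __FILE__ == $PROGRAM_NAME
  report = sample_report
  puts "paged=#{report[:paged_count]} unpaged=#{report[:unpaged_count]}"
  puts "missing when paged: #{report[:missing_when_paged].size}"
end
```

An unpaged search is still bound by any size limit the server enforces, so run the comparison against a subtree small enough to fit within it.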