LDAP Sync Error: User Deactivated Due to "Email Already Used" Validation Error

PeterS812 · November 10, 2025, 10:22am

Zammad version: 6.5.0
Installation method: Package
Operating system: Ubuntu server
Database: PostgreSQL

Note: Email addresses and usernames are masked for privacy reasons.

Expected Behavior
LDAP synchronization should successfully sync user accounts from Active Directory to Zammad without validation errors.

Actual Behavior
During LDAP sync, one specific user account fails to synchronize and gets deactivated with the following error:

log text
E, [2025-10-14T11:02:32.673879#3686711-196180] ERROR – : Validation failed: Email address '***@***is already used for another user. (ActiveRecord::RecordInvalid)
The error repeats during each LDAP sync cycle.

Steps to Reproduce
Configure LDAP integration with Active Directory
Create/have a user in AD
Run LDAP synchronization
User fails to sync with “Email address is already used for another user” error
User account becomes deactivated

What I’ve Already Tried

Searched the database for duplicates with ***@*** — none found
Searched via web interface (active and inactive users) — none found
Verified the AD mail attribute — correctly formatted with @
Checked LDAP mapping configuration — appears correct

Questions

Why does Zammad report “Email address is already used for another user” when no duplicate exists?
Could this be related to orphaned records in the external_sync table or soft-deleted users?
What SQL queries or Rails console commands can I run to fully detect any email conflicts?
How can I resolve this issue—should I merge or delete duplicates, adjust uniqueness settings, or take another approach?

Related Community Topics
I found similar issues reported:

github.com/zammad/zammad

LDAP sync may not work correctly if users with same email address exists

opened 07:46AM - 24 Oct 23 UTC

martini

bug LDAP verified user

### Used Zammad Version 6.1 ### Environment - Installation method: any … - Operating system (if you're unsure: `cat /etc/os-release` ): any - Database + version: any - Elasticsearch version: any - Browser + version: any Note about use cases: There are some use cases out there where you may have different users with same email address in LDAP/AD: a) If in the organization generally admin users and regular users are separated (for organizational reasons). b) If an organization is organized in different LDAP/AD branches their users of the different organization parts (hq and branches like EMEA, US, ...) are administered. Then it can happen that one user is active in several parts of the organization. ### Actual behaviour If there are e. g. three users with the same email address in LDAP, not 3 users will get created in Zammad, but one user and this user will be "updated 3 times" during a synchronization run. This will happen all 30 minutes. ### Expected behaviour If `user_email_multiple_use=true` all three users should get created/synced (like they exist in AD/LDAP). If `user_email_multiple_use=false` only the first user should get synced (only the first one). Because we don't want to break the current behaviour the solution for this would be a check inside the external data sync table. For example, a user with an email address already exists in the Zammad system and afterwards, LDAP sync is triggered which holds a user with the same email address: Here we can check if an external data sync entry exists, when not we are re-using the already existing user and when already a sync entry exists, we can decide related to the current `user_email_multiple_use` value what we need to do (create user or skip user). ### Steps to reproduce the behaviour * Create an AD/LDAP which contains 2 users with the same email address. * Configure LDAP * Start LDAP sync ### Support Ticket _No response_ ### I'm sure this is a bug and no feature request or a general question. yes

However, none of these describe the exact scenario where no duplicate can be found in the database or UI.

Additional Information

The production.log shows this error on every sync cycle. The AD user attributes are valid, but Zammad refuses to sync the account, claiming an email conflict that cannot be found.

Any guidance on troubleshooting or resolving this would be greatly appreciated!

Log Excerpt
text:
I, [2025-10-14T11:02:32.538276#3686711-196180] INFO – : Skipping. No Role assignment found for login ***
E, [2025-10-14T11:02:32.673879#3686711-196180] ERROR – : Validation failed: Email address ‘@’ is already used for another user. (ActiveRecord::RecordInvalid)
I, [2025-10-14T11:05:31.056163#3686711-196180] INFO – : LDAP job end

MrGeneration · November 10, 2025, 10:10pm

If I’d had to bet, I’d say that the user in question was created by a different LDAP server before (even if it was deleted after).

I believe I told you several times, or I mistake you with someone else:
Do never ever execute SQL queries, especially none that change data in Zammads database.
This can break existing functionality and even cause data loss.

Use the rails console. Executing ExternalSync.last will give you an idea of how the data structure looks like. As I’m out for a while on this topic, I neither have a LDAP absend instance to play with, nor do I remember the exact structure in that case.

PeterS812 · November 11, 2025, 1:45pm

Thanks for the reply.

This user was created on the same LPAD server as other users who successfully performed synchronization using ldap integration.
We don’t use SQL queries to update data