LDAP sync resets roles memberships

  • Used Zammad version: 5.0.x (latest)
  • Used Zammad installation type: Debian package
  • Operating system: Debian GNU/Linux 11 (bullseye)

I set up the Zammad LDAP integration with some role assignments

cn=mitarbeiter-1,ou=groups,ou=lm,ou=iam,dc=ads,dc=XXX,dc=de -->  Mitarbeiter
cn=itg-members,ou=groups,ou=lm,ou=iam,dc=ads,dc=XXX,dc=de -->  Agent

Expected behavior:

  • Other roles aren’t touched during LDAP syncs

Actual behavior:

  • Membership of the other roles are reset

Is this the desired behaviour or am I doing something wrong?
Is there a method to avoid that other roles are touched?


Yes, Zammad will update users' roles according to the LDAP sync; you can create many security groups to add/fix this issue via AD, if I understand your question right.

Maybe not. :slight_smile:

Yes, Zammad does update users' roles according to the LDAP sync for the defined associations, which is great. But it also resets the role assignments of other roles which are not associated with AD security groups, which is not desirable.

Here is an example:

  • Defined roles: Agent, Mitarbeiter, External, SomeOtherRole
  • ldap sync: see above (only for Agent and Mitarbeiter)

Let’s say User1 is assigned to the role External and User2 is assigned to the role SomeOtherRole.
After the LDAP sync both do not have that role anymore, no matter whether User1 and User2 are Agent or Mitarbeiter or none.

Does that make sense to you?
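An added audit helper, not code from this thread or from Zammad, that makes the behaviour described above visible: given per-user role snapshots taken before and after a sync run, it lists the roles outside the LDAP mapping that were dropped, separately from the expected changes to mapped roles. The logins, role names and snapshots are constructed from the example in this thread.

```python
# Added example: compare per-user role sets before and after an LDAP sync
# and report roles that were removed although no LDAP group maps to them.
# Not Zammad code; the snapshots below are constructed from the thread's example.

# Roles that the LDAP group mapping in the thread controls
LDAP_MANAGED_ROLES = {"Mitarbeiter", "Agent"}

# Constructed snapshots: login -> set of role names (e.g. exported from the
# Zammad user list before and after a sync run)
BEFORE = {
    "user1": {"Agent", "External"},
    "user2": {"Mitarbeiter", "SomeOtherRole"},
    "user3": {"Mitarbeiter"},
}
AFTER = {
    "user1": {"Agent"},
    "user2": {"Mitarbeiter"},
    "user3": {"Agent", "Mitarbeiter"},
}


def lost_unmanaged_roles(before, after, managed):
    """Roles present before the sync, absent after it, and not in the LDAP mapping.

    Returns {login: sorted list of dropped roles}; users with no such loss are omitted.
    """
    report = {}
    for login, roles_before in before.items():
        roles_after = after.get(login, set())
        dropped = (roles_before - roles_after) - managed
        if dropped:
            report[login] = sorted(dropped)
    return report


def managed_role_changes(before, after, managed):
    """Changes to LDAP-managed roles, which the sync is expected to make.

    Returns {login: (sorted added, sorted removed)} for users with any change.
    """
    changes = {}
    for login in before.keys() | after.keys():
        b = before.get(login, set()) & managed
        a = after.get(login, set()) & managed
        if a != b:
            changes[login] = (sorted(a - b), sorted(b - a))
    return changes


if __name__ == "__main__":
    for login, roles in lost_unmanaged_roles(BEFORE, AFTER, LDAP_MANAGED_ROLES).items():
        print(f"{login}: lost non-LDAP roles {roles}")
```

Running the report after each sync gives a record of which manually assigned roles were silently removed, so they can be restored or moved into AD groups.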

If you have a user that has 1 role in the LDAP sync and 1 role not,
then LDAP will of course reset to what LDAP has.

You will need to create an LDAP SG also for the roles missing in the LDAP sync.

I understand you want LDAP to only enable roles which you have set up under LDAP and leave roles you have manually assigned directly to the user. You would need to change your request to an enhancement request, but for me personally this could get messy very quickly, especially if you want to limit a role assignment: you would have to go over all the attached users/customers and revoke it one by one.

Hope that helps :slight_smile:
Best regards

Sorry, but what does "LDAP SG" refer to?

I am afraid I can't follow you. Why would there be a vital difference between the LDAP sync changing role assignments and an admin manually changing them?


Sorry, SG = Security Group in Active Directory.

Are you referring to manually ticking these boxes under the user?


Or these ones?


The latter ones: “Permissions”.

"Admin" and "Agent" do not seem to be touched.
So, only the self-defined roles are checked against the LDAP SGs?

LDAP resets permissions each time; if you want to manually assign roles, then use the groups check boxes.


I guess I have to rethink my distribution of roles and groups.

Too bad membership of Groups and Organizations cannot be synced through LDAP.
That would be helpful to organize the users of our departments and their corresponding helpdesk agents.
Or is that hidden somewhere where I haven’t looked yet?

Not sure what you mean there. I have organizational groups set up in AD, and then in the Zammad LDAP integration you assign them to Zammad roles, which are then configured according to Zammad groups and access.


As for Organizations, you can use the setup within Zammad to assign automatically using the "Domain based assignment", but if you want many organizations from the same Domain, you would need to submit an enhancement request to automate this, I guess.

if you want many organizations from the same Domain

Yes. We have only internal "customers", but from multiple departments. I'd like to group them into separate organizations, for the agents, reporting etc.
