LDAP synchronisation updates some accounts at each run

Infos:

  • Used Zammad version: 6.2
  • Used Zammad installation type: RPM
  • Operating system: RHEL 8
  • Browser + version: Opera 106

Expected behavior:

If I run the LDAP account synchronisation (Integration → LDAP) twice in a row, I expect to see no updated accounts.

Actual behavior:

When I run the LDAP account synchronisation twice in a row (or even more!), I always get 15 (out of 1000) accounts updated.

I was able to identify one of these accounts in the LDAP integration log (entries displayed in Integration → LDAP) and saw it was an (Active Directory) account with the userid and the lastname defined but with the firstname, email and phone empty (but present, I think). It looks as if such an entry causes the entry to be marked as updated. Removing the lastname value stops this, as the entry becomes ignored (which is the expected behaviour).

Steps to reproduce the behavior:

Define some accounts in LDAP with just the userid and the lastname defined and with firstname, email and phone empty (but present).

This usually happens if Zammad finds a fitting user more than once and so it basically updates user 1 and user 2 after.

You should be able to see that via the user's history, where an attribute is being removed and re-added (or changed, whatever fits in your case).

Usually this happens for instances that use Exchange Sync and LDAP Sync at the same time. If your instance does fit such a use case, the Exchange Sync should not contain any users from your LDAP or this issue may occur.

Not really sure if that helps you.