LDAP synchronization doesn't assign customer roles

  • Used Zammad version: 2.7
  • Used Zammad installation source: source
  • Operating system: Debian
  • Browser + version: any

Expected behavior:

  • The customers defined in the LDAP sync should be assigned to the customer role

Actual behavior:

  • Some users are not getting assigned to that role. The log says success tcp unchanged.

Steps to reproduce the behavior:

  • I have configured the LDAP sync to assign users in the LDAP group domänen-benutzer (domain-users) to the customer role in Zammad.
  • The user does match the filter. I tested the filter in my local LDAP server. And the user is also in the group domänen-benutzer, but does not get assigned to the role in Zammad 🙁

@thorsteneckel Do you have any idea, why the users are not getting assigned?

Please re-execute the script I provided you in your previous thread and send it to support@zammad.com and refer to me and this thread. Please make sure to give me details on what is going wrong, what accounts are affected (email, login, DN etc.) and what role entry you refer to. I’ll have a look when I find the time.

I re-executed the script you mentioned in this thread: LDAP Integration won't sync the admin (Minimum one user needs to have admin permissions.)
and sent an email with the log and the failing user.

Since the tests contained sensitive data we continued the conversation on support.zammad.com

Here is the result:
The domain users group is a special role in the active directory/LDAP server. Currently Zammad is not able to work with this group correctly in all cases.

So the workaround is to use another (custom) group, to map the users and roles.

After I updated the LDAP integration configuration I got the following result from the LDAP sync:

  • Users: 0 created, 317 updated, 1 untouched, 46 skipped, 123 failed, 0 deactivated

So, all users got correctly updated and assigned to the role “customer”.

Thanks to @thorsteneckel for the help!


Thanks for the summary @MarvinKlar - I’m happy that it works for you.

I’ll add my summary to share the information (gathered in Ticket #1030839):

The Microsoft Active Directory (AD) has one special group - usually called Domain-Users (or Domänen-Benutzer in German). This is actually not a common LDAP group but an AD-specific logical group based on an attribute called “primary Group” with the value 516 (or similar). However, Zammad is currently not capable of handling this AD-specific logic because of the generic approach we implemented. This also leads to other issues as described in this issue. We’re planning to implement LDAP profiles to be able to handle the specific cases of the various LDAP servers.

The current workaround is to assign these users to an actual LDAP group and use this instead of the primary AD group.
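The following is an added example to illustrate the mechanism described above; it is not code from Zammad or from either poster. AD stores a user's primary group only as the numeric `primaryGroupID` attribute (the RID of the group within the domain) and never lists that group in the user's `memberOf` or in the group's `member` attribute, so a sync that resolves membership through those attributes alone cannot see it. The example reconstructs the primary group's SID from the user's `objectSid` and compares it with the group's `objectSid`, and also shows the server-side filter form `(primaryGroupID=<rid>)` that catches such users. All directory entries, DNs and the domain SID are constructed for the example; the RID 513 used for Domain Users is the well-known value Windows assigns to that group (the post above quotes 516 "or similar" from memory).

```ruby
# Added example (not Zammad's own code): why an AD "primary group" such as
# Domain Users is invisible to a memberOf/member-based LDAP sync, and how to
# resolve it. Entries below are constructed stand-ins for LDAP search results.

# Build a binary objectSid the way AD stores it: revision byte, sub-authority
# count, 48-bit big-endian identifier authority, then 32-bit little-endian
# sub-authorities (the last one is the RID).
def build_sid(authority, *sub_authorities)
  [1, sub_authorities.size].pack("CC") +
    [authority].pack("Q>")[2, 6] +
    sub_authorities.pack("V*")
end

# Decode a binary objectSid into the familiar "S-1-5-21-...-RID" string form.
def sid_to_s(raw)
  revision, count = raw.unpack("CC")
  authority = raw[2, 6].unpack("C6").reduce(0) { |acc, b| (acc << 8) | b }
  subs = raw[8, 4 * count].unpack("V#{count}")
  (["S-#{revision}-#{authority}"] + subs).join("-")
end

# The primary group's SID is the user's SID with the user RID replaced by
# primaryGroupID (both live in the same domain).
def primary_group_sid(user_sid_string, primary_group_id)
  user_sid_string.sub(/-\d+\z/, "-#{primary_group_id}")
end

# Constructed sample directory (hypothetical domain, DNs and RIDs).
DOMAIN_SID = [21, 1111, 2222, 3333].freeze

DOMAIN_USERS = {
  dn: "CN=Domänen-Benutzer,CN=Users,DC=example,DC=org",
  objectSid: build_sid(5, *DOMAIN_SID, 513),
  member: []                       # AD never enumerates primary-group members here
}.freeze

CUSTOMERS = {                      # the "real" custom group used as the workaround
  dn: "CN=Zammad-Customers,OU=Groups,DC=example,DC=org",
  objectSid: build_sid(5, *DOMAIN_SID, 1200),
  member: ["CN=Bob,CN=Users,DC=example,DC=org"]
}.freeze

ALICE = {                          # only in Domain Users via primaryGroupID
  dn: "CN=Alice,CN=Users,DC=example,DC=org",
  objectSid: build_sid(5, *DOMAIN_SID, 1105),
  primaryGroupID: 513,
  memberOf: []
}.freeze

BOB = {                            # primary group plus an explicit group
  dn: "CN=Bob,CN=Users,DC=example,DC=org",
  objectSid: build_sid(5, *DOMAIN_SID, 1106),
  primaryGroupID: 513,
  memberOf: [CUSTOMERS[:dn]]
}.freeze

# What a generic (RFC-style) sync does: membership = the group lists the
# user's DN in `member`, or the user lists the group in `memberOf`.
def member_generic?(user, group)
  group[:member].include?(user[:dn]) || user[:memberOf].include?(group[:dn])
end

# AD-aware check: the generic rule, or the group's SID equals the SID derived
# from the user's primaryGroupID.
def member_ad_aware?(user, group)
  return true if member_generic?(user, group)
  sid_to_s(group[:objectSid]) ==
    primary_group_sid(sid_to_s(user[:objectSid]), user[:primaryGroupID])
end

# RFC 4515 escaping for values embedded in an LDAP filter.
def ldap_filter_escape(value)
  value.gsub(/[\\*()\x00]/) { |c| format("\\%02x", c.ord) }
end

# Server-side filter that matches both explicit and primary-group members;
# primaryGroupID is an indexed attribute on AD, so this is cheap to evaluate.
def membership_filter(group_dn, group_rid)
  "(&(objectClass=user)(|(memberOf=#{ldap_filter_escape(group_dn)})" \
    "(primaryGroupID=#{group_rid.to_i})))"
end

# Map a user to the "customer" role through a given group, with either rule.
def role_for(user, group, ad_aware:)
  matched = ad_aware ? member_ad_aware?(user, group) : member_generic?(user, group)
  matched ? "customer" : nil
end

if __FILE__ == $PROGRAM_NAME
  puts "Alice SID: #{sid_to_s(ALICE[:objectSid])}"
  puts "Alice in Domänen-Benutzer (generic):  #{member_generic?(ALICE, DOMAIN_USERS)}"
  puts "Alice in Domänen-Benutzer (AD-aware): #{member_ad_aware?(ALICE, DOMAIN_USERS)}"
  puts "Bob in Zammad-Customers (generic):    #{member_generic?(BOB, CUSTOMERS)}"
  puts "Filter: #{membership_filter(DOMAIN_USERS[:dn], 513)}"
end
```

Running it shows the failure mode from the thread: with the generic rule Alice is not a member of Domänen-Benutzer and gets no role, while the same rule finds Bob in the custom Zammad-Customers group, which is exactly why moving the mapping to a regular group works as a workaround.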
