@thorsteneckel Do you have any idea why the users are not getting assigned?
Please re-execute the script I provided you in your previous thread and send it to email@example.com and refer to me and this thread. Please make sure to give me details on what is going wrong, what accounts are affected (email, login, DN, etc.) and what role entry you refer to. I’ll have a look when I find the time.
I re-executed the script you mentioned in this thread: LDAP Integration won't sync the admin (Minimum one user needs to have admin permissions.)
and sent an email with the log and the failing user.
Since the tests contained sensitive data, we continued the conversation on support.zammad.com.
Here is the result:
The domain users group is a special role in the Active Directory/LDAP server. Currently Zammad is not able to work with this group correctly in all cases.
So the workaround is to use another (custom) group to map the users and roles.
After I updated the LDAP integration configuration I got the following result from the LDAP sync:
- Users: 0 created, 317 updated, 1 untouched, 46 skipped, 123 failed, 0 deactivated
So, all users got correctly updated and assigned to the role “customer”.
Thanks to @thorsteneckel for the help!
Thanks for the summary @MarvinKlar - I’m happy that it works for you.
I’ll add my summary to share the information (gathered in Ticket #1030839):
The Microsoft Active Directory (AD) has one special group - usually called Domain-Users (or Domänen-Benutzer in German). This is actually not a common LDAP group but an AD-specific logical group based on an attribute called “primary Group” with the value 516 (or similar). However, Zammad is currently not capable of handling this AD-specific logic because of the generic approach we implemented. This also leads to other issues as described in this issue. We’re planning to implement LDAP profiles to be able to handle the specific cases of the various LDAP servers.
The current workaround is to assign these users to an actual LDAP group and use this instead of the primary AD group.
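As an added illustration of the summary above (not Zammad's code and not part of any post in this thread): a generic lookup that reads a group's `member` attribute finds nobody in the AD primary group, while a custom group resolves normally. The DNs, the `Zammad Customers` group, the RID 1601 and all method names are hypothetical, and plain hashes stand in for LDAP search results.

```ruby
# Constructed sample entries (hypothetical DNs); plain hashes stand in for LDAP results.
DOMAIN_USERS = 'CN=Domain Users,CN=Users,DC=example,DC=test'
CUSTOM_GROUP = 'CN=Zammad Customers,OU=Groups,DC=example,DC=test'
ALICE = 'CN=Alice,CN=Users,DC=example,DC=test'
BOB   = 'CN=Bob,CN=Users,DC=example,DC=test'

# AD stores primary-group membership on the user (primaryGroupID = RID of the
# group, 513 for Domain Users), so the group's own `member` list stays empty.
GROUPS = {
  DOMAIN_USERS => { 'primaryGroupToken' => 513,  'member' => [] },
  CUSTOM_GROUP => { 'primaryGroupToken' => 1601, 'member' => [ALICE, BOB] }
}.freeze
USERS = {
  ALICE => { 'primaryGroupID' => 513 },
  BOB   => { 'primaryGroupID' => 513 }
}.freeze

# Generic LDAP view: membership is whatever the group's `member` attribute lists.
def members_generic(group_dn)
  GROUPS.fetch(group_dn)['member']
end

# AD-aware view: add users whose primaryGroupID matches the group's RID.
def members_ad_aware(group_dn)
  group = GROUPS.fetch(group_dn)
  implicit = USERS.select { |_dn, u| u['primaryGroupID'] == group['primaryGroupToken'] }.keys
  (group['member'] + implicit).uniq
end

# Users left without any role for a given group => role mapping.
def users_without_role(role_map, resolver)
  mapped = role_map.keys.flat_map { |group_dn| send(resolver, group_dn) }
  USERS.keys - mapped
end

if __FILE__ == $PROGRAM_NAME
  # Mapping the primary group with the generic lookup leaves every user unassigned.
  p users_without_role({ DOMAIN_USERS => 'Customer' }, :members_generic)
  # An AD-aware lookup, or the custom-group workaround, assigns everyone.
  p users_without_role({ DOMAIN_USERS => 'Customer' }, :members_ad_aware)
  p users_without_role({ CUSTOM_GROUP => 'Customer' }, :members_generic)
end
```

When auditing a role mapping, a group whose `member` attribute is empty but which is some user's `primaryGroupID` target is the case to look for.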