Problems LDAP Agent-Sync - disabled users

Christian · June 16, 2020, 10:08am

Infos:

Used Zammad version: 3.3.x
Used Zammad installation source: package
Operating system: Ubuntu 18.04.4
Browser + version: Edge Chromium 84

Hello,
I currently testing and configuring Zammad. We are currently not using it productive.
A time ago I got the LDAP integration to work. Users and Groups getting synced. The LDAP Users, and Agents are getting assigned correctly.

I have a few AD-Groups for assignment

Zammad-Agents
Zammad-Admins
All-Users

I can login with my normal AD-Account as customer. With my Dom-Admin I can login as agent…
Although I put the dom-admin Accounts of my collegues in the Agents-Group. They where correctly assigned but got disabled with every ldap-sync. I can manually enable them, at next sync they got disabled…

The Users do not have other Zammad-AD-groups except the Agents. They are not member of “All-Users”. The users are of course not disabled in AD.

How can I debug this behavior?
Thank you in advance.
Christian

MrGeneration · June 19, 2020, 7:55am

Users that come from a LDAP sync usually only get disabled for one reason:

either

your search filter is set to exclude specific accounts which apply to your affected accounts
the users don’t appear in your search at all

The easiest and fast way to double check that is to use an ldap browser and, while using it, to ensure, you’re using the same filters like Zammad.

All accounts Zammad can no longer find (for whatever reason) will automatically be deactivated.

Christian · June 24, 2020, 9:36am

Hi,

I tested the ldap filter with an LDAP Browser. Everything looks as expected there.
currently i am using (&(objectClass=user)(samaccountname=))
before this i used (&(objectClass=user)(samaccountname=)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))) to exclude disabled accounts in the query.
although my BaseDN is not very complex OU=Company,DC=domain,DC=local

The groups are inside of this BaseDN
cn=zammad-agents,ou=security groups,ou=company,dc=domain,dc=local

All 4 Admins are member of this security group but only my account doesn’t get disabled. the others are disabled after the Sync.

This is the (german) output of the Sync-Reults

LDAP Benutzer zu Zammad Benutzer (331/331):
- Benutzer: 0 erstellt, 4 aktualisierte, 79 nicht verändert, 247 übersprungen, 1 fehlgeschlagen, 0 deaktiviert
LDAP Gruppen zu Zammad Rolle Zuweisung:
- Admin: 0 erstellt, 1 aktualisierte, 0 nicht verändert, 0 fehlgeschlagen, 0 deaktiviert
- Agent: 0 erstellt, 0 aktualisierte, 1 nicht verändert, 0 fehlgeschlagen, 0 deaktiviert
- Kunde: 0 erstellt, 3 aktualisierte, 78 nicht verändert, 0 fehlgeschlagen, 0 deaktiviert

After i click “Neu Starten” the Sync disables the other accounts…
Is there a more detailed version of the “last logs” available inside the Server? the “success tcp skipped” Messages is not very helpful currently. and it seems the list is cut after a number of entrys.

thank you so far for your reply.
Greets from Bavaria

MrGeneration · June 24, 2020, 10:11am

You can get the debug-script of from this issue:

It might help you.

Christian · June 24, 2020, 11:04am

Hi,

thanks for the Link. I put it on the server and ran the script. It seems to pars all groups if they match with the search pattern and on a match puts all users which are in this group.

for example following output
entry.dn.downcase = "cn=zammad-agents,ou=security groups,ou=company,dc=domain,dc=local" mapping = {"cn=zammad-agents,ou=security groups,ou=company,dc=domain,dc=local"=>["2"], "cn=zammad-admins,ou=security groups,ou=company,dc=domain,dc=local"=>["1"], "cn=all users,ou=distribution groups,ou=company,dc=domain,dc=local"=>["3"]} roles = ["2"] HERE 1 members = ["CN=adm-meier,OU=Admins,ou=company,dc=domain,dc=local", "CN=adm-mueller,OU=Admins,ou=company,dc=domain,dc=local", "CN=adm-huber,OU=Admins,ou=company,dc=domain,dc=local", "CN=adm-schmidt,OU=Admins,ou=company,dc=domain,dc=local"]

the user-Accounts which matches here are only in this group matched.
What does the output HERE 1 mean?
HERE 1 is three times in the debug-output at every group…

but I dont know how this could help me…

greets Christian

MrGeneration · June 26, 2020, 7:25am

I’m sorry, you’re right.
For the full debugging experience, put the following into e.g. ldap_debug.rb into /opt/zammad :

# redirect app logging
Rails.logger = Logger.new('debug.log').tap do |logger|
  logger.level = :debug
end
ActiveRecord::Base.logger = Rails.logger.clone


ImportJob.create(name: 'Import::Ldap', payload: {}).start


require 'mixin/rails_logger'

module Mixin
  module RailsLogger
    def self.logger
      @logger ||= Logger.new(log_to).tap do |logger|
        logger.level = :debug
      end
    end

    def self.log_to
      'debug_issue.log'
    end
  end
end

import_job = ImportJob.create(name: 'Import::Ldap')

result = Sequencer.process('Import::Ldap::Users',
                           parameters: {
                             import_job: import_job
                           })

import_job.save!

Rails.logger.info JSON.pretty_generate(import_job.reload.attributes)

After saving, run zammad run rails r /opt/zammad/ldap_debug.rb and wait for the prompt to return.
Zammad will write an big logfile which contains all details the ldap sync is stumbling on.

system · October 24, 2020, 7:25am

This topic was automatically closed 120 days after the last reply. New replies are no longer allowed.