Problems LDAP Agent-Sync - disabled users

Infos:

  • Used Zammad version: 3.3.x
  • Used Zammad installation source: package
  • Operating system: Ubuntu 18.04.4
  • Browser + version: Edge Chromium 84

Hello,
I am currently testing and configuring Zammad. We are not using it in production yet.
A while ago I got the LDAP integration to work. Users and groups are getting synced. The LDAP users and agents are getting assigned correctly.

I have a few AD groups for assignment:

  • Zammad-Agents
  • Zammad-Admins
  • All-Users

I can log in with my normal AD account as a customer. With my domain admin account I can log in as an agent…
I also put the domain admin accounts of my colleagues in the agents group. They were correctly assigned but got disabled with every LDAP sync. I can manually enable them, but at the next sync they get disabled again…

The users are not in any other Zammad AD groups except the agents group. They are not members of “All-Users”. The users are of course not disabled in AD.

How can I debug this behavior?
Thank you in advance.
Christian

Users that come from an LDAP sync usually only get disabled for one reason:

either

  • your search filter is set to exclude specific accounts, and that applies to your affected accounts
  • the users don’t appear in your search at all

The easiest and fastest way to double-check that is to use an LDAP browser and, while doing so, to ensure you’re using the same filters as Zammad.

All accounts Zammad can no longer find (for whatever reason) will automatically be deactivated.
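Added example (not part of the reply above, and not Zammad’s own code): the rule “an account the user search no longer returns gets deactivated” can be checked offline before touching the server. The Ruby script below models the user filter (&(objectClass=user)(samaccountname=*)) with and without the (!(UserAccountControl:1.2.840.113556.1.4.803:=2)) clause against a constructed set of directory entries and a constructed member list of an AD group, and reports which group members the search would miss and why (outside the base DN, not an objectClass=user, no sAMAccountName, or the ACCOUNTDISABLE bit set). The base DN is the one quoted in this thread; the entry names, attribute values and group membership are made up for illustration. The bit-AND function implements the semantics of the 1.2.840.113556.1.4.803 matching rule, which is why the disabled check works as a bit test rather than a string comparison, and DNs are compared case-insensitively because AD returns them in mixed case.

```ruby
# Added example, not code from the thread or from Zammad itself.
# Offline simulation: which members of an AD group would a Zammad LDAP user
# search NOT return, and therefore be deactivated on the next sync?

ACCOUNTDISABLE = 0x2 # userAccountControl bit tested by
                     # (UserAccountControl:1.2.840.113556.1.4.803:=2)

BASE_DN = 'OU=Company,DC=domain,DC=local' # base DN quoted in the thread

# Constructed sample directory (DN => attributes); all names are hypothetical.
SAMPLE_ENTRIES = {
  'CN=adm-meier,OU=Admins,OU=Company,DC=domain,DC=local' =>
    { objectClass: %w[top person organizationalPerson user], sAMAccountName: 'adm-meier',   userAccountControl: 512 },
  'CN=adm-mueller,OU=Admins,OU=Company,DC=domain,DC=local' =>
    { objectClass: %w[top person organizationalPerson user], sAMAccountName: 'adm-mueller', userAccountControl: 514 }, # 512 | ACCOUNTDISABLE
  'CN=adm-huber,OU=Admins,OU=Company,DC=domain,DC=local' =>
    { objectClass: %w[top person organizationalPerson contact], sAMAccountName: nil,        userAccountControl: nil }, # a contact, not a user
  'CN=adm-schmidt,OU=Admins,DC=domain,DC=local' =>
    { objectClass: %w[top person organizationalPerson user], sAMAccountName: 'adm-schmidt', userAccountControl: 66_048 } # outside the base DN
}

# Constructed member list of cn=zammad-agents (mixed-case DNs, as AD returns them).
SAMPLE_GROUP_MEMBERS = SAMPLE_ENTRIES.keys

# DNs compare case-insensitively; normalize before any comparison.
def norm_dn(dn)
  dn.split(',').map { |rdn| rdn.strip.downcase }.join(',')
end

# True when dn equals the base DN or lies somewhere below it (subtree scope).
def under_base?(dn, base_dn)
  n = norm_dn(dn)
  n == norm_dn(base_dn) || n.end_with?(',' + norm_dn(base_dn))
end

# Semantics of the LDAP_MATCHING_RULE_BIT_AND extensible match
# (attr:1.2.840.113556.1.4.803:=mask): true when every bit of mask is set.
def bit_and_match?(value, mask)
  !value.nil? && (value.to_i & mask) == mask
end

# nil when the user search would return this entry, otherwise the reason it
# is excluded. Mirrors (&(objectClass=user)(samaccountname=*)) and, when
# exclude_disabled is true, (!(UserAccountControl:1.2.840.113556.1.4.803:=2)).
def exclusion_reason(dn, attrs, base_dn:, exclude_disabled:)
  return 'outside the base DN' unless under_base?(dn, base_dn)
  return 'no objectClass=user' unless Array(attrs[:objectClass]).map(&:downcase).include?('user')
  return 'no sAMAccountName' if attrs[:sAMAccountName].to_s.empty?
  if exclude_disabled && bit_and_match?(attrs[:userAccountControl], ACCOUNTDISABLE)
    return 'disabled in AD (userAccountControl bit 0x2 set)'
  end
  nil
end

# DNs the user search returns, i.e. the accounts Zammad keeps active.
def search_users(entries, base_dn:, exclude_disabled:)
  entries.select { |dn, attrs| exclusion_reason(dn, attrs, base_dn: base_dn, exclude_disabled: exclude_disabled).nil? }.keys
end

# Group members the user search does not return: these get deactivated.
# Returns { member_dn => reason }.
def members_not_found(entries, members, base_dn:, exclude_disabled:)
  by_dn = entries.transform_keys { |dn| norm_dn(dn) }
  members.each_with_object({}) do |member, missing|
    attrs = by_dn[norm_dn(member)]
    if attrs.nil?
      missing[member] = 'not in the directory result at all'
      next
    end
    reason = exclusion_reason(member, attrs, base_dn: base_dn, exclude_disabled: exclude_disabled)
    missing[member] = reason if reason
  end
end

if __FILE__ == $PROGRAM_NAME
  [true, false].each do |exclude_disabled|
    puts "user filter #{exclude_disabled ? 'with' : 'without'} the disabled-account clause:"
    members_not_found(SAMPLE_ENTRIES, SAMPLE_GROUP_MEMBERS, base_dn: BASE_DN, exclude_disabled: exclude_disabled)
      .each { |dn, why| puts "  would be deactivated: #{dn} (#{why})" }
  end
end
```

To use it against a real directory, replace SAMPLE_ENTRIES with the entries an LDAP browser returns for the same base DN, and SAMPLE_GROUP_MEMBERS with the member attribute of the agents group; any member that lands in the result is an account the sync will deactivate, with the reason to fix.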

Hi,

I tested the LDAP filter with an LDAP browser. Everything looks as expected there.
Currently I am using (&(objectClass=user)(samaccountname=*))
Before this I used (&(objectClass=user)(samaccountname=*)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))) to exclude disabled accounts in the query.
Although my BaseDN is not very complex: OU=Company,DC=domain,DC=local

The groups are inside this BaseDN:
cn=zammad-agents,ou=security groups,ou=company,dc=domain,dc=local

All 4 admins are members of this security group, but only my account doesn’t get disabled; the others are disabled after the sync.

This is the (originally German) output of the sync results:

  • LDAP users to Zammad users (331/331):
    • Users: 0 created, 4 updated, 79 unchanged, 247 skipped, 1 failed, 0 deactivated
  • LDAP groups to Zammad role assignment:
    • Admin: 0 created, 1 updated, 0 unchanged, 0 failed, 0 deactivated
    • Agent: 0 created, 0 updated, 1 unchanged, 0 failed, 0 deactivated
    • Customer: 0 created, 3 updated, 78 unchanged, 0 failed, 0 deactivated

After I click “Neu Starten” (Restart), the sync disables the other accounts…
Is there a more detailed version of the “last logs” available on the server? The “success tcp skipped” messages are not very helpful currently, and it seems the list is cut off after a number of entries.

Thank you so far for your reply.
Greetings from Bavaria

You can get the debug script from this issue:

It might help you.

Hi,

thanks for the link. I put it on the server and ran the script. It seems to parse all groups that match the search pattern and, on a match, print all users that are in this group.

For example, the following output:
entry.dn.downcase = "cn=zammad-agents,ou=security groups,ou=company,dc=domain,dc=local"
mapping = {"cn=zammad-agents,ou=security groups,ou=company,dc=domain,dc=local"=>["2"], "cn=zammad-admins,ou=security groups,ou=company,dc=domain,dc=local"=>["1"], "cn=all users,ou=distribution groups,ou=company,dc=domain,dc=local"=>["3"]}
roles = ["2"]
HERE 1
members = ["CN=adm-meier,OU=Admins,ou=company,dc=domain,dc=local", "CN=adm-mueller,OU=Admins,ou=company,dc=domain,dc=local", "CN=adm-huber,OU=Admins,ou=company,dc=domain,dc=local", "CN=adm-schmidt,OU=Admins,ou=company,dc=domain,dc=local"]

The user accounts that match here are matched only in this group.
What does the output HERE 1 mean?
HERE 1 appears three times in the debug output, at every group…

But I don’t know how this could help me…

greets Christian

I’m sorry, you’re right.
For the full debugging experience, put the following into e.g. ldap_debug.rb in /opt/zammad:

# ldap_debug.rb: run the LDAP import from the Rails runner with verbose logging.

# Stage 1: redirect the Rails and ActiveRecord logging to debug.log (relative
# to the working directory, i.e. /opt/zammad) at debug level, then run the
# complete LDAP import job the same way the scheduler does.
Rails.logger = Logger.new('debug.log').tap do |logger|
  logger.level = :debug
end
ActiveRecord::Base.logger = Rails.logger.clone

ImportJob.create(name: 'Import::Ldap', payload: {}).start

# Stage 2: Zammad's LDAP code logs through Mixin::RailsLogger. Override it so
# that its messages go to debug_issue.log at debug level, run only the user
# import sequence (Import::Ldap::Users), and dump the resulting ImportJob
# record into debug.log.
require 'mixin/rails_logger'

module Mixin
  module RailsLogger
    def self.logger
      @logger ||= Logger.new(log_to).tap do |logger|
        logger.level = :debug
      end
    end

    def self.log_to
      'debug_issue.log'
    end
  end
end

import_job = ImportJob.create(name: 'Import::Ldap')

result = Sequencer.process('Import::Ldap::Users',
                           parameters: {
                             import_job: import_job
                           })

import_job.save!

# The import job attributes (including the sync result counts) end up in debug.log.
Rails.logger.info JSON.pretty_generate(import_job.reload.attributes)

After saving, run zammad run rails r /opt/zammad/ldap_debug.rb and wait for the prompt to return.
Zammad will write a big log file which contains all the details the LDAP sync is stumbling on.