Infos:
- Used Zammad version: 7.0.1-3b453545.docker
- Used Zammad installation type: docker-compose
- Operating system: Oracle Linux 9
- Browser + version: -
Problem Summary:
After setting up LDAP synchronization, we discovered that some users share a single mailbox and therefore have identical mail attributes in Active Directory. To enforce a 1-account-per-email policy, we updated the LDAP user filter to exclude those shared mailboxes.
However, this caused an unintended side effect: any user excluded from the LDAP filter gets deactivated on the next sync run.
Root Cause (from source code analysis):
After reviewing the Zammad source code, I identified the mechanism responsible:
- Every user imported via LDAP gets a record in the external_syncs table (source = 'Ldap::User', object = 'User').
- On each sync run, Zammad computes “lost” users as:
  lost_ids = active_ids_in_external_syncs - found_ids_from_current_ldap_filter
- All users in lost_ids are deactivated (active = false).
So once a user has been synced via LDAP, removing them from the filter will always result in their account being deactivated — regardless of intent.
Constraints:
- We cannot delete and recreate the affected accounts, as that would permanently destroy their associated tickets.
- We want those accounts to remain active and be managed manually going forward (no longer controlled by LDAP sync).
Question:
Would it be safe to manually remove the affected users’ rows from the external_syncs table?
The expected outcome is:
- Those users would no longer be tracked by LDAP sync (active_ids would no longer include them).
- They would not be deactivated on future sync runs.
- Their existing tickets and data would remain intact.
Are there any other references or side effects we should be aware of before doing this? For example, does users.source also need to be cleared?