Synchronize users via LDAP and then Exchange

Infos:

  • Used Zammad version: V 3.2.0
  • Used Zammad installation source: https://zammad.org/; CentOS
  • Operating system: CentOS
  • Browser + version: Firefox 60.9.0esr 64bit

Expected behavior:

  • Login names synchronized via LDAP remain unchanged when synchronizing via Exchange.

Actual behavior:

  • Users are created via LDAP and Exchange. In my case, the LDAP users correspond to the support staff. The users created via Exchange correspond to customers. Unfortunately, the Exchange mailbox also contains users that have already been created via LDAP. Somewhat impractical now is that the login names of the users created by LDAP (surname.vorname) are overwritten with a generic number when synchronizing the Exchange mailbox. SSO will then no longer work properly. The login is then only possible via the e-mail address. The login names are constantly changed back and forth during each synchronization. Once surname.vorname (LDAP) and then again generic number (Exchange).

Steps to reproduce the behavior:

  • Synchronize first LDAP and then Exchange. E-mail addresses of the users in LDAP and Exchange have to be equal.

@thorsteneckel is this a bug or a feature?
However, might as well be covered by this issue: https://github.com/zammad/zammad/issues/2361

We were thinking about this a while ago. We were not sure what the proper way would be to handle this so we postponed our decision until we face it in the wild. Well, so the day has come…

I’m not yet convinced that just ignoring the login is enough. From my point of view the LDAP is the more sophisticated user management software with the possibility to manage roles and map those into Zammad.
Therefore I’d propose that we should skip Exchange Users if there is an existing LDAP connection to this very same user. Users that are present in the Exchange but not in the LDAP will be synced as expected.

What do you think @skull77? Would this suit your use case?

@MrGeneration you are an experienced (LDAP (and Exchange?)) admin. What’s your opinion?

It’s perfect for me. I also see LDAP as the primary source.

I as well would prefer LDAP to be the primary source.
If we find information of the same user on both sources, I’d always prefer LDAP, because the Exchange address book might have mixed up data (I mean besides the login attribute :stuck_out_tongue: ).

Cool! Could you please create an enhancement issue then for it?

Done: https://github.com/zammad/zammad/issues/2864

Thanks for the Ticket! If you need a beta tester, I offer myself completely selflessly. :wink: