Unable to edit LDAP Group Filter


  • Used Zammad version: 3.1.0
  • Used Zammad installation source: source
  • Operating system: Debian 10.1
  • Browser + version: Firefox 69.0.1

Expected behavior:

  • During LDAP configuration I should be able to edit the Group Filter

My LDAP configuration (openLDAP) uses posixgroup for actual posixgroups, and groupOfNames for organizational groups. We need to be able to assign Zammad roles by organizational groups.

Actual behavior:

  • LDAP Group Filter is set by default to “(objectClass=posixgroup)” and there is no UI to change it.

Steps to reproduce the behavior:

  • Install Zammad, configure LDAP integration

At the moment it’s not possible to change the group filter within LDAP.
Normally you’d change the user search query (which is possible).

If you need to map groups to roles, that should be possible with openLDAP just perfectly and natevily.

See: https://admin-docs.zammad.org/en/latest/integrations/ldap.html

If that doesn’t help, please get a bit more detailed, because right now I’m failing to follow you and thus can’t help you in a good way. :frowning:

I can’t map my groups to roles using openLDAP with my configuration. At least not the groups that I need to.

My ldap directory uses three different kinds of organizational units:

  1. objectClass=groupOfNames - for logical groups within the company (e.g. Management, Developers, Support, etc.)
  2. objectClass=posixGroup - for mapping user accounts to system groups when logging in to a physical machine
  3. objectClass=organizationalRole - for mapping behavioral roles that should not be reflected in logical groups (e.g. access to restricted systems, etc.)

With a default install of Zammad, I can only map the posixGroups to Zammad roles, the groupOfNames groups are not visible to Zammad.

Manually patching lib/ldap/group.rb to contain:

def filter
  @filter ||= lookup_filter(['(objectClass=groupOfUniqueNames)', '(objectClass=groupOfNames)', '(objectClass=group)', '(objectClass=posixgroup)', '(objectClass=organization)'])

causes Zammad to allow me to map the groupOfNames groups to Zammad roles. (Note the addition of ‘groupOfNames’, we don’t use the ‘groupOfUniqueNames’ class.)

Having a UI to be able to edit the group filter would prevent me from having to patch the code. (As would updating the code to support groupOfNames, but having a UI to edit the group filter would be more flexible for others.)

FWIW, it would also be useful to be able to map both groupOfNames and organizationalRoles to Zammad roles at the same time. (e.g. the ‘Support’ groupOfNames’ would be agents, and the ‘admin’ organizationalRole would be admins). We have other applications such as Nextcloud that expose the groupOfNames groups and we don’t want to expose the admin role as a group to those applications, which is why we use organizationalRoles for those. Note that organizationalRoles use a different schema per https://tools.ietf.org/html/rfc4519#section-3.10

I think that, if you think that this would be useful to you and others, a feature request on this Community would be the best solution. We’ll decide on that later based on feature requests.