Zammad not mapping LDAP roles correctly


  • Used Zammad version: 5.3.0 / 5.1.1
  • Used Zammad installation type: (source, package, docker-compose, …): package
  • Operating system: debian 11
  • Browser + version: Chrome/

Expected behavior:

  • After upgrading LDAP from 5.1.1 to 5.3.0, users should be assigned LDAP roles as configured

Actual behavior:

  • only some users get assigned the configured roles from mapping

Steps to reproduce the behavior:

  • upgrade from 5.1.1 to 5.3.0


After upgrading from 5.1.1 to any higher version, not all users get assigned the correct LDAP rules.
Following situation:
All users from LDAP get synced to Zammad.
All users are members of the group users.
Some users are members of the group admin.

I have configured a mapping, all users being part of the group
cn=admin,ou=group should get assigned the roles admin, agent and customer

All users being part of the group
cn=users,ou=group should get assigned the role customer.

In version 5.1.1, everything is working as expected.
After the upgrade, only some users that are part of the admin group get assigned the admin and agent role. All other users being part of the LDAP group admin only get assigned the role customer based on the second filter.

After doing a manual lookup in LDAP, I can see that the users with the faulty assignments are still part of the LDAP admin group.

When going to the user tab within Zammad and clicking on a customer that should be an admin, Zammad shows me checked boxes for admin, agent and customer. But this user can only do customer-related things and has no permissions for admin and customer. When clicking on apply without doing any changes to the checkboxes, the user gets assigned to the roles admin and agent. On the next LDAP sync, these roles are gone again, even if the checkboxes are still checked.

Seems to be related to After package upgrade LDAP Syncs remove all roles from admins and agents · Issue #4168 · zammad/zammad · GitHub

All LDAP accounts without spaces or special characters.

Would be great if someone could help me with that or tell me if there is a good way to debug this (e.g. Zammad log files).


Here is a screenshot of a user profile.

This user is part of the LDAP group admin.
Somehow, Zammad removes the roles admin and customer from this user in >5.1.1 on sync.
When clicking on the user tab, the user still has the checkboxes for admin and agent. But the user is not listed in the admin/agent tab and doesn’t have the permissions to do anything admin/agent related.

Double check your configuration and ensure that the user appears in every filter / group you provide. If it doesn’t, Zammad will remove the assignment naturally.

The mentioned issue couldn’t be reproduced. Nothing changed in between 5.1.x and 5.3.x on the filter logic part. If you have several LDAPs configured, make sure they don’t nuke each other as mentioned in the limitations LDAP / Active Directory — Zammad documentation
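
One way to cross-check the mapping from the question against what a sync actually produced, so that users who lost or kept privileged roles stand out. This is an added example, not part of the thread and not Zammad code: the base DN, the logins and the member and role data are constructed, and it assumes a user should receive the union of the roles of every mapped group they belong to.

```ruby
require 'set'

# Placeholder base DN; the post only gives cn=admin,ou=group and cn=users,ou=group.
BASE = 'dc=example,dc=org'

# Group-to-role mapping as described in the question.
ROLE_MAPPING = {
  "cn=admin,ou=group,#{BASE}" => %w[admin agent customer],
  "cn=users,ou=group,#{BASE}" => %w[customer]
}.freeze

# Constructed sample data: group members as read from the directory, and the
# roles each user actually holds in Zammad after a sync.
GROUP_MEMBERS = {
  "cn=admin,ou=group,#{BASE}" => %w[alice bob],
  "cn=users,ou=group,#{BASE}" => %w[alice bob carol]
}.freeze
ACTUAL_ROLES = {
  'alice' => %w[admin agent customer],
  'bob'   => %w[customer],
  'carol' => %w[customer]
}.freeze

# Assumption: a user should end up with the union of the roles of every
# mapped group they belong to.
def expected_roles(mapping, members)
  result = Hash.new { |hash, login| hash[login] = Set.new }
  mapping.each do |group_dn, roles|
    members.fetch(group_dn, []).each { |login| result[login].merge(roles) }
  end
  result
end

# Returns { login => { missing: [...], extra: [...] } } for users whose
# actual roles differ from the expected ones.
def role_drift(mapping, members, actual)
  expected = expected_roles(mapping, members)
  (expected.keys | actual.keys).sort.each_with_object({}) do |login, drift|
    want = expected.fetch(login, Set.new)
    have = Set.new(actual.fetch(login, []))
    missing = (want - have).to_a.sort
    extra = (have - want).to_a.sort
    drift[login] = { missing: missing, extra: extra } unless missing.empty? && extra.empty?
  end
end

role_drift(ROLE_MAPPING, GROUP_MEMBERS, ACTUAL_ROLES).each do |login, diff|
  puts "#{login}: missing=#{diff[:missing].join(',')} extra=#{diff[:extra].join(',')}"
end
```

Running the comparison after each sync also surfaces the opposite case, a user who keeps admin or agent roles after leaving the LDAP group, which shows up under `extra`.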

This topic was automatically closed 120 days after the last reply. New replies are no longer allowed.