Zammad: Integration of LDAP authentication

Created on 4 Nov 2016  ·  49 Comments  ·  Source: zammad/zammad

Zammad wish of Markus Pfeiler:
"pls provide some kind of LDAP auth plugin / integration otherwise we can't use the ticketing system for anything :( auth w/ facebook and google accounts are no option in any company with more than 10 employees - ideally these channels are blocked in the first line of defense for good reason :)"

feature backlog proposal

Most helpful comment

Any news on this?

All 49 comments

is this a duplicate of #58 ?

@wagnst This is the new issue, #58 is old and already closed.

Note: We are working on "enterprise ready" features for Q1 2017 which will include LDAP integration. Stay tuned.

@rolfschmidt maybe ADFS with OAuth2 is a short term solution

Any news on this?

LDAP support would be incredible. Any update as to when we'll see these features, and what other enterprise features are being implemented?

Any news? The first quarter of 2017 is in its last days :)
Any chance to get this in the April update?

Yes this feature would be great!
We are an organisation with about 4000 users and 50 agents and we are planning to replace OTRS with Zammad. But without LDAP authentication it makes no sense.

Small update, we are in testing state. At least there will be a beta LDAP integration available in the next release (and after that release we call it stable).

A small preview about how to use it (any feedback is welcome - we tried to make it as easy as possible (with auto detection of LDAP settings) - the Zammad way):
[screenshot: ldap-preview]

@bchynds

> LDAP support would be incredible. Any update as to when we'll see these features, and what other enterprise features are being implemented?

Enterprise features: Most important one is role management (and others like out of office and exchange).

That looks nice. Looking forward to test this with our 25k Users when it's available.

> That looks nice. Looking forward to test this with our 25k Users when it's available.

🎉

Hello,

is there a migration/merge of existing agent users with LDAP?

> is there a migration/merge of existing agent users with LDAP?

To identify already existing users we search for login and email address in the existing user base (one of them must match).

Hi there,

I just noticed that the LDAP integration is now in the develop branch. I'm now in testing mode and it's working on "Analyzing entries with given configuration..." for about 10 minutes now.

But we got about 25k Users in our AD. I will wait a bit.

@Julian0o you are fast, man!

> I'm now in testing mode and it's working on "Analyzing entries with given configuration..." for about 10 minutes now.

Is the scheduler started? In our test environment with 9k users it takes about 60 seconds.

PS: You can start the queued background jobs also manually with rails r 'Delayed::Worker.new.work_off'

-Martin

I was too fast :) Forgot to specify an admin role and now I'm a normal user :)

@martini
Do you have some advice to fix that? I'm just missing the OTRS Config.pm now :D

To get the admin role back, do the following:

rails c
u = User.find_by(email: '[email protected]')
u.roles = Role.where(name: ['Agent', 'Admin'])
u.save!

Then login again and you are admin.

Thanks! Now second try ;)

PS: Is there a way to get these commands without looking deep in the code?

> PS: Is there a way to get these commands without looking deep in the code?

Most is rails standard commands. But maybe we should create a cheat sheet....


Initial sync took about 10 minutes.
Now I get an error:

An error occurred: Can't connect to '' on port '389', Connection refused - connect(2) for 127.0.0.1:389
LDAP host configured is "ldaps://xxx.lan"

Edit: Doing a second try with a strict IP address instead of the DNS address that has 5 IP addresses behind it.

Possible to get the log/production.log?

@martini I can send the log to your mail address. Where should it go?

> @martini I can send the log to your mail address. Where should it go?

support at zammad dot com

Okay now it's working and the sync is going on. Now syncing 45 minutes with 6k/22k.
Does OTRS sync users too?

But why can't I change the uid mapping? We use the userPrincipalName for agent login mapping.

And why can I only map admin and agent as "role"? Is the role management only missing or is this the final role management?

> Okay now it's working and the sync is going on. Now syncing 45 minutes with 6k/22k.

Just a notice, we work to speed up this (~3 times faster).

> Does OTRS sync users too?

Agents (and role assignments) are synced in OTRS. Customers not, which leads to issues:

a) if the customer is removed from ldap (history and revision issues)
b) you want to search for tickets via customer attributes - no overview, no triggers, no SLAs with customer attributes (not possible, because data is in at least 2 data sources)
c) performance issues for ldap queries (can also be network related)

> But why can't I change the uid mapping? We use the userPrincipalName for agent login mapping.

Currently we try to autodetect all settings. Ideas on how to improve/enrich the config settings are welcome.

> And why can I only map admin and agent as "role"? Is the role management only missing or is this the final role management?

The role management will be there in the next release (here you can define roles with permissions). If you want to test it on your installation (package install), download https://raw.githubusercontent.com/zammad/zammad/develop/app/assets/javascripts/app/controllers/role.coffee and precompile assets again.

[screenshot 2017-04-19 16:30:04]

Okay that makes sense.

I just noticed that you can login via sAMAccountName and mail. That's a good behaviour! For us: UPN = mail address

The sync time is not a problem I think because it's only the initial sync which takes a while.

Advice for the autodetection of attributes: We use many Microsoft services (Skype for Business, Exchange, ...). By default you could exclude all attributes which start with "ms". You don't need the Exchange configuration or SIP settings of the users in Zammad (I think). That could speed up everything.
My user account has about 45 ms attributes.

For the role plugin I need some additional info or googling ;) I uploaded the file but don't know how to precompile assets.

EDIT: I'm on a good way to install the role plugin!

Now suddenly the sync stopped... Already restarted all services and the server completely. Any advice to restart the sync?

Already did rails r 'Delayed::Worker.new.work_off'

Update: Zammad just made it by itself! 👍
Just waited and suddenly the sync was finished!

Does the sync download photos from Active Directory? We store them in the thumbnailPhoto attribute.

Next Question: How often does the Sync run? Now it's 24 Hours later and there was no new sync.

> Does the sync download photos from Active Directory? We store them in the thumbnailPhoto attribute.

Not right now. But a good idea!

> Next Question: How often does the Sync run? Now it's 24 Hours later and there was no new sync.

There is a job in the scheduler table which starts the sync every hour (of course script/scheduler.rb needs to be running).

Check if the jobs exists via rails console:

Scheduler.where(name: 'Import Jobs')

To (re)create the job do:

Scheduler.create_or_update(
  name:          'Import Jobs',
  method:        'ImportJob.start_registered',
  period:        1.hour,
  prio:          1,
  active:        true,
  updated_by_id: 1,
  created_by_id: 1
)


But the web interface says:
Last sync

20.04.2017 09:30 - 20.04.2017 09:51

Hi @Julian0o - can you please check the Setting.get('import_backends')? There should be a LDAP entry. If so, please run the command ImportJob.all and post the result. Please be aware that the output contains confidential data like the PW and your mapping in the attribute payload. The content of payload is not relevant and can get deleted completely.

The output is too big to paste from the ruby console. Is there a way to get the output in a file?

Sorry, I'm a total ruby noob :)

Please try ImportJob.last.attributes.except('payload').inspect - since we are only interested in the last run. If it's still too big you can use File.write('/tmp/zammad_ldap.txt', ImportJob.last.attributes.except('payload').inspect) to write it to the file /tmp/zammad_ldap.txt.

irb(main):001:0> ImportJob.last.attributes.except('payload').inspect
=> "{\"id\"=>10, \"name\"=>\"Import::Ldap\", \"dry_run\"=>false, \"result\"=>{\"skipped\"=>122, \"created\"=>10, \"updated\"=>27, \"unchanged\"=>22256, \"failed\"=>0, \"sum\"=>22415, \"role_ids\"=>{3=>{\"created\"=>10, \"updated\"=>25, \"unchanged\"=>22220, \"failed\"=>0}, 2=>{\"created\"=>0, \"updated\"=>2, \"unchanged\"=>36, \"failed\"=>0}, 1=>{\"created\"=>0, \"updated\"=>1, \"unchanged\"=>5, \"failed\"=>0}}}, \"started_at\"=>Fri, 21 Apr 2017 08:32:15 UTC +00:00, \"finished_at\"=>Fri, 21 Apr 2017 08:44:07 UTC +00:00, \"created_at\"=>Fri, 21 Apr 2017 08:32:15 UTC +00:00, \"updated_at\"=>Fri, 21 Apr 2017 08:44:07 UTC +00:00}"

EDIT: It Changed

Last sync

21.04.2017 10:32 - 21.04.2017 10:44

Thanks! Hm that's strange 🤔 Can you please provide the output of this statement:
ImportJob.where(name: 'Import::Ldap', dry_run: false).order(created_at: :desc).limit(1).first.attributes.except('payload').inspect

This same statement is used by the LDAP frontend controller which is responsible for rendering the text.

I'm pretty sure you did but just for sanity reasons: Have you tried reloading the page?

irb(main):001:0> ImportJob.where(name: 'Import::Ldap', dry_run: false).order(created_at: :desc).limit(1).first.attributes.except('payload').inspect
=> "{\"id\"=>12, \"name\"=>\"Import::Ldap\", \"dry_run\"=>false, \"result\"=>{\"skipped\"=>110, \"created\"=>0, \"updated\"=>14, \"unchanged\"=>14176, \"failed\"=>0, \"sum\"=>22415, \"role_ids\"=>{3=>{\"created\"=>0, \"updated\"=>14, \"unchanged\"=>14145, \"failed\"=>0}, 2=>{\"created\"=>0, \"updated\"=>0, \"unchanged\"=>31, \"failed\"=>0}, 1=>{\"created\"=>0, \"updated\"=>0, \"unchanged\"=>5, \"failed\"=>0}}}, \"started_at\"=>Fri, 21 Apr 2017 10:33:07 UTC +00:00, \"finished_at\"=>nil, \"created_at\"=>Fri, 21 Apr 2017 10:33:07 UTC +00:00, \"updated_at\"=>Fri, 21 Apr 2017 10:40:31 UTC +00:00}"

I noticed it in the morning after booting the PC. So I did a hard reload :)
Now a sync is running. Maybe it was a one-time problem.

Strange 🤔 This looks good to me, too. Ok, just let us know if there is anything.

Hi!

I've also tried the LDAP Connector and ran into the same problem as Julian0o (https://github.com/zammad/zammad/issues/350#issuecomment-295259450) and didn't declare any admin-group. So thanks to @martini I used the rails snippet to get back admin role.

I never completed a LDAP-Import but the groups seemed to be already synced.
Now my user still seems to have Customer role and I can't change any settings.

Luckily I'm still able to perform admin-tasks, so I created an independent admin-user but still can't change anything on the first user.

Any ideas on this?

I was able to resolve this by once again running martini's rails commands. 👍

But I have still one question - is it okay that the group permissions are synced even before the initial sync takes place?
In my case I realised that too many users would have been synced and exited the LDAP connection wizard, but found myself with the situation explained above.

The LDAP-Import is hanging since yesterday
[screenshot: zammadldap]
Is it possible to stop / restart the import?

Hi @SGVubmluZ0cK - can you please use the rails admin console and provide me the output of each of the following three commands:

Setting.get('import_backends')

ImportJob.last.attributes.except('payload').inspect

ImportJob.where(name: 'Import::Ldap', dry_run: false).order(created_at: :desc).limit(1).first.attributes.except('payload').inspect

Thanks!

That's what the rails admin console says:

irb(main):004:0> Setting.get('import_backends')
=> ["Import::Ldap"]
irb(main):005:0> ImportJob.last.attributes.except('payload').inspect
=> "{\"id\"=>55, \"name\"=>\"Import::Ldap\", \"dry_run\"=>false, \"result\"=>{\"skipped\"=>2, \"created\"=>2, \"updated\"=>0, \"unchanged\"=>496, \"failed\"=>0, \"sum\"=>2403, \"role_ids\"=>{3=>{\"created\"=>2, \"updated\"=>0, \"unchanged\"=>493, \"failed\"=>0}, 2=>{\"created\"=>0, \"updated\"=>0, \"unchanged\"=>3, \"failed\"=>0}, 1=>{\"created\"=>0, \"updated\"=>0, \"unchanged\"=>1, \"failed\"=>0}}}, \"started_at\"=>Wed, 26 Apr 2017 09:57:42 UTC +00:00, \"finished_at\"=>nil, \"created_at\"=>Wed, 26 Apr 2017 09:57:42 UTC +00:00, \"updated_at\"=>Wed, 26 Apr 2017 10:00:11 UTC +00:00}"
irb(main):006:0> ImportJob.where(name: 'Import::Ldap', dry_run: false).order(created_at: :desc).limit(1).first.attributes.except('payload').inspect
=> "{\"id\"=>55, \"name\"=>\"Import::Ldap\", \"dry_run\"=>false, \"result\"=>{\"skipped\"=>2, \"created\"=>2, \"updated\"=>0, \"unchanged\"=>496, \"failed\"=>0, \"sum\"=>2403, \"role_ids\"=>{3=>{\"created\"=>2, \"updated\"=>0, \"unchanged\"=>493, \"failed\"=>0}, 2=>{\"created\"=>0, \"updated\"=>0, \"unchanged\"=>3, \"failed\"=>0}, 1=>{\"created\"=>0, \"updated\"=>0, \"unchanged\"=>1, \"failed\"=>0}}}, \"started_at\"=>Wed, 26 Apr 2017 09:57:42 UTC +00:00, \"finished_at\"=>nil, \"created_at\"=>Wed, 26 Apr 2017 09:57:42 UTC +00:00, \"updated_at\"=>Wed, 26 Apr 2017 10:00:11 UTC +00:00}"

Thanks a lot!
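The two ImportJob dumps above share the same signature of a hung import: finished_at is nil, the counters have not moved, and updated_at is hours or days old. As an added example that is not part of Zammad or of this thread, here is a stand-alone Ruby check that classifies such a dump as finished, running or stalled from exactly those fields; the 15-minute stall threshold and the sample hash (constructed from the id 55 output above) are assumptions.

```ruby
# Seconds without a change to updated_at before an unfinished job is
# reported as stalled (assumed threshold, tune for your directory size).
STALL_AFTER = 15 * 60

# Classify an LDAP ImportJob from its attributes hash (the shape printed by
# ImportJob.last.attributes.except('payload')). Progress is derived from the
# per-entry counters against 'sum', so a job that stopped mid-run shows
# how far it got before it went quiet.
def ldap_sync_status(job, now: Time.now)
  result    = job['result'] || {}
  processed = %w[skipped created updated unchanged failed].sum { |k| result.fetch(k, 0) }
  total     = result.fetch('sum', 0)
  progress  = total.zero? ? 0.0 : (processed.to_f / total).round(3)
  idle_for  = now - job['updated_at']

  state =
    if job['finished_at']
      :finished
    elsif idle_for > STALL_AFTER
      :stalled
    else
      :running
    end

  {
    id: job['id'], state: state, processed: processed, total: total,
    progress: progress, failed: result.fetch('failed', 0),
    idle_seconds: idle_for.to_i
  }
end

# Constructed sample mirroring the id 55 dump above: 500 of 2403 entries
# touched, finished_at nil, last update at 10:00:11 UTC on 26 Apr 2017.
SAMPLE_JOB = {
  'id' => 55, 'name' => 'Import::Ldap', 'dry_run' => false,
  'result' => { 'skipped' => 2, 'created' => 2, 'updated' => 0,
                'unchanged' => 496, 'failed' => 0, 'sum' => 2403 },
  'started_at'  => Time.utc(2017, 4, 26, 9, 57, 42),
  'finished_at' => nil,
  'updated_at'  => Time.utc(2017, 4, 26, 10, 0, 11),
}

if __FILE__ == $PROGRAM_NAME
  # Looking one day later, as in the "hanging since yesterday" report.
  p ldap_sync_status(SAMPLE_JOB, now: Time.utc(2017, 4, 27, 10, 0, 0))
end
```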

Hi @SGVubmluZ0cK - at first glance everything looks fine to me. Surely it isn't. Could you please create a new issue? There are some questions about your system/setup that I need to know to dig in deeper. There is also a request to your production.log file which would be great if you could provide it.
Please also copy - paste the output of the commands from above to your new issue so we have everything in place. Thanks!

Hi @Julian0o - the issue where Zammad removed your role assignments due to missing LDAP group to Zammad role mapping is fixed with the commit above. Users will now keep their local role assignment if no mapping is specified. But if a mapping is specified the LDAP is the leading source for role assignments. Feedback is appreciated 🤓

Hi guys. Is authentication via ADFS possible or on the cards for future releases? 😃

Hi @kmclea16!

Yes, ADFS is possible since Zammad uses the great omniauth gem to authenticate and sync users via third party providers. There is already a gem that provides ADFS for omniauth.

However there is no plan to implement this in the near future, but it should not be that hard. Who knows, maybe someone can provide a pull request? Would be great if you could create a new issue for that.

LDAP authentication is now ready for the upcoming Zammad version 1.6 release 🎉 Feel free to open new issues if you have trouble with this functionality.

@kmclea16 - would be great to see the ADFS issue or even a pull request 👀
