Changed role and group synchronization

Znuny has improved LDAP synchronization by changing its behavior in the latest release of Znuny 7 (7.0.8). The same change will also come to Znuny LTS 6.5.

Before that change, an agent who was no longer a member of any LDAP group configured for synchronization kept all previously synchronized groups and roles.

We have changed that to match what most administrators expect: if an agent is not a member of any of the configured groups but can still log in, the agent should not have access to any functionality.

This is a typical LDAP role synchronization configuration:

$Self->{'AuthSyncModule::LDAP::UserSyncRolesDefinition'} = {
  'cn=1st_level,ou=znuny,ou=permissions,dc=example,dc=org' => {
    'Agent 1st level' => 1,
  },
  'cn=2nd_level,ou=znuny,ou=permissions,dc=example,dc=org' => {
    'Agent 2nd level' => 1,
  },
  'cn=admin,ou=znuny,ou=permissions,dc=example,dc=org' => {
    'Administrator' => 1,
  },
};

Assume you have a user who was an administrator and a 2nd-level agent. When this user changes position in your company and you remove him from the LDAP groups for the 2nd_level and admin roles, you would expect him to lose that access. But his permissions stayed valid as long as he could log in. This is why we changed the behavior.
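To make the difference concrete, here is a small simulation of the two sync behaviors described above. It is an added example, not Znuny's own sync code: it models only the rule the text states (no matching group means stored roles survive in the old behavior and no roles in the new one) and not the full synchronization algorithm. The role mapping is the one from the page; the user DN, the group memberships and the stored roles are constructed sample data.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Role mapping exactly as on the page (the hashref that goes into Kernel/Config.pm).
my $UserSyncRolesDefinition = {
    'cn=1st_level,ou=znuny,ou=permissions,dc=example,dc=org' => { 'Agent 1st level' => 1 },
    'cn=2nd_level,ou=znuny,ou=permissions,dc=example,dc=org' => { 'Agent 2nd level' => 1 },
    'cn=admin,ou=znuny,ou=permissions,dc=example,dc=org'     => { 'Administrator'   => 1 },
};

# Constructed sample directory state (not real LDAP data): which configured groups
# a user DN is currently a member of. Stands in for the group lookups the sync performs.
my %GroupsOfUser = (
    'uid=jdoe,ou=people,dc=example,dc=org' => [
        'cn=2nd_level,ou=znuny,ou=permissions,dc=example,dc=org',
        'cn=admin,ou=znuny,ou=permissions,dc=example,dc=org',
    ],
);

# Roles a previous sync already stored for the agent in the Znuny database (constructed).
my %StoredRoles = (
    'uid=jdoe,ou=people,dc=example,dc=org' => { 'Agent 2nd level' => 1, 'Administrator' => 1 },
);

# Roles the mapping grants for a given list of group DNs.
sub RolesFromGroups {
    my ( $Definition, $GroupDNs ) = @_;
    my %Roles;
    for my $GroupDN ( @{$GroupDNs} ) {
        my $RoleMap = $Definition->{$GroupDN} or next;    # group not configured for sync
        for my $Role ( keys %{$RoleMap} ) {
            $Roles{$Role} = 1 if $RoleMap->{$Role};
        }
    }
    return \%Roles;
}

# Behavior before 7.0.8, as described above: if the user matches none of the configured
# groups, the sync writes nothing and the roles stored from an earlier sync survive.
sub SyncOld {
    my ( $Definition, $GroupDNs, $Stored ) = @_;
    my $Matched = RolesFromGroups( $Definition, $GroupDNs );
    if ( !%{$Matched} ) {
        my %Copy = %{$Stored};
        return \%Copy;
    }
    return $Matched;
}

# Behavior from 7.0.8 on: roles are always recomputed from the directory, so a user in
# none of the configured groups ends up with no roles even though the login succeeds.
sub SyncNew {
    my ( $Definition, $GroupDNs ) = @_;
    return RolesFromGroups( $Definition, $GroupDNs );
}

sub Show {
    my ( $Label, $Roles ) = @_;
    my $List = join( ', ', sort keys %{$Roles} ) || '(no roles)';
    printf "%-28s %s\n", $Label, $List;
}

my $UserDN = 'uid=jdoe,ou=people,dc=example,dc=org';

# While jdoe is still in 2nd_level and admin, both variants agree.
Show( 'old sync, still member:', SyncOld( $UserSyncRolesDefinition, $GroupsOfUser{$UserDN}, $StoredRoles{$UserDN} ) );
Show( 'new sync, still member:', SyncNew( $UserSyncRolesDefinition, $GroupsOfUser{$UserDN} ) );

# jdoe changes position: removed from both groups, but the account can still bind and log in.
$GroupsOfUser{$UserDN} = [];
Show( 'old sync, no group:', SyncOld( $UserSyncRolesDefinition, $GroupsOfUser{$UserDN}, $StoredRoles{$UserDN} ) );
Show( 'new sync, no group:', SyncNew( $UserSyncRolesDefinition, $GroupsOfUser{$UserDN} ) );
```

Run with `perl sync_sim.pl`: the first three lines list Administrator and Agent 2nd level, the last one prints `(no roles)`. That last line is the 7.0.8 behavior; the third line is the stale-permission case the change removes.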

We also recommend regulating who is authorized to access the system at all. There are several ways to achieve this. For agents, depending on your authentication style, you should use one of the following settings:

For more fine-grained control of user synchronization, the setting AuthSyncModule::LDAP::AlwaysFilter is available. If you need help and are eligible for support, contact us, or use one of our community support channels:

User Forums
Discord
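As an added illustration of the AlwaysFilter setting mentioned above (this is not from the page and not Znuny's own documentation), a Kernel/Config.pm excerpt with the open form and the gated form of the agent LDAP settings. AlwaysFilter is combined with the login lookup using an LDAP AND, so an account outside the gating group is never found and can neither authenticate nor be synchronized. The host, base DN and the group cn=znuny_agents are placeholders, and the memberOf attribute is an assumption: it is native on Active Directory, while OpenLDAP needs the memberof overlay, otherwise filter on an attribute your directory does populate.

```perl
# Kernel/Config.pm excerpt (added example; host, base DN and group DN are placeholders)

# Open: every account that can bind against the directory gets an agent session.
# Roles still come from UserSyncRolesDefinition, but the user has already logged in
# by the time the sync decides that he holds no role.
$Self->{AuthModule}                 = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'}   = 'ldap.example.org';
$Self->{'AuthModule::LDAP::BaseDN'} = 'ou=people,dc=example,dc=org';
$Self->{'AuthModule::LDAP::UID'}    = 'uid';

$Self->{AuthSyncModule}                 = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'}   = 'ldap.example.org';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'ou=people,dc=example,dc=org';
$Self->{'AuthSyncModule::LDAP::UID'}    = 'uid';

# Gated: require membership in one group for both login and synchronization.
# Each filter is ANDed with "(uid=<login>)", so a non-member is not found at all
# instead of being logged in and then synchronized with no roles.
# The group DN is an assumption; memberOf must exist in your directory.
my $AgentGate = '(memberOf=cn=znuny_agents,ou=znuny,ou=permissions,dc=example,dc=org)';
$Self->{'AuthModule::LDAP::AlwaysFilter'}     = $AgentGate;
$Self->{'AuthSyncModule::LDAP::AlwaysFilter'} = $AgentGate;
```

Removing a user from cn=znuny_agents then ends his access on the next login attempt, independently of which role groups he still belongs to; the role groups only decide what a permitted agent may do.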

The same behavior change has been applied to our HTTP environment sync module for our support customers. If you use SAML authentication for agents, updating the add-on is sufficient.

