[rt-users] map LDAP group memberships into RT's user-defined groups?

Ole Craig ocraig at symplified.com
Tue Oct 18 12:55:30 EDT 2011


Hey. Been a while, glad to see RT's still going strong.

I'm setting up a new instance (4.0.2) and I'd like to do authn/authz
against Active Directory. Last time I did this was in the 3.4 era and at
that time I think I used ldapimport, which was a godsend compared to
manual entry but was suboptimal in at least two respects:
      * changes (e.g. terminations or new hires) in the upstream LDAP
        instance didn't propagate automatically
      * had to go through and manually assign the newly-imported users
        to appropriate user-defined groups. 

Looks like RT::Extension::LDAPImport can autocreate RT groups from LDAP
groups, which is a start but not quite what I'm looking for.

My question: is it possible to define mappings between AD (LDAP) groups
and RT's user-defined groups such that e.g. when I onboard a new
developer RT will automatically give her membership in its "dev"
UD-group based on the fact that she's a member of (f'rinstance) the
"Engineering" group in AD? I'd be OK with this happening as a result of
an rtimportldap cronjob -or- at runtime (e.g. when she logs into RT for
the first time, or creates a support ticket via email.) Basically, I
have about 15 groups in Active Drecktory that collapse down to four or
five different privilege sets in RT, and I'd prefer it if I didn't have
to manage multiple groups in RT with similar/identical rights.

2ndary requirement is the ability to update RT group membership based on
AD group changes, f'rexample when user jschmoe is removed from the
"Engineering" AD group and put into the "sales engineering" group then
(presuming those map to different RT groups) the change should be
automatically propagated to RT. Again, this could be event-driven or the
result of a cronjob, I'm not picky.

I did some searching against the archives, and it looks like I'm not the
first person to tread this ground:

http://www.gossamer-threads.com/lists/rt/users/73305?search_string=ldap%20group;#73305
http://www.gossamer-threads.com/lists/rt/users/94786?search_string=ldap%20group;#94786

I'm guessing this functionality does not currently exist within the main
RT framework; nor have I been able to locate any extensions which appear
to provide it. So before I attempt to kludge it up myself I'm wondering 
     A. if anyone's already solved this problem or has suggestions for
        where in the code I should start looking to make changes (hence
        the list post) and/or 
     B. what BestPractical might offer for a cost/time estimate to Do It
        The Right Way... which is why this is cc'd to
        sales at bestpractical. Apologies if that's an impropriety of some
        sort.

	Thanks,
		Ole
-- 
Ole Craig
Operations
www.symplified.com
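The many-to-few mapping and the periodic reconciliation the post asks about (several AD groups collapsing onto a handful of RT user-defined groups, with removals propagated when someone moves between AD groups or leaves the directory) can be sketched as a pure planning step that a cron job would run before calling into RT. This is an added illustration, not part of the original post and not code from RT or RT::Extension::LDAPImport; the mapping table, the group names, the `plan_sync`/`reconcile` functions and all sample directory data are constructed assumptions, and applying the resulting plan to RT is left to whatever API or import tool the deployment uses.

```python
"""Hypothetical many-to-few group mapping for an LDAP -> RT sync job.

Added illustration only: not RT or RT::Extension::LDAPImport code.
All group names, the mapping table and the sample data are constructed.
"""
from __future__ import annotations

from typing import Dict, Iterable, List, Mapping, Tuple

# Constructed mapping: several AD groups collapse onto a few RT
# user-defined groups (many-to-one; one AD group may also grant several).
AD_TO_RT: Mapping[str, frozenset] = {
    "Engineering":       frozenset({"dev"}),
    "Sales Engineering": frozenset({"sales", "dev-readonly"}),
    "Sales":             frozenset({"sales"}),
    "Support L1":        frozenset({"support"}),
    "Support L2":        frozenset({"support", "dev-readonly"}),
}

# Only RT groups that appear in the mapping are owned by the sync job.
# Membership in any other RT group (hand-managed by admins) is never
# touched, so the job cannot strip rights it did not grant.
MANAGED_RT_GROUPS: frozenset = frozenset().union(*AD_TO_RT.values())


def desired_rt_groups(ad_groups: Iterable[str]) -> frozenset:
    """Collapse a user's AD memberships to the RT groups they should hold.

    An AD group with no mapping grants nothing, so a newly created AD
    group confers no RT rights until someone deliberately maps it.
    """
    wanted = set()
    for group in ad_groups:
        wanted |= AD_TO_RT.get(group.strip(), frozenset())
    return frozenset(wanted)


def reconcile(ad_groups: Iterable[str],
              current_rt_groups: Iterable[str]) -> Tuple[frozenset, frozenset]:
    """Return (to_add, to_remove) for one user.

    Removal is restricted to managed groups, which keeps the sync job
    from undoing memberships an admin assigned by hand.
    """
    wanted = desired_rt_groups(ad_groups)
    current = frozenset(current_rt_groups)
    to_add = wanted - current
    to_remove = (current & MANAGED_RT_GROUPS) - wanted
    return to_add, to_remove


def plan_sync(directory: Mapping[str, Iterable[str]],
              rt_memberships: Mapping[str, Iterable[str]]
              ) -> Dict[str, Tuple[List[str], List[str]]]:
    """Build a per-user change plan from a directory snapshot.

    `directory` maps user -> AD groups (what an LDAP import would fetch);
    `rt_memberships` maps user -> RT groups the user holds now.
    A user present in RT but absent from the directory (e.g. terminated)
    loses every managed membership; the account itself is left alone.
    """
    plan: Dict[str, Tuple[List[str], List[str]]] = {}
    for user in set(directory) | set(rt_memberships):
        to_add, to_remove = reconcile(directory.get(user, ()),
                                      rt_memberships.get(user, ()))
        if to_add or to_remove:
            plan[user] = (sorted(to_add), sorted(to_remove))
    return plan


# Constructed sample data covering the cases described in the post.
SAMPLE_DIRECTORY = {
    "newdev":  ["Engineering"],                  # new hire, not yet in RT
    "jschmoe": ["Sales Engineering"],            # moved out of Engineering
    "alice":   ["Support L2", "Unmapped Group"], # unmapped group is ignored
}
SAMPLE_RT = {
    "jschmoe": ["dev", "hand-managed-admins"],   # admin-assigned group kept
    "alice":   ["support"],
    "bob":     ["dev", "sales"],                 # no longer in AD at all
}

if __name__ == "__main__":
    for user, (add, remove) in sorted(plan_sync(SAMPLE_DIRECTORY, SAMPLE_RT).items()):
        print(f"{user}: +{add} -{remove}")
```

Running the script prints one line per user whose RT memberships need to change; a real job would then apply each add/remove through RT and should log every removal, since a mis-edited mapping table silently revokes rights on the next run.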
