[rt-users] map LDAP group memberships into RT's user-defined groups?

Kevin Falcone falcone at bestpractical.com
Tue Oct 25 11:52:29 EDT 2011


On Tue, Oct 18, 2011 at 10:55:30AM -0600, Ole Craig wrote:
> My question: is it possible to define mappings between AD (LDAP) groups
> and RT's user-defined groups such that e.g. when I onboard a new
> developer RT will automatically give her membership in its "dev"
> UD-group based on the fact that she's a member of (f'rinstance) the
> "Engineering" group in AD? I'd be OK with this happening as a result of
> an rtimportldap cronjob -or- at runtime (e.g. when she logs into RT for
> the first time, or creates a support ticket via email.) Basically, I
> have about 15 groups in Active Drecktory that collapse down to four or
> five different privilege sets in RT, and I'd prefer it if I didn't have
> to manage multiple groups in RT with similar/identical rights.

LDAPImport's mapping is LDAP Group Name -> RT Group Name.
You can just take the 15 groups from LDAP, make them members of 4
groups in RT and assign rights to the top level groups.  Groups can be
members of Groups.

> 2ndary requirement is the ability to update RT group membership based on
> AD group changes, f'rexample when user jschmoe is removed from the
> "Engineering" AD group and put into the "sales engineering" group then
> (presuming those map to different RT groups) the change should be
> automatically propagated to RT. Again, this could be event-driven or the
> result of a cronjob, I'm not picky.

LDAPImport should do this.

-kevin
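
The following is an added example, not part of the original message and not code from RT or LDAPImport. It models the arrangement described above (LDAP-named groups nested inside a few rights-bearing RT groups) and reports where RT's effective membership has drifted from what the directory implies. The nesting layout, the "QA" group, and all user names except jschmoe are constructed for illustration.

```python
# Added illustration; a model only, it does not talk to RT or LDAP.
# RT top-level group -> member groups named after LDAP groups (constructed).
RT_NESTING = {
    "dev": {"Engineering", "QA"},
    "sales": {"sales engineering"},
}
# Direct user membership per group: directory now vs. RT before the next import.
LDAP_NOW = {
    "Engineering": {"alice"},
    "QA": {"bob"},
    "sales engineering": {"jschmoe"},
}
RT_SNAPSHOT = {
    "Engineering": {"alice", "jschmoe"},   # jschmoe has since left in LDAP
    "QA": {"bob"},
    "sales engineering": set(),
    "dev": {"contractor1"},                # added by hand, not from LDAP
}


def effective_members(group, nesting, direct, seen=None):
    """Users in `group`, following group-in-group membership."""
    seen = set() if seen is None else seen
    if group in seen:                      # guard against nesting loops
        return set()
    seen.add(group)
    users = set(direct.get(group, ()))
    for child in nesting.get(group, ()):
        users |= effective_members(child, nesting, direct, seen)
    return users


def drift(nesting, ldap_direct, rt_direct):
    """Per top-level group: users RT has but LDAP no longer implies, and vice versa."""
    report = {}
    for top in nesting:
        want = effective_members(top, nesting, ldap_direct)
        have = effective_members(top, nesting, rt_direct)
        if want != have:
            report[top] = {"stale": sorted(have - want),
                           "missing": sorted(want - have)}
    return report


if __name__ == "__main__":
    for group, delta in drift(RT_NESTING, LDAP_NOW, RT_SNAPSHOT).items():
        print(group, delta)
```

A "stale" entry is a user who still inherits a top-level group's rights in RT without any LDAP membership behind it, which is the case to review after a role change or offboarding.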