[rt-users] RT::Extension::LDAPImport and nested groups in Active Directory

Benjamin Klier benjamin.klier at mpl.mpg.de
Tue Nov 3 07:26:43 EST 2015


I'm trying to import my users and groups from Active Directory. Getting 
in the users works just fine, but importing the groups (with a 
$LDAPGroupFilter like (|(CN=MY_RT_USERS_*)) ) is giving some errors.

searching with: base => 'OU=XXX,OU=XXX,DC=XXX,DC=XXX,DC=XXX' control => 
'Net::LDAP::Control::Paged=HASH(0x93cc210)' filter => 
'(|(CN=MY_RT_USERS_*))' scope => 'sub'
search found 2 objects
Processing group MY_RT_USERS_AGENTS
Found new group MY_RT_USERS_AGENTS to create in RT
         RT Field        RT Value -> LDAP Value
         Description     unset => Imported from LDAP
         Member_Attr     unset => ARRAY(0x9834d90)
         Name    unset => MY_RT_USERS_AGENTS
Processing group membership for MY_RT_USERS_AGENTS
No group in RT, would create with members:
searching with: base => 
'CN=ANOTHER_GROUP,OU=XXX,OU=XXX,OU=XXX,DC=XXX,DC=XXX,DC=XXX' control => 
'Net::LDAP::Control::Paged=HASH(0x983cfc0)' filter => 
'(&(objectClass=user)(!(cn=*Template*))(!(enabled=false))(!(objectClass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2))(mail=*)(lastLogonTimestamp>=130251456000000000))' 
scope => 'base'
search found 0 objects
Imported 1/2 groups

The problem seems to be that in our AD the main groups normally just 
concatenate other subgroups, so that they don't include users but just 
other groups, for example

MY_RT_USERS_AGENTS
   +
   +-----> SOME_SUBGROUP
   |       +
   |       +----> USER_1
   |       |
   |       +----> USER_2
   |       |
   |       +----> USER_3
   |
   +-----> ANOTHER_SUBGROUP
           +
           +----> USER_4
           |
           +----> USER_5
           |
           +----> ...

Unfortunately it's not an option to rework our AD group structure :-(

Crawling the rt-users archive didn't get me any closer to finding a 
solution to that problem.

I'm using RT::Extension::LDAPImport v0.36

Maybe someone has some experience with a configuration like that and 
would be able to give me the missing hint :-)

-- 

Benjamin Klier
Systemadministration

Max-Planck-Institut für die Physik des Lichts
Guenther-Scharowsky-Str. 1/Bau 24
D-91058 Erlangen

Tel.: 09131-6877-511
Fax : 09131-6877-199

eMail : benjamin.klier at mpl.mpg.de
http://www.mpl.mpg.de
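
Added example, not part of the original message and not code from RT::Extension::LDAPImport: a Python sketch of resolving the nested membership shown in the tree above, first by walking `member` values client-side (with protection against membership loops and with computer accounts excluded, as in the logged user filter), then as a single Active Directory filter using the transitive matching rule LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941). The base DN, the directory contents and the helper names `dn`, `group`, `expand_members` and `in_chain_filter` are constructed for illustration.

```python
IN_CHAIN = "1.2.840.113556.1.4.1941"  # AD LDAP_MATCHING_RULE_IN_CHAIN
BASE = "OU=Demo,DC=example,DC=org"    # constructed base DN


def dn(cn):
    return "CN=%s,%s" % (cn, BASE)


def group(*members):
    return {"objectClass": ["top", "group"], "member": [dn(m) for m in members]}


USER = {"objectClass": ["top", "person", "organizationalPerson", "user"]}
# Constructed directory shaped like the tree in the post, plus a membership
# loop and a computer account to exercise the edge cases.
DIRECTORY = {
    dn("MY_RT_USERS_AGENTS"): group("SOME_SUBGROUP", "ANOTHER_SUBGROUP"),
    dn("SOME_SUBGROUP"): group("USER_1", "USER_2", "USER_3"),
    dn("ANOTHER_SUBGROUP"): group("USER_4", "USER_5", "HOST_1", "MY_RT_USERS_AGENTS"),
    dn("HOST_1"): {"objectClass": USER["objectClass"] + ["computer"]},
}
DIRECTORY.update({dn("USER_%d" % i): USER for i in range(1, 6)})


def expand_members(directory, group_dn):
    """Return sorted DNs of the user objects reachable through nested groups."""
    users, seen, todo = set(), set(), [group_dn]
    while todo:
        current = todo.pop()
        if current in seen:          # already visited: breaks membership loops
            continue
        seen.add(current)
        entry = directory.get(current)
        if entry is None:            # dangling member DN, e.g. outside the base
            continue
        classes = entry["objectClass"]
        if "group" in classes:       # descend instead of treating it as a user
            todo.extend(entry.get("member", []))
        elif "user" in classes and "computer" not in classes:
            users.add(current)
    return sorted(users)


def in_chain_filter(group_dn, user_filter="(objectClass=user)"):
    """Server-side equivalent: one filter matching transitive members."""
    # RFC 4515: escape \ * ( ) and NUL inside a filter assertion value.
    escaped = "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in group_dn)
    return "(&%s(memberOf:%s:=%s))" % (user_filter, IN_CHAIN, escaped)
```

The in-chain filter is searched from the user base with scope `sub`, not against each member DN with scope `base` as in the log above.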

