[rt-users] RT::Extension::LDAPImport and nested groups in Active Directory

Jeffrey Pilant jeffrey.pilant at bayer.com
Tue Nov 3 13:04:40 EST 2015


Benjamin Klier writes:
>I'm trying to import my users and groups from Active Directory. Getting 
>in the users works just fine, but importing the groups (with a 
>$LDAPGroupFilter like (|(CN=MY_RT_USERS_*)) ) is giving some errors.
>
<snip>
>
>The problem seems to be that in our AD the main groups normally just 
>concatenate other subgroups so that they don't include users but just 
>other groups, for example
>
>MY_RT_USERS_AGENTS
>   +
>   +-----> SOME_SUBGROUP
>   |       +
>   |       +----> USER_1
>   |       |
>   |       +----> USER_2
>   |       |
>   |       +----> USER_3
>   |
>   +-----> ANOTHER_SUBGROUP
>           +
>           +----> USER_4
>           |
>           +----> USER_5
>           |
>           +----> ...
>
>Unfortunately it's not an option to rework our AD group structure :-(
>
>Crawling the rt-users archive didn't get me any closer to finding a 
>solution to that problem.
>
>I'm using RT::Extension::LDAPImport v0.36
>
>Maybe anyone has some experience with a configuration like that and 
>would be able to give me the missing hint :-)

Why flatten the AD structure?  You should be able to recreate it entirely with RT groups.

Pseudocode:
  Sub AddAGroup(SomeGroup)
    Obj = LDAP(SomeGroup)
    RT->AddGroupName(Obj->Name)
    For each member in Obj:
      If member is a group then AddAGroup(member)
      RT->AddUserToGroup(Obj->Name, member)
    next.
  End Sub

This recursive algorithm should duplicate the AD layout below a node if you give it an AD node.

/jeff
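
Added example, not part of the original post and not code from RT::Extension::LDAPImport: the recursive walk described above, run over an in-memory stand-in for the directory, with a guard against circular nesting, which AD permits. The function names and the `DIRECTORY` data are hypothetical; the group and user names follow the diagram in the thread, and the back-reference from ANOTHER_SUBGROUP to the top group is constructed to exercise the guard.

```python
# Constructed sample: group name -> entries of its AD "member" attribute.
DIRECTORY = {
    "MY_RT_USERS_AGENTS": ["SOME_SUBGROUP", "ANOTHER_SUBGROUP"],
    "SOME_SUBGROUP": ["USER_1", "USER_2", "USER_3"],
    # Constructed circular nesting: a subgroup that contains its own parent.
    "ANOTHER_SUBGROUP": ["USER_4", "USER_5", "MY_RT_USERS_AGENTS"],
}

def mirror_groups(root, directory):
    """Return {group: {"groups": set, "users": set}} for everything below root."""
    mirrored = {}

    def visit(group):
        if group in mirrored:   # already created: stops cycles and repeat visits
            return
        entry = mirrored[group] = {"groups": set(), "users": set()}
        for member in directory[group]:
            if member in directory:      # member is itself a group: recurse
                entry["groups"].add(member)
                visit(member)
            else:                        # plain user account
                entry["users"].add(member)

    visit(root)
    return mirrored

def effective_users(group, mirrored, seen=None):
    """Users who hold the group's rights through any depth of nesting."""
    seen = set() if seen is None else seen
    if group in seen:
        return set()
    seen.add(group)
    users = set(mirrored[group]["users"])
    for sub in mirrored[group]["groups"]:
        users |= effective_users(sub, mirrored, seen)
    return users

if __name__ == "__main__":
    groups = mirror_groups("MY_RT_USERS_AGENTS", DIRECTORY)
    for name, entry in groups.items():
        print(name, sorted(entry["groups"]), sorted(entry["users"]))
    print(sorted(effective_users("MY_RT_USERS_AGENTS", groups)))
```

Comparing `effective_users` for each mirrored group against the intended membership is a quick audit: with the circular entry present, ANOTHER_SUBGROUP resolves to all five users, not only USER_4 and USER_5.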