[rt-users] rtimportldap update: group mapping

Stanislav Sinyagin ssinyagin at yahoo.com
Mon Jan 13 04:37:55 EST 2003

Hello all, 

See the new version of the LDAP importing script, attached. 

In the new version: 

-- The whole script design is reorganized.

-- Group mapping. LDAP group objects (those containing member attributes)
may be mapped into RT groups. This feature was first implemented by Andi Hofmeister, 
and improved to support MS AD. Should work fine both in MS AD and NIS schema.

-- Missing RT groups are created automatically.

-- New option: --verbose. Unless it is set, only changes and errors are reported. 

-- Slightly new user parameters mapping:
  'info'                  => 'FreeformContactInfo',
  'description'           => 'Comments',
  'gecos'                 => 'Gecos'

See the tar.gz attached, and README below. 



$Id: rtimportldap.README,v 1.10 2003/01/13 09:17:42 stsiny Exp $
  The utility for importing the RT users from LDAP directory

Author: Stanislav Sinyagin <ssinyagin at yahoo.com>

LDAP group mapping is contributed by
Andreas Hofmeister <andreas.hofmeister at pyramid.de>

This script is written to be as generic as possible. It is tested
mainly in a Microsoft Active Directory/Exchange 2000 environment,
but it is also designed (and tested) for standard LDAP schemas.

The script does not care about passwords. Old users' passwords
are not touched, and the new users are created without password.
Apache/mod_auth_ldap may be used for user authentication against
the LDAP server. Alternatively, you may use pam_ldap module.

The script can be run repeatedly: existing users are updated,
and non-existing ones are created. Thus, it may be run
every time you make changes in your LDAP directory.

User entries found by the LDAP search filter are exported to RT
database. In addition, they may be added to RT groups, according
to --groupadd, --groupsync, and --groupmap options.
Missing RT groups are created automatically.

Usage: ./rtimportldap.pl options...
Options ([M] means mandatory, [O] means optional, + means multivalue):
  --rc         filename
      [O]  read options from file: opt=value pairs one per line
  --server     hostname
      [M]  LDAP host name or address
  --port       port
      [O]  LDAP TCP port. Default: 389
  --ldapver    3|2
      [O]  LDAP version. Default: 3
  --binddn     dn
      [O]  Bind DN
  --bindpw     password
      [O]  Bind password
  --basedn     dn
      [M]  Base DN
  --filter     filter
      [O]  LDAP search filter.
           Default: (|(objectClass=organizationalPerson)(objectClass=person))
  --uidattr    attr
      [O]  Username attribute. Default: uid
  --attrmap    lattr:rattr
      [O+] Mapping of LDAP to RT attribute. Use lattr:none to
           suppress standard mapping of lattr
  --groupadd   groupname
      [O+] Add all found LDAP users to these RT groups
  --groupsync  groupname
      [O+] Maintain exact matching of the LDAP search result and
           the RT group membership
  --groupmap   ldapgrp[:rtgrp]
      [O+] Synchronize members of LDAP group with members
           of RT group. LDAP group lookup is controlled by
           --gmbase, --gmfilter, --gmgidattr, and --gmmemattr
           options. Several LDAP groups may be merged into the
           same RT group. Group members must be found by --filter
           before group mapping.
  --gmbase     dn
      [O]  LDAP group search DN. Default: same as --basedn
  --gmfilter   filter
      [O]  Group mapping LDAP filter. Default: (objectClass=posixGroup)
  --gmgidattr  attr
      [O]  Group mapping GID attribute. Default: cn
  --gmmemattr  attr
      [O]  Group mapping member attribute. Default: memberUid
  --gmdescattr attr
      [O]  Group mapping description attribute. Default: description
  --disabled   1|0
      [O]  Set RT users as disabled. Default: 0
  --privileged 1|0
      [O]  Set RT users as privileged. Default: 1
  --latin1     1|0
      [O]  Convert LDAP values to Latin1 encoding. Default: 1
  --verbose
      [O]  Print extra information
      [O]  This help message

The filter is automatically updated so that the UID attribute
is explicitly required in the directory search. Entries that lack
the UID attribute are not returned, so the script may report
zero entries found.

RT uses HTML::Mason, which uses HTML::Entity for displaying
non-ASCII characters. As described in HTML::Entity, it considers
the input string to be Unicode if the Perl version is greater than 5.7,
and ISO-8859-1 (Latin1) otherwise.
The --latin1 option converts the UTF-8 values of LDAP entries into
Latin1 before passing the data to RT.
This is tested with Perl 5.6.1 and RT 2.0.15pre1 only.

Microsoft AD specifics:

   The option --uidattr=sAMAccountName is necessary.

   LDAP attribute 'company' is Microsoft-specific, not defined
   in standard schemas that come with OpenLDAP. We map it to 
   'Organization' RT attribute.

   MS AD requires non-anonymous binding. In anonymous mode,
   it shows only the topmost entry. For normal work, you
   must bind as a valid domain or host user.

   MS AD uses a proprietary schema for group mapping. The object class is
   "group", and the member attribute "member" contains the DNs of the users
   instead of their UIDs. This script understands both the NIS and the
   MS AD conventions.

   If using group mapping, the following options are necessary:
   --gmfilter="(objectClass=group)" --gmmemattr=member
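The group resolution described under --groupmap/--groupsync and in the MS AD
notes above, as an added example that is not code from rtimportldap: member
values are matched either as UIDs (NIS memberUid) or as user DNs (MS AD member),
members not found by --filter are reported rather than added, several LDAP
groups are merged into one RT group, and the result is diffed against current
RT membership. The user and group entries are constructed sample data.

```python
# Added example (not the rtimportldap code): resolve LDAP group members for NIS
# (memberUid = uids) and MS AD (member = user DNs), merge --groupmap specs, diff.

# Constructed result of the user search (--filter): uid -> entry DN.
FOUND_USERS = {
    "alice": "CN=alice,OU=Staff,DC=example,DC=test",
    "bob": "CN=bob,OU=Staff,DC=example,DC=test",
    "carol": "CN=carol,OU=Staff,DC=example,DC=test",
}
# Constructed LDAP group entries: one posixGroup, two MS AD "group" objects.
NIS_GROUP = {"cn": ["admins"], "memberUid": ["alice", "bob", "ghost"]}
AD_GROUPS = [
    {"cn": ["Helpdesk"], "member": [FOUND_USERS["carol"]]},
    {"cn": ["Ops"], "member": [FOUND_USERS["alice"], "CN=ghost,OU=Old,DC=example,DC=test"]},
]

def with_uid_attr(filter_str, uidattr="uid"):
    """Mimic the README's automatic filter update: require the UID attribute."""
    return "(&(%s=*)%s)" % (uidattr, filter_str)

def resolve_members(group, found_users, memattr="memberUid"):
    """Map member values to uids; a value may be a uid (NIS) or a user DN (AD).
    Members not found by --filter are returned separately and must be skipped."""
    dn_to_uid = {dn.lower(): uid for uid, dn in found_users.items()}
    uids, unknown = set(), []
    for value in group.get(memattr, []):
        if value in found_users:
            uids.add(value)
        elif value.lower() in dn_to_uid:  # DN matching is case-insensitive
            uids.add(dn_to_uid[value.lower()])
        else:
            unknown.append(value)
    return sorted(uids), unknown

def merge_groupmaps(groupmaps, ldap_groups, found_users, gidattr="cn", memattr="memberUid"):
    """Apply --groupmap ldapgrp[:rtgrp] specs; several LDAP groups may feed one RT group."""
    by_gid = {g[gidattr][0]: g for g in ldap_groups}
    wanted, skipped = {}, {}
    for spec in groupmaps:
        ldapgrp, _, rtgrp = spec.partition(":")
        uids, unknown = resolve_members(by_gid[ldapgrp], found_users, memattr)
        wanted.setdefault(rtgrp or ldapgrp, set()).update(uids)
        skipped.setdefault(rtgrp or ldapgrp, []).extend(unknown)
    return {k: sorted(v) for k, v in wanted.items()}, skipped

def sync_plan(wanted, current):
    """--groupsync semantics: make RT membership match the LDAP result exactly."""
    return sorted(set(wanted) - set(current)), sorted(set(current) - set(wanted))
```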

Copyright (c) 2002 Stanislav Sinyagin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: rtimportldap-20030113.tar.gz
Type: application/x-gzip-compressed
Size: 7627 bytes
Desc: rtimportldap-20030113.tar.gz
URL: <http://lists.bestpractical.com/pipermail/rt-users/attachments/20030113/fa8d1b0d/attachment.bin>
