[rt-users] RT::Extension::LDAPImport and nested groups in Active Directory

Benjamin Klier benjamin.klier at mpl.mpg.de
Tue Nov 3 07:26:43 EST 2015

I'm trying to import my users and groups from Active Directory. Getting 
in the users works just fine, but importing the groups (with a 
$LDAPGroupFilter like (|(CN=MY_RT_USERS_*)) ) is giving some errors.

searching with: base => 'OU=XXX,OU=XXX,DC=XXX,DC=XXX,DC=XXX' control => 
'Net::LDAP::Control::Paged=HASH(0x93cc210)' filter => 
'(|(CN=MY_RT_USERS_*))' scope => 'sub'
search found 2 objects
Processing group MY_RT_USERS_AGENTS
Found new group MY_RT_USERS_AGENTS to create in RT
         RT Field        RT Value -> LDAP Value
         Description     unset => Imported from LDAP
         Member_Attr     unset => ARRAY(0x9834d90)
         Name    unset => MY_RT_USERS_AGENTS
Processing group membership for MY_RT_USERS_AGENTS
No group in RT, would create with members:
searching with: base => 
'Net::LDAP::Control::Paged=HASH(0x983cfc0)' filter => 
scope => 'base'
search found 0 objects
Imported 1/2 groups

The problem seems to be that in our AD the main groups normally just 
concatenate other subgroups so that they don't include users but just 
other groups, for example

   +-----> SOME_SUBGROUP
   |       +
   |       +----> USER_1
   |       |
   |       +----> USER_2
   |       |
   |       +----> USER_3
           +----> USER_4
           +----> USER_5
           +----> ...

Unfortunately it's not an option to rework our AD group structure :-(

Crawling the rt-users archive didn't get me any closer to finding a 
solution to that problem.

I'm using RT::Extension::LDAPImport v0.36

Maybe someone has some experience with a configuration like that and 
would be able to give me the missing hint :-)


Benjamin Klier

Max-Planck-Institut für die Physik des Lichts
Guenther-Scharowsky-Str. 1/Bau 24
D-91058 Erlangen

Tel.: 09131-6877-511
Fax : 09131-6877-199

eMail : benjamin.klier at mpl.mpg.de
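
Added example, not part of the original post and not RT::Extension::LDAPImport code: the nested layout described in the message, showing why a one-level membership read finds no users and how a transitive expansion with cycle and dangling-reference handling recovers them. The directory contents, the DNs under DC=example,DC=org and the function names are constructed for illustration, and DNs are compared by simple lowercasing, which is a simplification of real DN matching.

```python
from collections import deque

# Constructed sample directory (not from the original post): DN -> entry.
BASE = "DC=example,DC=org"
AGENTS = f"CN=MY_RT_USERS_AGENTS,OU=Groups,{BASE}"
SUBGROUP = f"CN=SOME_SUBGROUP,OU=Groups,{BASE}"
USER_1 = f"CN=USER_1,OU=People,{BASE}"
USER_2 = f"CN=USER_2,OU=People,{BASE}"
DIRECTORY = {
    AGENTS: {"objectClass": "group", "member": [SUBGROUP]},
    SUBGROUP: {"objectClass": "group", "member": [
        USER_1,
        USER_2.lower(),                # same entry, different case
        AGENTS,                        # constructed cycle back to the parent
        f"CN=GONE,OU=People,{BASE}",   # constructed dangling reference
    ]},
    USER_1: {"objectClass": "user"},
    USER_2: {"objectClass": "user"},
}

def direct_users(directory, group_dn):
    """Users listed directly on the group (one level only)."""
    members = directory[group_dn].get("member", [])
    return sorted(m for m in members
                  if directory.get(m, {}).get("objectClass") == "user")

def expand_group(directory, group_dn):
    """Return (users, unresolved) reachable through any depth of nesting."""
    index = {dn.lower(): (dn, entry) for dn, entry in directory.items()}
    seen, users, unresolved = set(), set(), set()
    queue = deque([group_dn])
    while queue:
        key = queue.popleft().lower()
        if key in seen:                # already visited: breaks cycles
            continue
        seen.add(key)
        if key not in index:           # member DN with no matching entry
            unresolved.add(key)
            continue
        dn, entry = index[key]
        if entry["objectClass"] == "group":
            queue.extend(entry.get("member", []))
        else:
            users.add(dn)
    return sorted(users), sorted(unresolved)

if __name__ == "__main__":
    print("direct:", direct_users(DIRECTORY, AGENTS))
    print("effective:", expand_group(DIRECTORY, AGENTS))
```

Reviewing the unresolved list before granting RT rights from the expanded membership keeps stale or unexpected member references from being silently ignored.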

