[rt-users] RT::Extension::LDAPImport and nested groups in Active Directory

Benjamin Klier benjamin.klier at mpl.mpg.de
Wed Nov 4 04:18:24 EST 2015


That looks promising, but unfortunately my Perl isn't that good - maybe 
you could give me a small code example of how to add my groups from AD and 
populate them with the AD users.

Re
Benjamin

On 03.11.2015 at 19:04, Jeffrey Pilant wrote:
> Benjamin Klier writes:
>> I'm trying to import my users and groups from Active Directory. Getting
>> in the users works just fine, but importing the groups (with a
>> $LDAPGroupFilter like (|(CN=MY_RT_USERS_*)) ) is giving some errors.
>>
> <snip>
>> The problem seems to be that in our AD the main groups normally just
>> concatenate other subgroups so that they don't include users but just
>> other groups, for example
>>
>> MY_RT_USERS_AGENTS
>>    +
>>    +-----> SOME_SUBGROUP
>>    |       +
>>    |       +----> USER_1
>>    |       |
>>    |       +----> USER_2
>>    |       |
>>    |       +----> USER_3
>>    |
>>    +-----> ANOTHER_SUBGROUP
>>            +
>>            +----> USER_4
>>            |
>>            +----> USER_5
>>            |
>>            +----> ...
>>
>> Unfortunately it's not an option to rework our AD group structure :-(
>>
>> Crawling the rt-users archive didn't get me any closer to finding a
>> solution to that problem.
>>
>> I'm using RT::Extension::LDAPImport v0.36
>>
>> Maybe anyone has some experience with a configuration like that and
>> would be able to give me the missing hint :-)
> Why flatten the AD structure?  You should be able to recreate it entirely with RT groups.
>
> Pseudocode:
>    Sub AddAGroup(SomeGroup)
>    Obj = LDAP(SomeGroup)
>    RT->AddGroupName(Obj->Name)
>    For each member in Obj:
>      If member is a group then AddAGroup(member)
>      RT->AddUserToGroup(Obj->Name, member)
>    next.
>
> This recursive algorithm should duplicate the AD layout below a node if you give it an AD node.
>
> /jeff


-- 

Benjamin Klier
Systemadministration

Max-Planck-Institut für die Physik des Lichts
Guenther-Scharowsky-Str. 1/Bau 24
D-91058 Erlangen

Tel.: 09131-6877-511
Fax : 09131-6877-199

eMail : benjamin.klier at mpl.mpg.de
http://www.mpl.mpg.de
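
The recursive walk sketched in the quoted pseudocode, as an added Perl example that is not part of either message or of RT::Extension::LDAPImport. It runs over a constructed in-memory directory instead of a live AD (`%dir`, `walk_group` and `expand` are hypothetical names) and goes one step further than the pseudocode by skipping circular nesting and unresolvable members, so the walk terminates and no unintended membership is produced.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample data mirroring the tree in the post; DN => entry.
# A live import would read these from AD (objectClass and member values).
my %dir = (
    'CN=MY_RT_USERS_AGENTS' => { group => 1,
        member => [ 'CN=SOME_SUBGROUP', 'CN=ANOTHER_SUBGROUP' ] },
    'CN=SOME_SUBGROUP' => { group => 1,
        member => [ 'CN=USER_1', 'CN=USER_2', 'CN=USER_3' ] },
    # Constructed back-reference to the parent, to exercise the loop guard.
    'CN=ANOTHER_SUBGROUP' => { group => 1,
        member => [ 'CN=USER_4', 'CN=USER_5', 'CN=MY_RT_USERS_AGENTS' ] },
);
$dir{"CN=USER_$_"} = { group => 0 } for 1 .. 5;

# Depth-first walk. $st collects: edges (parent, member) for rebuilding the
# nesting, users (flattened set), path (current branch), done (expanded).
sub walk_group {
    my ($dn, $st) = @_;
    $st->{path}{$dn} = 1;
    for my $member (@{ $dir{$dn}{member} || [] }) {
        my $entry = $dir{$member};
        if (!$entry) { warn "skipped unresolvable member $member\n"; next }
        if ($st->{path}{$member}) { warn "skipped circular nesting $dn -> $member\n"; next }
        push @{ $st->{edges} }, [ $dn, $member ];
        if (!$entry->{group}) { $st->{users}{$member} = 1 }
        elsif (!$st->{done}{$member}++) { walk_group($member, $st) }
    }
    delete $st->{path}{$dn};
    return;
}

sub expand {
    my ($root) = @_;
    die "unknown group $root\n" unless $dir{$root} && $dir{$root}{group};
    my $st = { edges => [], users => {}, path => {}, done => {} };
    walk_group($root, $st);
    return ($st->{edges}, [ sort keys %{ $st->{users} } ]);
}

my ($edges, $users) = expand('CN=MY_RT_USERS_AGENTS');
print "nested: $_->[1] is a member of $_->[0]\n" for @$edges;
print "flat:   $_ belongs to CN=MY_RT_USERS_AGENTS\n" for @$users;
```

The edge list is what recreating the AD layout as nested RT groups needs; the flat list is the alternative when the top-level group should hold the users directly.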

