LDAPImport succeds with user LDAP bind but fails with group

Continuing onwards with my attempt to pull groups and their members from Active Directory into Request Tracker I’ve made some progress. However, I’m currently stymied - LDAPImport will successfully connect and search for users but when re-using the LDAP connection it fails to connect for the group search.

Here’s the debugging information from an rtldapimport run:

Running test import, no data will be changed
Rerun command with --import to perform the import
Rerun command with --debug for more information
connecting to ldap://domaincontroller.alaska.gov
binding as CN=dor-requesttracker,OU=Security Groups and Accounts,OU=IT,OU=Divisions,OU=DOR,OU=State Departments,DC=soa,DC=alaska,DC=gov
searching with: base => ‘OU=Security Groups and Accounts,OU=IT,OU=Divisions,OU=DOR,OU=State Departments,DC=soa,DC=alaska,DC=gov’ control => ‘Net::LDAP::Control::Paged=HASH(0x524cd80)’ filter => '(&(cn = users))'
search found 0 objects
No results found, no import
Testing group import
searching with: base => ‘OU=Security Groups and Accounts,OU=IT,OU=Divisions,OU=DOR,OU=State Departments,DC=soa,DC=alaska,DC=gov’ control => ‘Net::LDAP::Control::Paged=HASH(0x86973b8)’ filter => ‘(|(CN=dor-requesttracker-admins)(CN=dor-asd-rt-staff))’
[Mon Aug 5 17:10:47 2013] [error]: LDAP search failed Can’t contact LDAP server (/usr/local/share/request-tracker4/plugins/RT-Extension-LDAPImport/lib/RT/Extension/LDAPImport.pm:1237)
LDAP search failed Can’t contact LDAP server
search found 0 objects
No results found, no group import
Finished test

Looking at the perl for LDAPImport.pm shows me that the _run_search method is generating the “LDAP search failed” part of the debugging output. I’m assuming this means that Net::LDAP is generating the “Can’t contact LDAP server” from $result->code. I feel this hypothesis is further supported by the fact that a ‘grep “contact” LDAPImport.pm’ turn up nothing. It looks like Net:LDAP just gets the base and filter and off it goes. I’ve confirmed that my filter works with ldapsearch.

I there something different I need to do get a successful LDAP bind when looking performing the group import?

Kevin Elliott
Networking Specialist II
Alaska Department of Revenue, ASD-IT
(907) 465-2314

Hi Kevin,

I’ve confirmed
that my filter works with ldapsearch.

Can you send the working ldapsearch command? Seems suspicious to me
that the initial search for the user comes up empty.

[Mon Aug 5 17:10:47 2013] [error]: LDAP search failed Can’t contact LDAP server
(/usr/local/share/request-tracker4/plugins/RT-Extension-LDAPImport/lib/RT/Extension/LDAPImport.pm:1237)

LDAP search failed Can’t contact LDAP server

Looking at the perl for LDAPImport.pm shows me that the _run_search method is generating the
“LDAP search failed” part of the debugging output. I’m assuming this means that Net::LDAP is
generating the “Can’t contact LDAP server” from $result->code. I feel this hypothesis is
further supported by the fact that a `grep “contact” LDAPImport.pm’ turn up nothing. It looks
like Net:LDAP just gets the base and filter and off it goes. I’ve confirmed that my filter
works with ldapsearch.

Correct - those errors come from Net::LDAP->error().
What do the logs on your LDAP server say?

-kevin

Ah! That’s it. I forgot to change and test the filter ($LDAPFilter) used for the User import - not enough coffee this morning, I guess. The example used in the documentation is not applicable to Active Directory. Changing it from ‘(&(cn = users))’ to ‘(&(objectclass=person)(!(objectclass=computer)))’ allowed the User import to run successfully followed by the Group Import.

Thanks all!