Map LDAP group memberships into RT's user-defined groups?

Hey. Been a while, glad to see RT’s still going strong.

I’m setting up a new instance (4.0.2) and I’d like to do authn/authz
against Active Directory. Last time I did this was in the 3.4 era and at
that time I think I used ldapimport, which was a godsend compared to
manual entry but was suboptimal in at least two respects:
* changes (e.g. terminations or new hires) in the upstream LDAP
instance didn’t propagate automatically
* had to go through and manually assign the newly-imported users
to appropriate user-defined groups.

Looks like RT::Extension::LDAPImport can autocreate RT groups from LDAP
groups, which is a start but not quite what I’m looking for.

My question: is it possible to define mappings between AD (LDAP) groups
and RT’s user-defined groups such that e.g. when I onboard a new
developer RT will automatically give her membership in its “dev”
UD-group based on the fact that she’s a member of (f’rinstance) the
“Engineering” group in AD? I’d be OK with this happening as a result of
an rtimportldap cronjob -or- at runtime (e.g. when she logs into RT for
the first time, or creates a support ticket via email.) Basically, I
have about 15 groups in Active Drecktory that collapse down to four or
five different privilege sets in RT, and I’d prefer it if I didn’t have
to manage multiple groups in RT with similar/identical rights.

2ndary requirement is the ability to update RT group membership based on
AD group changes, f’rexample when user jschmoe is removed from the
“Engineering” AD group and put into the “sales engineering” group then
(presuming those map to different RT groups) the change should be
automatically propagated to RT. Again, this could be event-driven or the
result of a cronjob, I’m not picky.

I did some searching against the archives, and it looks like I’m not the
first person to tread this ground:

I’m guessing this functionality does not currently exist within the main
RT framework; nor have I been able to locate any extensions which appear
to provide it. So before I attempt to kludge it up myself I’m wondering
A. if anyone’s already solved this problem or has suggestions for
where in the code I should start looking to make changes (hence
the list post) and/or
B. what BestPractical might offer for a cost/time estimate to Do It
The Right Way… which is why this is cc’d to
sales@bestpractical. Apologies if that’s an impropriety of some
sort.

Thanks,
	Ole

Ole Craig
Operations
www.symplified.com

> My question: is it possible to define mappings between AD (LDAP) groups
> and RT’s user-defined groups such that e.g. when I onboard a new
> developer RT will automatically give her membership in its “dev”
> UD-group based on the fact that she’s a member of (f’rinstance) the
> “Engineering” group in AD? I’d be OK with this happening as a result of
> an rtimportldap cronjob -or- at runtime (e.g. when she logs into RT for
> the first time, or creates a support ticket via email.) Basically, I
> have about 15 groups in Active Drecktory that collapse down to four or
> five different privilege sets in RT, and I’d prefer it if I didn’t have
> to manage multiple groups in RT with similar/identical rights.

LDAPImport’s mapping is LDAP Group Name -> RT Group Name.
You can just take the 15 groups from LDAP, make them members of 4
groups in RT and assign rights to the top level groups. Groups can be
members of Groups.

> 2ndary requirement is the ability to update RT group membership based on
> AD group changes, f’rexample when user jschmoe is removed from the
> “Engineering” AD group and put into the “sales engineering” group then
> (presuming those map to different RT groups) the change should be
> automatically propagated to RT. Again, this could be event-driven or the
> result of a cronjob, I’m not picky.

LDAPImport should do this.

-kevin
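The nesting Kevin describes (let LDAPImport create one RT group per AD group, then make those imported groups members of a handful of top-level RT groups that actually carry the rights) can be scripted against RT's own API so it survives re-runs of the import. The script below is an added example written for this thread, not code from RT or from RT::Extension::LDAPImport. It assumes a typical 4.0 install path, that `$LDAPGroupMapping` in RT_SiteConfig.pm has already imported the AD groups as user-defined groups with their `cn` as the RT group name, and that the roll-up table (`dev`, `sales` and the AD group names under them) is a constructed example you would replace with your own 15-to-4 mapping. Rights are granted only to the parent groups; the imported child groups stay empty of rights, so a user dropped from the AD group loses access on the next import without anyone touching RT.

```perl
#!/usr/bin/perl
# nest-ldap-groups.pl (hypothetical name): roll imported LDAP groups up into
# the RT groups that hold rights. Run after each LDAPImport pass, e.g. from
# the same cron entry. Assumed RT_SiteConfig.pm settings for the import step:
#   Set($LDAPGroupBase,    'OU=Groups,DC=example,DC=com');   # constructed DN
#   Set($LDAPGroupFilter,  '(objectClass=group)');
#   Set($LDAPGroupMapping, { Name => 'cn', Member_Attr => 'member',
#                            Member_Attr_Value => 'dn' });
use strict;
use warnings;
use lib '/opt/rt4/lib';    # assumption: adjust to your RT install

use RT;
RT::LoadConfig();
RT::Init();

# Top-level RT group => imported AD groups that should feed it.
# Constructed example; the AD group names are whatever LDAPImport created.
my %rollup = (
    'dev'   => [ 'Engineering', 'QA', 'Release Engineering' ],
    'sales' => [ 'Sales', 'Sales Engineering' ],
);

for my $parent_name ( sort keys %rollup ) {
    my $parent = RT::Group->new( RT->SystemUser );
    $parent->LoadUserDefinedGroup($parent_name);

    # Create the rights-bearing parent once; rights are assigned to it in the
    # RT UI and never to the imported children.
    unless ( $parent->Id ) {
        my ( $id, $msg ) = $parent->CreateUserDefinedGroup(
            Name        => $parent_name,
            Description => "Roll-up of AD groups (managed by nest-ldap-groups.pl)",
        );
        die "Cannot create group '$parent_name': $msg\n" unless $id;
        print "Created RT group '$parent_name'\n";
    }

    for my $child_name ( @{ $rollup{$parent_name} } ) {
        my $child = RT::Group->new( RT->SystemUser );
        $child->LoadUserDefinedGroup($child_name);

        # Not fatal: the AD group may simply not have been imported yet.
        unless ( $child->Id ) {
            warn "LDAP group '$child_name' not found in RT, skipping\n";
            next;
        }

        # Idempotent: skip children that are already nested.
        next if $parent->HasMember( $child->PrincipalId );

        my ( $ok, $msg ) = $parent->AddMember( $child->PrincipalId );
        if ($ok) {
            print "Added '$child_name' to '$parent_name'\n";
        }
        else {
            warn "Could not add '$child_name' to '$parent_name': $msg\n";
        }
    }
}
```

Membership changes in AD then propagate without any per-user work: LDAPImport rewrites each imported group's user membership on every run, and because users reach `dev` or `sales` only transitively through those imported groups, RT's recursive group membership picks the change up the moment the import finishes. Keep the `%rollup` table as the single place the 15-to-4 collapse is expressed, and have the cron job run the import and this script back to back.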