RT::Extension::LDAPImport and nested groups in Active Directory

I’m trying to import my users and groups from Active Directory. Getting
in the users works just fine, but importing the groups (with a
$LDAPGroupFilter like (|(CN=MY_RT_USERS_*)) ) is giving some errors.

searching with: base => 'OU=XXX,OU=XXX,DC=XXX,DC=XXX,DC=XXX' control => 'Net::LDAP::Control::Paged=HASH(0x93cc210)' filter => '(|(CN=MY_RT_USERS_*))' scope => 'sub'
search found 2 objects
Processing group MY_RT_USERS_AGENTS
Found new group MY_RT_USERS_AGENTS to create in RT
RT Field    RT Value -> LDAP Value
Description unset => Imported from LDAP
Member_Attr unset => ARRAY(0x9834d90)
Name        unset => MY_RT_USERS_AGENTS
Processing group membership for MY_RT_USERS_AGENTS
No group in RT, would create with members:
searching with: base => 'CN=ANOTHER_GROUP,OU=XXX,OU=XXX,OU=XXX,DC=XXX,DC=XXX,DC=XXX' control => 'Net::LDAP::Control::Paged=HASH(0x983cfc0)' filter => '(&(objectClass=user)(!(cn=Template))(!(enabled=false))(!(objectClass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2))(mail=*)(lastLogonTimestamp>=130251456000000000))' scope => 'base'
search found 0 objects
Imported 1/2 groups

The problem seems to be that in our AD the main groups normally just
concatenate other subgroups, so that they don't include users but just
other groups, for example

MY_RT_USERS_AGENTS
 +
 +-----> SOME_SUBGROUP
 |  +
 |  +----> USER_1
 |  |
 |  +----> USER_2
 |  |
 |  +----> USER_3
 |
 +-----> ANOTHER_SUBGROUP
    +
    +----> USER_4
    |
    +----> USER_5
    |
    +----> ...

Unfortunately it’s not an option to rework our AD group structure :frowning:

Crawling the rt-users archive didn't get me any closer to finding a
solution to that problem.

I’m using RT::Extension::LDAPImport v0.36

Maybe anyone has some experience with a configuration like that and
would be able to give me the missing hint :slight_smile:

Benjamin Klier
Systemadministration

Max-Planck-Institut für die Physik des Lichts
Guenther-Scharowsky-Str. 1/Bau 24
D-91058 Erlangen

Tel.: 09131-6877-511
Fax : 09131-6877-199

eMail : benjamin.klier@mpl.mpg.de
http://www.mpl.mpg.de


Benjamin Klier writes:

> I'm trying to import my users and groups from Active Directory. Getting
> in the users works just fine, but importing the groups (with a
> $LDAPGroupFilter like (|(CN=MY_RT_USERS_*)) ) is giving some errors.
>
> The problem seems to be that in our AD the main groups normally just
> concatenate other subgroups, so that they don't include users but just
> other groups, for example
>
> MY_RT_USERS_AGENTS
>  +
>  +-----> SOME_SUBGROUP
>  |  +
>  |  +----> USER_1
>  |  |
>  |  +----> USER_2
>  |  |
>  |  +----> USER_3
>  |
>  +-----> ANOTHER_SUBGROUP
>     +
>     +----> USER_4
>     |
>     +----> USER_5
>     |
>     +----> ...
>
> Unfortunately it's not an option to rework our AD group structure :-(
>
> Crawling the rt-users archive didn't get me any closer to finding a
> solution to that problem.
>
> I'm using RT::Extension::LDAPImport v0.36
>
> Maybe anyone has some experience with a configuration like that and
> would be able to give me the missing hint :-)

Why flatten the AD structure? You should be able to recreate it entirely with RT groups.

Pseudocode:
Sub AddAGroup(SomeGroup)
    Obj = LDAP(SomeGroup)
    RT->AddGroupName(Obj->Name)
    For each member in Obj:
        If member is a group then AddAGroup(member)   # create the nested group first
        RT->AddMemberToGroup(Obj->Name, member)        # RT groups can hold users or other groups
    Next

This recursive algorithm should duplicate the AD layout below a node if you give it an AD node.

/jeff
The information contained in this e-mail is for the exclusive use of the
intended recipient(s) and may be confidential, proprietary, and/or
legally privileged. Inadvertent disclosure of this message does not
constitute a waiver of any privilege. If you receive this message in
error, please do not directly or indirectly use, print, copy, forward,
or disclose any part of this message. Please also delete this e-mail
and all copies and notify the sender. Thank you.

For alternate languages please go to http://bayerdisclaimer.bayerweb.com
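The recursion sketched above, written out as an added Perl example (it is not code from this thread, from RT::Extension::LDAPImport, or from RT itself). The log in the first post shows why the extension stops at the first level: it looks up every member DN with the user filter (objectClass=user ... ) at base scope, so a member that is itself a group matches nothing and "search found 0 objects" follows. This example resolves each member DN with an unrestricted (objectClass=*) lookup, recurses into members that are groups, and adds them to the parent as RT group members. The LDAP host, bind DN and password are placeholders; the script assumes RT 4 installed under /opt/rt4 and that RT user names equal the AD sAMAccountName (what a preceding user import would normally produce); the %seen table stops an A -> B -> A membership loop, which AD allows, from recursing forever.

```perl
#!/usr/bin/perl
# Added example: import nested AD groups into RT recursively.
# Not part of RT::Extension::LDAPImport. Assumptions are marked below.
use strict;
use warnings;
use lib '/opt/rt4/lib';                       # assumption: RT 4 under /opt/rt4
use RT;
use RT::Group;
use RT::User;
use Net::LDAP;

RT::LoadConfig();
RT::Init();

# Placeholder connection details (not from the thread).
my $ldap = Net::LDAP->new('ldap.example.org') or die "LDAP connect: $@";
my $mesg = $ldap->bind('CN=rt-import,OU=Service,DC=example,DC=org',
                       password => 'CHANGE_ME');
die 'bind failed: ' . $mesg->error if $mesg->code;

my %seen;   # group DN => RT::Group already imported; breaks membership loops

# Fetch one entry by DN. objectClass=* matches users and groups alike,
# unlike the user filter the extension applies to member DNs.
sub entry_by_dn {
    my ($dn) = @_;
    my $res = $ldap->search(base => $dn, scope => 'base',
                            filter => '(objectClass=*)',
                            attrs  => [qw(cn objectClass member sAMAccountName)]);
    die "search $dn: " . $res->error if $res->code;
    return $res->entry(0);
}

sub is_group {
    my ($entry) = @_;
    return scalar grep { lc($_) eq 'group' } $entry->get_value('objectClass');
}

# Load or create the RT group for an AD group DN, then add each AD member:
# nested groups are imported first and added as group members, users by name.
sub add_a_group {
    my ($dn) = @_;
    return $seen{$dn} if exists $seen{$dn};
    my $entry = entry_by_dn($dn) or die "no such entry: $dn";
    my $name  = $entry->get_value('cn');

    my $group = RT::Group->new(RT->SystemUser);
    $group->LoadUserDefinedGroup($name);
    unless ($group->Id) {
        my ($id, $msg) = $group->CreateUserDefinedGroup(
            Name => $name, Description => 'Imported from AD');
        die "create group $name: $msg" unless $id;
    }
    $seen{$dn} = $group;    # record before recursing so a loop terminates

    for my $member_dn ($entry->get_value('member')) {
        my $member = entry_by_dn($member_dn) or next;
        my $principal_id;
        if (is_group($member)) {
            $principal_id = add_a_group($member_dn)->PrincipalId;
        } else {
            my $sam = $member->get_value('sAMAccountName');
            next unless defined $sam;
            my $user = RT::User->new(RT->SystemUser);
            $user->Load($sam);            # assumption: RT Name == sAMAccountName
            next unless $user->Id;        # not imported yet: run the user import first
            $principal_id = $user->PrincipalId;
        }
        next if $group->HasMember($principal_id);
        my ($ok, $msg) = $group->AddMember($principal_id);
        warn "add $member_dn to $name: $msg\n" unless $ok;
    }
    return $group;
}

# usage: perl import_nested.pl 'CN=MY_RT_USERS_AGENTS,OU=...,DC=...'
add_a_group($_) for @ARGV;
$ldap->unbind;
```

Run it after the normal user import so that every AD user already exists in RT; members without an RT user are skipped with no error. Two AD-specific caveats apply: for groups with more than 1500 members AD returns the attribute as member;range=0-1499 and needs range retrieval to get the rest, and if only the flattened user list matters (not the nesting), AD can compute transitive membership server-side with the LDAP_MATCHING_RULE_IN_CHAIN filter (memberOf:1.2.840.113556.1.4.1941:=<group DN>), which avoids any client-side recursion.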

That looks promising, but unfortunately my perl isn’t that good - maybe
you could give me a small code example how to add my groups from AD and
populate them with the AD users.

Re
Benjamin

On 03.11.2015 at 19:04, Jeffrey Pilant wrote:

> Why flatten the AD structure? You should be able to recreate it entirely with RT groups.
> [...]
> This recursive algorithm should duplicate the AD layout below a node if you give it an AD node.
>
> /jeff
