RT::LDAPImport - Importing nested groups fails


#1

Hi,
i am trying to import from LDAP - Users work like a charm, also simple groups work. In case of a nested groups i get an error message on import that it cant resolve the group in the users subtree which is obviously broken as its a group:

dn: cn=all,cn=groups,cn=accounts,dc=company,dc=de
cn: all
description: All Users
mail: all@company.de
member: cn=external,cn=groups,cn=accounts,dc=company,dc=de
member: cn=internal,cn=groups,cn=accounts,dc=company,dc=de

Whereas internal and external are groups itself.

[3928] [Mon Nov  5 16:10:26 2018] [error]: No user found for
     cn=external,cn=groups,cn=accounts,dc=company,dc=de who
     should be a member of all (/usr/share/request-tracker4/lib/RT/LDAPImport.pm:1447)

Is there a way to import nested groups either flattened or as RT nested groups?

This is RT 4.4.2 on Ubuntu Bionic.

Flo


#2

Do you have:

'group_scope' => 'sub',

in your RT LDAP config?


#3

Its not about the ldap search scope - The issue is that it interprets a dn in the member attribute as user - uses the user filter and base. As it already has the full dn of the object referenced there no scope needed.

So my filter for users is obviously something like this:

Set($LDAPFilter, '(&(objectClass=posixAccount))');

Which wont match for groups. My group filter for example is this:

Set($LDAPGroupFilter, '(&(objectClass=groupofnames))');

So currently the import interprets a member attribute of a group as a user and tries to find it with the user filter which wont work.

Flo


#4

Relevant code in RT::LDAPimport.pm - This

a) is not allowed to use the $RT::LDAPFilter as that only matches users
b) must be recursive as the DN might be a group aswell and may contain more groups

1388         # Lookup each DN's full entry, or...
1389         if ($attr eq 'dn') {
1390             @entries = grep defined, map {
1391                 my @results = $self->_run_search(
1392                     scope   => 'base',
1393                     base    => $_,
1394                     filter  => $RT::LDAPFilter,
1395                 );
1396                 $results[0]
1397             } @$members;
1398         }