Hi,
I am trying to import from LDAP - users work like a charm, also simple groups work. In the case of nested groups I get an error message on import that it can't resolve the group in the users subtree, which is obviously broken as it's a group:
dn: cn=all,cn=groups,cn=accounts,dc=company,dc=de
cn: all
description: All Users
mail: all@company.de
member: cn=external,cn=groups,cn=accounts,dc=company,dc=de
member: cn=internal,cn=groups,cn=accounts,dc=company,dc=de
Whereas internal and external are groups themselves.
[3928] [Mon Nov 5 16:10:26 2018] [error]: No user found for
cn=external,cn=groups,cn=accounts,dc=company,dc=de who
should be a member of all (/usr/share/request-tracker4/lib/RT/LDAPImport.pm:1447)
Is there a way to import nested groups either flattened or as RT nested groups?
This is RT 4.4.2 on Ubuntu Bionic.
Flo
It's not about the LDAP search scope - the issue is that it interprets a DN in the member attribute as a user and uses the user filter and base. As it already has the full DN of the object referenced there, no scope is needed.
So my filter for users is obviously something like this:
Set($LDAPFilter, '(&(objectClass=posixAccount))');
Which won't match for groups. My group filter for example is this:
Set($LDAPGroupFilter, '(&(objectClass=groupofnames))');
So currently the import interprets a member attribute of a group as a user and tries to find it with the user filter, which won't work.
Flo
Relevant code in RT::LDAPImport.pm - This
a) is not allowed to use the $RT::LDAPFilter as that only matches users
b) must be recursive as the DN might be a group as well and may contain more groups
    # Lookup each DN's full entry, or...
    if ($attr eq 'dn') {
        @entries = grep defined, map {
            my @results = $self->_run_search(
                scope => 'base',
                base => $_,
                filter => $RT::LDAPFilter,
            );
            $results[0]
        } @$members;
    }
Hey Florian - I am running into this issue now as well. Did you ever solve it?
I’m looking at the code in question but my Perl is not quite good enough to make this a trivial fix (for me).
-Matt
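
One way to meet points a) and b) from the post above, as an added example that is not RT's code or a patch from this thread: fetch each member DN without the user filter, branch on its objectClass, and recurse with a visited set so a membership loop cannot hang the import. The in-memory directory, the user entries, the back-reference from internal to all, and the helper names lookup_dn, has_class and flatten_members are assumptions made for illustration.

```perl
use strict;
use warnings;

# Constructed sample directory (DN => entry) mirroring the LDIF in the thread.
# The user entries and the loop from "internal" back to "all" are invented.
my $base = 'cn=accounts,dc=company,dc=de';
my %directory = (
    "cn=all,cn=groups,$base" => { objectClass => ['groupOfNames'],
        member => ["cn=external,cn=groups,$base", "cn=internal,cn=groups,$base"] },
    "cn=external,cn=groups,$base" => { objectClass => ['groupOfNames'],
        member => ["uid=carol,cn=users,$base"] },
    "cn=internal,cn=groups,$base" => { objectClass => ['groupOfNames'],
        member => ["uid=alice,cn=users,$base", "uid=bob,cn=users,$base",
                   "cn=all,cn=groups,$base"] },    # membership loop
    "uid=alice,cn=users,$base" => { objectClass => ['posixAccount'] },
    "uid=bob,cn=users,$base"   => { objectClass => ['posixAccount'] },
    "uid=carol,cn=users,$base" => { objectClass => ['posixAccount'] },
);

# Stand-in for a base-scope search on the DN with a filter that matches any
# entry, so the caller decides afterwards whether it is a user or a group.
sub lookup_dn { my ($dn) = @_; return $directory{ lc($dn) } }

# Case-insensitive objectClass test ("groupofnames" vs "groupOfNames").
sub has_class {
    my ($entry, $class) = @_;
    return scalar(grep { lc($_) eq lc($class) } @{ $entry->{objectClass} || [] });
}

# Return the user DNs reachable from $group_dn, following nested groups.
# $seen records visited groups so a membership loop terminates.
sub flatten_members {
    my ($group_dn, $seen) = @_;
    $seen ||= {};
    return () if $seen->{ lc($group_dn) }++;
    my $group = lookup_dn($group_dn) or return ();
    my %users;
    for my $dn (@{ $group->{member} || [] }) {
        my $entry = lookup_dn($dn);
        if (!$entry) { warn "unresolvable member $dn\n"; next }
        if (has_class($entry, 'groupOfNames')) {
            $users{$_} = 1 for flatten_members($dn, $seen);
        } elsif (has_class($entry, 'posixAccount')) {
            $users{ lc($dn) } = 1;
        }
    }
    return sort keys %users;
}

print "$_\n" for flatten_members("cn=all,cn=groups,$base");
```

Flattening grants every nested member the rights of the outer group, so unresolvable DNs are reported instead of being silently dropped or treated as users.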