Rtimportldap update: group mapping

Hello all,

See the new version of the LDAP importing script, attached.

In the new version:

– The whole script design is reorganized.

– Group mapping. LDAP group objects (those containing member attributes)
may be mapped into RT groups. This feature was first implemented by Andi Hofmeister,
and improved to support MS AD. Should work fine both in MS AD and NIS schema.

– Missing RT groups are created automatically.

– New option: --verbose. Unless it is set, only changes and errors are reported.

– Slightly new user parameters mapping:
'info' => 'FreeformContactInfo',
'description' => 'Comments',
'gecos' => 'Gecos'

See the tar.gz attached, and README below.

Regards,
Stanislav.

$Id: rtimportldap.README,v 1.10 2003/01/13 09:17:42 stsiny Exp $
rtimportldap.pl:
A utility for importing RT users from an LDAP directory

Author: Stanislav Sinyagin ssinyagin@yahoo.com

LDAP group mapping is contributed by
Andreas Hofmeister andreas.hofmeister@pyramid.de

This script is written as generically as possible. It is tested
mainly in a Microsoft Active Directory/Exchange 2000 environment,
but is also designed (and tested) for standard LDAP schemas.

The script does not care about passwords. Old users’ passwords
are not touched, and the new users are created without password.
Apache/mod_auth_ldap may be used for user authentication against
the LDAP server. Alternatively, you may use pam_ldap module.

The script is safe to re-run: existing users are updated,
and non-existing ones are created. Thus, it may be run
every time you make changes in your LDAP directory.

User entries found by the LDAP search filter are exported to RT
database. In addition, they may be added to RT groups, according
to --groupadd, --groupsync, and --groupmap options.
Missing RT groups are created automatically.

Usage: ./rtimportldap.pl options...
Options ([M] means mandatory, [O] means optional, + means multivalue):
--rc filename
    [O] read options from file: opt=value pairs, one per line
--server hostname
    [M] LDAP host name or address
--port port
    [O] LDAP TCP port. Default: 389
--ldapver 3|2
    [O] LDAP version. Default: 3
--binddn dn
    [O] Bind DN
--bindpw password
    [O] Bind password
--basedn dn
    [M] Base DN
--filter filter
    [O] LDAP search filter.
    Default: (|(objectClass=organizationalPerson)(objectClass=person))
--uidattr attr
    [O] Username attribute. Default: uid
--attrmap lattr:rattr
    [O+] Mapping of LDAP to RT attribute. Use lattr:none to
    suppress the standard mapping of lattr
--groupadd groupname
    [O+] Add all found LDAP users to these RT groups
--groupsync groupname
    [O+] Maintain an exact match between the LDAP search result and
    the RT group membership
--groupmap ldapgrp[:rtgrp]
    [O+] Synchronize members of an LDAP group with members
    of an RT group. LDAP group lookup is controlled by the
    --gmbase, --gmfilter, --gmgidattr, and --gmmemattr
    options. Several LDAP groups may be merged into the
    same RT group. Group members must be found by --filter
    before group mapping.
--gmbase dn
    [O] LDAP group search DN. Default: same as --basedn
--gmfilter filter
    [O] Group mapping LDAP filter. Default: (objectClass=posixGroup)
--gmgidattr attr
    [O] Group mapping GID attribute. Default: cn
--gmmemattr attr
    [O] Group mapping member attribute. Default: memberUid
--gmdescattr attr
    [O] Group mapping description attribute. Default: description
--disabled 1|0
    [O] Set RT users as disabled. Default: 0
--privileged 1|0
    [O] Set RT users as privileged. Default: 1
--latin1 1|0
    [O] Convert LDAP values to Latin1 encoding. Default: 1
--verbose
    [O] Print extra information
--help
    [O] This help message

The search filter is automatically extended so that the UID attribute
(--uidattr) is explicitly required in the directory, so entries without
that attribute are not returned. This means that the script may report
zero entries found, for example when --uidattr does not match the
directory schema.

RT uses HTML::Mason, which uses HTML::Entities for displaying
non-ASCII characters. As described in HTML::Entities, it considers
the input string to be Unicode if the Perl version is above 5.7,
and ISO-8859-1 (Latin1) otherwise.
The --latin1 option converts the UTF-8 values of LDAP entries into
Latin1 before passing the data to RT.
This is tested with Perl 5.6.1 and RT 2.0.15pre1 only.

Microsoft AD specifics:

The option --uidattr=sAMAccountName is necessary.

LDAP attribute ‘company’ is Microsoft-specific, not defined
in standard schemas that come with OpenLDAP. We map it to
‘Organization’ RT attribute.

MS AD requires non-anonymous binding. In anonymous mode,
it shows only the topmost entry. For normal work, you
must bind as a valid domain or host user.

MS AD uses a proprietary schema for group mapping. The object class is
"group", and the member attribute "member" contains the DNs of the users
instead of UIDs. This script understands both the NIS and the MS AD conventions.

If using group mapping, the following options are necessary:
--gmfilter="(objectClass=group)" --gmmemattr=member
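The following is an added illustration, not code from rtimportldap.pl, of the group-mapping behaviour described under --groupmap and in the MS AD notes above: member values are resolved either as user names (NIS memberUid) or as user DNs (AD member), several LDAP groups may be merged into one RT group, members that the user search did not return are reported rather than silently used, and an exact-sync plan is computed for an RT group. The attribute-map defaults reuse the pairs named in this posting; the filter form (&(filter)(uidattr=*)), the sample users and groups, and the refusal to sync from an empty result are assumptions of this example.

```python
"""Added illustration (not rtimportldap.pl's own code) of the README's
group-mapping and group-sync logic.  All data below is constructed."""

# What the user search (--filter, --uidattr) returned: username -> entry DN.
# Constructed sample; dave is deliberately absent from the result.
FOUND_USERS = {
    "alice": "CN=alice,OU=Staff,DC=example,DC=org",
    "bob":   "CN=bob,OU=Staff,DC=example,DC=org",
    "carol": "CN=carol,OU=Staff,DC=example,DC=org",
}

# Constructed LDAP group entries in the two schemas the README mentions.
NIS_GROUPS = {
    "helpdesk": {"memberUid": ["alice", "bob", "dave"]},
    "admins":   {"memberUid": ["carol"]},
}
AD_GROUPS = {
    "Helpdesk": {"member": ["cn=alice,ou=staff,dc=example,dc=org",
                            "CN=bob,OU=Staff,DC=example,DC=org"]},
}

# Default LDAP -> RT attribute map, using only the pairs named in this posting.
DEFAULT_ATTRMAP = {
    "info": "FreeformContactInfo",
    "description": "Comments",
    "gecos": "Gecos",
    "company": "Organization",
}


def augment_filter(user_filter, uidattr):
    """Require the UID attribute to be present, as the README says the script
    does.  The exact form (&(filter)(uidattr=*)) is this example's assumption."""
    return "(&%s(%s=*))" % (user_filter, uidattr)


def parse_attrmap(defaults, args):
    """Apply repeated --attrmap lattr:rattr values; lattr:none drops a mapping."""
    mapping = dict(defaults)
    for arg in args:
        lattr, _, rattr = arg.partition(":")
        if rattr == "none":
            mapping.pop(lattr, None)
        else:
            mapping[lattr] = rattr
    return mapping


def parse_groupmap(args):
    """Turn repeated --groupmap ldapgrp[:rtgrp] values into {rtgrp: [ldapgrp, ...]};
    several LDAP groups may feed one RT group, and rtgrp defaults to ldapgrp."""
    mapping = {}
    for arg in args:
        ldapgrp, _, rtgrp = arg.partition(":")
        mapping.setdefault(rtgrp or ldapgrp, []).append(ldapgrp)
    return mapping


def resolve_members(group_entry, memattr, found_users):
    """Map one LDAP group's member values to RT usernames.  A value is accepted
    either as a username (NIS memberUid) or as a DN (AD member, compared
    case-insensitively).  Values the user search did not return are reported
    separately, since the README requires members to be found by --filter first."""
    dn_to_uid = {dn.lower(): uid for uid, dn in found_users.items()}
    members, unknown = set(), []
    for value in group_entry.get(memattr, []):
        if value in found_users:
            members.add(value)
        elif value.lower() in dn_to_uid:
            members.add(dn_to_uid[value.lower()])
        else:
            unknown.append(value)
    return members, unknown


def desired_rt_members(groupmap, ldap_groups, memattr, found_users):
    """Merge all LDAP groups mapped to each RT group into one desired member set."""
    desired = {}
    for rtgrp, ldapgrps in groupmap.items():
        names = set()
        for ldapgrp in ldapgrps:
            members, _ = resolve_members(ldap_groups.get(ldapgrp, {}), memattr, found_users)
            names |= members
        desired[rtgrp] = names
    return desired


def sync_plan(desired, current):
    """Add/remove plan for exact matching as --groupsync describes.  Refusing an
    empty desired set is this example's safeguard: the README warns that the
    search may return zero entries, and an exact sync from an empty result
    would strip every member from the RT group."""
    if not desired:
        raise ValueError("empty desired membership; refusing to empty the RT group")
    return sorted(desired - current), sorted(current - desired)
```

The DN comparison is lowercased because LDAP DNs are case-insensitive, which matters when AD returns member values in a different case from the entry DNs of the user search; the empty-set refusal in sync_plan trades convenience for not emptying an RT group after a misconfigured --uidattr.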

Copyright (c) 2002 Stanislav Sinyagin

rtimportldap-20030113.tar.gz (7.45 KB)