Re: [rt-users] RT::Extension::LDAPImport and nested groups in Active Directory
That looks promising, but unfortunately my Perl isn't that good - maybe you could give me a small code example of how to add my groups from AD and populate them with the AD users.

Re
Benjamin

On 03.11.2015 at 19:04, Jeffrey Pilant wrote:
> Benjamin Klier writes:
>> I'm trying to import my users and groups from Active Directory. Getting
>> in the users works just fine, but importing the groups (with a
>> $LDAPGroupFilter like (|(CN=MY_RT_USERS_*)) ) is giving some errors.
>>
>> The problem seems to be that in our AD the main groups normally just
>> concatenate other subgroups so that they don't include users but just
>> other groups, for example
>>
>> MY_RT_USERS_AGENTS
>>   +
>>   +-> SOME_SUBGROUP
>>   |     +
>>   |     +> USER_1
>>   |     |
>>   |     +> USER_2
>>   |     |
>>   |     +> USER_3
>>   |
>>   +-> ANOTHER_SUBGROUP
>>         +
>>         +> USER_4
>>         |
>>         +> USER_5
>>         |
>>         +> ...
>>
>> Unfortunately it's not an option to rework our AD group structure :-(
>>
>> Crawling the rt-users archive didn't get me any closer to finding a
>> solution to that problem.
>>
>> I'm using RT::Extension::LDAPImport v0.36
>>
>> Maybe someone has some experience with a configuration like that and
>> would be able to give me the missing hint :-)
>
> Why flatten the AD structure? You should be able to recreate it entirely
> with RT groups.
>
> Pseudocode:
>
>     Sub AddAGroup(SomeGroup)
>         Obj = LDAP(SomeGroup)
>         RT->AddGroupName(Obj->Name)
>         For each member in Obj:
>             If member is a group then AddAGroup(member)
>             RT->AddUserToGroup(Obj->Name, member)
>         next.
>
> This recursive algorithm should duplicate the AD layout below a node if
> you give it an AD node.
>
> /jeff
>
> The information contained in this e-mail is for the exclusive use of the
> intended recipient(s) and may be confidential, proprietary, and/or legally
> privileged. Inadvertent disclosure of this message does not constitute a
> waiver of any privilege. If you receive this message in error, please do
> not directly or indirectly use, print, copy, forward, or disclose any part
> of this message. Please also delete this e-mail and all copies and notify
> the sender. Thank you.
>
> For alternate languages please go to http://bayerdisclaimer.bayerweb.com

--
Benjamin Klier
Systemadministration
Max-Planck-Institut für die Physik des Lichts
Guenther-Scharowsky-Str. 1/Bau 24
D-91058 Erlangen
Tel.: 09131-6877-511
Fax : 09131-6877-199
eMail : benjamin.kl...@mpl.mpg.de
http://www.mpl.mpg.de

Re: [rt-users] RT::Extension::LDAPImport and nested groups in Active Directory
Benjamin Klier writes:
>I'm trying to import my users and groups from Active Directory. Getting
>in the users works just fine, but importing the groups (with a
>$LDAPGroupFilter like (|(CN=MY_RT_USERS_*)) ) is giving some errors.
>
>The problem seems to be that in our AD the main groups normally just
>concatenate other subgroups so that they don't include users but just
>other groups, for example
>
>MY_RT_USERS_AGENTS
>  +
>  +-> SOME_SUBGROUP
>  |     +
>  |     +> USER_1
>  |     |
>  |     +> USER_2
>  |     |
>  |     +> USER_3
>  |
>  +-> ANOTHER_SUBGROUP
>        +
>        +> USER_4
>        |
>        +> USER_5
>        |
>        +> ...
>
>Unfortunately it's not an option to rework our AD group structure :-(
>
>Crawling the rt-users archive didn't get me any closer to finding a
>solution to that problem.
>
>I'm using RT::Extension::LDAPImport v0.36
>
>Maybe someone has some experience with a configuration like that and
>would be able to give me the missing hint :-)

Why flatten the AD structure? You should be able to recreate it entirely with RT groups.

Pseudocode:

    Sub AddAGroup(SomeGroup)
        Obj = LDAP(SomeGroup)
        RT->AddGroupName(Obj->Name)
        For each member in Obj:
            If member is a group then AddAGroup(member)
            RT->AddUserToGroup(Obj->Name, member)
        next.

This recursive algorithm should duplicate the AD layout below a node if you give it an AD node.

/jeff

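The recursive walk sketched in the pseudocode above, as an added Perl example that is not part of the original thread and not code from RT or RT::Extension::LDAPImport. It runs over a constructed in-memory directory instead of a live LDAP search (the `%DIRECTORY` hash, its DNs and the `disabled` flag are assumptions), and it adds two checks the pseudocode leaves out: a guard against circular nesting and a skip for disabled accounts, so looping or stale directory data does not become RT group membership.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample data standing in for LDAP search results (DNs, names and
# the 'disabled' flag are assumptions). ANOTHER_SUBGROUP loops back to the top.
my %DIRECTORY = (
    'CN=MY_RT_USERS_AGENTS' => { class => 'group', name => 'MY_RT_USERS_AGENTS',
        member => [ 'CN=SOME_SUBGROUP', 'CN=ANOTHER_SUBGROUP' ] },
    'CN=SOME_SUBGROUP' => { class => 'group', name => 'SOME_SUBGROUP',
        member => [ 'CN=USER_1', 'CN=USER_2', 'CN=USER_3' ] },
    'CN=ANOTHER_SUBGROUP' => { class => 'group', name => 'ANOTHER_SUBGROUP',
        member => [ 'CN=USER_4', 'CN=USER_5', 'CN=MY_RT_USERS_AGENTS' ] },
    'CN=USER_1' => { class => 'user', name => 'USER_1' },
    'CN=USER_2' => { class => 'user', name => 'USER_2' },
    'CN=USER_3' => { class => 'user', name => 'USER_3', disabled => 1 },
    'CN=USER_4' => { class => 'user', name => 'USER_4' },
    'CN=USER_5' => { class => 'user', name => 'USER_5' },
);

# Walk one group and everything below it, recording [group, member] pairs.
# A real importer would create the RT group and add the member at each push.
sub add_a_group {
    my ($dn, $state) = @_;
    my $obj = $DIRECTORY{$dn} or return;
    $state->{path}{$dn} = 1;                      # groups currently being walked
    for my $member_dn (@{ $obj->{member} || [] }) {
        my $m = $DIRECTORY{$member_dn} or next;   # member outside the import scope
        if ($m->{class} eq 'group') {
            if ($state->{path}{$member_dn}) {     # would nest a group in itself
                push @{ $state->{skipped} }, [ $obj->{name}, $m->{name} ];
                next;
            }
            add_a_group($member_dn, $state) unless $state->{done}{$member_dn};
        }
        elsif ($m->{disabled}) { next }           # disabled accounts get no membership
        push @{ $state->{edges} }, [ $obj->{name}, $m->{name} ];
    }
    delete $state->{path}{$dn};
    $state->{done}{$dn} = 1;
    return $state;
}

my $state = add_a_group('CN=MY_RT_USERS_AGENTS',
    { edges => [], skipped => [], path => {}, done => {} });
print "add $_->[1] to $_->[0]\n"             for @{ $state->{edges} };
print "skip $_->[1] in $_->[0] (circular)\n" for @{ $state->{skipped} };
```

Subgroups are walked before the parent records them as members, so every group already exists by the time it is added to another one.
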
[rt-users] RT::Extension::LDAPImport and nested groups in Active Directory
I'm trying to import my users and groups from Active Directory. Getting in the users works just fine, but importing the groups (with a $LDAPGroupFilter like (|(CN=MY_RT_USERS_*)) ) is giving some errors.

    searching with:
      base => 'OU=XXX,OU=XXX,DC=XXX,DC=XXX,DC=XXX'
      control => 'Net::LDAP::Control::Paged=HASH(0x93cc210)'
      filter => '(|(CN=MY_RT_USERS_*))'
      scope => 'sub'
    search found 2 objects
    Processing group MY_RT_USERS_AGENTS
    Found new group MY_RT_USERS_AGENTS to create in RT
    RT Field      RT Value -> LDAP Value
    Description   unset => Imported from LDAP
    Member_Attr   unset => ARRAY(0x9834d90)
    Name          unset => MY_RT_USERS_AGENTS
    Processing group membership for MY_RT_USERS_AGENTS
    No group in RT, would create with members:
    searching with:
      base => 'CN=ANOTHER_GROUP,OU=XXX,OU=XXX,OU=XXX,DC=XXX,DC=XXX,DC=XXX'
      control => 'Net::LDAP::Control::Paged=HASH(0x983cfc0)'
      filter => '(&(objectClass=user)(!(cn=*Template*))(!(enabled=false))(!(objectClass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2))(mail=*)(lastLogonTimestamp>=1302514560))'
      scope => 'base'
    search found 0 objects
    Imported 1/2 groups

The problem seems to be that in our AD the main groups normally just concatenate other subgroups so that they don't include users but just other groups, for example

    MY_RT_USERS_AGENTS
      +
      +-> SOME_SUBGROUP
      |     +
      |     +> USER_1
      |     |
      |     +> USER_2
      |     |
      |     +> USER_3
      |
      +-> ANOTHER_SUBGROUP
            +
            +> USER_4
            |
            +> USER_5
            |
            +> ...

Unfortunately it's not an option to rework our AD group structure :-(

Crawling the rt-users archive didn't get me any closer to finding a solution to that problem.

I'm using RT::Extension::LDAPImport v0.36

Maybe someone has some experience with a configuration like that and would be able to give me the missing hint :-)

--
Benjamin Klier
Systemadministration
Max-Planck-Institut für die Physik des Lichts
Guenther-Scharowsky-Str. 1/Bau 24
D-91058 Erlangen
Tel.: 09131-6877-511
Fax : 09131-6877-199
eMail : benjamin.kl...@mpl.mpg.de
http://www.mpl.mpg.de