LDAP nested groups


We recently started syncing Opsview accounts with our LDAP environment (Active Directory). At first I created a group definition file for each department requiring access to Opsview. This requires quite a bit of administration in the group directory on the Opsview server.

It would be preferable to move this administration to Active Directory. So we've created AD groups for each Opsview role and made the department groups members of these role groups. I've created the group definition files for each role group and changed the group filter so it searches through these nested groups:

group_filter: (&(objectClass=group)(|(sAMAccountName=%s)(memberof:1.2.840.113556.1.4.1941:=cn=%s,ou=Applications,ou=Groups,dc=binckbank,dc=nv)))

Because this results in multiple groups being found, the opsview_sync_ldap script exits on line 393 (Got more than one group in LDAP directory for group ...). I fiddled a bit with the script so that it sums the members of all groups found:

    # Original check disabled: with the nested-group filter, finding more
    # than one group is the expected result
    #if ( $count > 1 ) {
    #    die "Got more than one group in LDAP directory for group $groupname";
    #}

    # For each group, get list of users to create in Opsview
    # Keep a list of users seen
    my $member_field = $ldapcfg->{opsview_sync}->{group_member_field}
        || "member";

    # Collect the member DNs of every matched group; a DN that appears in
    # more than one of the nested groups is only added once
    my %seen;
    my @members;
    while ( my $group = $search->pop_entry ) {
        push @members, grep { !$seen{ lc $_ }++ } $group->get_value($member_field);
    }

Would it be possible to include the handling of multiple groups in a future release?

Best Regards,
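Two things a maintainer would want to see alongside the change requested above: that the group name substituted into the filter's `%s` cannot change the filter's structure, and that members collected from several matched groups are merged without duplicates. The post does not say how opsview_sync_ldap performs the substitution, so the following is an added example (not the poster's script and not Opsview's code) that builds the same filter shape with RFC 4515 filter escaping and RFC 4514 RDN escaping, then merges the `member` attribute across all matched entries. The base DN, the group names and the search result are constructed placeholders.

```python
"""Build the nested-group filter safely and merge members across matched groups.

Added example, not the poster's script or Opsview code. The base DN and the
search result below are constructed placeholders.
"""

# LDAP_MATCHING_RULE_IN_CHAIN, the OID used in the poster's filter
NESTED_GROUP_RULE = "1.2.840.113556.1.4.1941"
# Placeholder for the OU that holds the role groups (assumption, not the poster's DN)
GROUP_BASE_DN = "ou=Applications,ou=Groups,dc=example,dc=com"

# RFC 4515: characters that must be hex-escaped inside a filter assertion value
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string so it is treated as a literal inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_rdn_value(value: str) -> str:
    """Escape a string used as an RDN attribute value (RFC 4514, string form)."""
    out = []
    for ch in value:
        if ch in '\\,+"<>;':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    escaped = "".join(out)
    if escaped[:1] in ("#", " "):
        escaped = "\\" + escaped
    if escaped.endswith(" ") and not escaped.endswith("\\ "):
        escaped = escaped[:-1] + "\\ "
    return escaped


def build_group_filter(groupname: str, base_dn: str = GROUP_BASE_DN) -> str:
    """Same shape as the poster's group_filter, with %s substituted safely.

    The direct match uses a filter-escaped sAMAccountName; the nested match
    embeds the role group's DN, whose RDN value is DN-escaped first and the
    whole DN filter-escaped afterwards (the value of a memberof assertion is
    still a filter value).
    """
    direct = escape_filter_value(groupname)
    role_dn = f"cn={escape_rdn_value(groupname)},{base_dn}"
    nested = escape_filter_value(role_dn)
    return (
        "(&(objectClass=group)"
        f"(|(sAMAccountName={direct})"
        f"(memberof:{NESTED_GROUP_RULE}:={nested})))"
    )


def merge_group_members(entries, member_field: str = "member"):
    """Union of the member attribute over every matched group entry.

    entries: list of dicts mapping attribute name -> list of values, the
    shape most LDAP client libraries return. DNs compare case-insensitively
    in AD, so de-duplication is done on a lower-cased key while the first
    spelling seen is kept.
    """
    seen = set()
    merged = []
    for entry in entries:
        for dn in entry.get(member_field, []):
            key = dn.lower()
            if key not in seen:
                seen.add(key)
                merged.append(dn)
    return merged


# Constructed search result: the role group plus one department group nested
# in it, with one member DN present in both (spelled differently).
CONSTRUCTED_SEARCH_RESULT = [
    {
        "sAMAccountName": ["opsview-admins"],
        "member": [
            "CN=IT Operations,OU=Departments,DC=example,DC=com",
            "CN=alice,OU=Users,DC=example,DC=com",
        ],
    },
    {
        "sAMAccountName": ["IT Operations"],
        "member": [
            "cn=alice,ou=Users,dc=example,dc=com",
            "CN=bob,OU=Users,DC=example,DC=com",
        ],
    },
]


if __name__ == "__main__":
    print(build_group_filter("opsview-admins"))
    for dn in merge_group_members(CONSTRUCTED_SEARCH_RESULT):
        print(dn)
```

Note that with the nested filter the matched set contains the role group itself and every group nested under it, so the merged list holds whatever those groups' `member` attributes hold, including the DNs of the department groups; what the sync script does with a group DN in that list is up to the script, the example only guarantees the union is complete and free of duplicates.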