This depends a bit on your AD LDAP structure
- Are CN matching the sAMAccountName
- Can you filter our certain groups you want
- Group in Group will be a problem
What can be tricky:
- New groups must be added before the user
- Users must be updated before a group can be removed
Here is an example. I won’t describe the LDAP Resource here, but its simple to create and used for auth in Icinga Web as well.
Import source: AD Users
Name: AD Users
Source Type: Ldap
Key column name: sAMAccountName
Resource: Your LDAP resource
Ldap Search Base: ou=User,ou=myorg,dc=int,dc=example,dc=com
Object class: user
Object filter: &(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))
Properties: sAMAccountName, cn, sn, givenName, mail, mobile, memberOf
Now where the magic happens is modifier:
Property: memberOf
Modifier: Filter Array Values
Method: Simple Match
Filter: *,ou=groups,ou=myorg,dc=int,dc=example,dc=com
Policy: Keep matching
When empty: Return empty array
Property: memberOf
Modifier: Regex Replacement
Pattern: /^cn=(.+?),ou=.*/i
Replacement: \1
The modifier will replace the DN with the simple CN, which should be identical to the sAMAccountName of the group.
Import source: AD Groups
Name: AD Users
Source Type: Ldap
Key column name: cn
Resource: Your LDAP resource
Ldap Search Base: ou=groups,ou=myorg,dc=int,dc=example,dc=com
Object class: group
Object filter:
Properties: cn, name
Sync rule: AD Groups
Type: User group
Properties from AD Groups:
-
${cn}-> object_name
Sync rule: AD Users
Type: User
Properties from AD Users:
-
${sAMAccountName}-> object_name -
${memberOf}-> groups -
${cn}-> display_name -
${mail}-> email -
${mobile}-> pager
Result
object User "mfrosch" {
display_name = "Markus Frosch"
email = "markus.frosch@netways.de"
groups = [
"net-auth-consulting",
// others
]
}
object UserGroup "net-auth-consulting" {
}