Q: LDAP_Moira groups and how they relate to RT local groups used for permissions

• A queue admin is trying to figure out how to use LDAP/Moira groups for permissions in the new RT. What do the various ...rtacl groups mean?

The terms LDAP and Moira are used interchangeably. When we say change the membership of an LDAP group we mean via webmoira .

Answer

In general you will want to add an LDAP group and grant it permissions on the queue, not rename an existing RT group to the name of the LDAP group. (The LDAP group already exists in RT.)

There are several possible scenarios:

1. If an LDAP group with the correct name already exists and the membership matches who should have that level of access in RT, you would look it up on the Tools > Configuration > Queues > Select > Group Rights screen and grant it the appropriate permissions.
2. The an LDAP group exists but the membership doesn't match what you want, you can change the membership if that's appropriate (depends on what else the group is used for) and then proceed as above, or you may need to create a new LDAP group via Moira, wait for that to propagate overnight, and then grant it permissions on the queue instead.
3. If you see a group with the name: oldrt-something-rtacl then that's most likely a local RT group, renamed during the upgrade so it wouldn't be overridden by LDAP. The most common case for this is because the RT group had subgroups as members, but the LDAP one didn't, or the membership was substantially different. There should be a matching something-rtacl Moira/LDAP group that does exist and can be used once membership is checked, or you can grant access to a different one.

More Questions?

• Send email to tooltime