The particular critical use case is when user entries don't have a memberOf attribute (or the bind DN can't see the memberOf attribute), so including just group members in the normal user import stage is impossible without manually listing the group memberships.
The PR is a better version of this awful hack possible with the latest release:
Set( $LDAPGroupMapping, {
Name => 'cn',
Member_Attr => sub {
require Net::LDAP::Util;
my %args = @_;
my $self = $args{'self'};
my $members = $args{'ldap_entry'}->get_value('member', asref => 1);
# Yay, dn is stored in an attribute called distinguishedName, which
# makes this filter so much easier. (Note that "dn" isn't actually an
# attribute, so you can't just filter by it you must use it as the
# base.)
my $membersOf = join "", map { "(distinguishedName=" . Net::LDAP::Util::escape_filter_value($_) . ")" } @$members;
local $RT::LDAPFilter = "(&(objectClass=person)(|$membersOf))";
$self->import_users( $args{'import'} );
return @$members;
},
Member_Attr_Value => 'dn',
});
RT for rt.cpan.org