I've set up an Insight object type called "Permission Group" with a User-type attribute named Managed By. 

I then created an LDAP import to pull in all the Active Directory security groups.  This import included a mapping of the AD managedBy field to my Managed By attribute, but it failed, and the log indicated that it was failing to map the DN value that AD stores in managedBy to my User object.  I changed my Managed By field to text and was successfully able to import values such as:

CN=Joe User,OU=Subdepartment,OU=Dept,OU=Staff,DC=domain,DC=com

I figured I could just set up an object mapping in my import task (something like "DN" = ${managedBy}, but the Insight import feature doesn't allow object mappings for user objects.  

The only other option I could think of would be to create a User object type in Insight, import all users (including their DNs) into it, and then modify Permission Group's import task to map managedBy to the User object type based on "DN" = ${managedBy}, but (a) that adds an unnecessary layer of complexity and (b) we would lose the connection to the actual users (this field exists so that we can notify them of change requests).

I'm running Insight 5.5.12.2.  Is there any way for the import feature to import users based on an object mapping?