pg-ldap-sync 0.4.0 → 0.5.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- checksums.yaml.gz.sig +0 -0
- data/CHANGELOG.md +6 -0
- data/Gemfile +0 -1
- data/README.md +9 -2
- data/config/sample-config.yaml +15 -1
- data/config/sample-config2.yaml +8 -5
- data/lib/pg_ldap_sync/application.rb +20 -2
- data/lib/pg_ldap_sync/compat.rb +1 -0
- data/lib/pg_ldap_sync/version.rb +1 -1
- data/pg-ldap-sync.gemspec +1 -1
- data.tar.gz.sig +0 -0
- metadata +19 -21
- metadata.gz.sig +0 -0
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: a08af19305647e9c74adbf8d4354f826d95eea24e3ac9d362e1f32df2e347f2e
|
|
4
|
+
data.tar.gz: b07f7ef2e6eee98529979b8b935dcf0d1a5b5e29535ba499824b36cfb71ebbca
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: ab386f3df54231fd962696446d38ce9cf2fa0bdef9bd383b9e9af72a96eb67527be1bb7ddf09133f80fd92a5e2868e5d07269a87bf0b45d648c732b5ae643017
|
|
7
|
+
data.tar.gz: 05631b8dea00b093943017f425cb82dd64edb2323afda113bafee01235368c1526f2386236de84979654c2c495c102ff1e7f441a1538199581730772d5845721
|
checksums.yaml.gz.sig
CHANGED
|
Binary file
|
data/CHANGELOG.md
CHANGED
data/Gemfile
CHANGED
data/README.md
CHANGED
|
@@ -20,16 +20,18 @@ It is meant to be started as a cron job.
|
|
|
20
20
|
|
|
21
21
|
## FEATURES:
|
|
22
22
|
|
|
23
|
+
* User+group creation, deletion and changes in memberships are synchronized from LDAP to PostgreSQL
|
|
24
|
+
* Nested groups/roles supported
|
|
23
25
|
* Configurable per YAML config file
|
|
24
26
|
* Can use Active Directory as LDAP-Server
|
|
25
|
-
* Nested groups/roles supported
|
|
26
27
|
* Set scope of considered users/groups on LDAP and PG side
|
|
27
28
|
* Test mode which doesn't do any changes to the DBMS
|
|
28
29
|
* Both LDAP and PG connections can be secured by SSL/TLS
|
|
30
|
+
* NTLM and Kerberos authentication to LDAP server
|
|
29
31
|
|
|
30
32
|
## REQUIREMENTS:
|
|
31
33
|
|
|
32
|
-
* Ruby-2.0
|
|
34
|
+
* Ruby-2.0+
|
|
33
35
|
* LDAP-v3 server
|
|
34
36
|
* PostgreSQL-server v9.0+
|
|
35
37
|
|
|
@@ -70,6 +72,11 @@ Run in modify-mode:
|
|
|
70
72
|
pg_ldap_sync -c my_config.yaml -vv
|
|
71
73
|
```
|
|
72
74
|
|
|
75
|
+
It is recommended to avoid granting permissions to synchronized users on the PostgreSQL server, but to grant permissions to groups instead.
|
|
76
|
+
This is because `DROP USER` statements invoked when a user leaves otherwise fail due to depending objects.
|
|
77
|
+
`DROP GROUP` equally fails if there are depending objects, but groups are typically more stable and removed rarely.
|
|
78
|
+
|
|
79
|
+
|
|
73
80
|
## TEST:
|
|
74
81
|
There is a small test suite in the `test` directory that runs against an internal LDAP server and a PostgreSQL server. Ensure `pg_ctl`, `initdb` and `psql` commands are in the `PATH` like so:
|
|
75
82
|
```sh
|
data/config/sample-config.yaml
CHANGED
|
@@ -5,13 +5,26 @@
|
|
|
5
5
|
# Connection parameters to LDAP server
|
|
6
6
|
# see also: http://net-ldap.rubyforge.org/Net/LDAP.html#method-c-new
|
|
7
7
|
ldap_connection:
|
|
8
|
-
host:
|
|
8
|
+
host: ldapserver
|
|
9
9
|
port: 389
|
|
10
10
|
auth:
|
|
11
11
|
method: :simple
|
|
12
12
|
username: CN=username,OU=!Serviceaccounts,OU=company,DC=company,DC=de
|
|
13
13
|
password: secret
|
|
14
14
|
|
|
15
|
+
# or GSSAPI / Kerberos authentication:
|
|
16
|
+
auth:
|
|
17
|
+
method: :gssapi
|
|
18
|
+
hostname: ldapserver.company.de
|
|
19
|
+
servicename: ldap # optional, defaults to "ldap"
|
|
20
|
+
|
|
21
|
+
# or GSS-SPNEGO / NTLM authentication
|
|
22
|
+
auth:
|
|
23
|
+
method: :gss_spnego
|
|
24
|
+
username: 'myuser'
|
|
25
|
+
password: 'secret'
|
|
26
|
+
domain: 'company.de' # optional
|
|
27
|
+
|
|
15
28
|
# Search parameters for LDAP users which should be synchronized
|
|
16
29
|
ldap_users:
|
|
17
30
|
base: OU=company,OU=company,DC=company,DC=de
|
|
@@ -51,4 +64,5 @@ pg_groups:
|
|
|
51
64
|
filter: NOT rolcanlogin AND NOT rolsuper
|
|
52
65
|
# Options for CREATE RULE statements
|
|
53
66
|
create_options: NOLOGIN
|
|
67
|
+
# Options for GRANT <role> TO <group> statements
|
|
54
68
|
grant_options:
|
data/config/sample-config2.yaml
CHANGED
|
@@ -1,9 +1,11 @@
|
|
|
1
1
|
# With this sample config the distinction between LDAP-synchronized
|
|
2
|
-
# groups/users from is done by the
|
|
3
|
-
#
|
|
4
|
-
# pg_ldap_sync can
|
|
5
|
-
#
|
|
6
|
-
#
|
|
2
|
+
# groups/users from manually created PostgreSQL users is done by the
|
|
3
|
+
# membership in ldap_user and ldap_group.
|
|
4
|
+
# These two roles have to be defined manally before pg_ldap_sync can
|
|
5
|
+
# run and all synchronized users/groups will become member of them
|
|
6
|
+
# later on:
|
|
7
|
+
# CREATE GROUP ldap_groups;
|
|
8
|
+
# CREATE USER ldap_users;
|
|
7
9
|
#
|
|
8
10
|
|
|
9
11
|
# Connection parameters to LDAP server
|
|
@@ -63,4 +65,5 @@ pg_groups:
|
|
|
63
65
|
filter: oid IN (SELECT pam.member FROM pg_auth_members pam JOIN pg_roles pr ON pr.oid=pam.roleid WHERE pr.rolname='ldap_groups')
|
|
64
66
|
# Options for CREATE RULE statements
|
|
65
67
|
create_options: NOLOGIN IN ROLE ldap_groups
|
|
68
|
+
# Options for GRANT <role> TO <group> statements
|
|
66
69
|
grant_options:
|
|
@@ -103,7 +103,7 @@ class Application
|
|
|
103
103
|
array += entry[ranged_attr]
|
|
104
104
|
log.debug "retrieved attribute range #{ranged_attr.inspect} of dn #{entry_dn}"
|
|
105
105
|
|
|
106
|
-
if ranged_attr =~ /;range=\d
|
|
106
|
+
if ranged_attr =~ /;range=\d+\-\*\z/
|
|
107
107
|
break
|
|
108
108
|
end
|
|
109
109
|
|
|
@@ -361,8 +361,26 @@ class Application
|
|
|
361
361
|
def start!
|
|
362
362
|
read_config_file(@config_fname)
|
|
363
363
|
|
|
364
|
+
ldap_conf = @config[:ldap_connection]
|
|
365
|
+
auth_meth = ldap_conf.dig(:auth, :method).to_s
|
|
366
|
+
if auth_meth == "gssapi"
|
|
367
|
+
begin
|
|
368
|
+
require 'net/ldap/auth_adapter/gssapi'
|
|
369
|
+
rescue LoadError => err
|
|
370
|
+
raise "#{err}\nTo use GSSAPI authentication please run:\n gem install net-ldap-auth_adapter-gssapi"
|
|
371
|
+
end
|
|
372
|
+
elsif auth_meth == "gss_spnego"
|
|
373
|
+
begin
|
|
374
|
+
require 'net-ldap-gss-spnego'
|
|
375
|
+
# This doesn't work since this file is defined in net-ldap as a placeholder:
|
|
376
|
+
# require 'net/ldap/auth_adapter/gss_spnego'
|
|
377
|
+
rescue LoadError => err
|
|
378
|
+
raise "#{err}\nTo use GSSAPI authentication please run:\n gem install net-ldap-gss-spnego"
|
|
379
|
+
end
|
|
380
|
+
end
|
|
381
|
+
|
|
364
382
|
# gather LDAP users and groups
|
|
365
|
-
@ldap = Net::LDAP.new
|
|
383
|
+
@ldap = Net::LDAP.new ldap_conf
|
|
366
384
|
ldap_users = uniq_names search_ldap_users
|
|
367
385
|
ldap_groups = uniq_names search_ldap_groups
|
|
368
386
|
|
data/lib/pg_ldap_sync/compat.rb
CHANGED
data/lib/pg_ldap_sync/version.rb
CHANGED
data/pg-ldap-sync.gemspec
CHANGED
|
@@ -24,7 +24,7 @@ Gem::Specification.new do |spec|
|
|
|
24
24
|
spec.add_runtime_dependency "net-ldap", "~> 0.16"
|
|
25
25
|
spec.add_runtime_dependency "kwalify", "~> 0.7"
|
|
26
26
|
spec.add_runtime_dependency "pg", ">= 0.14", "< 2.0"
|
|
27
|
-
spec.add_development_dependency "ruby-ldapserver", "~> 0.
|
|
27
|
+
spec.add_development_dependency "ruby-ldapserver", "~> 0.7"
|
|
28
28
|
spec.add_development_dependency "minitest", "~> 5.0"
|
|
29
29
|
spec.add_development_dependency "bundler", ">= 1.16", "< 3.0"
|
|
30
30
|
spec.add_development_dependency "rake", "~> 13.0"
|
data.tar.gz.sig
CHANGED
|
Binary file
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: pg-ldap-sync
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.5.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Lars Kanis
|
|
@@ -10,9 +10,9 @@ bindir: exe
|
|
|
10
10
|
cert_chain:
|
|
11
11
|
- |
|
|
12
12
|
-----BEGIN CERTIFICATE-----
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
13
|
+
MIIEBDCCAmygAwIBAgIBAjANBgkqhkiG9w0BAQsFADAoMSYwJAYDVQQDDB1sYXJz
|
|
14
|
+
L0RDPWdyZWl6LXJlaW5zZG9yZi9EQz1kZTAeFw0yMzAyMTUxNzQxMTVaFw0yNDAy
|
|
15
|
+
MTUxNzQxMTVaMCgxJjAkBgNVBAMMHWxhcnMvREM9Z3JlaXotcmVpbnNkb3JmL0RD
|
|
16
16
|
PWRlMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAwum6Y1KznfpzXOT/
|
|
17
17
|
mZgJTBbxZuuZF49Fq3K0WA67YBzNlDv95qzSp7V/7Ek3NCcnT7G+2kSuhNo1FhdN
|
|
18
18
|
eSDO/moYebZNAcu3iqLsuzuULXPLuoU0GsMnVMqV9DZPh7cQHE5EBZ7hlzDBK7k/
|
|
@@ -21,21 +21,19 @@ cert_chain:
|
|
|
21
21
|
JMNDFsmHK/6Ji4Kk48Z3TyscHQnipAID5GhS1oD21/WePdj7GhmbF5gBzkV5uepd
|
|
22
22
|
eJQPgWGwrQW/Z2oPjRuJrRofzWfrMWqbOahj9uth6WSxhNexUtbjk6P8emmXOJi5
|
|
23
23
|
chQPnWX+N3Gj+jjYxqTFdwT7Mj3pv1VHa+aNUbqSPpvJeDyxRIuo9hvzDaBHb/Cg
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
oL1mUdzB8KrZL4/WbG5YNX6UTtJbIOu9qEFbBAy4/jtIkJX+dlNoFwd4GXQW1YNO
|
|
36
|
-
nA==
|
|
24
|
+
9qRVcm8a96n4t7y2lrX1oookY6bkBaxWOMtWlqIprq8JZXM9AgMBAAGjOTA3MAkG
|
|
25
|
+
A1UdEwQCMAAwCwYDVR0PBAQDAgSwMB0GA1UdDgQWBBQ4h1tIyvdUWtMI739xMzTR
|
|
26
|
+
7EfMFzANBgkqhkiG9w0BAQsFAAOCAYEAQAcuTARfiiVUVx5KURICfdTM2Kd7LhOn
|
|
27
|
+
qt3Vs4ANGvT226LEp3RnQ+kWGQYMRb3cw3LY2TNQRPlnZxE994mgjBscN4fbjXqO
|
|
28
|
+
T0JbVpeszRZa5k1goggbnWT7CO7yU7WcHh13DaSubY7HUpAJn2xz9w2stxQfN/EE
|
|
29
|
+
VMlnDJ1P7mUHAvpK8X9j9h7Xlc1niViT18MYwux8mboVTryrLr+clATUkkM3yBF0
|
|
30
|
+
RV+c34ReW5eXO9Tr6aKTxh/pFC9ggDT6jOxuJgSvG8HWJzVf4NDvMavIas4KYjiI
|
|
31
|
+
BU6CpWaG5NxicqL3BERi52U43HV08br+LNVpb7Rekgve/PJuSFnAR015bhSRXe5U
|
|
32
|
+
vBioD1qW2ZW9tXg8Ww2IfDaO5a1So5Xby51rhNlyo6ATj2NkuLWZUKPKHhAz0TKm
|
|
33
|
+
Dzx/gFSOrRoCt2mXNgrmcAfr386AfaMvCh7cXqdxZwmVo7ILZCYXck0pajvubsDd
|
|
34
|
+
NUIIFkVXvd1odFyK9LF1RFAtxn/iAmpx
|
|
37
35
|
-----END CERTIFICATE-----
|
|
38
|
-
date:
|
|
36
|
+
date: 2023-08-24 00:00:00.000000000 Z
|
|
39
37
|
dependencies:
|
|
40
38
|
- !ruby/object:Gem::Dependency
|
|
41
39
|
name: net-ldap
|
|
@@ -91,14 +89,14 @@ dependencies:
|
|
|
91
89
|
requirements:
|
|
92
90
|
- - "~>"
|
|
93
91
|
- !ruby/object:Gem::Version
|
|
94
|
-
version: '0.
|
|
92
|
+
version: '0.7'
|
|
95
93
|
type: :development
|
|
96
94
|
prerelease: false
|
|
97
95
|
version_requirements: !ruby/object:Gem::Requirement
|
|
98
96
|
requirements:
|
|
99
97
|
- - "~>"
|
|
100
98
|
- !ruby/object:Gem::Version
|
|
101
|
-
version: '0.
|
|
99
|
+
version: '0.7'
|
|
102
100
|
- !ruby/object:Gem::Dependency
|
|
103
101
|
name: minitest
|
|
104
102
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -212,7 +210,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
212
210
|
- !ruby/object:Gem::Version
|
|
213
211
|
version: '0'
|
|
214
212
|
requirements: []
|
|
215
|
-
rubygems_version: 3.
|
|
213
|
+
rubygems_version: 3.4.6
|
|
216
214
|
signing_key:
|
|
217
215
|
specification_version: 4
|
|
218
216
|
summary: Use LDAP permissions in PostgreSQL
|
metadata.gz.sig
CHANGED
|
Binary file
|