pg-ldap-sync 0.4.0 → 0.5.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- checksums.yaml.gz.sig +0 -0
- data/CHANGELOG.md +6 -0
- data/Gemfile +0 -1
- data/README.md +9 -2
- data/config/sample-config.yaml +15 -1
- data/config/sample-config2.yaml +8 -5
- data/lib/pg_ldap_sync/application.rb +20 -2
- data/lib/pg_ldap_sync/compat.rb +1 -0
- data/lib/pg_ldap_sync/version.rb +1 -1
- data/pg-ldap-sync.gemspec +1 -1
- data.tar.gz.sig +0 -0
- metadata +19 -21
- metadata.gz.sig +0 -0
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: a08af19305647e9c74adbf8d4354f826d95eea24e3ac9d362e1f32df2e347f2e
|
|
4
|
+
data.tar.gz: b07f7ef2e6eee98529979b8b935dcf0d1a5b5e29535ba499824b36cfb71ebbca
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: ab386f3df54231fd962696446d38ce9cf2fa0bdef9bd383b9e9af72a96eb67527be1bb7ddf09133f80fd92a5e2868e5d07269a87bf0b45d648c732b5ae643017
|
|
7
|
+
data.tar.gz: 05631b8dea00b093943017f425cb82dd64edb2323afda113bafee01235368c1526f2386236de84979654c2c495c102ff1e7f441a1538199581730772d5845721
|
checksums.yaml.gz.sig
CHANGED
|
Binary file
|
data/CHANGELOG.md
CHANGED
data/Gemfile
CHANGED
data/README.md
CHANGED
|
@@ -20,16 +20,18 @@ It is meant to be started as a cron job.
|
|
|
20
20
|
|
|
21
21
|
## FEATURES:
|
|
22
22
|
|
|
23
|
+
* User+group creation, deletion and changes in memberships are synchronized from LDAP to PostgreSQL
|
|
24
|
+
* Nested groups/roles supported
|
|
23
25
|
* Configurable per YAML config file
|
|
24
26
|
* Can use Active Directory as LDAP-Server
|
|
25
|
-
* Nested groups/roles supported
|
|
26
27
|
* Set scope of considered users/groups on LDAP and PG side
|
|
27
28
|
* Test mode which doesn't do any changes to the DBMS
|
|
28
29
|
* Both LDAP and PG connections can be secured by SSL/TLS
|
|
30
|
+
* NTLM and Kerberos authentication to LDAP server
|
|
29
31
|
|
|
30
32
|
## REQUIREMENTS:
|
|
31
33
|
|
|
32
|
-
* Ruby-2.0
|
|
34
|
+
* Ruby-2.0+
|
|
33
35
|
* LDAP-v3 server
|
|
34
36
|
* PostgreSQL-server v9.0+
|
|
35
37
|
|
|
@@ -70,6 +72,11 @@ Run in modify-mode:
|
|
|
70
72
|
pg_ldap_sync -c my_config.yaml -vv
|
|
71
73
|
```
|
|
72
74
|
|
|
75
|
+
It is recommended to avoid granting permissions to synchronized users on the PostgreSQL server, but to grant permissions to groups instead.
|
|
76
|
+
This is because `DROP USER` statements invoked when a user leaves otherwise fail due to depending objects.
|
|
77
|
+
`DROP GROUP` equally fails if there are depending objects, but groups are typically more stable and removed rarely.
|
|
78
|
+
|
|
79
|
+
|
|
73
80
|
## TEST:
|
|
74
81
|
There is a small test suite in the `test` directory that runs against an internal LDAP server and a PostgreSQL server. Ensure `pg_ctl`, `initdb` and `psql` commands are in the `PATH` like so:
|
|
75
82
|
```sh
|
data/config/sample-config.yaml
CHANGED
|
@@ -5,13 +5,26 @@
|
|
|
5
5
|
# Connection parameters to LDAP server
|
|
6
6
|
# see also: http://net-ldap.rubyforge.org/Net/LDAP.html#method-c-new
|
|
7
7
|
ldap_connection:
|
|
8
|
-
host:
|
|
8
|
+
host: ldapserver
|
|
9
9
|
port: 389
|
|
10
10
|
auth:
|
|
11
11
|
method: :simple
|
|
12
12
|
username: CN=username,OU=!Serviceaccounts,OU=company,DC=company,DC=de
|
|
13
13
|
password: secret
|
|
14
14
|
|
|
15
|
+
# or GSSAPI / Kerberos authentication:
|
|
16
|
+
auth:
|
|
17
|
+
method: :gssapi
|
|
18
|
+
hostname: ldapserver.company.de
|
|
19
|
+
servicename: ldap # optional, defaults to "ldap"
|
|
20
|
+
|
|
21
|
+
# or GSS-SPNEGO / NTLM authentication
|
|
22
|
+
auth:
|
|
23
|
+
method: :gss_spnego
|
|
24
|
+
username: 'myuser'
|
|
25
|
+
password: 'secret'
|
|
26
|
+
domain: 'company.de' # optional
|
|
27
|
+
|
|
15
28
|
# Search parameters for LDAP users which should be synchronized
|
|
16
29
|
ldap_users:
|
|
17
30
|
base: OU=company,OU=company,DC=company,DC=de
|
|
@@ -51,4 +64,5 @@ pg_groups:
|
|
|
51
64
|
filter: NOT rolcanlogin AND NOT rolsuper
|
|
52
65
|
# Options for CREATE RULE statements
|
|
53
66
|
create_options: NOLOGIN
|
|
67
|
+
# Options for GRANT <role> TO <group> statements
|
|
54
68
|
grant_options:
|
data/config/sample-config2.yaml
CHANGED
|
@@ -1,9 +1,11 @@
|
|
|
1
1
|
# With this sample config the distinction between LDAP-synchronized
|
|
2
|
-
# groups/users from is done by the
|
|
3
|
-
#
|
|
4
|
-
# pg_ldap_sync can
|
|
5
|
-
#
|
|
6
|
-
#
|
|
2
|
+
# groups/users from manually created PostgreSQL users is done by the
|
|
3
|
+
# membership in ldap_user and ldap_group.
|
|
4
|
+
# These two roles have to be defined manally before pg_ldap_sync can
|
|
5
|
+
# run and all synchronized users/groups will become member of them
|
|
6
|
+
# later on:
|
|
7
|
+
# CREATE GROUP ldap_groups;
|
|
8
|
+
# CREATE USER ldap_users;
|
|
7
9
|
#
|
|
8
10
|
|
|
9
11
|
# Connection parameters to LDAP server
|
|
@@ -63,4 +65,5 @@ pg_groups:
|
|
|
63
65
|
filter: oid IN (SELECT pam.member FROM pg_auth_members pam JOIN pg_roles pr ON pr.oid=pam.roleid WHERE pr.rolname='ldap_groups')
|
|
64
66
|
# Options for CREATE RULE statements
|
|
65
67
|
create_options: NOLOGIN IN ROLE ldap_groups
|
|
68
|
+
# Options for GRANT <role> TO <group> statements
|
|
66
69
|
grant_options:
|
|
@@ -103,7 +103,7 @@ class Application
|
|
|
103
103
|
array += entry[ranged_attr]
|
|
104
104
|
log.debug "retrieved attribute range #{ranged_attr.inspect} of dn #{entry_dn}"
|
|
105
105
|
|
|
106
|
-
if ranged_attr =~ /;range=\d
|
|
106
|
+
if ranged_attr =~ /;range=\d+\-\*\z/
|
|
107
107
|
break
|
|
108
108
|
end
|
|
109
109
|
|
|
@@ -361,8 +361,26 @@ class Application
|
|
|
361
361
|
def start!
|
|
362
362
|
read_config_file(@config_fname)
|
|
363
363
|
|
|
364
|
+
ldap_conf = @config[:ldap_connection]
|
|
365
|
+
auth_meth = ldap_conf.dig(:auth, :method).to_s
|
|
366
|
+
if auth_meth == "gssapi"
|
|
367
|
+
begin
|
|
368
|
+
require 'net/ldap/auth_adapter/gssapi'
|
|
369
|
+
rescue LoadError => err
|
|
370
|
+
raise "#{err}\nTo use GSSAPI authentication please run:\n gem install net-ldap-auth_adapter-gssapi"
|
|
371
|
+
end
|
|
372
|
+
elsif auth_meth == "gss_spnego"
|
|
373
|
+
begin
|
|
374
|
+
require 'net-ldap-gss-spnego'
|
|
375
|
+
# This doesn't work since this file is defined in net-ldap as a placeholder:
|
|
376
|
+
# require 'net/ldap/auth_adapter/gss_spnego'
|
|
377
|
+
rescue LoadError => err
|
|
378
|
+
raise "#{err}\nTo use GSSAPI authentication please run:\n gem install net-ldap-gss-spnego"
|
|
379
|
+
end
|
|
380
|
+
end
|
|
381
|
+
|
|
364
382
|
# gather LDAP users and groups
|
|
365
|
-
@ldap = Net::LDAP.new
|
|
383
|
+
@ldap = Net::LDAP.new ldap_conf
|
|
366
384
|
ldap_users = uniq_names search_ldap_users
|
|
367
385
|
ldap_groups = uniq_names search_ldap_groups
|
|
368
386
|
|
data/lib/pg_ldap_sync/compat.rb
CHANGED
data/lib/pg_ldap_sync/version.rb
CHANGED
data/pg-ldap-sync.gemspec
CHANGED
|
@@ -24,7 +24,7 @@ Gem::Specification.new do |spec|
|
|
|
24
24
|
spec.add_runtime_dependency "net-ldap", "~> 0.16"
|
|
25
25
|
spec.add_runtime_dependency "kwalify", "~> 0.7"
|
|
26
26
|
spec.add_runtime_dependency "pg", ">= 0.14", "< 2.0"
|
|
27
|
-
spec.add_development_dependency "ruby-ldapserver", "~> 0.
|
|
27
|
+
spec.add_development_dependency "ruby-ldapserver", "~> 0.7"
|
|
28
28
|
spec.add_development_dependency "minitest", "~> 5.0"
|
|
29
29
|
spec.add_development_dependency "bundler", ">= 1.16", "< 3.0"
|
|
30
30
|
spec.add_development_dependency "rake", "~> 13.0"
|
data.tar.gz.sig
CHANGED
|
Binary file
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: pg-ldap-sync
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.5.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Lars Kanis
|
|
@@ -10,9 +10,9 @@ bindir: exe
|
|
|
10
10
|
cert_chain:
|
|
11
11
|
- |
|
|
12
12
|
-----BEGIN CERTIFICATE-----
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
13
|
+
MIIEBDCCAmygAwIBAgIBAjANBgkqhkiG9w0BAQsFADAoMSYwJAYDVQQDDB1sYXJz
|
|
14
|
+
L0RDPWdyZWl6LXJlaW5zZG9yZi9EQz1kZTAeFw0yMzAyMTUxNzQxMTVaFw0yNDAy
|
|
15
|
+
MTUxNzQxMTVaMCgxJjAkBgNVBAMMHWxhcnMvREM9Z3JlaXotcmVpbnNkb3JmL0RD
|
|
16
16
|
PWRlMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAwum6Y1KznfpzXOT/
|
|
17
17
|
mZgJTBbxZuuZF49Fq3K0WA67YBzNlDv95qzSp7V/7Ek3NCcnT7G+2kSuhNo1FhdN
|
|
18
18
|
eSDO/moYebZNAcu3iqLsuzuULXPLuoU0GsMnVMqV9DZPh7cQHE5EBZ7hlzDBK7k/
|
|
@@ -21,21 +21,19 @@ cert_chain:
|
|
|
21
21
|
JMNDFsmHK/6Ji4Kk48Z3TyscHQnipAID5GhS1oD21/WePdj7GhmbF5gBzkV5uepd
|
|
22
22
|
eJQPgWGwrQW/Z2oPjRuJrRofzWfrMWqbOahj9uth6WSxhNexUtbjk6P8emmXOJi5
|
|
23
23
|
chQPnWX+N3Gj+jjYxqTFdwT7Mj3pv1VHa+aNUbqSPpvJeDyxRIuo9hvzDaBHb/Cg
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
oL1mUdzB8KrZL4/WbG5YNX6UTtJbIOu9qEFbBAy4/jtIkJX+dlNoFwd4GXQW1YNO
|
|
36
|
-
nA==
|
|
24
|
+
9qRVcm8a96n4t7y2lrX1oookY6bkBaxWOMtWlqIprq8JZXM9AgMBAAGjOTA3MAkG
|
|
25
|
+
A1UdEwQCMAAwCwYDVR0PBAQDAgSwMB0GA1UdDgQWBBQ4h1tIyvdUWtMI739xMzTR
|
|
26
|
+
7EfMFzANBgkqhkiG9w0BAQsFAAOCAYEAQAcuTARfiiVUVx5KURICfdTM2Kd7LhOn
|
|
27
|
+
qt3Vs4ANGvT226LEp3RnQ+kWGQYMRb3cw3LY2TNQRPlnZxE994mgjBscN4fbjXqO
|
|
28
|
+
T0JbVpeszRZa5k1goggbnWT7CO7yU7WcHh13DaSubY7HUpAJn2xz9w2stxQfN/EE
|
|
29
|
+
VMlnDJ1P7mUHAvpK8X9j9h7Xlc1niViT18MYwux8mboVTryrLr+clATUkkM3yBF0
|
|
30
|
+
RV+c34ReW5eXO9Tr6aKTxh/pFC9ggDT6jOxuJgSvG8HWJzVf4NDvMavIas4KYjiI
|
|
31
|
+
BU6CpWaG5NxicqL3BERi52U43HV08br+LNVpb7Rekgve/PJuSFnAR015bhSRXe5U
|
|
32
|
+
vBioD1qW2ZW9tXg8Ww2IfDaO5a1So5Xby51rhNlyo6ATj2NkuLWZUKPKHhAz0TKm
|
|
33
|
+
Dzx/gFSOrRoCt2mXNgrmcAfr386AfaMvCh7cXqdxZwmVo7ILZCYXck0pajvubsDd
|
|
34
|
+
NUIIFkVXvd1odFyK9LF1RFAtxn/iAmpx
|
|
37
35
|
-----END CERTIFICATE-----
|
|
38
|
-
date:
|
|
36
|
+
date: 2023-08-24 00:00:00.000000000 Z
|
|
39
37
|
dependencies:
|
|
40
38
|
- !ruby/object:Gem::Dependency
|
|
41
39
|
name: net-ldap
|
|
@@ -91,14 +89,14 @@ dependencies:
|
|
|
91
89
|
requirements:
|
|
92
90
|
- - "~>"
|
|
93
91
|
- !ruby/object:Gem::Version
|
|
94
|
-
version: '0.
|
|
92
|
+
version: '0.7'
|
|
95
93
|
type: :development
|
|
96
94
|
prerelease: false
|
|
97
95
|
version_requirements: !ruby/object:Gem::Requirement
|
|
98
96
|
requirements:
|
|
99
97
|
- - "~>"
|
|
100
98
|
- !ruby/object:Gem::Version
|
|
101
|
-
version: '0.
|
|
99
|
+
version: '0.7'
|
|
102
100
|
- !ruby/object:Gem::Dependency
|
|
103
101
|
name: minitest
|
|
104
102
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -212,7 +210,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
212
210
|
- !ruby/object:Gem::Version
|
|
213
211
|
version: '0'
|
|
214
212
|
requirements: []
|
|
215
|
-
rubygems_version: 3.
|
|
213
|
+
rubygems_version: 3.4.6
|
|
216
214
|
signing_key:
|
|
217
215
|
specification_version: 4
|
|
218
216
|
summary: Use LDAP permissions in PostgreSQL
|
metadata.gz.sig
CHANGED
|
Binary file
|