pg-ldap-sync 0.1.0

data/.autotest

@@ -0,0 +1,23 @@
+# -*- ruby -*-
+
+require 'autotest/restart'
+
+# Autotest.add_hook :initialize do |at|
+#   at.extra_files << "../some/external/dependency.rb"
+#
+#   at.libs << ":../some/external"
+#
+#   at.add_exception 'vendor'
+#
+#   at.add_mapping(/dependency.rb/) do |f, _|
+#     at.files_matching(/test_.*rb$/)
+#   end
+#
+#   %w(TestA TestB).each do |klass|
+#     at.extra_class_map[klass] = "test/test_misc.rb"
+#   end
+# end
+
+# Autotest.add_hook :run_command do |at|
+#   system "rake build"
+# end

data/History.txt

@@ -0,0 +1,4 @@
+=== 0.1.0 / 2011-07-13
+
+* Birthday!
+

data/Manifest.txt

@@ -0,0 +1,15 @@
+.autotest
+History.txt
+Manifest.txt
+README.rdoc
+Rakefile
+bin/pg_ldap_sync
+config/sample-config.yaml
+config/sample-config2.yaml
+config/schema.yaml
+lib/pg_ldap_sync.rb
+lib/pg_ldap_sync/application.rb
+test/fixtures/config-ldapdb.yaml
+test/fixtures/ldapdb.yaml
+test/ldap_server.rb
+test/test_pg_ldap_sync.rb

data/README.rdoc

@@ -0,0 +1,102 @@
+= Use LDAP permissions in PostgreSQL
+
+* http://github.com/larskanis/pg-ldap-sync
+
+== DESCRIPTION:
+
+LDAP is often used to do a centralized user and role management
+in an enterprise environment. PostgreSQL offers different
+authentication methods, like LDAP, SSPI, GSSAPI or SSL.
+However, for any method the user must already exist in the database,
+before the authentication can be used. There is currently
+no authorization of database users directly based on LDAP.
+
+This program helps to solve the issue by synchronizing users,
+groups and their memberships from LDAP to PostgreSQL.
+Access to LDAP is read-only. <tt>pg_ldap_sync</tt> issues proper
+CREATE ROLE, DROP ROLE, GRANT and REVOKE commands to synchronize
+users and groups.
+
+It is meant to be started as a cron job.
+
+== FEATURES:
+
+* Configurable per YAML config file
+* Can use Active Directory as LDAP-Server
+* Nested groups/roles supported
+* Runs with pg.gem (C-library) or postgres-pr.gem (pure Ruby)
+* Test mode which doesn't do any changes to the DBMS
+
+== REQUIREMENTS:
+
+* Installed Ruby and rubygems
+* LDAP- and PostgreSQL-Server
+
+== INSTALL:
+
+Install Ruby and rubygems:
+* on Windows: http://rubyinstaller.org
+* on Debian/Ubuntu: <tt>apt-get install ruby rubygems</tt>
+
+Install pg-ldap-sync and a database connector for PostgreSQL:
+  gem install pg-ldap-sync pg
+You may also use the pure ruby postgres-connector which is less mature,
+but doesn't need compilation:
+  gem install pg-ldap-sync postgres-pr
+
+=== Install from Git:
+  git clone https://github.com/larskanis/pg-ldap-sync.git
+  cd pg-ldap-sync
+  gem install hoe
+  rake install_gem
+
+== USAGE:
+
+Create a config file based on <tt>config/sample-config.yaml</tt> .
+Run in test-mode:
+
+  pg_ldap_sync -c my_config.yaml -vv -t
+
+Run in modify-mode:
+
+  pg_ldap_sync -c my_config.yaml -vv
+
+
+== TEST:
+There is a small test suite in the <tt>test</tt> directory that runs
+against an internal ruby-ldapserver and PostgreSQL server. Ensure gem
+<tt>ruby-ldapserver</tt> is installed and <tt>pg_ctl</tt>, <tt>initdb</tt> and <tt>psql</tt>
+commands are in the <tt>PATH</tt>. Then:
+
+  cd pg-ldap-sync
+  rake test
+
+== ISSUES:
+* There is currently no way to set certain user attributes in PG
+  based on individual attributes in LDAP (expiration date etc.)
+
+
+== LICENSE:
+
+(The MIT License)
+
+Copyright (c) 2011 FIX
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+'Software'), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/Rakefile

@@ -0,0 +1,18 @@
+# -*- ruby -*-
+
+require 'rubygems'
+require 'hoe'
+
+Hoe.spec 'pg-ldap-sync' do
+  developer('Lars Kanis', 'kanis@comcard.de')
+
+  extra_deps << ['net-ldap', '>= 0.2']
+  extra_deps << ['kwalify', '>= 0.7']
+  extra_dev_deps << ['ruby-ldapserver', '>= 0.3']
+
+  self.readme_file = 'README.rdoc'
+  spec_extras[:rdoc_options] = ['--main', readme_file, "--charset=UTF-8"]
+  self.extra_rdoc_files << self.readme_file
+end
+
+# vim: syntax=ruby

data/bin/pg_ldap_sync

@@ -0,0 +1,6 @@
+#!/usr/bin/env ruby
+
+require 'rubygems'
+require 'pg_ldap_sync/application'
+
+PgLdapSync::Application.run(ARGV)

data/config/sample-config.yaml

@@ -0,0 +1,54 @@
+# With this sample config the distinction between PG groups and users is
+# done by the LOGIN/NOLOGIN attribute. Any non-superuser account
+# is considered as LDAP-synchronized.
+
+# Connection parameters to LDAP server
+# see also: http://net-ldap.rubyforge.org/Net/LDAP.html#method-c-new
+ldap_connection:
+  host: localhost
+  port: 389
+  auth:
+    method: :simple
+    username: CN=username,OU=!Serviceaccounts,OU=company,DC=company,DC=de
+    password: secret
+
+# Search parameters for LDAP users which should be synchronized
+ldap_users:
+  base: OU=company,OU=company,DC=company,DC=de
+  # LDAP filter (according to RFC 2254)
+  # defines to users in LDAP to be synchronized
+  filter: (&(objectClass=person)(objectClass=organizationalPerson)(givenName=*)(sn=*))
+  # this attribute is used as PG role name
+  name_attribute: sAMAccountName
+
+# Search parameters for LDAP groups which should be synchronized
+ldap_groups:
+  base: OU=company,OU=company,DC=company,DC=de
+  filter: (|(cn=group1)(cn=group2)(cn=group3))
+  # this attribute is used as PG role name
+  name_attribute: cn
+  # this attribute must reference to all member DN's of the given group
+  member_attribute: member
+
+# Connection parameters to PostgreSQL server
+# see also: http://rubydoc.info/gems/pg/0.11.0/PGconn#initialize-instance_method
+pg_connection:
+  host:
+  dbname: postgres
+  user: db-username
+  password:
+
+pg_users:
+  # Filter for identifying LDAP generated users in the database.
+  # It's the WHERE-condition to "SELECT rolname, oid FROM pg_roles"
+  filter: rolcanlogin AND NOT rolsuper
+  # Options for CREATE RULE statements
+  create_options: LOGIN
+
+pg_groups:
+  # Filter for identifying LDAP generated groups in the database.
+  # It's the WHERE-condition to "SELECT rolname, oid FROM pg_roles"
+  filter: NOT rolcanlogin AND NOT rolsuper
+  # Options for CREATE RULE statements
+  create_options: NOLOGIN
+  grant_options:

data/config/sample-config2.yaml

@@ -0,0 +1,54 @@
+# With this sample config the distinction between LDAP-synchronized
+# groups/users from is done by the membership to ldap_user and
+# ldap_group. These two roles has to be defined manally.
+
+# Connection parameters to LDAP server
+# see also: http://net-ldap.rubyforge.org/Net/LDAP.html#method-c-new
+ldap_connection:
+  host: ldapserver
+  port: 389
+  auth:
+    method: :simple
+    username: CN=username,OU=!Serviceaccounts,OU=company,DC=company,DC=de
+    password: secret
+
+# Search parameters for LDAP users which should be synchronized
+ldap_users:
+  base: OU=company,DC=company,DC=prod
+  # LDAP filter (according to RFC 2254)
+  # defines to users in LDAP to be synchronized
+  filter: (&(objectClass=person)(objectClass=organizationalPerson)(givenName=*)(sn=*)(sAMAccountName=*))
+  # this attribute is used as PG role name
+  name_attribute: sAMAccountName
+
+# Search parameters for LDAP groups which should be synchronized
+ldap_groups:
+  base: OU=company,DC=company,DC=prod
+  filter: (cn=company.*)
+  # this attribute is used as PG role name
+  name_attribute: cn
+  # this attribute must reference to all member DN's of the given group
+  member_attribute: member
+
+# Connection parameters to PostgreSQL server
+# see also: http://rubydoc.info/gems/pg/0.11.0/PGconn#initialize-instance_method
+pg_connection:
+  host:
+  dbname: postgres
+  user:
+  password:
+
+pg_users:
+  # Filter for identifying LDAP generated users in the database.
+  # It's the WHERE-condition to "SELECT rolname, oid FROM pg_roles"
+  filter: oid IN (SELECT pam.member FROM pg_auth_members pam JOIN pg_roles pr ON pr.oid=pam.roleid WHERE pr.rolname='ldap_users')
+  # Options for CREATE RULE statements
+  create_options: LOGIN IN ROLE ldap_users
+
+pg_groups:
+  # Filter for identifying LDAP generated groups in the database.
+  # It's the WHERE-condition to "SELECT rolname, oid FROM pg_roles"
+  filter: oid IN (SELECT pam.member FROM pg_auth_members pam JOIN pg_roles pr ON pr.oid=pam.roleid WHERE pr.rolname='ldap_groups')
+  # Options for CREATE RULE statements
+  create_options: NOLOGIN IN ROLE ldap_groups
+  grant_options:

data/config/schema.yaml

@@ -0,0 +1,62 @@
+type:       map
+mapping:
+  "ldap_connection":
+    type:      any
+    required:  yes
+
+  "ldap_users":
+    type: map
+    required: yes
+    mapping:
+      "base":
+        type: str
+        required:  yes
+      "filter":
+        type: str
+        required:  yes
+      "name_attribute":
+        type: str
+        required:  yes
+
+  "ldap_groups":
+    type: map
+    required: yes
+    mapping:
+      "base":
+        type: str
+        required:  yes
+      "filter":
+        type: str
+        required:  yes
+      "name_attribute":
+        type: str
+        required:  yes
+      "member_attribute":
+        type: str
+        required:  yes
+
+  "pg_connection":
+    type:      any
+    required:  yes
+
+  "pg_users":
+    type: map
+    required: yes
+    mapping:
+      "filter":
+        type: str
+        required:  yes
+      "create_options":
+        type: str
+
+  "pg_groups":
+    type: map
+    required: yes
+    mapping:
+      "filter":
+        type: str
+        required:  yes
+      "create_options":
+        type: str
+      "grant_options":
+        type: str

data/lib/pg_ldap_sync.rb

@@ -0,0 +1,3 @@
+module PgLdapSync
+  VERSION = '0.1.0'
+end

data/lib/pg_ldap_sync/application.rb

@@ -0,0 +1,354 @@
+#!/usr/bin/env ruby
+
+require 'rubygems'
+require 'net/ldap'
+require 'optparse'
+require 'yaml'
+require 'logger'
+require 'kwalify'
+
+begin
+  require 'pg'
+rescue LoadError => e
+  begin
+    require 'postgres'
+    class PGconn
+      alias initialize_before_hash_change initialize
+      def initialize(*args)
+        arg = args.first
+        if args.length==1 && arg.kind_of?(Hash)
+          initialize_before_hash_change(arg[:host], arg[:port], nil, nil, arg[:dbname], arg[:user], arg[:password])
+        else
+          initialize_before_hash_change(*args)
+        end
+      end
+    end
+  rescue LoadError
+    raise e
+  end
+end
+
+require 'pg_ldap_sync'
+
+module PgLdapSync
+class Application
+  class LdapError < RuntimeError; end
+  attr_accessor :config_fname
+  attr_accessor :log
+  attr_accessor :test
+
+  def string_to_symbol(hash)
+    if hash.kind_of?(Hash)
+      return hash.inject({}){|h, v|
+        raise "expected String instead of #{h.inspect}" unless v[0].kind_of?(String)
+        h[v[0].intern] = string_to_symbol(v[1])
+        h
+      }
+    else
+      return hash
+    end
+  end
+
+
+  def validate_config(config, schema, fname)
+    schema = YAML.load_file(schema)
+    validator = Kwalify::Validator.new(schema)
+    errors = validator.validate(config)
+    if errors && !errors.empty?
+      errors.each do |err|
+        log.fatal "error in #{fname}: [#{err.path}] #{err.message}"
+      end
+      exit(-1)
+    end
+  end
+
+  def read_config_file(fname)
+    raise "Config file #{fname.inspect} does not exist" unless File.exist?(fname)
+    config = YAML.load(File.read(fname))
+
+    schema_fname = File.join(File.dirname(__FILE__), '../../config/schema.yaml')
+    validate_config(config, schema_fname, fname)
+
+    @config = string_to_symbol(config)
+  end
+
+  LdapRole = Struct.new :name, :dn, :member_dns
+
+  def search_ldap_users
+    ldap_user_conf = @config[:ldap_users]
+
+    users = []
+    res = @ldap.search(:base => ldap_user_conf[:base], :filter => ldap_user_conf[:filter]) do |entry|
+      name = entry[ldap_user_conf[:name_attribute]].first
+
+      unless name
+        log.warn "user attribute #{ldap_user_conf[:name_attribute].inspect} not defined for #{entry.dn}"
+        next
+      end
+
+      log.info "found user-dn: #{entry.dn}"
+      user = LdapRole.new name, entry.dn
+      users << user
+      entry.each do |attribute, values|
+        log.debug "   #{attribute}:"
+        values.each do |value|
+          log.debug "      --->#{value.inspect}"
+        end
+      end
+    end
+    raise LdapError, "LDAP: #{@ldap.get_operation_result.message}" unless res
+    return users
+  end
+
+  def search_ldap_groups
+    ldap_group_conf = @config[:ldap_groups]
+
+    groups = []
+    res = @ldap.search(:base => ldap_group_conf[:base], :filter => ldap_group_conf[:filter]) do |entry|
+      name = entry[ldap_group_conf[:name_attribute]].first
+
+      unless name
+        log.warn "user attribute #{ldap_group_conf[:name_attribute].inspect} not defined for #{entry.dn}"
+        next
+      end
+
+      log.info "found group-dn: #{entry.dn}"
+      group = LdapRole.new name, entry.dn, entry[ldap_group_conf[:member_attribute]]
+      groups << group
+      entry.each do |attribute, values|
+        log.debug "   #{attribute}:"
+        values.each do |value|
+          log.debug "      --->#{value.inspect}"
+        end
+      end
+    end
+    raise LdapError, "LDAP: #{@ldap.get_operation_result.message}" unless res
+    return groups
+  end
+
+  PgRole = Struct.new :name, :member_names
+
+  def search_pg_users
+    pg_users_conf = @config[:pg_users]
+
+    users = []
+    res = pg_exec "SELECT rolname FROM pg_roles WHERE #{pg_users_conf[:filter]}"
+    res.each do |tuple|
+      user = PgRole.new tuple[0]
+      log.info{ "found pg-user: #{user.name.inspect}"}
+      users << user
+    end
+    return users
+  end
+
+  def search_pg_groups
+    pg_groups_conf = @config[:pg_groups]
+
+    groups = []
+    res = pg_exec "SELECT rolname, oid FROM pg_roles WHERE #{pg_groups_conf[:filter]}"
+    res.each do |tuple|
+      res2 = pg_exec "SELECT pr.rolname FROM pg_auth_members pam JOIN pg_roles pr ON pr.oid=pam.member WHERE pam.roleid=#{PGconn.escape(tuple[1])}"
+      member_names = res2.map{|row| row[0] }
+      group = PgRole.new tuple[0], member_names
+      log.info{ "found pg-group: #{group.name.inspect} with members: #{member_names.inspect}"}
+      groups << group
+    end
+    return groups
+  end
+
+  def uniq_names(list)
+    names = {}
+    new_list = list.select do |entry|
+      name = entry.name
+      if names[name]
+        log.warn{ "duplicated group/user #{name.inspect} (#{entry.inspect})" }
+        next false
+      else
+        names[name] = true
+        next true
+      end
+    end
+    return new_list
+  end
+
+  MatchedRole = Struct.new :ldap, :pg, :name, :state, :type
+
+  def match_roles(ldaps, pgs, type)
+    ldap_by_name = ldaps.inject({}){|h,u| h[u.name] = u; h }
+    pg_by_name = pgs.inject({}){|h,u| h[u.name] = u; h }
+
+    roles = []
+    ldaps.each do |ld|
+      pg = pg_by_name[ld.name]
+      role = MatchedRole.new ld, pg, ld.name
+      roles << role
+    end
+    pgs.each do |pg|
+      ld = ldap_by_name[pg.name]
+      next if ld
+      role = MatchedRole.new ld, pg, pg.name
+      roles << role
+    end
+
+    roles.each do |r|
+      r.state = case
+        when r.ldap && !r.pg then :create
+        when !r.ldap && r.pg then :drop
+        when r.pg && r.ldap then :keep
+        else raise "invalid user #{r.inspect}"
+      end
+      r.type = type
+    end
+
+    log.info{
+      roles.each do |role|
+        log.debug{ "#{role.state} #{role.type}: #{role.name}" }
+      end
+      "#{type} stat: create: #{roles.count{|r| r.state==:create }} drop: #{roles.count{|r| r.state==:drop }} keep: #{roles.count{|r| r.state==:keep }}"
+    }
+    return roles
+  end
+
+  def pg_exec_modify(sql)
+    log.info{ "SQL: #{sql}" }
+    unless self.test
+      res = @pgconn.exec sql
+    end
+  end
+
+  def pg_exec(sql)
+    res = @pgconn.exec sql
+    (0...res.num_tuples).map{|t| (0...res.num_fields).map{|i| res.getvalue(t, i) } }
+  end
+
+  def create_pg_role(role)
+    pg_conf = @config[role.type==:user ? :pg_users : :pg_groups]
+    pg_exec_modify "CREATE ROLE \"#{role.name}\" #{pg_conf[:create_options]}"
+  end
+
+  def drop_pg_role(role)
+    pg_exec_modify "DROP ROLE \"#{role.name}\""
+  end
+
+  def sync_roles_to_pg(roles, for_state)
+    roles.sort{|a,b| a.name<=>b.name }.each do |role|
+      create_pg_role(role) if role.state==:create && for_state==:create
+      drop_pg_role(role) if role.state==:drop && for_state==:drop
+    end
+  end
+
+  MatchedMembership = Struct.new :role_name, :has_member, :state
+
+  def match_memberships(ldap_roles, pg_roles)
+    ldap_by_dn = ldap_roles.inject({}){|h,r| h[r.dn] = r; h }
+    ldap_by_m2m = ldap_roles.inject([]){|a,r|
+      next a unless r.member_dns
+      a + r.member_dns.map{|dn|
+        if has_member=ldap_by_dn[dn]
+          [r.name, has_member.name]
+        else
+          log.warn{"ldap member with dn #{dn} is unknown"}
+          nil
+        end
+      }.compact
+    }
+
+    pg_by_name = pg_roles.inject({}){|h,r| h[r.name] = r; h }
+    pg_by_m2m = pg_roles.inject([]){|a,r|
+      next a unless r.member_names
+      a + r.member_names.map{|name|
+        if has_member=pg_by_name[name]
+          [r.name, has_member.name]
+        else
+          log.warn{"pg member with name #{name} is unknown"}
+          nil
+        end
+      }.compact
+    }
+
+    memberships  = (ldap_by_m2m & pg_by_m2m).map{|r,mo| MatchedMembership.new r, mo, :keep }
+    memberships += (ldap_by_m2m - pg_by_m2m).map{|r,mo| MatchedMembership.new r, mo, :grant }
+    memberships += (pg_by_m2m - ldap_by_m2m).map{|r,mo| MatchedMembership.new r, mo, :revoke }
+
+    log.info{
+      memberships.each do |membership|
+        log.debug{ "#{membership.state} #{membership.role_name} to #{membership.has_member}" }
+      end
+      "membership stat: grant: #{memberships.count{|u| u.state==:grant }} revoke: #{memberships.count{|u| u.state==:revoke }} keep: #{memberships.count{|u| u.state==:keep }}"
+    }
+    return memberships
+  end
+
+  def grant_membership(role_name, add_members)
+    pg_conf = @config[:pg_groups]
+    add_members_escaped = add_members.map{|m| "\"#{m}\"" }.join(",")
+    pg_exec_modify "GRANT \"#{role_name}\" TO #{add_members_escaped} #{pg_conf[:grant_options]}"
+  end
+
+  def revoke_membership(role_name, rm_members)
+    rm_members_escaped = rm_members.map{|m| "\"#{m}\"" }.join(",")
+    pg_exec_modify "REVOKE \"#{role_name}\" FROM #{rm_members_escaped}"
+  end
+
+  def sync_membership_to_pg(memberships, for_state)
+    grants = {}
+    memberships.select{|ms| ms.state==for_state }.each do |ms|
+      grants[ms.role_name] ||= []
+      grants[ms.role_name] << ms.has_member
+    end
+
+    grants.each do |role_name, members|
+      grant_membership(role_name, members) if for_state==:grant
+      revoke_membership(role_name, members) if for_state==:revoke
+    end
+  end
+
+  def start!
+    read_config_file(@config_fname)
+
+    # gather LDAP users and groups
+    @ldap = Net::LDAP.new @config[:ldap_connection]
+    ldap_users = uniq_names search_ldap_users
+    ldap_groups = uniq_names search_ldap_groups
+
+    # gather PGs users and groups
+    @pgconn = PGconn.connect @config[:pg_connection]
+    pg_users = uniq_names search_pg_users
+    pg_groups = uniq_names search_pg_groups
+
+    # compare LDAP to PG users and groups
+    mroles = match_roles(ldap_users, pg_users, :user)
+    mroles += match_roles(ldap_groups, pg_groups, :group)
+
+    # compare LDAP to PG memberships
+    mmemberships = match_memberships(ldap_users+ldap_groups, pg_users+pg_groups)
+
+    # drop/revoke roles/memberships first
+    sync_membership_to_pg(mmemberships, :revoke)
+    sync_roles_to_pg(mroles, :drop)
+    # create/grant roles/memberships
+    sync_roles_to_pg(mroles, :create)
+    sync_membership_to_pg(mmemberships, :grant)
+
+    @pgconn.close
+  end
+
+  def self.run(argv)
+    s = self.new
+    s.config_fname = '/etc/pg_ldap_sync.yaml'
+    s.log = Logger.new(STDOUT)
+    s.log.level = Logger::ERROR
+
+    OptionParser.new do |opts|
+      opts.banner = "Usage: #{$0} [options]"
+      opts.on("-v", "--[no-]verbose", "Increase verbose level"){ s.log.level-=1 }
+      opts.on("-c", "--config FILE", "Config file [#{s.config_fname}]", &s.method(:config_fname=))
+      opts.on("-t", "--[no-]test", "Don't do any change in the database", &s.method(:test=))
+
+      opts.parse!(argv)
+    end
+
+    s.start!
+  end
+end
+end

data/test/fixtures/config-ldapdb.yaml

@@ -0,0 +1,32 @@
+---
+ldap_connection:
+  host: localhost
+  port: 1389
+
+ldap_users:
+  base: dc=example,dc=com
+  filter: (&(cn=*)(sAMAccountName=*))
+  name_attribute: sAMAccountName
+
+ldap_groups:
+  base: dc=example,dc=com
+  filter: (member=*)
+  name_attribute: cn
+  member_attribute: member
+
+pg_connection:
+  dbname: postgres
+# needed for postgres-pr:
+#   host: localhost
+#   port: 54321
+#   user: insert_your_username_here
+#   password:
+
+pg_users:
+  filter: rolcanlogin AND NOT rolsuper
+  create_options: LOGIN
+
+pg_groups:
+  filter: NOT rolcanlogin
+  create_options: NOLOGIN
+  grant_options:

data/test/fixtures/ldapdb.yaml

@@ -0,0 +1,38 @@
+---
+dc=example,dc=com:
+  cn:
+  - Top object
+cn=Fred Flintstone,dc=example,dc=com:
+  cn:
+  - Fred Flintstone
+  mail:
+  - fred@bedrock.org
+  - fred.flintstone@bedrock.org
+  sn:
+  - Flintstone
+  sAMAccountName:
+  - fred
+cn=Wilma Flintstone,dc=example,dc=com:
+  cn:
+  - Wilma Flintstone
+  mail:
+  - wilma@bedrock.org
+  sAMAccountName:
+  - wilma
+cn=Flintstones,dc=example,dc=com:
+  cn:
+  - Flintstones
+  member:
+  - cn=Fred Flintstone,dc=example,dc=com
+  - cn=Wilma Flintstone,dc=example,dc=com
+cn=Wilmas,dc=example,dc=com:
+  cn:
+  - Wilmas
+  member:
+  - cn=Wilma Flintstone,dc=example,dc=com
+cn=All Users,dc=example,dc=com:
+  cn:
+  - All Users
+  member:
+  - cn=Wilmas,dc=example,dc=com
+  - cn=Fred Flintstone,dc=example,dc=com

data/test/ldap_server.rb

@@ -0,0 +1,41 @@
+#!/usr/local/bin/ruby -w
+
+# This is a trivial LDAP server which just stores directory entries in RAM.
+# It does no validation or authentication. This is intended just to
+# demonstrate the API, it's not for real-world use!!
+
+require 'rubygems'
+require 'ldap/server'
+
+# We subclass the Operation class, overriding the methods to do what we need
+
+class HashOperation < LDAP::Server::Operation
+  def initialize(connection, messageID, hash)
+    super(connection, messageID)
+    @hash = hash   # an object reference to our directory data
+  end
+
+  def search(basedn, scope, deref, filter)
+    basedn.downcase!
+
+    case scope
+    when LDAP::Server::BaseObject
+      # client asked for single object by DN
+      obj = @hash[basedn]
+      raise LDAP::ResultError::NoSuchObject unless obj
+      send_SearchResultEntry(basedn, obj) if LDAP::Server::Filter.run(filter, obj)
+
+    when LDAP::Server::WholeSubtree
+      @hash.each do |dn, av|
+        next unless dn.index(basedn, -basedn.length)    # under basedn?
+        next unless LDAP::Server::Filter.run(filter, av)  # attribute filter?
+        send_SearchResultEntry(dn, av)
+      end
+
+    else
+      raise LDAP::ResultError::UnwillingToPerform, "OneLevel not implemented"
+
+    end
+  end
+end
+

data/test/test_pg_ldap_sync.rb

@@ -0,0 +1,112 @@
+#!/usr/bin/env ruby
+
+require "test/unit"
+require "pg_ldap_sync/application"
+require 'yaml'
+require 'test/ldap_server'
+require 'fileutils'
+
+class TestPgLdapSync < Test::Unit::TestCase
+  def log_and_run( *cmd )
+    puts cmd.join(' ')
+    system( *cmd )
+    raise "Command failed: [%s]" % [cmd.join(' ')] unless $?.success?
+  end
+
+  def start_ldap_server
+    yaml_fname = File.join(File.dirname(__FILE__), "fixtures/ldapdb.yaml")
+    @directory = File.open(yaml_fname){|f| YAML::load(f.read) }
+
+    # Listen for incoming LDAP connections. For each one, create a Connection
+    # object, which will invoke a HashOperation object for each request.
+
+    @ldap_server = LDAP::Server.new(
+      :port     => 1389,
+      :nodelay    => true,
+      :listen     => 10,
+    # :ssl_key_file   => "key.pem",
+    # :ssl_cert_file    => "cert.pem",
+    # :ssl_on_connect   => true,
+      :operation_class  => HashOperation,
+      :operation_args   => [@directory]
+    )
+    @ldap_server.run_tcpserver
+  end
+
+  def stop_ldap_server
+    @ldap_server.stop
+  end
+
+  def start_pg_server
+    @port = 54321
+    ENV['PGPORT'] = @port.to_s
+    ENV['PGHOST'] = 'localhost'
+    unless File.exist?('temp/pg_data')
+      FileUtils.mkdir_p 'temp/pg_data'
+      log_and_run 'initdb', '-D', 'temp/pg_data'
+    end
+    log_and_run 'pg_ctl', '-w', '-o', "-k.", '-D', 'temp/pg_data', 'start'
+    log_and_run 'psql', '-e', '-c', "DROP ROLE IF EXISTS fred, wilma, \"Flintstones\", \"Wilmas\", \"All Users\"", 'postgres'
+  end
+
+  def stop_pg_server
+    log_and_run 'pg_ctl', '-w', '-o', "-k.", '-D', 'temp/pg_data', 'stop'
+  end
+
+  def setup
+    start_ldap_server
+    start_pg_server
+  end
+
+  def teardown
+    stop_ldap_server
+    stop_pg_server
+  end
+
+  def psqlre(*args)
+    /^\s*#{args[0]}[ |]*#{args[1]}[ |\{"]*#{args[2..-1].join('[", ]+')}["\}\s]*$/
+  end
+
+  def test_sanity
+    PgLdapSync::Application.run(%w[-c test/fixtures/config-ldapdb.yaml -vv])
+
+    ENV['LC_MESSAGES'] = 'C'
+    psql_du = `psql -c \\\\du postgres`
+    puts psql_du
+
+    assert_match(psqlre('All Users','Cannot login'), psql_du)
+    assert_match(psqlre('Flintstones','Cannot login'), psql_du)
+    assert_match(psqlre('Wilmas','Cannot login','All Users'), psql_du)
+    assert_match(psqlre('fred','','All Users','Flintstones'), psql_du)
+    assert_match(psqlre('wilma','','Flintstones','Wilmas'), psql_du)
+
+    # revoke membership of 'wilma' to 'Flintstones'
+    @directory['cn=Flintstones,dc=example,dc=com']['member'].pop
+
+    PgLdapSync::Application.run(%w[-c test/fixtures/config-ldapdb.yaml -vv])
+    psql_du = `psql -c \\\\du postgres`
+    puts psql_du
+
+    assert_match(psqlre('All Users','Cannot login'), psql_du)
+    assert_match(psqlre('Flintstones','Cannot login'), psql_du)
+    assert_match(psqlre('Wilmas','Cannot login','All Users'), psql_du)
+    assert_match(psqlre('fred','','All Users','Flintstones'), psql_du)
+    assert_match(psqlre('wilma','','Wilmas'), psql_du)
+
+    # rename role 'wilma'
+    @directory['cn=Wilma Flintstone,dc=example,dc=com']['sAMAccountName'] = ['Wilma Flintstone']
+    # re-add 'Wilma' to 'Flintstones'
+    @directory['cn=Flintstones,dc=example,dc=com']['member'] << 'cn=Wilma Flintstone,dc=example,dc=com'
+
+    PgLdapSync::Application.run(%w[-c test/fixtures/config-ldapdb.yaml -vv])
+    psql_du = `psql -c \\\\du postgres`
+    puts psql_du
+
+    assert_match(psqlre('All Users','Cannot login'), psql_du)
+    assert_match(psqlre('Flintstones','Cannot login'), psql_du)
+    assert_match(psqlre('Wilmas','Cannot login','All Users'), psql_du)
+    assert_match(psqlre('fred','','All Users','Flintstones'), psql_du)
+    assert_no_match(/wilma/, psql_du)
+    assert_match(psqlre('Wilma Flintstone','','Flintstones','Wilmas'), psql_du)
+  end
+end

metadata

@@ -0,0 +1,160 @@
+--- !ruby/object:Gem::Specification 
+name: pg-ldap-sync
+version: !ruby/object:Gem::Version 
+  hash: 27
+  prerelease: false
+  segments: 
+  - 0
+  - 1
+  - 0
+  version: 0.1.0
+platform: ruby
+authors: 
+- Lars Kanis
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2011-07-13 00:00:00 +02:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: net-ldap
+  prerelease: false
+  requirement: &id001 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 15
+        segments: 
+        - 0
+        - 2
+        version: "0.2"
+  type: :runtime
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency 
+  name: kwalify
+  prerelease: false
+  requirement: &id002 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 5
+        segments: 
+        - 0
+        - 7
+        version: "0.7"
+  type: :runtime
+  version_requirements: *id002
+- !ruby/object:Gem::Dependency 
+  name: ruby-ldapserver
+  prerelease: false
+  requirement: &id003 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 13
+        segments: 
+        - 0
+        - 3
+        version: "0.3"
+  type: :development
+  version_requirements: *id003
+- !ruby/object:Gem::Dependency 
+  name: hoe
+  prerelease: false
+  requirement: &id004 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 47
+        segments: 
+        - 2
+        - 8
+        - 0
+        version: 2.8.0
+  type: :development
+  version_requirements: *id004
+description: |-
+  LDAP is often used to do a centralized user and role management
+  in an enterprise environment. PostgreSQL offers different
+  authentication methods, like LDAP, SSPI, GSSAPI or SSL.
+  However, for any method the user must already exist in the database,
+  before the authentication can be used. There is currently
+  no authorization of database users directly based on LDAP.
+  
+  This program helps to solve the issue by synchronizing users,
+  groups and their memberships from LDAP to PostgreSQL.
+  Access to LDAP is read-only. <tt>pg_ldap_sync</tt> issues proper
+  CREATE ROLE, DROP ROLE, GRANT and REVOKE commands to synchronize
+  users and groups.
+  
+  It is meant to be started as a cron job.
+email: 
+- kanis@comcard.de
+executables: 
+- pg_ldap_sync
+extensions: []
+
+extra_rdoc_files: 
+- History.txt
+- Manifest.txt
+- README.rdoc
+files: 
+- .autotest
+- History.txt
+- Manifest.txt
+- README.rdoc
+- Rakefile
+- bin/pg_ldap_sync
+- config/sample-config.yaml
+- config/sample-config2.yaml
+- config/schema.yaml
+- lib/pg_ldap_sync.rb
+- lib/pg_ldap_sync/application.rb
+- test/fixtures/config-ldapdb.yaml
+- test/fixtures/ldapdb.yaml
+- test/ldap_server.rb
+- test/test_pg_ldap_sync.rb
+has_rdoc: true
+homepage: http://github.com/larskanis/pg-ldap-sync
+licenses: []
+
+post_install_message: 
+rdoc_options: 
+- --main
+- README.rdoc
+- --charset=UTF-8
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+requirements: []
+
+rubyforge_project: pg-ldap-sync
+rubygems_version: 1.3.7
+signing_key: 
+specification_version: 3
+summary: LDAP is often used to do a centralized user and role management in an enterprise environment
+test_files: 
+- test/test_pg_ldap_sync.rb