pg-ldap-sync 0.1.0 → 0.1.1

data/History.txt

@@ -1,3 +1,7 @@
+=== 0.1.1 / 2012-11-15
+
+* Add ability to lowercase the LDAP name for use as PG role name
+
 === 0.1.0 / 2011-07-13
 
 * Birthday!

data/README.rdoc

@@ -4,16 +4,17 @@
 
 == DESCRIPTION:
 
-LDAP is often used to do a centralized user and role management
+LDAP is often used for a centralized user and role management
 in an enterprise environment. PostgreSQL offers different
 authentication methods, like LDAP, SSPI, GSSAPI or SSL.
 However, for any method the user must already exist in the database,
 before the authentication can be used. There is currently
-no authorization of database users directly based on LDAP.
+no direct authorization of database users on LDAP. So roles
+and memberships has to be administered twice.
 
 This program helps to solve the issue by synchronizing users,
 groups and their memberships from LDAP to PostgreSQL.
-Access to LDAP is read-only. <tt>pg_ldap_sync</tt> issues proper
+Access to LDAP is used read-only. <tt>pg_ldap_sync</tt> issues proper
 CREATE ROLE, DROP ROLE, GRANT and REVOKE commands to synchronize
 users and groups.
 
@@ -24,13 +25,17 @@ It is meant to be started as a cron job.
 * Configurable per YAML config file
 * Can use Active Directory as LDAP-Server
 * Nested groups/roles supported
+* Set scope of considered users/groups on LDAP and PG side
 * Runs with pg.gem (C-library) or postgres-pr.gem (pure Ruby)
 * Test mode which doesn't do any changes to the DBMS
+* Both LDAP and PG connections can be secured by SSL/TLS
 
 == REQUIREMENTS:
 
-* Installed Ruby and rubygems
-* LDAP- and PostgreSQL-Server
+* Ruby-1.8.7, Ruby-1.9.2, JRuby-1.2, Rubinius-1.2 or better
+* Rubygems-1.3.5+
+* LDAP-v3 server
+* PostgreSQL-server v8.1+
 
 == INSTALL:
 

data/config/sample-config.yaml

@@ -31,7 +31,7 @@ ldap_groups:
   member_attribute: member
 
 # Connection parameters to PostgreSQL server
-# see also: http://rubydoc.info/gems/pg/0.11.0/PGconn#initialize-instance_method
+# see also: http://rubydoc.info/gems/pg/PG/Connection#initialize-instance_method
 pg_connection:
   host:
   dbname: postgres

data/config/sample-config2.yaml

@@ -1,6 +1,7 @@
 # With this sample config the distinction between LDAP-synchronized
 # groups/users from is done by the membership to ldap_user and
-# ldap_group. These two roles has to be defined manally.
+# ldap_group. These two roles has to be defined manally before
+# pg_ldap_sync can run.
 
 # Connection parameters to LDAP server
 # see also: http://net-ldap.rubyforge.org/Net/LDAP.html#method-c-new
@@ -20,6 +21,8 @@ ldap_users:
   filter: (&(objectClass=person)(objectClass=organizationalPerson)(givenName=*)(sn=*)(sAMAccountName=*))
   # this attribute is used as PG role name
   name_attribute: sAMAccountName
+  # lowercase name for use as PG role name
+  lowercase_name: true
 
 # Search parameters for LDAP groups which should be synchronized
 ldap_groups:
@@ -27,11 +30,13 @@ ldap_groups:
   filter: (cn=company.*)
   # this attribute is used as PG role name
   name_attribute: cn
+  # lowercase name for use as PG role name
+  lowercase_name: false
   # this attribute must reference to all member DN's of the given group
   member_attribute: member
 
 # Connection parameters to PostgreSQL server
-# see also: http://rubydoc.info/gems/pg/0.11.0/PGconn#initialize-instance_method
+# see also: http://rubydoc.info/gems/pg/PG/Connection#initialize-instance_method
 pg_connection:
   host:
   dbname: postgres

data/config/schema.yaml

@@ -17,6 +17,9 @@ mapping:
       "name_attribute":
         type: str
         required:  yes
+      "lowercase_name":
+        type: bool
+        required:  no
 
   "ldap_groups":
     type: map
@@ -31,6 +34,9 @@ mapping:
       "name_attribute":
         type: str
         required:  yes
+      "lowercase_name":
+        type: bool
+        required:  no
       "member_attribute":
         type: str
         required:  yes

data/lib/pg_ldap_sync.rb

@@ -1,3 +1,3 @@
 module PgLdapSync
-  VERSION = '0.1.0'
+  VERSION = '0.1.1'
 end

data/lib/pg_ldap_sync/application.rb

@@ -85,6 +85,7 @@ class Application
         log.warn "user attribute #{ldap_user_conf[:name_attribute].inspect} not defined for #{entry.dn}"
         next
       end
+      name.downcase! if ldap_user_conf[:lowercase_name]
 
       log.info "found user-dn: #{entry.dn}"
       user = LdapRole.new name, entry.dn
@@ -111,6 +112,7 @@ class Application
         log.warn "user attribute #{ldap_group_conf[:name_attribute].inspect} not defined for #{entry.dn}"
         next
       end
+      name.downcase! if ldap_group_conf[:lowercase_name]
 
       log.info "found group-dn: #{entry.dn}"
       group = LdapRole.new name, entry.dn, entry[ldap_group_conf[:member_attribute]]

data/test/fixtures/config-ldapdb.yaml

@@ -16,9 +16,9 @@ ldap_groups:
 
 pg_connection:
   dbname: postgres
+  host: localhost
+  port: 54321
 # needed for postgres-pr:
-#   host: localhost
-#   port: 54321
 #   user: insert_your_username_here
 #   password:
 

data/test/test_pg_ldap_sync.rb

@@ -41,9 +41,9 @@ class TestPgLdapSync < Test::Unit::TestCase
     @port = 54321
     ENV['PGPORT'] = @port.to_s
     ENV['PGHOST'] = 'localhost'
-    unless File.exist?('temp/pg_data')
+    unless File.exist?('temp/pg_data/PG_VERSION')
       FileUtils.mkdir_p 'temp/pg_data'
-      log_and_run 'initdb', '-D', 'temp/pg_data'
+      log_and_run 'initdb', '-D', 'temp/pg_data', '--no-locale'
     end
     log_and_run 'pg_ctl', '-w', '-o', "-k.", '-D', 'temp/pg_data', 'start'
     log_and_run 'psql', '-e', '-c', "DROP ROLE IF EXISTS fred, wilma, \"Flintstones\", \"Wilmas\", \"All Users\"", 'postgres'
@@ -66,13 +66,22 @@ class TestPgLdapSync < Test::Unit::TestCase
   def psqlre(*args)
     /^\s*#{args[0]}[ |]*#{args[1]}[ |\{"]*#{args[2..-1].join('[", ]+')}["\}\s]*$/
   end
+  
+  def exec_psql_du
+    text = if RUBY_PLATFORM=~/mingw|mswin/
+      `psql -c \\du postgres`
+    else
+      `psql -c \\\\du postgres`
+    end
+    puts text
+    return text
+  end
 
   def test_sanity
     PgLdapSync::Application.run(%w[-c test/fixtures/config-ldapdb.yaml -vv])
 
     ENV['LC_MESSAGES'] = 'C'
-    psql_du = `psql -c \\\\du postgres`
-    puts psql_du
+    psql_du = exec_psql_du
 
     assert_match(psqlre('All Users','Cannot login'), psql_du)
     assert_match(psqlre('Flintstones','Cannot login'), psql_du)
@@ -84,8 +93,7 @@ class TestPgLdapSync < Test::Unit::TestCase
     @directory['cn=Flintstones,dc=example,dc=com']['member'].pop
 
     PgLdapSync::Application.run(%w[-c test/fixtures/config-ldapdb.yaml -vv])
-    psql_du = `psql -c \\\\du postgres`
-    puts psql_du
+    psql_du = exec_psql_du
 
     assert_match(psqlre('All Users','Cannot login'), psql_du)
     assert_match(psqlre('Flintstones','Cannot login'), psql_du)
@@ -99,8 +107,7 @@ class TestPgLdapSync < Test::Unit::TestCase
     @directory['cn=Flintstones,dc=example,dc=com']['member'] << 'cn=Wilma Flintstone,dc=example,dc=com'
 
     PgLdapSync::Application.run(%w[-c test/fixtures/config-ldapdb.yaml -vv])
-    psql_du = `psql -c \\\\du postgres`
-    puts psql_du
+    psql_du = exec_psql_du
 
     assert_match(psqlre('All Users','Cannot login'), psql_du)
     assert_match(psqlre('Flintstones','Cannot login'), psql_du)

metadata

@@ -1,110 +1,108 @@
---- !ruby/object:Gem::Specification 
+--- !ruby/object:Gem::Specification
 name: pg-ldap-sync
-version: !ruby/object:Gem::Version 
-  hash: 27
-  prerelease: false
-  segments: 
-  - 0
-  - 1
-  - 0
-  version: 0.1.0
+version: !ruby/object:Gem::Version
+  version: 0.1.1
+  prerelease: 
 platform: ruby
-authors: 
+authors:
 - Lars Kanis
 autorequire: 
 bindir: bin
 cert_chain: []
-
-date: 2011-07-13 00:00:00 +02:00
-default_executable: 
-dependencies: 
-- !ruby/object:Gem::Dependency 
+date: 2012-11-15 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
   name: net-ldap
-  prerelease: false
-  requirement: &id001 !ruby/object:Gem::Requirement 
+  requirement: &9786620 !ruby/object:Gem::Requirement
     none: false
-    requirements: 
-    - - ">="
-      - !ruby/object:Gem::Version 
-        hash: 15
-        segments: 
-        - 0
-        - 2
-        version: "0.2"
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0.2'
   type: :runtime
-  version_requirements: *id001
-- !ruby/object:Gem::Dependency 
-  name: kwalify
   prerelease: false
-  requirement: &id002 !ruby/object:Gem::Requirement 
+  version_requirements: *9786620
+- !ruby/object:Gem::Dependency
+  name: kwalify
+  requirement: &9783100 !ruby/object:Gem::Requirement
     none: false
-    requirements: 
-    - - ">="
-      - !ruby/object:Gem::Version 
-        hash: 5
-        segments: 
-        - 0
-        - 7
-        version: "0.7"
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0.7'
   type: :runtime
-  version_requirements: *id002
-- !ruby/object:Gem::Dependency 
-  name: ruby-ldapserver
   prerelease: false
-  requirement: &id003 !ruby/object:Gem::Requirement 
+  version_requirements: *9783100
+- !ruby/object:Gem::Dependency
+  name: rdoc
+  requirement: &9781660 !ruby/object:Gem::Requirement
     none: false
-    requirements: 
-    - - ">="
-      - !ruby/object:Gem::Version 
-        hash: 13
-        segments: 
-        - 0
-        - 3
-        version: "0.3"
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '3.10'
   type: :development
-  version_requirements: *id003
-- !ruby/object:Gem::Dependency 
-  name: hoe
   prerelease: false
-  requirement: &id004 !ruby/object:Gem::Requirement 
+  version_requirements: *9781660
+- !ruby/object:Gem::Dependency
+  name: ruby-ldapserver
+  requirement: &9805140 !ruby/object:Gem::Requirement
     none: false
-    requirements: 
-    - - ">="
-      - !ruby/object:Gem::Version 
-        hash: 47
-        segments: 
-        - 2
-        - 8
-        - 0
-        version: 2.8.0
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0.3'
   type: :development
-  version_requirements: *id004
-description: |-
-  LDAP is often used to do a centralized user and role management
+  prerelease: false
+  version_requirements: *9805140
+- !ruby/object:Gem::Dependency
+  name: hoe
+  requirement: &9803940 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: *9803940
+description: ! 'LDAP is often used for a centralized user and role management
+
   in an enterprise environment. PostgreSQL offers different
+
   authentication methods, like LDAP, SSPI, GSSAPI or SSL.
+
   However, for any method the user must already exist in the database,
+
   before the authentication can be used. There is currently
-  no authorization of database users directly based on LDAP.
-  
+
+  no direct authorization of database users on LDAP. So roles
+
+  and memberships has to be administered twice.
+
+
   This program helps to solve the issue by synchronizing users,
+
   groups and their memberships from LDAP to PostgreSQL.
-  Access to LDAP is read-only. <tt>pg_ldap_sync</tt> issues proper
+
+  Access to LDAP is used read-only. <tt>pg_ldap_sync</tt> issues proper
+
   CREATE ROLE, DROP ROLE, GRANT and REVOKE commands to synchronize
+
   users and groups.
-  
-  It is meant to be started as a cron job.
-email: 
+
+
+  It is meant to be started as a cron job.'
+email:
 - kanis@comcard.de
-executables: 
+executables:
 - pg_ldap_sync
 extensions: []
-
-extra_rdoc_files: 
+extra_rdoc_files:
 - History.txt
 - Manifest.txt
 - README.rdoc
-files: 
+files:
 - .autotest
 - History.txt
 - Manifest.txt
@@ -120,41 +118,34 @@ files:
 - test/fixtures/ldapdb.yaml
 - test/ldap_server.rb
 - test/test_pg_ldap_sync.rb
-has_rdoc: true
+- .gemtest
 homepage: http://github.com/larskanis/pg-ldap-sync
 licenses: []
-
 post_install_message: 
-rdoc_options: 
+rdoc_options:
 - --main
 - README.rdoc
 - --charset=UTF-8
-require_paths: 
+require_paths:
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement 
+required_ruby_version: !ruby/object:Gem::Requirement
   none: false
-  requirements: 
-  - - ">="
-    - !ruby/object:Gem::Version 
-      hash: 3
-      segments: 
-      - 0
-      version: "0"
-required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
-  requirements: 
-  - - ">="
-    - !ruby/object:Gem::Version 
-      hash: 3
-      segments: 
-      - 0
-      version: "0"
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
 requirements: []
-
 rubyforge_project: pg-ldap-sync
-rubygems_version: 1.3.7
+rubygems_version: 1.8.10
 signing_key: 
 specification_version: 3
-summary: LDAP is often used to do a centralized user and role management in an enterprise environment
-test_files: 
+summary: LDAP is often used for a centralized user and role management in an enterprise
+  environment
+test_files:
 - test/test_pg_ldap_sync.rb