pg-ldap-sync 0.1.1 → 0.2.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 1fb003bb7920f52ed32b13515630a10149a56044c43dae3d131c6d2c5d2b42ba
+  data.tar.gz: 973f117c4b23f726ffba5a0fec75b9388318428da44729076df441c92b6ca618
+SHA512:
+  metadata.gz: 022c17d2bc330f6e07a09339e0e407078af90446faf0651fd1fffb62a8fb6b271acbec0c2e9e7bc9ac608535712be63c88f5cb7ef7b00b5ccc58dc9e878e9ff5
+  data.tar.gz: c992719c0f6dd535db928c92d5c6b7223e6f1268410a13193cbb102ecd56573aaf839e57563439cf08cc9404a7a6ec81595c4787a54784d5494e9b9c0e681c0e

data/.gitignore

@@ -0,0 +1,10 @@
+/.bundle/
+/.yardoc
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+/temp/
+Gemfile.lock

data/.travis.yml

@@ -0,0 +1,17 @@
+sudo: required
+language: ruby
+rvm:
+  - "2.0.0"
+  - ruby-head
+env:
+  - "PGVERSION=10.0-1-linux-x64 PATH=\"/opt/PostgreSQL/10/bin:$PATH\""
+  - "PGVERSION=9.3.19-1-linux-x64 PATH=\"/opt/PostgreSQL/9.3/bin:$PATH\""
+before_install:
+  - gem install bundler
+  - bundle install
+  # Download and install postgresql version to test against in /opt
+  - |
+    wget http://get.enterprisedb.com/postgresql/postgresql-$PGVERSION.run && \
+      chmod +x postgresql-$PGVERSION.run && \
+      sudo ./postgresql-$PGVERSION.run --extract-only 1 --mode unattended
+script: rake test

data/Gemfile

@@ -0,0 +1,4 @@
+source "https://rubygems.org"
+
+# Specify your gem's dependencies in pg_ldap_sync.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2018 Lars Kanis
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,87 @@
+[![Build Status](https://travis-ci.org/larskanis/pg-ldap-sync.svg?branch=master)](https://travis-ci.org/larskanis/pg-ldap-sync) [![Build status](https://ci.appveyor.com/api/projects/status/09xn9q5p64jbxtka/branch/master?svg=true)](https://ci.appveyor.com/project/larskanis/pg-ldap-sync/branch/master)
+
+# Use LDAP permissions in PostgreSQL
+
+* http://github.com/larskanis/pg-ldap-sync
+
+## DESCRIPTION:
+
+LDAP is often used for a centralized user and role management in an enterprise environment.
+PostgreSQL offers different authentication methods, like LDAP, SSPI, GSSAPI or SSL.
+However, for any method the user must already exist in the database, before the authentication can be used.
+There is currently no direct authorization of database users on LDAP.
+So roles and memberships has to be administered twice.
+
+This program helps to solve the issue by synchronizing users, groups and their memberships from LDAP to PostgreSQL.
+Access to LDAP is used read-only.
+`pg_ldap_sync` issues proper CREATE ROLE, DROP ROLE, GRANT and REVOKE commands to synchronize users and groups.
+
+It is meant to be started as a cron job.
+
+## FEATURES:
+
+* Configurable per YAML config file
+* Can use Active Directory as LDAP-Server
+* Nested groups/roles supported
+* Set scope of considered users/groups on LDAP and PG side
+* Runs with pg.gem (C-library) or postgres-pr.gem (pure Ruby)
+* Test mode which doesn't do any changes to the DBMS
+* Both LDAP and PG connections can be secured by SSL/TLS
+
+## REQUIREMENTS:
+
+* Ruby-2.0+, JRuby-1.2, Rubinius-1.2 or better
+* LDAP-v3 server
+* PostgreSQL-server v9.0+
+
+## INSTALL:
+
+Install Ruby:
+
+* on Windows: http://rubyinstaller.org
+* on Debian/Ubuntu: `apt-get install ruby libpq-dev`
+
+Install pg-ldap-sync and required dependencies:
+```sh
+  gem install pg-ldap-sync
+```
+
+### Install from Git:
+```sh
+  git clone https://github.com/larskanis/pg-ldap-sync.git
+  cd pg-ldap-sync
+  bundle
+  rake install
+```
+
+## USAGE:
+
+Create a config file based on
+[config/sample-config.yaml](https://github.com/larskanis/pg-ldap-sync/blob/master/config/sample-config.yaml)
+or even better
+[config/sample-config2.yaml](https://github.com/larskanis/pg-ldap-sync/blob/master/config/sample-config2.yaml)
+
+Run in test-mode:
+```sh
+  pg_ldap_sync -c my_config.yaml -vv -t
+```
+Run in modify-mode:
+```sh
+  pg_ldap_sync -c my_config.yaml -vv
+```
+
+## TEST:
+There is a small test suite in the `test` directory that runs against an internal LDAP server and a PostgreSQL server. Ensure `pg_ctl`, `initdb` and `psql` commands are in the `PATH` like so:
+```sh
+  cd pg-ldap-sync
+  PATH=$PATH:/usr/lib/postgresql/10/bin/ rake test
+```
+
+## ISSUES:
+
+* There is currently no way to set certain user attributes in PG based on individual attributes in LDAP (expiration date etc.)
+
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/Rakefile

@@ -1,18 +1,11 @@
 # -*- ruby -*-
+require "bundler/gem_tasks"
+require "rake/testtask"
 
-require 'rubygems'
-require 'hoe'
-
-Hoe.spec 'pg-ldap-sync' do
-  developer('Lars Kanis', 'kanis@comcard.de')
-
-  extra_deps << ['net-ldap', '>= 0.2']
-  extra_deps << ['kwalify', '>= 0.7']
-  extra_dev_deps << ['ruby-ldapserver', '>= 0.3']
-
-  self.readme_file = 'README.rdoc'
-  spec_extras[:rdoc_options] = ['--main', readme_file, "--charset=UTF-8"]
-  self.extra_rdoc_files << self.readme_file
+Rake::TestTask.new(:test) do |t|
+  t.libs << "test"
+  t.libs << "lib"
+  t.test_files = FileList["test/**/test_*.rb"]
 end
 
-# vim: syntax=ruby
+task :gem => :build

data/appveyor.yml

@@ -0,0 +1,25 @@
+init:
+  - set PATH=C:/Ruby%ruby_version%/bin;c:/Program Files/Git/cmd;c:/Windows/system32;C:/Windows/System32/WindowsPowerShell/v1.0
+  - set RUBYOPT=--verbose
+
+install:
+  - ver
+  - ruby --version
+  - gem --version
+  - gem install bundler --conservative
+  - bundle install
+
+build_script:
+  - set PATH=C:/Program Files/PostgreSQL/%PGVER%/bin;%PATH%
+  - md temp
+  - icacls temp /grant Everyone:(OI)(CI)F /T
+
+test_script:
+  - bundle exec rake test
+
+environment:
+  matrix:
+    - ruby_version: "25-x64"
+      PGVER: 10
+    - ruby_version: "22"
+      PGVER: 10

data/config/sample-config2.yaml

@@ -7,11 +7,13 @@
 # see also: http://net-ldap.rubyforge.org/Net/LDAP.html#method-c-new
 ldap_connection:
   host: ldapserver
-  port: 389
+  port: 636
   auth:
     method: :simple
     username: CN=username,OU=!Serviceaccounts,OU=company,DC=company,DC=de
     password: secret
+  encryption:
+    method: :simple_tls
 
 # Search parameters for LDAP users which should be synchronized
 ldap_users:

data/exe/pg_ldap_sync

@@ -0,0 +1,9 @@
+#!/usr/bin/env ruby
+
+require 'pg_ldap_sync'
+
+begin
+  PgLdapSync::Application.run(ARGV)
+rescue PgLdapSync::ApplicationExit => ex
+  exit ex.exitcode
+end

data/lib/pg_ldap_sync.rb

@@ -1,3 +1,21 @@
+require "pg_ldap_sync/application"
+require "pg_ldap_sync/version"
+
 module PgLdapSync
-  VERSION = '0.1.1'
+  class LdapError < RuntimeError
+  end
+
+  class ApplicationExit < RuntimeError
+    attr_reader :exitcode
+
+    def initialize(exitcode)
+      @exitcode = exitcode
+    end
+  end
+
+  class InvalidConfig < ApplicationExit
+  end
+
+  class ErrorExit < ApplicationExit
+  end
 end

data/lib/pg_ldap_sync/application.rb

@@ -1,38 +1,14 @@
 #!/usr/bin/env ruby
 
-require 'rubygems'
 require 'net/ldap'
 require 'optparse'
 require 'yaml'
-require 'logger'
 require 'kwalify'
-
-begin
-  require 'pg'
-rescue LoadError => e
-  begin
-    require 'postgres'
-    class PGconn
-      alias initialize_before_hash_change initialize
-      def initialize(*args)
-        arg = args.first
-        if args.length==1 && arg.kind_of?(Hash)
-          initialize_before_hash_change(arg[:host], arg[:port], nil, nil, arg[:dbname], arg[:user], arg[:password])
-        else
-          initialize_before_hash_change(*args)
-        end
-      end
-    end
-  rescue LoadError
-    raise e
-  end
-end
-
-require 'pg_ldap_sync'
+require 'pg'
+require "pg_ldap_sync/logger"
 
 module PgLdapSync
 class Application
-  class LdapError < RuntimeError; end
   attr_accessor :config_fname
   attr_accessor :log
   attr_accessor :test
@@ -58,7 +34,7 @@ class Application
       errors.each do |err|
         log.fatal "error in #{fname}: [#{err.path}] #{err.message}"
       end
-      exit(-1)
+      raise InvalidConfig, 78 # EX_CONFIG
     end
   end
 
@@ -130,6 +106,9 @@ class Application
 
   PgRole = Struct.new :name, :member_names
 
+  # List of default roles taken from https://www.postgresql.org/docs/current/static/default-roles.html
+  PG_BUILTIN_ROLES = %w[ pg_signal_backend pg_monitor pg_read_all_settings pg_read_all_stats pg_stat_scan_tables]
+
   def search_pg_users
     pg_users_conf = @config[:pg_users]
 
@@ -137,6 +116,7 @@ class Application
     res = pg_exec "SELECT rolname FROM pg_roles WHERE #{pg_users_conf[:filter]}"
     res.each do |tuple|
       user = PgRole.new tuple[0]
+      next if PG_BUILTIN_ROLES.include?(user.name)
       log.info{ "found pg-user: #{user.name.inspect}"}
       users << user
     end
@@ -149,9 +129,10 @@ class Application
     groups = []
     res = pg_exec "SELECT rolname, oid FROM pg_roles WHERE #{pg_groups_conf[:filter]}"
     res.each do |tuple|
-      res2 = pg_exec "SELECT pr.rolname FROM pg_auth_members pam JOIN pg_roles pr ON pr.oid=pam.member WHERE pam.roleid=#{PGconn.escape(tuple[1])}"
+      res2 = pg_exec "SELECT pr.rolname FROM pg_auth_members pam JOIN pg_roles pr ON pr.oid=pam.member WHERE pam.roleid=#{@pgconn.escape_string(tuple[1])}"
       member_names = res2.map{|row| row[0] }
       group = PgRole.new tuple[0], member_names
+      next if PG_BUILTIN_ROLES.include?(group.name)
       log.info{ "found pg-group: #{group.name.inspect} with members: #{member_names.inspect}"}
       groups << group
     end
@@ -211,10 +192,21 @@ class Application
     return roles
   end
 
+  def try_sql(text)
+    begin
+      @pgconn.exec "SAVEPOINT try_sql;"
+      @pgconn.exec text
+    rescue PG::Error => err
+      @pgconn.exec "ROLLBACK TO try_sql;"
+
+      log.error{ "#{err} (#{err.class})" }
+    end
+  end
+
   def pg_exec_modify(sql)
     log.info{ "SQL: #{sql}" }
     unless self.test
-      res = @pgconn.exec sql
+      try_sql sql
     end
   end
 
@@ -314,36 +306,46 @@ class Application
     ldap_groups = uniq_names search_ldap_groups
 
     # gather PGs users and groups
-    @pgconn = PGconn.connect @config[:pg_connection]
-    pg_users = uniq_names search_pg_users
-    pg_groups = uniq_names search_pg_groups
-
-    # compare LDAP to PG users and groups
-    mroles = match_roles(ldap_users, pg_users, :user)
-    mroles += match_roles(ldap_groups, pg_groups, :group)
-
-    # compare LDAP to PG memberships
-    mmemberships = match_memberships(ldap_users+ldap_groups, pg_users+pg_groups)
-
-    # drop/revoke roles/memberships first
-    sync_membership_to_pg(mmemberships, :revoke)
-    sync_roles_to_pg(mroles, :drop)
-    # create/grant roles/memberships
-    sync_roles_to_pg(mroles, :create)
-    sync_membership_to_pg(mmemberships, :grant)
+    @pgconn = PG.connect @config[:pg_connection]
+    begin
+      @pgconn.transaction do
+        pg_users = uniq_names search_pg_users
+        pg_groups = uniq_names search_pg_groups
+
+        # compare LDAP to PG users and groups
+        mroles = match_roles(ldap_users, pg_users, :user)
+        mroles += match_roles(ldap_groups, pg_groups, :group)
+
+        # compare LDAP to PG memberships
+        mmemberships = match_memberships(ldap_users+ldap_groups, pg_users+pg_groups)
+
+        # drop/revoke roles/memberships first
+        sync_membership_to_pg(mmemberships, :revoke)
+        sync_roles_to_pg(mroles, :drop)
+        # create/grant roles/memberships
+        sync_roles_to_pg(mroles, :create)
+        sync_membership_to_pg(mmemberships, :grant)
+      end
+    ensure
+      @pgconn.close
+    end
 
-    @pgconn.close
+    # Determine exitcode
+    if log.had_errors?
+      raise ErrorExit, 1
+    end
   end
 
   def self.run(argv)
     s = self.new
     s.config_fname = '/etc/pg_ldap_sync.yaml'
-    s.log = Logger.new(STDOUT)
+    s.log = Logger.new($stdout, @error_counters)
     s.log.level = Logger::ERROR
 
     OptionParser.new do |opts|
+      opts.version = VERSION
       opts.banner = "Usage: #{$0} [options]"
-      opts.on("-v", "--[no-]verbose", "Increase verbose level"){ s.log.level-=1 }
+      opts.on("-v", "--[no-]verbose", "Increase verbose level"){|v| s.log.level += v ? -1 : 1 }
       opts.on("-c", "--config FILE", "Config file [#{s.config_fname}]", &s.method(:config_fname=))
       opts.on("-t", "--[no-]test", "Don't do any change in the database", &s.method(:test=))
 

data/lib/pg_ldap_sync/logger.rb

@@ -0,0 +1,24 @@
+require 'logger'
+
+module PgLdapSync
+class Logger < ::Logger
+  def initialize(io, counters)
+    super(io)
+    @counters = {}
+  end
+
+  def add(severity, *args)
+    @counters[severity] ||= 0
+    @counters[severity] += 1
+    super
+  end
+
+  def had_logged?(severity)
+    @counters[severity] && @counters[severity] > 0
+  end
+
+  def had_errors?
+    had_logged?(Logger::FATAL) || had_logged?(Logger::ERROR)
+  end
+end
+end

data/lib/pg_ldap_sync/version.rb

@@ -0,0 +1,3 @@
+module PgLdapSync
+  VERSION = "0.2.0"
+end

data/pg-ldap-sync.gemspec

@@ -0,0 +1,31 @@
+lib = File.expand_path("../lib", __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require "pg_ldap_sync/version"
+
+Gem::Specification.new do |spec|
+  spec.name          = "pg-ldap-sync"
+  spec.version       = PgLdapSync::VERSION
+  spec.authors       = ["Lars Kanis"]
+  spec.email         = ["lars@greiz-reinsdorf.de"]
+
+  spec.summary       = %q{Use LDAP permissions in PostgreSQL}
+  spec.homepage      = "https://github.com/larskanis/pg-ldap-sync"
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files -z`.split("\x0").reject do |f|
+    f.match(%r{^(test|spec|features)/})
+  end
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+  spec.rdoc_options = %w[--main README.md --charset=UTF-8]
+
+  spec.add_runtime_dependency "net-ldap", "~> 0.16"
+  spec.add_runtime_dependency "kwalify", "~> 0.7"
+  spec.add_runtime_dependency "pg", ">= 0.14", "< 2.0"
+  spec.add_development_dependency "ruby-ldapserver", "~> 0.3"
+  spec.add_development_dependency "minitest", "~> 5.0"
+  spec.add_development_dependency "bundler", "~> 1.16"
+  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "minitest-hooks", "~> 1.4"
+end

metadata

@@ -1,151 +1,206 @@
 --- !ruby/object:Gem::Specification
 name: pg-ldap-sync
 version: !ruby/object:Gem::Version
-  version: 0.1.1
-  prerelease: 
+  version: 0.2.0
 platform: ruby
 authors:
 - Lars Kanis
 autorequire: 
-bindir: bin
-cert_chain: []
-date: 2012-11-15 00:00:00.000000000 Z
+bindir: exe
+cert_chain:
+- |
+  -----BEGIN CERTIFICATE-----
+  MIIDLjCCAhagAwIBAgIBBjANBgkqhkiG9w0BAQsFADA9MQ4wDAYDVQQDDAVrYW5p
+  czEXMBUGCgmSJomT8ixkARkWB2NvbWNhcmQxEjAQBgoJkiaJk/IsZAEZFgJkZTAe
+  Fw0xODAzMDUwOTEzNDdaFw0xOTAzMDUwOTEzNDdaMD0xDjAMBgNVBAMMBWthbmlz
+  MRcwFQYKCZImiZPyLGQBGRYHY29tY2FyZDESMBAGCgmSJomT8ixkARkWAmRlMIIB
+  IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApop+rNmg35bzRugZ21VMGqI6
+  HGzPLO4VHYncWn/xmgPU/ZMcZdfj6MzIaZJ/czXyt4eHpBk1r8QOV3gBXnRXEjVW
+  9xi+EdVOkTV2/AVFKThcbTAQGiF/bT1n2M+B1GTybRzMg6hyhOJeGPqIhLfJEpxn
+  lJi4+ENAVT4MpqHEAGB8yFoPC0GqiOHQsdHxQV3P3c2OZqG+yJey74QtwA2tLcLn
+  Q53c63+VLGsOjODl1yPn/2ejyq8qWu6ahfTxiIlSar2UbwtaQGBDFdb2CXgEufXT
+  L7oaPxlmj+Q2oLOfOnInd2Oxop59HoJCQPsg8f921J43NCQGA8VHK6paxIRDLQID
+  AQABozkwNzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIEsDAdBgNVHQ4EFgQUvgTdT7fe
+  x17ugO3IOsjEJwW7KP4wDQYJKoZIhvcNAQELBQADggEBAEr2BqIKipd4rQ++Qmxw
+  TU0prQzjlcDLxhQAX4JgmTMbSg8uO+cSvgsROcHfA1Cpo8VDDkZMoGISmfzmMegL
+  QvZJp0Fr1TpeVxexhZq+MnC6OgqJSBfbhHh6DCMX1QAy8fvNzcmEOwRA5d3BYmWK
+  bM8sBrAJGwrNRimekkTGTpYh5+gpiXm9JY07swwL2tR/faH/17IOXxJQ9sMXHNQU
+  In/Pt5lKfMn+h+Ts8GhM91pEJnfwmBc0ksG8tDXAKAAUWIeizjL73bwtiXXeRRlA
+  KtR70pH8rQHNxC2EvqVpBmRChJgWVMlfQofqhU2QK4s+5h52OHGZqMqCAeJ5taum
+  Lvw=
+  -----END CERTIFICATE-----
+date: 2018-03-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: net-ldap
-  requirement: &9786620 !ruby/object:Gem::Requirement
-    none: false
+  requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.2'
+        version: '0.16'
   type: :runtime
   prerelease: false
-  version_requirements: *9786620
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.16'
 - !ruby/object:Gem::Dependency
   name: kwalify
-  requirement: &9783100 !ruby/object:Gem::Requirement
-    none: false
+  requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '0.7'
   type: :runtime
   prerelease: false
-  version_requirements: *9783100
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.7'
 - !ruby/object:Gem::Dependency
-  name: rdoc
-  requirement: &9781660 !ruby/object:Gem::Requirement
-    none: false
+  name: pg
+  requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '3.10'
-  type: :development
+        version: '0.14'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
   prerelease: false
-  version_requirements: *9781660
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0.14'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: ruby-ldapserver
-  requirement: &9805140 !ruby/object:Gem::Requirement
-    none: false
+  requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '0.3'
   type: :development
   prerelease: false
-  version_requirements: *9805140
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.3'
 - !ruby/object:Gem::Dependency
-  name: hoe
-  requirement: &9803940 !ruby/object:Gem::Requirement
-    none: false
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.0'
+        version: '5.0'
   type: :development
   prerelease: false
-  version_requirements: *9803940
-description: ! 'LDAP is often used for a centralized user and role management
-
-  in an enterprise environment. PostgreSQL offers different
-
-  authentication methods, like LDAP, SSPI, GSSAPI or SSL.
-
-  However, for any method the user must already exist in the database,
-
-  before the authentication can be used. There is currently
-
-  no direct authorization of database users on LDAP. So roles
-
-  and memberships has to be administered twice.
-
-
-  This program helps to solve the issue by synchronizing users,
-
-  groups and their memberships from LDAP to PostgreSQL.
-
-  Access to LDAP is used read-only. <tt>pg_ldap_sync</tt> issues proper
-
-  CREATE ROLE, DROP ROLE, GRANT and REVOKE commands to synchronize
-
-  users and groups.
-
-
-  It is meant to be started as a cron job.'
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.16'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.16'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: minitest-hooks
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.4'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.4'
+description: 
 email:
-- kanis@comcard.de
+- lars@greiz-reinsdorf.de
 executables:
 - pg_ldap_sync
 extensions: []
-extra_rdoc_files:
-- History.txt
-- Manifest.txt
-- README.rdoc
+extra_rdoc_files: []
 files:
-- .autotest
+- ".autotest"
+- ".gitignore"
+- ".travis.yml"
+- Gemfile
 - History.txt
+- LICENSE.txt
 - Manifest.txt
-- README.rdoc
+- README.md
 - Rakefile
-- bin/pg_ldap_sync
+- appveyor.yml
 - config/sample-config.yaml
 - config/sample-config2.yaml
 - config/schema.yaml
+- exe/pg_ldap_sync
 - lib/pg_ldap_sync.rb
 - lib/pg_ldap_sync/application.rb
-- test/fixtures/config-ldapdb.yaml
-- test/fixtures/ldapdb.yaml
-- test/ldap_server.rb
-- test/test_pg_ldap_sync.rb
-- .gemtest
-homepage: http://github.com/larskanis/pg-ldap-sync
-licenses: []
+- lib/pg_ldap_sync/logger.rb
+- lib/pg_ldap_sync/version.rb
+- pg-ldap-sync.gemspec
+homepage: https://github.com/larskanis/pg-ldap-sync
+licenses:
+- MIT
+metadata: {}
 post_install_message: 
 rdoc_options:
-- --main
-- README.rdoc
-- --charset=UTF-8
+- "--main"
+- README.md
+- "--charset=UTF-8"
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: pg-ldap-sync
-rubygems_version: 1.8.10
+rubyforge_project: 
+rubygems_version: 2.7.3
 signing_key: 
-specification_version: 3
-summary: LDAP is often used for a centralized user and role management in an enterprise
-  environment
-test_files:
-- test/test_pg_ldap_sync.rb
+specification_version: 4
+summary: Use LDAP permissions in PostgreSQL
+test_files: []

data/README.rdoc

@@ -1,107 +0,0 @@
-= Use LDAP permissions in PostgreSQL
-
-* http://github.com/larskanis/pg-ldap-sync
-
-== DESCRIPTION:
-
-LDAP is often used for a centralized user and role management
-in an enterprise environment. PostgreSQL offers different
-authentication methods, like LDAP, SSPI, GSSAPI or SSL.
-However, for any method the user must already exist in the database,
-before the authentication can be used. There is currently
-no direct authorization of database users on LDAP. So roles
-and memberships has to be administered twice.
-
-This program helps to solve the issue by synchronizing users,
-groups and their memberships from LDAP to PostgreSQL.
-Access to LDAP is used read-only. <tt>pg_ldap_sync</tt> issues proper
-CREATE ROLE, DROP ROLE, GRANT and REVOKE commands to synchronize
-users and groups.
-
-It is meant to be started as a cron job.
-
-== FEATURES:
-
-* Configurable per YAML config file
-* Can use Active Directory as LDAP-Server
-* Nested groups/roles supported
-* Set scope of considered users/groups on LDAP and PG side
-* Runs with pg.gem (C-library) or postgres-pr.gem (pure Ruby)
-* Test mode which doesn't do any changes to the DBMS
-* Both LDAP and PG connections can be secured by SSL/TLS
-
-== REQUIREMENTS:
-
-* Ruby-1.8.7, Ruby-1.9.2, JRuby-1.2, Rubinius-1.2 or better
-* Rubygems-1.3.5+
-* LDAP-v3 server
-* PostgreSQL-server v8.1+
-
-== INSTALL:
-
-Install Ruby and rubygems:
-* on Windows: http://rubyinstaller.org
-* on Debian/Ubuntu: <tt>apt-get install ruby rubygems</tt>
-
-Install pg-ldap-sync and a database connector for PostgreSQL:
-  gem install pg-ldap-sync pg
-You may also use the pure ruby postgres-connector which is less mature,
-but doesn't need compilation:
-  gem install pg-ldap-sync postgres-pr
-
-=== Install from Git:
-  git clone https://github.com/larskanis/pg-ldap-sync.git
-  cd pg-ldap-sync
-  gem install hoe
-  rake install_gem
-
-== USAGE:
-
-Create a config file based on <tt>config/sample-config.yaml</tt> .
-Run in test-mode:
-
-  pg_ldap_sync -c my_config.yaml -vv -t
-
-Run in modify-mode:
-
-  pg_ldap_sync -c my_config.yaml -vv
-
-
-== TEST:
-There is a small test suite in the <tt>test</tt> directory that runs
-against an internal ruby-ldapserver and PostgreSQL server. Ensure gem
-<tt>ruby-ldapserver</tt> is installed and <tt>pg_ctl</tt>, <tt>initdb</tt> and <tt>psql</tt>
-commands are in the <tt>PATH</tt>. Then:
-
-  cd pg-ldap-sync
-  rake test
-
-== ISSUES:
-* There is currently no way to set certain user attributes in PG
-  based on individual attributes in LDAP (expiration date etc.)
-
-
-== LICENSE:
-
-(The MIT License)
-
-Copyright (c) 2011 FIX
-
-Permission is hereby granted, free of charge, to any person obtaining
-a copy of this software and associated documentation files (the
-'Software'), to deal in the Software without restriction, including
-without limitation the rights to use, copy, modify, merge, publish,
-distribute, sublicense, and/or sell copies of the Software, and to
-permit persons to whom the Software is furnished to do so, subject to
-the following conditions:
-
-The above copyright notice and this permission notice shall be
-included in all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
-EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
-IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
-CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
-TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
-SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/bin/pg_ldap_sync

@@ -1,6 +0,0 @@
-#!/usr/bin/env ruby
-
-require 'rubygems'
-require 'pg_ldap_sync/application'
-
-PgLdapSync::Application.run(ARGV)

data/test/fixtures/config-ldapdb.yaml

@@ -1,32 +0,0 @@
----
-ldap_connection:
-  host: localhost
-  port: 1389
-
-ldap_users:
-  base: dc=example,dc=com
-  filter: (&(cn=*)(sAMAccountName=*))
-  name_attribute: sAMAccountName
-
-ldap_groups:
-  base: dc=example,dc=com
-  filter: (member=*)
-  name_attribute: cn
-  member_attribute: member
-
-pg_connection:
-  dbname: postgres
-  host: localhost
-  port: 54321
-# needed for postgres-pr:
-#   user: insert_your_username_here
-#   password:
-
-pg_users:
-  filter: rolcanlogin AND NOT rolsuper
-  create_options: LOGIN
-
-pg_groups:
-  filter: NOT rolcanlogin
-  create_options: NOLOGIN
-  grant_options:

data/test/fixtures/ldapdb.yaml

@@ -1,38 +0,0 @@
----
-dc=example,dc=com:
-  cn:
-  - Top object
-cn=Fred Flintstone,dc=example,dc=com:
-  cn:
-  - Fred Flintstone
-  mail:
-  - fred@bedrock.org
-  - fred.flintstone@bedrock.org
-  sn:
-  - Flintstone
-  sAMAccountName:
-  - fred
-cn=Wilma Flintstone,dc=example,dc=com:
-  cn:
-  - Wilma Flintstone
-  mail:
-  - wilma@bedrock.org
-  sAMAccountName:
-  - wilma
-cn=Flintstones,dc=example,dc=com:
-  cn:
-  - Flintstones
-  member:
-  - cn=Fred Flintstone,dc=example,dc=com
-  - cn=Wilma Flintstone,dc=example,dc=com
-cn=Wilmas,dc=example,dc=com:
-  cn:
-  - Wilmas
-  member:
-  - cn=Wilma Flintstone,dc=example,dc=com
-cn=All Users,dc=example,dc=com:
-  cn:
-  - All Users
-  member:
-  - cn=Wilmas,dc=example,dc=com
-  - cn=Fred Flintstone,dc=example,dc=com

data/test/ldap_server.rb

@@ -1,41 +0,0 @@
-#!/usr/local/bin/ruby -w
-
-# This is a trivial LDAP server which just stores directory entries in RAM.
-# It does no validation or authentication. This is intended just to
-# demonstrate the API, it's not for real-world use!!
-
-require 'rubygems'
-require 'ldap/server'
-
-# We subclass the Operation class, overriding the methods to do what we need
-
-class HashOperation < LDAP::Server::Operation
-  def initialize(connection, messageID, hash)
-    super(connection, messageID)
-    @hash = hash   # an object reference to our directory data
-  end
-
-  def search(basedn, scope, deref, filter)
-    basedn.downcase!
-
-    case scope
-    when LDAP::Server::BaseObject
-      # client asked for single object by DN
-      obj = @hash[basedn]
-      raise LDAP::ResultError::NoSuchObject unless obj
-      send_SearchResultEntry(basedn, obj) if LDAP::Server::Filter.run(filter, obj)
-
-    when LDAP::Server::WholeSubtree
-      @hash.each do |dn, av|
-        next unless dn.index(basedn, -basedn.length)    # under basedn?
-        next unless LDAP::Server::Filter.run(filter, av)  # attribute filter?
-        send_SearchResultEntry(dn, av)
-      end
-
-    else
-      raise LDAP::ResultError::UnwillingToPerform, "OneLevel not implemented"
-
-    end
-  end
-end
-

data/test/test_pg_ldap_sync.rb

@@ -1,119 +0,0 @@
-#!/usr/bin/env ruby
-
-require "test/unit"
-require "pg_ldap_sync/application"
-require 'yaml'
-require 'test/ldap_server'
-require 'fileutils'
-
-class TestPgLdapSync < Test::Unit::TestCase
-  def log_and_run( *cmd )
-    puts cmd.join(' ')
-    system( *cmd )
-    raise "Command failed: [%s]" % [cmd.join(' ')] unless $?.success?
-  end
-
-  def start_ldap_server
-    yaml_fname = File.join(File.dirname(__FILE__), "fixtures/ldapdb.yaml")
-    @directory = File.open(yaml_fname){|f| YAML::load(f.read) }
-
-    # Listen for incoming LDAP connections. For each one, create a Connection
-    # object, which will invoke a HashOperation object for each request.
-
-    @ldap_server = LDAP::Server.new(
-      :port     => 1389,
-      :nodelay    => true,
-      :listen     => 10,
-    # :ssl_key_file   => "key.pem",
-    # :ssl_cert_file    => "cert.pem",
-    # :ssl_on_connect   => true,
-      :operation_class  => HashOperation,
-      :operation_args   => [@directory]
-    )
-    @ldap_server.run_tcpserver
-  end
-
-  def stop_ldap_server
-    @ldap_server.stop
-  end
-
-  def start_pg_server
-    @port = 54321
-    ENV['PGPORT'] = @port.to_s
-    ENV['PGHOST'] = 'localhost'
-    unless File.exist?('temp/pg_data/PG_VERSION')
-      FileUtils.mkdir_p 'temp/pg_data'
-      log_and_run 'initdb', '-D', 'temp/pg_data', '--no-locale'
-    end
-    log_and_run 'pg_ctl', '-w', '-o', "-k.", '-D', 'temp/pg_data', 'start'
-    log_and_run 'psql', '-e', '-c', "DROP ROLE IF EXISTS fred, wilma, \"Flintstones\", \"Wilmas\", \"All Users\"", 'postgres'
-  end
-
-  def stop_pg_server
-    log_and_run 'pg_ctl', '-w', '-o', "-k.", '-D', 'temp/pg_data', 'stop'
-  end
-
-  def setup
-    start_ldap_server
-    start_pg_server
-  end
-
-  def teardown
-    stop_ldap_server
-    stop_pg_server
-  end
-
-  def psqlre(*args)
-    /^\s*#{args[0]}[ |]*#{args[1]}[ |\{"]*#{args[2..-1].join('[", ]+')}["\}\s]*$/
-  end
-  
-  def exec_psql_du
-    text = if RUBY_PLATFORM=~/mingw|mswin/
-      `psql -c \\du postgres`
-    else
-      `psql -c \\\\du postgres`
-    end
-    puts text
-    return text
-  end
-
-  def test_sanity
-    PgLdapSync::Application.run(%w[-c test/fixtures/config-ldapdb.yaml -vv])
-
-    ENV['LC_MESSAGES'] = 'C'
-    psql_du = exec_psql_du
-
-    assert_match(psqlre('All Users','Cannot login'), psql_du)
-    assert_match(psqlre('Flintstones','Cannot login'), psql_du)
-    assert_match(psqlre('Wilmas','Cannot login','All Users'), psql_du)
-    assert_match(psqlre('fred','','All Users','Flintstones'), psql_du)
-    assert_match(psqlre('wilma','','Flintstones','Wilmas'), psql_du)
-
-    # revoke membership of 'wilma' to 'Flintstones'
-    @directory['cn=Flintstones,dc=example,dc=com']['member'].pop
-
-    PgLdapSync::Application.run(%w[-c test/fixtures/config-ldapdb.yaml -vv])
-    psql_du = exec_psql_du
-
-    assert_match(psqlre('All Users','Cannot login'), psql_du)
-    assert_match(psqlre('Flintstones','Cannot login'), psql_du)
-    assert_match(psqlre('Wilmas','Cannot login','All Users'), psql_du)
-    assert_match(psqlre('fred','','All Users','Flintstones'), psql_du)
-    assert_match(psqlre('wilma','','Wilmas'), psql_du)
-
-    # rename role 'wilma'
-    @directory['cn=Wilma Flintstone,dc=example,dc=com']['sAMAccountName'] = ['Wilma Flintstone']
-    # re-add 'Wilma' to 'Flintstones'
-    @directory['cn=Flintstones,dc=example,dc=com']['member'] << 'cn=Wilma Flintstone,dc=example,dc=com'
-
-    PgLdapSync::Application.run(%w[-c test/fixtures/config-ldapdb.yaml -vv])
-    psql_du = exec_psql_du
-
-    assert_match(psqlre('All Users','Cannot login'), psql_du)
-    assert_match(psqlre('Flintstones','Cannot login'), psql_du)
-    assert_match(psqlre('Wilmas','Cannot login','All Users'), psql_du)
-    assert_match(psqlre('fred','','All Users','Flintstones'), psql_du)
-    assert_no_match(/wilma/, psql_du)
-    assert_match(psqlre('Wilma Flintstone','','Flintstones','Wilmas'), psql_du)
-  end
-end