pgls 1.0.3
- checksums.yaml +7 -0
- data/.autotest +23 -0
- data/.github/workflows/ci.yml +81 -0
- data/.gitignore +10 -0
- data/.travis.yml +20 -0
- data/CHANGELOG.md +45 -0
- data/Gemfile +8 -0
- data/LICENSE.txt +21 -0
- data/Manifest.txt +16 -0
- data/README.md +93 -0
- data/Rakefile +13 -0
- data/appveyor.yml +27 -0
- data/config/krb5-cfg.yml +35 -0
- data/config/sample-config.yaml +68 -0
- data/config/sample-config2.yaml +76 -0
- data/config/schema.yaml +83 -0
- data/exe/pgls +9 -0
- data/lib/pgls/application.rb +497 -0
- data/lib/pgls/compat.rb +10 -0
- data/lib/pgls/logger.rb +28 -0
- data/lib/pgls/version.rb +3 -0
- data/lib/pgls.rb +23 -0
- data/pgls.gemspec +33 -0
- metadata +208 -0
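--- a/checksums.yaml
+++ b/checksums.yaml
@@ -0,0 +1,7 @@
+---
+SHA256:
+metadata.gz: 6f104a973e164b2aaba303b6fc06e5542e541e23c29055f019a44d75649609a5
+data.tar.gz: 394a2949ea3b585bac7a4581cff6ab616a2b679cf141813aac63121a278d515e
+SHA512:
+metadata.gz: 662a763dcd1614efe14550b274f111329689d0103db1aead88a67c3da796edc6540000d3edf49a36c0016eba08e61c2079d1697aeeb2a4a5e4a01ff7af088059
+data.tar.gz: c1fc847625ad14df078c7395f8702f634c2dc9fc49ed3a64b3fb79a9f712ea645dca69559849346b20f5c4353a2b12e60bb70ee456ef9c1c2446c605018eab9c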
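--- a/data/.autotest
+++ b/data/.autotest
@@ -0,0 +1,23 @@
+# -*- ruby -*-
+
+require 'autotest/restart'
+
+# Autotest.add_hook :initialize do |at|
+# at.extra_files << "../some/external/dependency.rb"
+#
+# at.libs << ":../some/external"
+#
+# at.add_exception 'vendor'
+#
+# at.add_mapping(/dependency.rb/) do |f, _|
+# at.files_matching(/test_.*rb$/)
+# end
+#
+# %w(TestA TestB).each do |klass|
+# at.extra_class_map[klass] = "test/test_misc.rb"
+# end
+# end
+
+# Autotest.add_hook :run_command do |at|
+# system "rake build"
+# end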
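--- a/data/.github/workflows/ci.yml
+++ b/data/.github/workflows/ci.yml
@@ -0,0 +1,81 @@
+name: CI
+
+on: [push, pull_request]
+
+jobs:
+job_test_gem:
+name: Test built gem
+strategy:
+fail-fast: false
+matrix:
+include:
+- os: windows
+ruby: "head"
+PGVERSION: 15.1-1-windows-x64
+PGVER: "15"
+- os: windows
+ruby: "2.4"
+PGVERSION: 9.4.26-1-windows-x64
+PGVER: "9.4"
+- os: ubuntu
+ruby: "head"
+PGVER: "15"
+- os: ubuntu
+os_ver: "20.04"
+ruby: "2.3"
+PGVER: "9.3"
+- os: macos
+ruby: "head"
+PGVERSION: 15.1-1-osx
+PGVER: "15"
+
+runs-on: ${{ matrix.os }}-${{ matrix.os_ver || 'latest' }}
+env:
+PGVERSION: ${{ matrix.PGVERSION }}
+PGVER: ${{ matrix.PGVER }}
+
+steps:
+- uses: actions/checkout@v3
+- name: Set up Ruby
+uses: ruby/setup-ruby@v1
+with:
+ruby-version: ${{ matrix.ruby }}
+
+- name: Download PostgreSQL Windows
+if: matrix.os == 'windows'
+run: |
+Add-Type -AssemblyName System.IO.Compression.FileSystem
+function Unzip {
+param([string]$zipfile, [string]$outpath)
+[System.IO.Compression.ZipFile]::ExtractToDirectory($zipfile, $outpath)
+}
+
+$(new-object net.webclient).DownloadFile("http://get.enterprisedb.com/postgresql/postgresql-$env:PGVERSION-binaries.zip", "postgresql-binaries.zip")
+Unzip "postgresql-binaries.zip" "."
+echo "$pwd/pgsql/bin" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
+echo "PGUSER=$env:USERNAME" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
+echo "PGPASSWORD=" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
+md temp
+icacls temp /grant "Everyone:(OI)(CI)F" /T
+
+- name: Download PostgreSQL Ubuntu
+if: matrix.os == 'ubuntu'
+run: |
+echo "deb http://apt.postgresql.org/pub/repos/apt/ $(lsb_release -cs)-pgdg main $PGVER" | sudo tee -a /etc/apt/sources.list.d/pgdg.list
+wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | sudo apt-key add -
+sudo apt-get -y update
+sudo apt-get -y --allow-downgrades install postgresql-$PGVER libpq5=$PGVER* libpq-dev=$PGVER*
+echo /usr/lib/postgresql/$PGVER/bin >> $GITHUB_PATH
+
+- name: Download PostgreSQL Macos
+if: matrix.os == 'macos'
+run: |
+wget https://get.enterprisedb.com/postgresql/postgresql-$PGVERSION-binaries.zip && \
+sudo mkdir -p /Library/PostgreSQL && \
+sudo unzip postgresql-$PGVERSION-binaries.zip -d /Library/PostgreSQL/$PGVER && \
+echo /Library/PostgreSQL/$PGVER/bin >> $GITHUB_PATH
+
+- run: bundle install
+
+- name: Run specs
+run: bundle exec rake test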
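Review bot: The `DownloadFile` call in the "Download PostgreSQL Windows" step fetches the PostgreSQL binary zip over plain `http://`, then unpacks it and puts it on `PATH` with no integrity check, while the macOS step already fetches the same artifact from `https://get.enterprisedb.com`; change the URL to `"https://get.enterprisedb.com/postgresql/postgresql-$env:PGVERSION-binaries.zip"` and, ideally, compare the zip against a pinned SHA-256 before `Unzip`. The Ubuntu step pipes the repository signing key into `sudo apt-key add -`, which is deprecated; storing the key under `/etc/apt/keyrings/` and adding `signed-by=` to the `deb` line scopes it to the pgdg repository (the same two lines appear in data/.travis.yml). `actions/checkout@v3` and `ruby/setup-ruby@v1` are referenced by floating tags rather than commit SHAs, so the job's behaviour can change without any change to this file.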
data/.gitignore
ADDED
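--- a/data/.travis.yml
+++ b/data/.travis.yml
@@ -0,0 +1,20 @@
+sudo: required
+dist: focal
+language: ruby
+rvm:
+- "2.4.0"
+- ruby-head
+env:
+- "PGVERSION=14"
+- "PGVERSION=9.6"
+before_install:
+- gem install bundler --no-doc --conservative
+- bundle install
+# Download and install postgresql version to test against in /opt (for non-cross compile only)
+- echo "deb http://apt.postgresql.org/pub/repos/apt/ ${TRAVIS_DIST}-pgdg main $PGVERSION" | sudo tee -a /etc/apt/sources.list.d/pgdg.list
+- wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | sudo apt-key add -
+- sudo apt -y update
+- sudo apt -y --allow-downgrades install postgresql-$PGVERSION libpq-dev
+- export PATH=/usr/lib/postgresql/$PGVERSION/bin:$PATH
+
+script: rake test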
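--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -0,0 +1,45 @@
+## 0.5.0 / 2023-02-03
+
+* Add Kerberos and NTLM authentication support
+
+
+## 0.4.0 / 2022-12-02
+
+* Support groups with over 1500 users in Active Directory server. #32
+* Retrieve only necessary attributes from LDAP server.
+* Add error text to exception, so that it's visible even if nothing is logged.
+* Fix compatibility with PostgreSQL-15
+* Require ruby-2.3+
+
+
+## 0.3.0 / 2022-01-18
+
+* Add config option :bothcase_name .
+This adds both spellings "Fred_Flintstone" and "fred_flintstone" as PostgreSQL users/groups.
+* Update gem dependencies
+* Fix compatibility with PostgreSQL-14
+* Require ruby-2.4+
+
+
+## 0.2.0 / 2018-03-13
+
+* Update gem dependencies
+* Fix compatibility to pg-1.0 gem
+* Add `pg_ldap_sync --version`
+* Fix compatibility with PostgreSQL-10
+* Don't abort on SQL errors, but print ERROR notice
+* Run sync within a SQL transaction, so that no partial sync happens
+* Lots of improvements to the test suite
+* Run automated tests on Travis-CI and Appveyor
+* Remove support for postgres-pr, since it's no longer maintained
+
+
+## 0.1.1 / 2012-11-15
+
+* Add ability to lowercase the LDAP name for use as PG role name
+
+
+## 0.1.0 / 2011-07-13
+
+* Birthday!
+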
data/Gemfile
ADDED
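--- a/data/LICENSE.txt
+++ b/data/LICENSE.txt
@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2018 Lars Kanis
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.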
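--- a/data/Manifest.txt
+++ b/data/Manifest.txt
@@ -0,0 +1,16 @@
+.autotest
+History.txt
+Manifest.txt
+README.rdoc
+Rakefile
+bin/pgls
+config/krb5-cfg.yml
+config/sample-config.yaml
+config/sample-config2.yaml
+config/schema.yaml
+lib/pgls.rb
+lib/pgls/application.rb
+test/fixtures/config-ldapdb.yaml
+test/fixtures/ldapdb.yaml
+test/ldap_server.rb
+test/test_pgls.rb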
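Review bot: Manifest.txt lists `History.txt`, `README.rdoc` and `bin/pgls`, but the files this gem actually ships according to the diffstat are `CHANGELOG.md`, `README.md` and `exe/pgls`, and `lib/pgls/compat.rb`, `lib/pgls/logger.rb` and `lib/pgls/version.rb` are missing from the list. If a hoe-style Rakefile builds the package from this manifest, those files will be left out of the gem; if the manifest is no longer consumed by anything, dropping it avoids a stale file list that contradicts the gemspec.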
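--- a/data/README.md
+++ b/data/README.md
@@ -0,0 +1,93 @@
+# Использование разрешений LDAP в PostgreSQL
+
+* http://github.com/fruworg/pgls
+
+## Описание:
+
+LDAP часто используется для централизованного управления пользователями и ролями в корпоративной среде.
+PostgreSQL предлагает различные методы аутентификации, такие как LDAP, SSPI, GSSAPI или SSL.
+Однако при любом методе пользователь должен уже существовать в базе данных, прежде чем аутентификация может быть использована.
+В настоящее время не существует прямой авторизации пользователей базы данных по LDAP.
+Поэтому роли и членство приходится администрировать дважды.
+
+Данная программа позволяет решить эту проблему путем синхронизации пользователей, групп и их членства из LDAP в PostgreSQL.
+Доступ к LDAP используется только для чтения.
+Для синхронизации пользователей и групп `pgls` выдает соответствующие команды CREATE ROLE, DROP ROLE, GRANT и REVOKE.
+
+Она предназначена для запуска в качестве cron-задания.
+
+## Возможности:
+
+* Создание, удаление пользователей и групп, а также изменения в членстве синхронизируются из LDAP в PostgreSQL.
+* Поддерживаются вложенные группы/роли
+* Настраивается в конфигурационном файле YAML
+* Возможность использования Active Directory в качестве LDAP-сервера
+* Установка области видимости рассматриваемых пользователей/групп на стороне LDAP и PG
+* Тестовый режим, не вносящий никаких изменений в СУБД
+* Соединения между LDAP и PG могут быть защищены с помощью SSL/TLS
+* NTLM и Kerberos аутентификация на LDAP-сервере
+
+## Требования:
+
+* Ruby-2.0+
+* LDAP-v3-сервер
+* PostgreSQL-сервер v9.0+
+
+## Установка:
+
+Установить Ruby:
+
+* под Windows: http://rubyinstaller.org
+* на Debian/Ubuntu: `apt-get install ruby libpq-dev`.
+
+### Установка gem:
+```
+gem install pgls
+```
+
+### Установка из Git:
+```sh
+git clone https://github.com/fruworg/pgls.git
+cd pgls
+gem install bundler
+bundle install
+bundle exec rake install
+```
+
+## Использование:
+
+Создать файл конфигурации на основе
+[config/sample-config.yaml](https://github.com/fruworg/pgls/blob/master/config/sample-config.yaml)
+или еще лучше
+[config/sample-config2.yaml](https://github.com/fruworg/pgls/blob/master/config/sample-config2.yaml).
+
+Запустить в тестовом режиме:
+```sh
+pgls -c my_config.yaml -vv -t
+```
+Запуск в режиме модификации:
+```sh
+pgls -c my_config.yaml -vv
+```
+
+Рекомендуется не предоставлять права синхронизируемым пользователям на сервере PostgreSQL, а предоставлять права группам.
+Это связано с тем, что операторы `DROP USER`, вызываемые при уходе пользователя, в противном случае терпят неудачу из-за наличия зависимых объектов.
+Оператор `DROP GROUP` также не работает при наличии зависимых объектов, но группы, как правило, более стабильны и удаляются редко.
+
+
+## Тестирование:
+В каталоге `test` находится небольшой тестовый набор, который работает с внутренним LDAP-сервером и сервером PostgreSQL. Убедитесь, что команды `pg_ctl`, `initdb` и `psql` находятся в `PATH` следующим образом:
+```sh
+cd pgls
+установить пакет
+PATH=$PATH:/usr/lib/postgresql/10/bin/ bundle exec rake test
+```
+
+## Проблемы:
+
+* В настоящее время нет возможности установить определенные атрибуты пользователя в PG на основе индивидуальных атрибутов в LDAP (срок действия и т.д.).
+
+
+## Лицензия
+
+Гем доступен с открытым исходным кодом на условиях [MIT License](https://opensource.org/licenses/MIT).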
data/Rakefile
ADDED
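--- a/data/appveyor.yml
+++ b/data/appveyor.yml
@@ -0,0 +1,27 @@
+image: Visual Studio 2019
+
+init:
+- set PATH=C:/Ruby%ruby_version%/bin;c:/Program Files/Git/cmd;c:/Windows/system32;C:/Windows/System32/WindowsPowerShell/v1.0
+- set RUBYOPT=--verbose
+
+install:
+- ver
+- ruby --version
+- gem --version
+- gem install bundler --no-doc --conservative
+- bundle install
+
+build_script:
+- set PATH=C:/Program Files/PostgreSQL/%PGVER%/bin;%PATH%
+- md temp
+- icacls temp /grant Everyone:(OI)(CI)F /T
+
+test_script:
+- bundle exec rake test
+
+environment:
+matrix:
+- ruby_version: "27-x64"
+PGVER: 13
+- ruby_version: "24"
+PGVER: 10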
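--- a/data/config/krb5-cfg.yml
+++ b/data/config/krb5-cfg.yml
@@ -0,0 +1,35 @@
+ldap_connection:
+host: <dc>
+port: 636
+auth:
+method: :gssapi
+hostname: <dc.doma.in>
+encryption:
+method: :simple_tls
+
+ldap_users:
+base: DC=<doma>,DC=<in>
+filter: CN=Users,DC=<doma>,DC=<in>
+name_attribute: sAMAccountName
+uppercase_name: true
+
+ldap_groups:
+base: DC=<doma>,DC=<in>
+filter: fruw.org
+name_attribute: cn
+uppercase_name: true
+member_attribute: "memberuid"
+
+pg_connection:
+host: <db.doma.in>
+dbname: postgres
+user: <db-username>
+
+pg_users:
+filter: oid IN (SELECT pam.member FROM pg_auth_members pam JOIN pg_roles pr ON pr.oid=pam.roleid WHERE pr.rolname='ldap_users')
+create_options: LOGIN IN ROLE ldap_users
+
+pg_groups:
+filter: oid IN (SELECT pam.member FROM pg_auth_members pam JOIN pg_roles pr ON pr.oid=pam.roleid WHERE pr.rolname='ldap_groups')
+create_options: NOLOGIN IN ROLE ldap_groups
+grant_options: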
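Review bot: `ldap_users.filter` is given as the DN `CN=Users,DC=<doma>,DC=<in>` and `ldap_groups.filter` as `fruw.org`, neither of which is an RFC 2254 filter expression of the kind the sibling samples use (`(&(objectClass=person)...)`, `(cn=company.*)`); if the application passes these strings straight to the LDAP search as filters, the filter parser will most likely reject them, and someone copying this template gets a parse error rather than a scoped search. If the fork interprets these keys differently (for instance as a container DN), a one-line comment above each saying so would spare the reader a trip into application.rb. `pg_groups.grant_options:` is left without a value at the end of the file; either give it a value or drop the key so the template does not suggest one is required.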
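--- a/data/config/sample-config.yaml
+++ b/data/config/sample-config.yaml
@@ -0,0 +1,68 @@
+# With this sample config the distinction between PG groups and users is
+# done by the LOGIN/NOLOGIN attribute. Any non-superuser account
+# is considered as LDAP-synchronized.
+
+# Connection parameters to LDAP server
+# see also: http://net-ldap.rubyforge.org/Net/LDAP.html#method-c-new
+ldap_connection:
+host: ldapserver
+port: 389
+auth:
+method: :simple
+username: CN=username,OU=!Serviceaccounts,OU=company,DC=company,DC=de
+password: secret
+
+# or GSSAPI / Kerberos authentication:
+auth:
+method: :gssapi
+hostname: ldapserver.company.de
+servicename: ldap # optional, defaults to "ldap"
+
+# or GSS-SPNEGO / NTLM authentication
+auth:
+method: :gss_spnego
+username: 'myuser'
+password: 'secret'
+domain: 'company.de' # optional
+
+# Search parameters for LDAP users which should be synchronized
+ldap_users:
+base: OU=company,OU=company,DC=company,DC=de
+# LDAP filter (according to RFC 2254)
+# defines to users in LDAP to be synchronized
+filter: (&(objectClass=person)(objectClass=organizationalPerson)(givenName=*)(sn=*))
+# this attribute is used as PG role name
+name_attribute: sAMAccountName
+
+# Search parameters for LDAP groups which should be synchronized
+ldap_groups:
+base: OU=company,OU=company,DC=company,DC=de
+filter: (|(cn=group1)(cn=group2)(cn=group3))
+# this attribute is used as PG role name
+name_attribute: cn
+# this attribute must reference to all member DN's of the given group
+member_attribute: member
+
+# Connection parameters to PostgreSQL server
+# see also: http://rubydoc.info/gems/pg/PG/Connection#initialize-instance_method
+pg_connection:
+host:
+dbname: postgres
+user: db-username
+password:
+
+pg_users:
+# Filter for identifying LDAP generated users in the database.
+# It's the WHERE-condition to "SELECT rolname, oid FROM pg_roles"
+filter: rolcanlogin AND NOT rolsuper
+# Options for CREATE RULE statements
+create_options: LOGIN
+
+pg_groups:
+# Filter for identifying LDAP generated groups in the database.
+# It's the WHERE-condition to "SELECT rolname, oid FROM pg_roles"
+filter: NOT rolcanlogin AND NOT rolsuper
+# Options for CREATE RULE statements
+create_options: NOLOGIN
+# Options for GRANT <role> TO <group> statements
+grant_options: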
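Review bot: `ldap_connection` carries three `auth:` keys (`:simple`, `:gssapi`, `:gss_spnego`) that, if they are all literal keys of the same mapping as the "or ..." comments suggest, are silently collapsed by Psych to the last one, so a user who fills in the `:simple` block and leaves the rest untouched ends up binding with `:gss_spnego` as `myuser`/`secret` and no hint why; ship the two alternatives commented out (`# auth:` / `#   method: :gssapi` …) so only one is live. The live `:simple` example also uses `port: 389` with no `encryption:` block, so the bind DN and `password: secret` cross the network in cleartext; add the `encryption:` / `method: :simple_tls` block with `port: 636` that sample-config2.yaml already shows, or state in a comment that the plain-389 form is for lab use. The comment `# Options for CREATE RULE statements` under `pg_users` and `pg_groups` should read `# Options for CREATE ROLE statements`, since these options are appended to the role-creation statement.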
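--- a/data/config/sample-config2.yaml
+++ b/data/config/sample-config2.yaml
@@ -0,0 +1,76 @@
+# With this sample config the distinction between LDAP-synchronized
+# groups/users from manually created PostgreSQL users is done by the
+# membership in ldap_user and ldap_group.
+# These two roles have to be defined manally before pg_ldap_sync can
+# run and all synchronized users/groups will become member of them
+# later on:
+# CREATE GROUP ldap_groups;
+# CREATE USER ldap_users;
+#
+
+# Connection parameters to LDAP server
+# see also: http://net-ldap.rubyforge.org/Net/LDAP.html#method-c-new
+ldap_connection:
+host: ldapserver
+port: 636
+auth:
+method: :simple
+username: CN=username,OU=!Serviceaccounts,OU=company,DC=company,DC=de
+password: secret
+encryption:
+method: :simple_tls
+
+# Search parameters for LDAP users which should be synchronized
+ldap_users:
+base: OU=company,DC=company,DC=prod
+# LDAP filter (according to RFC 2254)
+# defines to users in LDAP to be synchronized
+filter: (&(objectClass=person)(objectClass=organizationalPerson)(givenName=*)(sn=*)(sAMAccountName=*))
+# this attribute is used as PG role name
+name_attribute: sAMAccountName
+# lowercase name for use as PG role name
+lowercase_name: true
+# uppercase name for use as PG role name
+uppercase_name: false
+# Add lowercase name *and* original name for use as PG role names (useful for migrating between case types)
+bothcase_name: false
+
+# Search parameters for LDAP groups which should be synchronized
+ldap_groups:
+base: OU=company,DC=company,DC=prod
+filter: (cn=company.*)
+# this attribute is used as PG role name
+name_attribute: cn
+# lowercase name for use as PG role name
+lowercase_name: false
+# uppercase name for use as PG role name
+uppercase_name: false
+# this attribute must reference to all member DN's of the given group
+member_attribute: "memberuid"
+# True if use Astra Linux Domain
+ald_domain: true
+
+
+# Connection parameters to PostgreSQL server
+# see also: http://rubydoc.info/gems/pg/PG/Connection#initialize-instance_method
+pg_connection:
+host:
+dbname: postgres
+user:
+password:
+
+pg_users:
+# Filter for identifying LDAP generated users in the database.
+# It's the WHERE-condition to "SELECT rolname, oid FROM pg_roles"
+filter: oid IN (SELECT pam.member FROM pg_auth_members pam JOIN pg_roles pr ON pr.oid=pam.roleid WHERE pr.rolname='ldap_users')
+# Options for CREATE RULE statements
+create_options: LOGIN IN ROLE ldap_users
+
+pg_groups:
+# Filter for identifying LDAP generated groups in the database.
+# It's the WHERE-condition to "SELECT rolname, oid FROM pg_roles"
+filter: oid IN (SELECT pam.member FROM pg_auth_members pam JOIN pg_roles pr ON pr.oid=pam.roleid WHERE pr.rolname='ldap_groups')
+# Options for CREATE RULE statements
+create_options: NOLOGIN IN ROLE ldap_groups
+# Options for GRANT <role> TO <group> statements
+grant_options: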
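Review bot: The header comment still refers to the upstream tool and has a typo — `# These two roles have to be defined manally before pg_ldap_sync can` — while the gem is now `pgls`; `# These two roles have to be defined manually before pgls can` keeps the sample accurate for this package. The comment above `member_attribute: "memberuid"` says the attribute "must reference to all member DN's of the given group", but `memberUid` holds plain uid values rather than DNs, so the comment contradicts the value; presumably `ald_domain: true` is what makes uid-valued membership work, and a sentence under `# True if use Astra Linux Domain` saying how members are resolved in that mode would make the pair self-explanatory. The two `# Options for CREATE RULE statements` comments should read `# Options for CREATE ROLE statements`.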
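--- a/data/config/schema.yaml
+++ b/data/config/schema.yaml
@@ -0,0 +1,83 @@
+type: map
+mapping:
+"ldap_connection":
+type: any
+required: yes
+
+"ldap_users":
+type: map
+required: yes
+mapping:
+"base":
+type: str
+required: yes
+"filter":
+type: str
+required: yes
+"name_attribute":
+type: str
+required: yes
+"lowercase_name":
+type: bool
+required: no
+"bothcase_name":
+type: bool
+required: no
+"uppercase_name":
+type: bool
+required: no
+
+"ldap_groups":
+type: map
+required: yes
+mapping:
+"base":
+type: str
+required: yes
+"filter":
+type: str
+required: yes
+"name_attribute":
+type: str
+required: yes
+"lowercase_name":
+type: bool
+required: no
+"bothcase_name":
+type: bool
+required: no
+"uppercase_name":
+type: bool
+required: no
+"member_attribute":
+type: str
+required: yes
+"ald_domain":
+type: bool
+required: no
+
+"pg_connection":
+type: any
+required: yes
+
+"pg_users":
+type: map
+required: yes
+mapping:
+"filter":
+type: str
+required: yes
+"create_options":
+type: str
+
+"pg_groups":
+type: map
+required: yes
+mapping:
+"filter":
+type: str
+required: yes
+"create_options":
+type: str
+"grant_options":
+type: str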
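Review bot: `"ldap_connection"` is declared `type: any`, so the one block that carries credentials and transport security is never validated: a misspelled `encryption:` or `auth:` key in a user's config passes the schema and the bind silently proceeds with whatever the LDAP client defaults to. If the validator is kwalify (the `type`/`mapping`/`required` vocabulary here matches it, and kwalify rejects keys absent from a `mapping`), describing the block as a map of the keys the shipped sample configs use makes such typos fail loudly; `pg_connection` can reasonably stay `any`, since the sample points at PG::Connection#initialize, which accepts many libpq keywords. The `"method"` entries are left as `any` below because the samples write them as YAML symbols (`:simple_tls`), which a `str` constraint may reject depending on how the file is loaded.
```yaml
"ldap_connection":
  type: map
  required: yes
  mapping:
    "host": { type: str, required: yes }
    "port": { type: int }
    "auth":
      type: map
      required: yes
      mapping:
        "method": { type: any, required: yes }
        "username": { type: str }
        "password": { type: str }
        "hostname": { type: str }
        "servicename": { type: str }
        "domain": { type: str }
    "encryption":
      type: map
      mapping:
        "method": { type: any, required: yes }
# … unchanged: ldap_users, ldap_groups, pg_connection, pg_users, pg_groups …
```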