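---
# With this sample config the distinction between LDAP-synchronized
# groups/users and manually created PostgreSQL roles is done by
# membership in the ldap_users and ldap_groups roles.
# These two roles have to be defined manually before pg_ldap_sync can
# run; all synchronized users/groups will become members of them
# later on:
# CREATE GROUP ldap_groups;
# CREATE ROLE ldap_users NOLOGIN;
# The marker roles themselves never need to log in, so create them
# NOLOGIN (the commonly used "CREATE USER ldap_users;" would implicitly
# grant LOGIN to a role that has no password).
#
# NOTE(security): this file holds the LDAP bind password in clear text.
# Keep it out of version control and readable only by the account that
# runs pg_ldap_sync (e.g. mode 0600).

# Connection parameters to LDAP server
# see also: http://net-ldap.rubyforge.org/Net/LDAP.html#method-c-new
# (rubyforge is defunct; current docs live at https://www.rubydoc.info/gems/net-ldap)
ldap_connection:
  host: ldapserver
  # 636 is the LDAPS port and matches the :simple_tls encryption below.
  port: 636
  auth:
    method: :simple
    # pg_ldap_sync only searches users and groups, so bind with a dedicated
    # read-only service account rather than a privileged one.
    username: CN=username,OU=!Serviceaccounts,OU=company,DC=company,DC=de
    password: secret
  encryption:
    method: :simple_tls
    # NOTE(review): whether the server certificate is verified depends on the
    # net-ldap version's default tls_options — older versions did not verify
    # the peer at all. Without peer verification anyone terminating the TLS
    # connection receives the bind password. Confirm verification against a
    # trusted CA is in effect for the deployed net-ldap version. TODO confirm.

# Search parameters for LDAP users which should be synchronized
ldap_users:
  base: OU=company,DC=company,DC=prod
  # LDAP filter (according to RFC 2254)
  # defines the users in LDAP to be synchronized
  # NOTE(review): this filter also matches disabled accounts. On Active
  # Directory (implied by sAMAccountName below) adding
  #   (!(userAccountControl:1.2.840.113556.1.4.803:=2))
  # to the AND keeps disabled accounts out of the synchronized set.
  filter: (&(objectClass=person)(objectClass=organizationalPerson)(givenName=*)(sn=*)(sAMAccountName=*))
  # this attribute is used as PG role name
  name_attribute: sAMAccountName
  # lowercase name for use as PG role name
  # (two LDAP names that differ only in case would map to the same PG role)
  lowercase_name: true
  # Add lowercase name *and* original name for use as PG role names (useful for migrating between case types)
  bothcase_name: false

# Search parameters for LDAP groups which should be synchronized
ldap_groups:
  base: OU=company,DC=company,DC=prod
  filter: (cn=company.*)
  # this attribute is used as PG role name
  name_attribute: cn
  # lowercase name for use as PG role name
  lowercase_name: false
  # this attribute must reference all member DNs of the given group
  member_attribute: member

# Connection parameters to PostgreSQL server
# see also: http://rubydoc.info/gems/pg/PG/Connection#initialize-instance_method
# Empty values are passed as nil, so libpq's defaults and environment apply
# (PGHOST, PGUSER, PGPASSWORD, ~/.pgpass). Prefer ~/.pgpass, peer auth or a
# client certificate over writing a clear-text password here. The connecting
# role needs at least CREATEROLE to create/drop roles and manage memberships.
pg_connection:
  host:
  dbname: postgres
  user:
  password:
  # libpq's default sslmode is "prefer", which silently falls back to a
  # clear-text connection; for a remote host set it explicitly:
  # sslmode: verify-full

pg_users:
  # Filter for identifying LDAP generated users in the database.
  # It's the WHERE-condition to "SELECT rolname, oid FROM pg_roles"
  # (presumably spliced into the SQL verbatim — this file must be trusted input)
  filter: oid IN (SELECT pam.member FROM pg_auth_members pam JOIN pg_roles pr ON pr.oid=pam.roleid WHERE pr.rolname='ldap_users')
  # Options for CREATE ROLE statements
  # Synchronized users receive LOGIN but no PostgreSQL password, so their
  # authentication has to come from pg_hba.conf (e.g. an ldap or gss method).
  # Make sure no trust or password-less rule matches these roles. TODO confirm.
  create_options: LOGIN IN ROLE ldap_users

pg_groups:
  # Filter for identifying LDAP generated groups in the database.
  # It's the WHERE-condition to "SELECT rolname, oid FROM pg_roles"
  filter: oid IN (SELECT pam.member FROM pg_auth_members pam JOIN pg_roles pr ON pr.oid=pam.roleid WHERE pr.rolname='ldap_groups')
  # Options for CREATE ROLE statements
  create_options: NOLOGIN IN ROLE ldap_groups
  # Options for GRANT <role> TO <group> statements
  # (empty = none; "WITH ADMIN OPTION" would let every member add others to
  # the group, so leave this unset unless that is intended)
  grant_options: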