pgls/config/sample-config2.yaml

# With this sample config the distinction between LDAP-synchronized
# groups/users from is done by the membership to ldap_user and
# ldap_group. These two roles has to be defined manally.

# Connection parameters to LDAP server
# see also: http://net-ldap.rubyforge.org/Net/LDAP.html#method-c-new
ldap_connection:
  host: ldapserver
  port: 389
  auth:
    method: :simple
    username: CN=username,OU=!Serviceaccounts,OU=company,DC=company,DC=de
    password: secret

# Search parameters for LDAP users which should be synchronized
ldap_users:
  base: OU=company,DC=company,DC=prod
  # LDAP filter (according to RFC 2254)
  # defines to users in LDAP to be synchronized
  filter: (&(objectClass=person)(objectClass=organizationalPerson)(givenName=*)(sn=*)(sAMAccountName=*))
  # this attribute is used as PG role name
  name_attribute: sAMAccountName

# Search parameters for LDAP groups which should be synchronized
ldap_groups:
  base: OU=company,DC=company,DC=prod
  filter: (cn=company.*)
  # this attribute is used as PG role name
  name_attribute: cn
  # this attribute must reference to all member DN's of the given group
  member_attribute: member

# Connection parameters to PostgreSQL server
# see also: http://rubydoc.info/gems/pg/0.11.0/PGconn#initialize-instance_method
pg_connection:
  host:
  dbname: postgres
  user:
  password:

pg_users:
  # Filter for identifying LDAP generated users in the database.
  # It's the WHERE-condition to "SELECT rolname, oid FROM pg_roles"
  filter: oid IN (SELECT pam.member FROM pg_auth_members pam JOIN pg_roles pr ON pr.oid=pam.roleid WHERE pr.rolname='ldap_users')
  # Options for CREATE RULE statements
  create_options: LOGIN IN ROLE ldap_users

pg_groups:
  # Filter for identifying LDAP generated groups in the database.
  # It's the WHERE-condition to "SELECT rolname, oid FROM pg_roles"
  filter: oid IN (SELECT pam.member FROM pg_auth_members pam JOIN pg_roles pr ON pr.oid=pam.roleid WHERE pr.rolname='ldap_groups')
  # Options for CREATE RULE statements
  create_options: NOLOGIN IN ROLE ldap_groups
  grant_options:
add new sample-config and comments 2011-07-08 14:18:10 +04:00			`# With this sample config the distinction between LDAP-synchronized`
			`# groups/users from is done by the membership to ldap_user and`
			`# ldap_group. These two roles has to be defined manally.`

			`# Connection parameters to LDAP server`
			`# see also: http://net-ldap.rubyforge.org/Net/LDAP.html#method-c-new`
			`ldap_connection:`
			`host: ldapserver`
			`port: 389`
			`auth:`
			`method: :simple`
			`username: CN=username,OU=!Serviceaccounts,OU=company,DC=company,DC=de`
			`password: secret`

			`# Search parameters for LDAP users which should be synchronized`
			`ldap_users:`
			`base: OU=company,DC=company,DC=prod`
			`# LDAP filter (according to RFC 2254)`
			`# defines to users in LDAP to be synchronized`
			`filter: (&(objectClass=person)(objectClass=organizationalPerson)(givenName=)(sn=)(sAMAccountName=*))`
			`# this attribute is used as PG role name`
			`name_attribute: sAMAccountName`

			`# Search parameters for LDAP groups which should be synchronized`
			`ldap_groups:`
			`base: OU=company,DC=company,DC=prod`
			`filter: (cn=company.*)`
			`# this attribute is used as PG role name`
			`name_attribute: cn`
			`# this attribute must reference to all member DN's of the given group`
			`member_attribute: member`

			`# Connection parameters to PostgreSQL server`
			`# see also: http://rubydoc.info/gems/pg/0.11.0/PGconn#initialize-instance_method`
			`pg_connection:`
			`host:`
			`dbname: postgres`
			`user:`
			`password:`

			`pg_users:`
			`# Filter for identifying LDAP generated users in the database.`
			`# It's the WHERE-condition to "SELECT rolname, oid FROM pg_roles"`
			`filter: oid IN (SELECT pam.member FROM pg_auth_members pam JOIN pg_roles pr ON pr.oid=pam.roleid WHERE pr.rolname='ldap_users')`
			`# Options for CREATE RULE statements`
			`create_options: LOGIN IN ROLE ldap_users`

			`pg_groups:`
			`# Filter for identifying LDAP generated groups in the database.`
			`# It's the WHERE-condition to "SELECT rolname, oid FROM pg_roles"`
			`filter: oid IN (SELECT pam.member FROM pg_auth_members pam JOIN pg_roles pr ON pr.oid=pam.roleid WHERE pr.rolname='ldap_groups')`
			`# Options for CREATE RULE statements`
			`create_options: NOLOGIN IN ROLE ldap_groups`
			`grant_options:`