From 5b994514c9f4d0ae1abe602e58becf3e2ad05f5e Mon Sep 17 00:00:00 2001 From: Lars Kanis Date: Sat, 1 Apr 2023 15:09:45 +0200 Subject: [PATCH] Improve documentation in README and config file --- README.md | 10 ++++++++-- config/sample-config2.yaml | 8 +++++--- 2 files changed, 13 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 0a96955..a522060 100644 --- a/README.md +++ b/README.md @@ -20,9 +20,10 @@ It is meant to be started as a cron job. ## FEATURES: +* User+group creation, deletion and changes in memberships are synchronized from LDAP to PostgreSQL +* Nested groups/roles supported * Configurable per YAML config file * Can use Active Directory as LDAP-Server -* Nested groups/roles supported * Set scope of considered users/groups on LDAP and PG side * Test mode which doesn't do any changes to the DBMS * Both LDAP and PG connections can be secured by SSL/TLS @@ -30,7 +31,7 @@ It is meant to be started as a cron job. ## REQUIREMENTS: -* Ruby-2.0+, JRuby-1.2+ +* Ruby-2.0+ * LDAP-v3 server * PostgreSQL-server v9.0+ @@ -71,6 +72,11 @@ Run in modify-mode: pg_ldap_sync -c my_config.yaml -vv ``` +It is recommended to avoid granting permissions to synchronized users on the PostgreSQL server, but to grant permissions to groups instead. +This is because `DROP USER` statements invoked when a user leaves otherwise fail due to depending objects. +`DROP GROUP` equally fails if there are depending objects, but groups are typically more stable and removed rarely. + + ## TEST: There is a small test suite in the `test` directory that runs against an internal LDAP server and a PostgreSQL server. Ensure `pg_ctl`, `initdb` and `psql` commands are in the `PATH` like so: ```sh diff --git a/config/sample-config2.yaml b/config/sample-config2.yaml index ef5b310..d18acab 100644 --- a/config/sample-config2.yaml +++ b/config/sample-config2.yaml 
@@ -1,7 +1,9 @@ # With this sample config the distinction between LDAP-synchronized -# groups/users from is done by the membership to ldap_user and -# ldap_group. These two roles have to be defined manally before -# pg_ldap_sync can run: +# groups/users from manually created PostgreSQL users is done by the +# membership in ldap_user and ldap_group. +# These two roles have to be defined manally before pg_ldap_sync can +# run and all synchronized users/groups will become member of them +# later on: # CREATE GROUP ldap_groups; # CREATE USER ldap_users; #
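Review bot: In the README FEATURES hunk, the new first bullet reads awkwardly ("User+group creation, deletion and changes in memberships are synchronized"); suggest "User and group creation, deletion and membership changes are synchronized from LDAP to PostgreSQL". Moving "Nested groups/roles supported" up next to it is fine since both describe what is synchronized.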
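Review bot: The REQUIREMENTS hunk silently drops JRuby (`-* Ruby-2.0+, JRuby-1.2+` becomes `+* Ruby-2.0+`), which is a support change rather than a documentation improvement as the commit subject states; suggest either saying in the commit message or a changelog entry that JRuby is no longer supported, or, if it still works but is merely untested, keeping a note to that effect in the README.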
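Review bot: The new paragraph in the README run-mode hunk explains why `DROP USER` fails but leaves the reader without the concrete remedy; since the recommendation is to grant privileges only to groups, it would help to also state that object ownership must stay with non-synchronized roles, because a dropped role that owns tables cannot be removed either, and that `REASSIGN OWNED BY ... TO ...` followed by `DROP OWNED BY ...` is the PostgreSQL way to clear such dependencies before the tool's `DROP USER` runs. Also, the hunk adds two blank lines before `## TEST:` where the rest of the file uses one.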
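Review bot: The sample-config2.yaml hunk rewrites the comment but keeps the typo "manally" (should be "manually") and introduces "will become member of them" (should be "members of them"). More importantly, the comment names the roles `ldap_user` and `ldap_group` while the statements right below create `ldap_groups` and `ldap_users`; the names should match the `CREATE GROUP`/`CREATE USER` lines so a reader copying them gets a configuration that actually works.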