add new sample-config and comments

config/sample-config.yaml

@@ -1,3 +1,6 @@
+# With this sample config the distinction between PG groups and users is
+# done by the LOGIN/NOLOGIN attribute. Any non-superuser account
+# is considered as LDAP-synchronized.
 
 # Connection parameters to LDAP server
 # see also: http://net-ldap.rubyforge.org/Net/LDAP.html#method-c-new
@@ -13,6 +16,7 @@ ldap_connection:
 ldap_users:
   base: OU=company,OU=company,DC=company,DC=de
   # LDAP filter (according to RFC 2254)
+  # defines to users in LDAP to be synchronized
   filter: (&(objectClass=person)(objectClass=organizationalPerson)(givenName=*)(sn=*))
   # this attribute is used as PG role name
   name_attribute: sAMAccountName
@@ -20,7 +24,7 @@ ldap_users:
 # Search parameters for LDAP groups which should be synchronized
 ldap_groups:
   base: OU=company,OU=company,DC=company,DC=de
-  filter: (|(cn=cc.group1)(cn=group2)(cn=group3))
+  filter: (|(cn=group1)(cn=group2)(cn=group3))
   # this attribute is used as PG role name
   name_attribute: cn
   # this attribute must reference to all member DN's of the given group
@@ -44,7 +48,7 @@ pg_users:
 pg_groups:
   # Filter for identifying LDAP generated groups in the database.
   # It's the WHERE-condition to "SELECT rolname, oid FROM pg_roles"
-  filter: NOT rolcanlogin
+  filter: NOT rolcanlogin AND NOT rolsuper
   # Options for CREATE RULE statements
   create_options: NOLOGIN
   grant_options:

config/sample-config2.yaml

@@ -0,0 +1,54 @@
+# With this sample config the distinction between LDAP-synchronized
+# groups/users from is done by the membership to ldap_user and
+# ldap_group. These two roles has to be defined manally.
+
+# Connection parameters to LDAP server
+# see also: http://net-ldap.rubyforge.org/Net/LDAP.html#method-c-new
+ldap_connection:
+  host: ldapserver
+  port: 389
+  auth:
+    method: :simple
+    username: CN=username,OU=!Serviceaccounts,OU=company,DC=company,DC=de
+    password: secret
+
+# Search parameters for LDAP users which should be synchronized
+ldap_users:
+  base: OU=company,DC=company,DC=prod
+  # LDAP filter (according to RFC 2254)
+  # defines to users in LDAP to be synchronized
+  filter: (&(objectClass=person)(objectClass=organizationalPerson)(givenName=*)(sn=*)(sAMAccountName=*))
+  # this attribute is used as PG role name
+  name_attribute: sAMAccountName
+
+# Search parameters for LDAP groups which should be synchronized
+ldap_groups:
+  base: OU=company,DC=company,DC=prod
+  filter: (cn=company.*)
+  # this attribute is used as PG role name
+  name_attribute: cn
+  # this attribute must reference to all member DN's of the given group
+  member_attribute: member
+
+# Connection parameters to PostgreSQL server
+# see also: http://rubydoc.info/gems/pg/0.11.0/PGconn#initialize-instance_method
+pg_connection:
+  host:
+  dbname: postgres
+  user:
+  password:
+
+pg_users:
+  # Filter for identifying LDAP generated users in the database.
+  # It's the WHERE-condition to "SELECT rolname, oid FROM pg_roles"
+  filter: oid IN (SELECT pam.member FROM pg_auth_members pam JOIN pg_roles pr ON pr.oid=pam.roleid WHERE pr.rolname='ldap_users')
+  # Options for CREATE RULE statements
+  create_options: LOGIN IN ROLE ldap_users
+
+pg_groups:
+  # Filter for identifying LDAP generated groups in the database.
+  # It's the WHERE-condition to "SELECT rolname, oid FROM pg_roles"
+  filter: oid IN (SELECT pam.member FROM pg_auth_members pam JOIN pg_roles pr ON pr.oid=pam.roleid WHERE pr.rolname='ldap_groups')
+  # Options for CREATE RULE statements
+  create_options: NOLOGIN IN ROLE ldap_groups
+  grant_options: