# With this sample config the distinction between LDAP-synchronized # groups/users from is done by the membership to ldap_user and # ldap_group. These two roles has to be defined manally. # Connection parameters to LDAP server # see also: http://net-ldap.rubyforge.org/Net/LDAP.html#method-c-new ldap_connection: host: ldapserver port: 389 auth: method: :simple username: CN=username,OU=!Serviceaccounts,OU=company,DC=company,DC=de password: secret # Search parameters for LDAP users which should be synchronized ldap_users: base: OU=company,DC=company,DC=prod # LDAP filter (according to RFC 2254) # defines to users in LDAP to be synchronized filter: (&(objectClass=person)(objectClass=organizationalPerson)(givenName=*)(sn=*)(sAMAccountName=*)) # this attribute is used as PG role name name_attribute: sAMAccountName # Search parameters for LDAP groups which should be synchronized ldap_groups: base: OU=company,DC=company,DC=prod filter: (cn=company.*) # this attribute is used as PG role name name_attribute: cn # this attribute must reference to all member DN's of the given group member_attribute: member # Connection parameters to PostgreSQL server # see also: http://rubydoc.info/gems/pg/0.11.0/PGconn#initialize-instance_method pg_connection: host: dbname: postgres user: password: pg_users: # Filter for identifying LDAP generated users in the database. # It's the WHERE-condition to "SELECT rolname, oid FROM pg_roles" filter: oid IN (SELECT pam.member FROM pg_auth_members pam JOIN pg_roles pr ON pr.oid=pam.roleid WHERE pr.rolname='ldap_users') # Options for CREATE RULE statements create_options: LOGIN IN ROLE ldap_users pg_groups: # Filter for identifying LDAP generated groups in the database. # It's the WHERE-condition to "SELECT rolname, oid FROM pg_roles" filter: oid IN (SELECT pam.member FROM pg_auth_members pam JOIN pg_roles pr ON pr.oid=pam.roleid WHERE pr.rolname='ldap_groups') # Options for CREATE RULE statements create_options: NOLOGIN IN ROLE ldap_groups grant_options: