Use LDAP permissions in PostgreSQL
This repository has been archived on 2023-12-11. You can view files and clone it, but cannot push or open issues or pull requests.
Go to file
2018-03-14 08:34:27 +01:00
config Use sample-config2 to show simple_tls parameters 2013-08-29 11:19:28 +02:00
exe Whole bunch of changes 2018-03-13 16:34:50 +01:00
lib Whole bunch of changes 2018-03-13 16:34:50 +01:00
test Fix tests on Windows 2018-03-13 16:56:14 +01:00
.autotest Sync roles works, sync membership not yet 2011-05-18 15:45:08 +02:00
.gitignore Move from Hoe to Bundler 2018-02-06 21:56:53 +01:00
.travis.yml Add CI tests on Travis-ci and Appveyor 2018-02-06 23:03:32 +01:00
appveyor.yml Add CI tests on Travis-ci and Appveyor 2018-02-06 23:03:32 +01:00
Gemfile Remove possibility to use postgres-pr 2018-02-06 22:29:48 +01:00
History.txt Prepare for release 2012-11-15 17:02:55 +01:00
LICENSE.txt Move from Hoe to Bundler 2018-02-06 21:56:53 +01:00
Manifest.txt Update Manifest.txt 2011-07-13 15:00:31 +02:00
pg-ldap-sync.gemspec Separate tests into one operation per test 2018-02-12 22:09:00 +01:00
Rakefile Move from Hoe to Bundler 2018-02-06 21:56:53 +01:00
README.md Remove feature of using postgres-pr gem from README 2018-03-14 08:34:27 +01:00

Build Status Build status

Use LDAP permissions in PostgreSQL

DESCRIPTION:

LDAP is often used for a centralized user and role management in an enterprise environment. PostgreSQL offers different authentication methods, like LDAP, SSPI, GSSAPI or SSL. However, for any method the user must already exist in the database, before the authentication can be used. There is currently no direct authorization of database users on LDAP. So roles and memberships has to be administered twice.

This program helps to solve the issue by synchronizing users, groups and their memberships from LDAP to PostgreSQL. Access to LDAP is used read-only. pg_ldap_sync issues proper CREATE ROLE, DROP ROLE, GRANT and REVOKE commands to synchronize users and groups.

It is meant to be started as a cron job.

FEATURES:

  • Configurable per YAML config file
  • Can use Active Directory as LDAP-Server
  • Nested groups/roles supported
  • Set scope of considered users/groups on LDAP and PG side
  • Test mode which doesn't do any changes to the DBMS
  • Both LDAP and PG connections can be secured by SSL/TLS

REQUIREMENTS:

  • Ruby-2.0+, JRuby-1.2, Rubinius-1.2 or better
  • LDAP-v3 server
  • PostgreSQL-server v9.0+

INSTALL:

Install Ruby:

Install pg-ldap-sync and required dependencies:

  gem install pg-ldap-sync

Install from Git:

  git clone https://github.com/larskanis/pg-ldap-sync.git
  cd pg-ldap-sync
  bundle
  rake install

USAGE:

Create a config file based on config/sample-config.yaml or even better config/sample-config2.yaml

Run in test-mode:

  pg_ldap_sync -c my_config.yaml -vv -t

Run in modify-mode:

  pg_ldap_sync -c my_config.yaml -vv

TEST:

There is a small test suite in the test directory that runs against an internal LDAP server and a PostgreSQL server. Ensure pg_ctl, initdb and psql commands are in the PATH like so:

  cd pg-ldap-sync
  PATH=$PATH:/usr/lib/postgresql/10/bin/ rake test

ISSUES:

  • There is currently no way to set certain user attributes in PG based on individual attributes in LDAP (expiration date etc.)

License

The gem is available as open source under the terms of the MIT License.