fruworg/pgls: Use LDAP permissions in PostgreSQL - pgls

Archived

Use LDAP permissions in PostgreSQL

This repository has been archived on 2023-12-11. You can view files and clone it, but cannot push or open issues or pull requests.

Go to file

Lars Kanis be9a5a7531 Update net-ldap dependency to get rid of the github vulnerability message		2018-02-06 23:09:21 +01:00
config	Use sample-config2 to show simple_tls parameters	2013-08-29 11:19:28 +02:00
exe	Move from Hoe to Bundler	2018-02-06 21:56:53 +01:00
lib	Exclude default roles of PostgreSQL-10	2018-02-06 22:31:06 +01:00
test	Add CI tests on Travis-ci and Appveyor	2018-02-06 23:03:32 +01:00
.autotest	Sync roles works, sync membership not yet	2011-05-18 15:45:08 +02:00
.gitignore	Move from Hoe to Bundler	2018-02-06 21:56:53 +01:00
.travis.yml	Add CI tests on Travis-ci and Appveyor	2018-02-06 23:03:32 +01:00
appveyor.yml	Add CI tests on Travis-ci and Appveyor	2018-02-06 23:03:32 +01:00
Gemfile	Remove possibility to use postgres-pr	2018-02-06 22:29:48 +01:00
History.txt	Prepare for release	2012-11-15 17:02:55 +01:00
LICENSE.txt	Move from Hoe to Bundler	2018-02-06 21:56:53 +01:00
Manifest.txt	Update Manifest.txt	2011-07-13 15:00:31 +02:00
pg-ldap-sync.gemspec	Update net-ldap dependency to get rid of the github vulnerability message	2018-02-06 23:09:21 +01:00
Rakefile	Move from Hoe to Bundler	2018-02-06 21:56:53 +01:00
README.rdoc	Remove possibility to use postgres-pr	2018-02-06 22:29:48 +01:00

README.rdoc

= Use LDAP permissions in PostgreSQL

* http://github.com/larskanis/pg-ldap-sync

== DESCRIPTION:

LDAP is often used for a centralized user and role management
in an enterprise environment. PostgreSQL offers different
authentication methods, like LDAP, SSPI, GSSAPI or SSL.
However, for any method the user must already exist in the database,
before the authentication can be used. There is currently
no direct authorization of database users on LDAP. So roles
and memberships has to be administered twice.

This program helps to solve the issue by synchronizing users,
groups and their memberships from LDAP to PostgreSQL.
Access to LDAP is used read-only. <tt>pg_ldap_sync</tt> issues proper
CREATE ROLE, DROP ROLE, GRANT and REVOKE commands to synchronize
users and groups.

It is meant to be started as a cron job.

== FEATURES:

* Configurable per YAML config file
* Can use Active Directory as LDAP-Server
* Nested groups/roles supported
* Set scope of considered users/groups on LDAP and PG side
* Runs with pg.gem (C-library) or postgres-pr.gem (pure Ruby)
* Test mode which doesn't do any changes to the DBMS
* Both LDAP and PG connections can be secured by SSL/TLS

== REQUIREMENTS:

* Ruby-2.0+, JRuby-1.2, Rubinius-1.2 or better
* LDAP-v3 server
* PostgreSQL-server v9.0+

== INSTALL:

Install Ruby:
* on Windows: http://rubyinstaller.org
* on Debian/Ubuntu: <tt>apt-get install ruby libpq-dev</tt>

Install pg-ldap-sync and required dependencies:
  gem install pg-ldap-sync

=== Install from Git:
  git clone https://github.com/larskanis/pg-ldap-sync.git
  cd pg-ldap-sync
  bundle
  rake install

== USAGE:

Create a config file based on
{config/sample-config.yaml}[https://github.com/larskanis/pg-ldap-sync/blob/master/config/sample-config.yaml]
or even better
{config/sample-config2.yaml}[https://github.com/larskanis/pg-ldap-sync/blob/master/config/sample-config2.yaml]

Run in test-mode:

  pg_ldap_sync -c my_config.yaml -vv -t

Run in modify-mode:

  pg_ldap_sync -c my_config.yaml -vv


== TEST:
There is a small test suite in the <tt>test</tt> directory that runs
against an internal ruby-ldapserver and PostgreSQL server. Ensure gem
<tt>ruby-ldapserver</tt> is installed and <tt>pg_ctl</tt>, <tt>initdb</tt> and <tt>psql</tt>
commands are in the <tt>PATH</tt>. Then:

  cd pg-ldap-sync
  rake test

== ISSUES:
* There is currently no way to set certain user attributes in PG
  based on individual attributes in LDAP (expiration date etc.)


== License

The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).