Skip to content

ipoval/pg-ldap-sync

 
 

Repository files navigation

Use LDAP permissions in PostgreSQL

DESCRIPTION:

LDAP is often used for a centralized user and role management in an enterprise environment. PostgreSQL offers different authentication methods, like LDAP, SSPI, GSSAPI or SSL. However, for any method the user must already exist in the database, before the authentication can be used. There is currently no direct authorization of database users on LDAP. So roles and memberships has to be administered twice.

This program helps to solve the issue by synchronizing users, groups and their memberships from LDAP to PostgreSQL. Access to LDAP is used read-only. pg_ldap_sync issues proper CREATE ROLE, DROP ROLE, GRANT and REVOKE commands to synchronize users and groups.

It is meant to be started as a cron job.

FEATURES:

  • Configurable per YAML config file

  • Can use Active Directory as LDAP-Server

  • Nested groups/roles supported

  • Set scope of considered users/groups on LDAP and PG side

  • Runs with pg.gem (C-library) or postgres-pr.gem (pure Ruby)

  • Test mode which doesn’t do any changes to the DBMS

  • Both LDAP and PG connections can be secured by SSL/TLS

REQUIREMENTS:

  • Ruby-1.8.7, Ruby-1.9.2, JRuby-1.2, Rubinius-1.2 or better

  • Rubygems-1.3.5+

  • LDAP-v3 server

  • PostgreSQL-server v8.1+

INSTALL:

Install Ruby and rubygems:

Install pg-ldap-sync and a database connector for PostgreSQL:

gem install pg-ldap-sync pg

You may also use the pure ruby postgres-connector which is less mature, but doesn’t need compilation:

gem install pg-ldap-sync postgres-pr

Install from Git:

git clone https://github.com/larskanis/pg-ldap-sync.git
cd pg-ldap-sync
gem install hoe
rake install_gem

Build gem

gem uninstall pg-ldap-sync
[ -f pg-ldap-sync-0.1.3.gem ] && rm pg-ldap-sync-0.1.3.gem
gem build pg-ldap-sync.gemspec
gem install --no-rdoc --no-ri --local pg-ldap-sync-0.1.3.gem

USAGE:

DEV ENV DRY-RUN

source env.dev.secret
pg_ldap_sync_bin -c config/pg_ldap_sync_config.yaml -vv -t # runs in dry-run mode

Create a config file based on config/sample-config.yaml or even better config/sample-config2.yaml

Run in test-mode:

pg_ldap_sync -c my_config.yaml -vv -t

Run in modify-mode:

pg_ldap_sync -c my_config.yaml -vv

TEST:

There is a small test suite in the test directory that runs against an internal ruby-ldapserver and PostgreSQL server. Ensure gem ruby-ldapserver is installed and pg_ctl, initdb and psql commands are in the PATH. Then:

cd pg-ldap-sync
rake test

ISSUES:

  • There is currently no way to set certain user attributes in PG based on individual attributes in LDAP (expiration date etc.)

LICENSE:

(The MIT License)

Copyright © 2011 FIX

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the ‘Software’), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED ‘AS IS’, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

About

Use LDAP permissions in PostgreSQL

Resources

Stars

Watchers

Forks

Packages

No packages published

Languages

  • Ruby 100.0%