Thread: Using LDAP roles in PostgreSQL

Using LDAP roles in PostgreSQL

From
Lars Kanis
Date:
Hi,

LDAP is often used to do centralized user and role management in an enterprise environment. PostgreSQL offers
different authentication methods, like LDAP, SSPI, GSSAPI or SSL. However, for any of these methods the user must
already exist in the database, before the authentication can be used. There is currently no authorization of
database users directly based on LDAP.

Unfortunately, I couldn't find a program for synchronizing users, groups and their memberships from LDAP to
PostgreSQL. So I wrote my own and just released v0.1.0.

Access to LDAP is used read-only. pg_ldap_sync issues proper CREATE ROLE, DROP ROLE, GRANT and REVOKE commands to
synchronize users and groups. It is meant to be started as a cron job.

FEATURES:
* Configurable per YAML config file
* Can use Active Directory as LDAP-Server
* Nested groups/roles supported
* Runs with pg.gem (C-library) or postgres-pr.gem (pure Ruby)
* Test mode which doesn’t do any changes to the DBMS

Homepage: https://github.com/larskanis/pg-ldap-sync

Is it something useful for someone apart from me?

--
Kind regards,
Lars Kanis
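As an added illustration of the synchronization step described in the announcement (this is example code, not pg_ldap_sync's own), the following Ruby script derives the CREATE ROLE, DROP ROLE, GRANT and REVOKE statements from a constructed LDAP snapshot and a constructed PostgreSQL snapshot, including one nested group. The role names, the snapshot layout, the statement order and the identifier quoting are assumptions made for the example.

```ruby
# Added example, not pg_ldap_sync's own code: compute the SQL plan that brings
# the PostgreSQL role catalog in line with a snapshot read from LDAP.
require 'set'

# Quote an identifier the way PostgreSQL expects (double the embedded quotes), so
# that a cn coming from the directory can never break out of the statement.
def quote_ident(name)
  '"' + name.gsub('"', '""') + '"'
end

# Constructed snapshots. Memberships are [member, group] pairs; a group listed
# as a member of another group models an LDAP nested group, which becomes
# GRANT parent_group TO child_group in PostgreSQL.
LDAP = {
  users: %w[alice bob],
  groups: %w[developers admins],
  memberships: [%w[alice developers], %w[bob developers], %w[developers admins]]
}
PG = {
  users: %w[alice carol],              # carol is no longer in LDAP
  groups: %w[developers],
  memberships: [%w[alice developers], %w[carol developers]]
}

# Returns the ordered statements that make +pg+ match +ldap+. Order matters:
# roles are created before anything is granted to them, and memberships are
# revoked before the stale roles they belong to are dropped.
def sync_plan(ldap, pg)
  plan = []
  (ldap[:users] - pg[:users]).each   { |u| plan << "CREATE ROLE #{quote_ident(u)} LOGIN" }
  (ldap[:groups] - pg[:groups]).each { |g| plan << "CREATE ROLE #{quote_ident(g)} NOLOGIN" }

  want = ldap[:memberships].to_set
  have = pg[:memberships].to_set
  (have - want).each { |m, g| plan << "REVOKE #{quote_ident(g)} FROM #{quote_ident(m)}" }

  stale = (pg[:users] - ldap[:users]) + (pg[:groups] - ldap[:groups])
  stale.each { |r| plan << "DROP ROLE #{quote_ident(r)}" }

  (want - have).each { |m, g| plan << "GRANT #{quote_ident(g)} TO #{quote_ident(m)}" }
  plan
end

puts sync_plan(LDAP, PG) if __FILE__ == $PROGRAM_NAME
```

Printing the plan instead of executing it corresponds to the announced test mode; a real run would send each statement through pg.gem or postgres-pr.gem in a transaction.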

Re: Using LDAP roles in PostgreSQL

From
Chris Travers
Date:
On Wed, Jul 13, 2011 at 6:59 AM, Lars Kanis <kanis@comcard.de> wrote:

> Homepage: https://github.com/larskanis/pg-ldap-sync
>
> Is it something useful for someone apart from me?

Hi Lars;

While I don't have an immediate use for it, it is very nice to know
such a tool exists, and I think it is likely that at some unspecified
point in the future, something like this might be helpful to my own
customers.

I do have a question though.  Does your application allow for creating
only users and groups in part of the LDAP tree?  Or does it have that
possibility yet?  Also can it be configured to ignore grants of
specific Pg roles to users?  I am not saying these are must-haves.
If I need them at some point I could probably add the features and
contribute the change back.  But it would be nice to know.

Just as an example of where I am going with this.  One of my main
projects (LedgerSMB) uses database roles to enforce permissions.  One
of the nice things is that password authentication could be passed
through to an LDAP server to provide SSO for an organization.  I plan
to forward this announcement to the list there as well as a
potentially useful tool.  I figure it is worth noting this on the list
because I can't imagine I am the only one doing this.

Best Wishes,
Chris Travers

Re: Using LDAP roles in PostgreSQL

From
"Lars Kanis"
Date:
Hi Chris,

> I do have a question though.  Does your application allow for creating
> only users and groups in part of the LDAP tree?  Or does it have that
> possibility yet? Also can it be configured to ignore grants of
> specific Pg roles to users?
Yes, filters on both sides can be set and they can be different for users and
groups. The LDAP filter is according to RFC 2254 and the PG filter is plain SQL.
You may also collect all synchronized roles into a PG-group, so that you can
catch them easily. That's shown in https://github.com/larskanis/pg-ldap-sync/blob/master/config/sample-config2.yaml

I just updated the README.txt according to your question.

> Just as an example of where I am going with this.  One of my main
> projects (LedgerSMB) uses database roles to enforce permissions.  One
> of the nice things is that password authentication could be passed
> through to an LDAP server to provide SSO for an organization.
I use it together with Kerberos and with SSL-certificate authentication. Since
there are default privileges in Postgres 9.0, it is practicable to use fine-grained
privileges now.

> I plan
> to forward this announcement to the list there as well as a
> potentially useful tool.  I figure it is worth noting this on the list
> because I can't imagine I am the only one doing this.

Yes, thanks. I could announce it too, in case the list is writeable for me.

--
Regards,
Lars Kanis

--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
