Can you please give an example for the ldap side?
danielwestermann opened this issue · 2 comments
danielwestermann commented
Hi,
I just installed this and the connection to the AD is fine. Executing pg-ldap-sync does not create any users on the postgres side, so probably I am missing something:
# Search parameters for LDAP users which should be synchronized
ldap_users:
  base: OU=pgadmins,OU=PostgreSQL,DC=test,DC=dbiservices,DC=com
  # LDAP filter (according to RFC 2254)
  # defines the users in LDAP to be synchronized
  filter: (&(objectClass=person)(objectClass=organizationalPerson)(givenName=*)(sn=*)(sAMAccountName=*))
  # this attribute is used as PG role name
  name_attribute: sAMAccountName
  # lowercase name for use as PG role name
  lowercase_name: true
Testing this it returns the three test users:
[postgres@pgadsync ~]$ ldapsearch -x -h 172.22.30.1 -D "xxxxxxxxx" -W -b "OU=pgadmins,OU=PostgreSQL,DC=test,DC=dbiservices,DC=com" | grep sAMAccountName
Enter LDAP Password:
sAMAccountName: dba1
sAMAccountName: dba2
sAMAccountName: dba3
Same for the groups:
# Search parameters for LDAP groups which should be synchronized
ldap_groups:
  base: OU=pggroups,OU=PostgreSQL,DC=test,DC=dbiservices,DC=com
  filter: (cn=company.*)
  # this attribute is used as PG role name
  name_attribute: cn
  # lowercase name for use as PG role name
  lowercase_name: false
  # this attribute must reference all member DNs of the given group
  member_attribute: member
ldapsearch against that:
[postgres@pgadsync ~]$ ldapsearch -x -h 172.22.30.1 -D "xxxxx" -W -b "OU=pggroups,OU=PostgreSQL,DC=test,DC=dbiservices,DC=com" | grep member
Enter LDAP Password:
member: CN=dba3,OU=pgadmins,OU=PostgreSQL,DC=test,DC=dbiservices,DC=com
member: CN=dba2,OU=pgadmins,OU=PostgreSQL,DC=test,DC=dbiservices,DC=com
member: CN=dba1,OU=pgadmins,OU=PostgreSQL,DC=test,DC=dbiservices,DC=com
What am I missing here?
[postgres@pgadsync ~]$ bin/pg_ldap_sync -c etc/pg_ldap_sync.yaml -vv -t
I, [2018-07-23T11:26:53.775372 #28962] INFO -- : user stat: create: 0 drop: 0 keep: 0
I, [2018-07-23T11:26:53.775695 #28962] INFO -- : group stat: create: 0 drop: 0 keep: 0
I, [2018-07-23T11:26:53.783104 #28962] INFO -- : membership stat: grant: 0 revoke: 0 keep: 0
Thanks,
Daniel
danielwestermann commented
... of course I have these roles defined in postgres:
postgres=# \du
                                   List of roles
 Role name   |                         Attributes                         | Member of
-------------+------------------------------------------------------------+-----------
 ldap_groups | Cannot login                                               | {}
 ldap_users  | Cannot login                                               | {}
 postgres    | Superuser, Create role, Create DB, Replication, Bypass RLS | {}
Manually creating a user in the ldap_users group results in pg_ldap_sync deleting that user in postgres, so this direction is fine:
[postgres@pgadsync ~]$ bin/pg_ldap_sync -c etc/pg_ldap_sync.yaml -vv
I, [2018-07-23T11:42:38.642067 #28995] INFO -- : found pg-user: "dba1"
I, [2018-07-23T11:42:38.644278 #28995] INFO -- : user stat: create: 0 drop: 1 keep: 0
I, [2018-07-23T11:42:38.648154 #28995] INFO -- : group stat: create: 0 drop: 0 keep: 0
I, [2018-07-23T11:42:38.648285 #28995] INFO -- : membership stat: grant: 0 revoke: 0 keep: 0
I, [2018-07-23T11:42:38.648335 #28995] INFO -- : SQL: DROP ROLE "dba1"
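Added illustration, not pg-ldap-sync's own code: the Ruby below models the create/drop/keep reconciliation that the "user stat", "group stat" and "membership stat" lines report, starting from entries as a directory search would return them. The LDAP entries follow the ldapsearch output in the issue; the svc_backup member DN, the oldadmin role and the whole PostgreSQL state are constructed, as are the function names.

```ruby
require 'set'

# Naming rules taken from the ldap_users / ldap_groups sections of the issue's
# config. The LDAP filter itself is applied by the directory server, so this
# model starts from the entries a search returns.
USERS_CFG  = { name_attribute: 'sAMAccountName', lowercase_name: true }.freeze
GROUPS_CFG = { name_attribute: 'cn', lowercase_name: false, member_attribute: 'member' }.freeze

# Constructed LDAP search results, modelled on the ldapsearch output above.
# The svc_backup member DN is invented: it stands for an entry the group lists
# but the user filter does not return.
LDAP_USERS = [
  { dn: 'CN=dba1,OU=pgadmins,OU=PostgreSQL,DC=test,DC=dbiservices,DC=com', 'sAMAccountName' => 'DBA1' },
  { dn: 'CN=dba2,OU=pgadmins,OU=PostgreSQL,DC=test,DC=dbiservices,DC=com', 'sAMAccountName' => 'dba2' },
  { dn: 'CN=dba3,OU=pgadmins,OU=PostgreSQL,DC=test,DC=dbiservices,DC=com', 'sAMAccountName' => 'dba3' },
].freeze
LDAP_GROUPS = [
  { dn: 'CN=company.dba,OU=pggroups,OU=PostgreSQL,DC=test,DC=dbiservices,DC=com',
    'cn' => 'company.dba',
    'member' => [
      'CN=dba3,OU=pgadmins,OU=PostgreSQL,DC=test,DC=dbiservices,DC=com',
      'CN=dba1,OU=pgadmins,OU=PostgreSQL,DC=test,DC=dbiservices,DC=com',
      'CN=svc_backup,OU=services,DC=test,DC=dbiservices,DC=com',
    ] },
].freeze

# Constructed PostgreSQL state: roles that already exist and current memberships
# as [group, member] pairs. 'oldadmin' has no LDAP counterpart, so a sync would
# drop it, which is the direction the second comment demonstrates.
PG_STATE = {
  users: ['dba1', 'oldadmin'],
  groups: ['company.dba'],
  memberships: [['company.dba', 'oldadmin']],
}.freeze

def role_name(entry, cfg)
  name = entry.fetch(cfg[:name_attribute])
  cfg[:lowercase_name] ? name.downcase : name
end

# Double any embedded quote so an attribute value cannot break out of the identifier.
def quote_ident(name)
  %("#{name.gsub('"', '""')}")
end

def diff(wanted, present)
  wanted = wanted.to_set
  present = present.to_set
  { create: (wanted - present).to_a.sort, drop: (present - wanted).to_a.sort, keep: (wanted & present).to_a.sort }
end

def plan_sync(ldap_users, ldap_groups, pg, users_cfg: USERS_CFG, groups_cfg: GROUPS_CFG)
  # Map DN -> role name; DNs compare case-insensitively.
  by_dn = ldap_users.to_h { |u| [u[:dn].downcase, role_name(u, users_cfg)] }
  users  = diff(by_dn.values, pg[:users])
  groups = diff(ldap_groups.map { |g| role_name(g, groups_cfg) }, pg[:groups])

  # A membership is only wanted when the member DN resolves to a synchronized user.
  wanted_memberships = []
  unresolved = []
  ldap_groups.each do |g|
    gname = role_name(g, groups_cfg)
    Array(g[groups_cfg[:member_attribute]]).each do |dn|
      uname = by_dn[dn.downcase]
      if uname
        wanted_memberships << [gname, uname]
      else
        unresolved << [gname, dn]
      end
    end
  end
  m = diff(wanted_memberships, pg[:memberships])

  # Creates and grants first, revokes next, drops last.
  sql = users[:create].map { |n| "CREATE ROLE #{quote_ident(n)} LOGIN" } +
        groups[:create].map { |n| "CREATE ROLE #{quote_ident(n)} NOLOGIN" } +
        m[:create].map { |g, u| "GRANT #{quote_ident(g)} TO #{quote_ident(u)}" } +
        m[:drop].map { |g, u| "REVOKE #{quote_ident(g)} FROM #{quote_ident(u)}" } +
        users[:drop].map { |n| "DROP ROLE #{quote_ident(n)}" } +
        groups[:drop].map { |n| "DROP ROLE #{quote_ident(n)}" }

  { users: users, groups: groups,
    memberships: { grant: m[:create], revoke: m[:drop], keep: m[:keep] },
    unresolved_members: unresolved, sql: sql }
end

# Same shape as the "user stat" / "group stat" / "membership stat" log lines.
def stat_lines(plan)
  u, g, m = plan[:users], plan[:groups], plan[:memberships]
  ["user stat: create: #{u[:create].size} drop: #{u[:drop].size} keep: #{u[:keep].size}",
   "group stat: create: #{g[:create].size} drop: #{g[:drop].size} keep: #{g[:keep].size}",
   "membership stat: grant: #{m[:grant].size} revoke: #{m[:revoke].size} keep: #{m[:keep].size}"]
end

if __FILE__ == $PROGRAM_NAME
  plan = plan_sync(LDAP_USERS, LDAP_GROUPS, PG_STATE)
  puts stat_lines(plan)
  plan[:unresolved_members].each { |g, dn| puts "WARN: #{g} lists #{dn}, not returned by the user filter" }
  puts plan[:sql]
end
```

Computing the plan without applying it is the dry-run step (the -t flag in the post). Two things the model makes visible: a user filter that returns nothing gives the 0/0/0 "user stat" line while any existing roles on the PG side turn into DROP ROLE statements, and a member DN that is not among the filtered users never becomes a GRANT, so the unresolved list is the first place to look when memberships stay at 0.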
danielwestermann commented
Forget it, I had an issue with the ldap filter
Thanks anyway
Daniel