larskanis/pg-ldap-sync

Issues when syncing AD groups

danielwestermann opened this issue · 0 comments

Hi,

first of all thank you for this piece of software, it works great.
I have one question: When we have a real AD group like this one:

PS C:\Users\dwe> get-adgroup admins

DistinguishedName : CN=admins,OU=PostgreSQL,DC=test,DC=dbiservices,DC=com
GroupCategory     : Security
GroupScope        : Global
Name              : admins
ObjectClass       : group
ObjectGUID        : 9375dfed-4889-498f-8398-b5cf6c521292
SamAccountName    : admins
SID               : S-1-5-21-1526535285-4293193832-2851663263-1765

... and have that in the yaml file:

# Search parameters for LDAP users which should be synchronized
ldap_users:
  base: CN=admins,OU=PostgreSQL,DC=test,DC=dbiservices,DC=com
  filter: (sAMAccountName=*)
  # this attribute is used as PG role name
  name_attribute: sAMAccountName
  # lowercase name for use as PG role name
  lowercase_name: true

Syncing results in these warnings for the users in that group:

W, [2018-10-11T08:48:52.138569 #2554]  WARN -- : ldap member with dn CN=dba4,OU=pgadmins,OU=PostgreSQL,DC=test,DC=dbiservices,DC=com is unknown
W, [2018-10-11T08:48:52.138587 #2554]  WARN -- : ldap member with dn CN=dba3,OU=pgadmins,OU=PostgreSQL,DC=test,DC=dbiservices,DC=com is unknown
W, [2018-10-11T08:48:52.138602 #2554]  WARN -- : ldap member with dn CN=dba1,OU=pgadmins,OU=PostgreSQL,DC=test,DC=dbiservices,DC=com is unknown

We managed to get it working by adjusting the filter to only return users of that group and setting the base to the real location of the users, but we wonder if pg_ldap_sync could be improved to work with the groups directly? Or are we missing something?

Thanks for your help
Daniel
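Worked configuration, added here as an example and not taken from the issue or from the pg-ldap-sync project: the `ldap_users` section rewritten the way the poster describes the workaround, with the search base moved to the users' container and the filter restricted to members of the `admins` group. The OU path comes from the DNs in the warnings above; the AD matching-rule OIDs are standard Active Directory extensions; the `ldap_groups`/`member_attribute` keys mentioned in the closing comment are assumed from the project's sample configuration and are not shown on this page.

```yaml
# Added example (not from the issue or from pg-ldap-sync itself).
#
# Why the original config fails: an LDAP search base must be a container,
# and an AD group is a leaf object whose members are only listed in its
# "member" attribute. Searching below CN=admins,... returns at most the
# group entry itself (groups also carry a sAMAccountName, so the filter
# matches it), so the user DNs that the group sync later reads from
# "member" are never part of the synced user set and are reported as
# "unknown".

# --- original (as posted in the issue): base points at the group object ---
# ldap_users:
#   base: CN=admins,OU=PostgreSQL,DC=test,DC=dbiservices,DC=com
#   filter: (sAMAccountName=*)
#   name_attribute: sAMAccountName
#   lowercase_name: true

# --- corrected: search the users' container, filter on group membership ---
ldap_users:
  # The OU that actually holds the user objects (taken from the DNs in the warnings).
  base: OU=pgadmins,OU=PostgreSQL,DC=test,DC=dbiservices,DC=com
  # objectCategory=person + objectClass=user keeps computer and group
  # objects out of the role list (computers are also objectClass=user in AD);
  # memberOf restricts the result to direct members of the admins group;
  # the userAccountControl bit test (matching rule 1.2.840.113556.1.4.803,
  # bit 2 = ACCOUNTDISABLE) drops disabled accounts so they get no PG role.
  filter: (&(objectCategory=person)(objectClass=user)(memberOf=CN=admins,OU=PostgreSQL,DC=test,DC=dbiservices,DC=com)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
  # this attribute is used as PG role name
  name_attribute: sAMAccountName
  # lowercase name for use as PG role name
  lowercase_name: true

# Caveat: if "admins" contains nested groups, a plain memberOf match misses
# their members. AD's LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941)
# follows the chain; replace the memberOf clause above with this one:
#   (memberOf:1.2.840.113556.1.4.1941:=CN=admins,OU=PostgreSQL,DC=test,DC=dbiservices,DC=com)
#
# Assumption (from the project's sample config, not shown in this issue):
# the group itself is synced to a PG role through a separate ldap_groups
# section whose member_attribute is "member". That sync can only grant
# membership to users present in the ldap_users result, which is exactly
# why the base/filter above must return the real user entries.
```

The disabled-account clause is the part worth keeping even outside this scenario: pg-ldap-sync only creates and drops roles, so without it a user disabled in AD keeps a PostgreSQL role until the account is deleted. The two OID-based matching rules are Active Directory specific and will be rejected by other directory servers.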