/ldap-pg

LDAP server with PostgreSQL as the backend

Primary LanguageGoGNU General Public License v2.0GPL-2.0

ldap-pg

GoDoc

This repository is heavily under development.

ldap-pg is a LDAP server implementation which uses PostgreSQL as the backend database.

Features

  • Basic LDAP operations
    • Bind
      • PLAIN
      • SSHA
      • SSHA256
      • SSHA512
      • Pass-through authentication (Support {SASL}foo@domain format)
    • Search
      • base
      • one
      • sub
      • children
    • Add
    • Modify
    • Delete
    • ModifyDN
      • Rename RDN
      • Support deleteoldrdn
      • Support newsuperior
    • Compare
    • Extended
  • LDAP Controls
    • Simple Paged Results Control
    • Sort Control
  • Support association (like OpenLDAP memberOf overlay)
    • Return memberOf attribute as operational attribute
    • Maintain member uniqueMember / memberOf
    • Search filter using memberOf
  • Schema
    • Basic schema processing
    • More schema processing
    • User defined schema
    • Multiple RDNs
  • Password Policy
    • Account lock
    • More policy controls
  • Authorization
    • Simple ACL
  • Last bind
    • Record the timestamp of the last successful bind
  • Network
    • SSL/StartTLS
  • Prometheus metrics
  • Auto create table for PostgreSQL
  • Auto migrate table for PostgreSQL

Requirement

PostgreSQL 12 or later.

Install

From binary

Please download it from release page.

From source

ldap-pg is written by Go. Install Go then build ldap-pg:

make

You can find the binary in ./bin/ directory.

Usage

Start ldap-pg

ldap-pg.

Usage:

  ldap-pg [options]

Options:

  -acl value
        Simple ACL: the format is <DN(User, Group or empty(everyone))>:<Scope(R, W or RW)>:<Invisible Attributes> (e.g. cn=reader,dc=example,dc=com:R:userPassword,telephoneNumber)
  -b string
        Bind address (default "127.0.0.1:8389")
  -d string
        DB Name
  -db-max-idle-conns int
        DB max idle connections (default 2)
  -db-max-open-conns int
        DB max open connections (default 5)
  -default-ppolicy-dn string
        DN of the default password policy entry (e.g. cn=standard-policy,ou=Policies,dc=example,dc=com)
  -gomaxprocs int
        GOMAXPROCS (Use CPU num with default)
  -h string
        DB Hostname (default "localhost")
  -log-level string
        Log level, on of: debug, info, warn, error, alert (default "info")
  -migration
        Enable migration mode which means LDAP server accepts add/modify operational attributes (default false)
  -p int
        DB Port (default 5432)
  -pass-through-ldap-bind-dn string
        Pass-through/LDAP: Bind DN
  -pass-through-ldap-domain string
        Pass-through/LDAP: Domain for pass-through/LDAP
  -pass-through-ldap-filter string
        Pass-through/LDAP: Filter for finding an user (e.g. (cn=%u))
  -pass-through-ldap-password string
        Pass-through/LDAP: Bind password
  -pass-through-ldap-scope string
        Pass-through/LDAP: Search scope, on of: base, one, sub (default "sub")
  -pass-through-ldap-search-base string
        Pass-through/LDAP: Search base
  -pass-through-ldap-server string
        Pass-through/LDAP: Server address and port (e.g. myldap:389)
  -pass-through-ldap-timeout int
        Pass-through/LDAP: Timeout seconds (default 10)
  -pprof string
        Bind address of pprof server (Don't start the server with default)
  -root-dn string
        Root dn for the LDAP
  -root-pw string
        Root password for the LDAP
  -s string
        DB Schema
  -schema value
        Additional/overwriting custom schema
  -suffix string
        Suffix for the LDAP
  -u string
        DB User
  -w string
        DB Password

Example

Start PostgreSQL server.

docker run --rm -d \
  -e POSTGRES_DB=testdb \
  -e POSTGRES_USER=testuser \
  -e POSTGRES_PASSWORD=testpass \
  -p 35432:5432 \
  postgres:13-alpine \
  -c log_destination=stderr \
  -c log_statement=all \
  -c log_connections=on \
  -c log_disconnections=on \
  -c jit=off

Start ldap-pg server.

ldap-pg -h localhost -u testuser -w testpass -d testdb -s public \
 -suffix dc=example,dc=com -root-dn cn=Manager,dc=example,dc=com -root-pw secret \
 -log-level info

[  info ] 2019/10/03 15:13:37 main.go:169: Setup GOMAXPROCS with NumCPU: 8
[  info ] 2019/10/03 15:13:37 main.go:234: Starting ldap-pg on 127.0.0.1:8389

ldap-pg creates required tables and indexes into the PostgreSQL if not exists. You can import your LDIF file by using standard LDAP tools like ldapadd command.

$ cat << EOS > base.ldif

dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Example Inc.
dc: example

dn: ou=Users,dc=example,dc=com
objectClass: organizationalUnit
ou: Users

dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
ou: Group

EOS

$ ldapadd -H ldap://localhost:8389 -x -D cn=manager,dc=example,dc=com -w secret -f base.ldif
adding new entry "dc=example,dc=com"

adding new entry "ou=Users,dc=example,dc=com"

adding new entry "ou=Groups,dc=example,dc=com"

Integration Test

Start PostgreSQL server.

docker run --rm -d \
  -e POSTGRES_DB=testdb \
  -e POSTGRES_USER=testuser \
  -e POSTGRES_PASSWORD=testpass \
  -p 35432:5432 \
  postgres:13-alpine \
  -c log_destination=stderr \
  -c log_statement=all \
  -c log_connections=on \
  -c log_disconnections=on \
  -c jit=off

Run test cases.

make it

License

Licensed under the GPL license.