Thread

  1. Using LDAP roles in PostgreSQL

    Lars Kanis <kanis@comcard.de> — 2011-07-13T13:59:02Z

    Hi,
    
    LDAP is often used to do a centralized user and role management in an enterprise environment. PostgreSQL offers different 
    authentication methods, like LDAP, SSPI, GSSAPI or SSL. However, for any of these methods the user must already exist in the 
    database, before the authentication can be used. There is currently no authorization of database users directly based on LDAP.
    
    Unfortunately, I couldn't find a programm for synchronizing users, groups and their memberships from LDAP to PostgreSQL. So I wrote 
    my own and just released v0.1.0.
    
    Access to LDAP is used read-only. pg_ldap_sync issues proper CREATE ROLE, DROP ROLE, GRANT and REVOKE commands to 
    synchronize users and groups. It is meant to be started as a cron job.
    
    FEATURES:
    * Configurable per YAML config file
    * Can use Active Directory as LDAP-Server
    * Nested groups/roles supported
    * Runs with pg.gem (C-library) or postgres-pr.gem (pure Ruby)
    * Test mode which doesn’t do any changes to the DBMS
    
    Homepage: https://github.com/larskanis/pg-ldap-sync
    
    Is it something useful for someone apart of mine?
    
    --
    Kind regards,
    Lars Kanis
    
    
  2. Re: Using LDAP roles in PostgreSQL

    Chris Travers <chris.travers@gmail.com> — 2011-07-13T17:19:37Z

    On Wed, Jul 13, 2011 at 6:59 AM, Lars Kanis <kanis@comcard.de> wrote:
    
    > Homepage: https://github.com/larskanis/pg-ldap-sync
    >
    > Is it something useful for someone apart of mine?
    
    Hi Lars;
    
    While I don't have an immediate use for it, it is very nice to know
    such a tool exists, and I think it is likely that at some unspecified
    point in the future, something like this might be helpful to my own
    customers.
    
    I do have a question though.  Does your application allow for creating
    only users and groups in part of the LDAP tree?  Or does it have that
    possibility yet?  Also can it be configured to ignore grants of
    specific Pg roles to users?  I am not saying these are must-haves.
    If I need them at some point I could probably add the features and
    contribute the change back.  But it would be nice to know.
    
    Just as an example of where I am going with this.  One of my main
    projects (LedgerSMB) uses database roles to enforce permissions.  One
    of the nice things is that password authentication could passed
    through to an LDAP server to provide SSO for an organization.  I plan
    to forward this announcement to the list there as well as a
    potentially useful tool.  I figure it is worth noting this on the list
    because I can't imagine I am the only one doing this.
    
    Best Wishes,
    Chris Travers
    
    
  3. Re: Using LDAP roles in PostgreSQL

    Lars Kanis <lars@greiz-reinsdorf.de> — 2011-07-13T19:53:09Z

    Hi Chris,
    
    > I do have a question though.  Does your application allow for creating
    > only users and groups in part of the LDAP tree?  Or does it have that
    > possibility yet? Also can it be configured to ignore grants of
    > specific Pg roles to users?
    Yes, filters on both sides can be set and they can be different for users and 
    groups. The LDAP filter is according to RFC 2254 and the PG filter is plain SQL. 
    You may also collect all synchronized roles into a PG-group, so that you can 
    catch them easily. That's shown in https://github.com/larskanis/pg-ldap-
    sync/blob/master/config/sample-config2.yaml
    
    I just updated the README.txt according to your question.
    
    > Just as an example of where I am going with this.  One of my main
    > projects (LedgerSMB) uses database roles to enforce permissions.  One
    > of the nice things is that password authentication could passed
    > through to an LDAP server to provide SSO for an organization.
    I use it together with Kerberos and with SSL-certificate authentication. Since 
    there are default privilegs in Postgres 9.0, it is practicable to use fine 
    graded privileges now.
    
    > I plan
    > to forward this announcement to the list there as well as a
    > potentially useful tool.  I figure it is worth noting this on the list
    > because I can't imagine I am the only one doing this.
    
    Yes, thanks. I could announce it too, in case the list is writeable for me.
    
    --
    Regards,
    Lars Kanis