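---
#
#
# L D A P 2 P G S A M P L E C O N F I G U R A T I O N
#
#
# This is a starting point configuration file for ldap2pg.yml. Including static
# roles, groups, privileges and LDAP search.
#
# This configuration assumes the following principles:
#
# - All LDAP users are grouped in the `ldap_roles` group (that group is not
#   referenced by the rules below; only `readers`, `writers` and `owners` are).
# - Read privileges are granted to `readers` group.
# - Write privileges are granted to `writers` group.
# - DDL privileges are granted to `owners` group.
# - We have one or more databases with public and maybe a schema.
# - Grants are not specific to a schema. Once you're writer in a database, you
#   are writer to all schemas in it. (The `ro` grant in section 3 deliberately
#   departs from this to demonstrate schema scoping; see its comment.)
#
# The LDAP directory content is described in test/fixtures/openldap-data.ldif
#
# Adapt to your needs! See also full documentation on how to configure ldap2pg
# at https://ldap2pg.readthedocs.io/en/latest/config/.
#
# Don't hesitate to suggest improvements for this starting configuration at
# https://github.com/dalibo/ldap2pg/issues/new . Thanks for your contribution!
#
# Operational caveat: ldap2pg enforces this file as the desired state of the
# cluster (see section 3), so roles and grants that exist but are not produced
# by the rules get removed. Review the planned changes on a dry run before
# applying them for real.
#
#
# File format version. Allows ldap2pg to check whether the file is supported.
#
version: 6

#
# 1. P O S T G R E S I N S P E C T I O N
#
# See https://ldap2pg.readthedocs.io/en/latest/postgres/
#
postgres:
  # Roles matching these patterns are excluded from the synchronisation.
  # Keep here every role that is not managed from LDAP: the built-in
  # `postgres` superuser, the internal `pg_*` roles, the database owner
  # `nominal` and -- presumably -- the role ldap2pg itself connects with, so
  # that a sync can never drop or alter it (verify against your connection
  # settings). The glob is quoted so that no YAML parser mistakes `*` for an
  # alias indicator.
  roles_blacklist_query: [nominal, postgres, 'pg_*']
  # Databases to inspect and synchronise grants in.
  databases_query: [nominal]

#
# 2. P R I V I L E G E S D E F I N I T I O N
#
# See https://ldap2pg.readthedocs.io/en/latest/privileges/. Privileges wrapped
# in double underscores are builtin privilege profiles. See
# https://ldap2pg.readthedocs.io/en/latest/builtins/ for a documentation of
# each of them.
#
privileges:
  # `ro`: read-only access -- connect, read tables and sequences, use schemas
  # and types.
  ro:
    - __connect__
    - __select_on_tables__
    - __select_on_sequences__
    - __usage_on_schemas__
    - __usage_on_types__
  # `rw`: write access. Note that `__all_on_*__` means ALL PRIVILEGES on the
  # object, a superset of the read privileges (it includes SELECT), so this
  # profile is not "write-only". It carries no `__connect__` and no
  # `__usage_on_schemas__`: those are expected to come from `ro` through the
  # `writers -> readers` membership declared in section 3.
  rw:
    - __temporary__
    - __all_on_tables__
    - __all_on_sequences__
  # `ddl`: the right to create objects in schemas. Keep in mind that
  # PostgreSQL makes the creating role -- the individual LDAP user role, not
  # `owners` -- the owner of anything created this way.
  ddl:
    - __create_on_schemas__

#
# 3. S Y N C H R O N I S A T I O N M A P
#
# This list contains rules to declare roles and grants. Each role or grant rule
# can be templated with attributes from LDAP entries returned by a search
# query.
#
# Any role found in cluster and not generated by rules will be dropped. Any
# grant found in cluster and not generated by rules will be revoked. Roles
# matched by `roles_blacklist_query` in section 1 are meant to be exempt.
#
rules:
  - description: "Setup static roles and grants."
    roles:
      # Group roles are NOLOGIN: they are only usable through membership.
      - names:
          - readers
        options: NOLOGIN
      - name: writers
        # Grant reading to writers (membership of `readers`)
        parent: readers
        options: NOLOGIN
      - name: owners
        # Grant read/write to owners (membership of `writers`, hence `readers`)
        parent: writers
        options: NOLOGIN
    grant:
      - privilege: ro
        role: readers
        # Scope to a single schema. This is the only scoped grant: `rw` and
        # `ddl` below apply to every schema of every inspected database, so
        # writers and owners reach schemas that readers cannot. Drop
        # `schemas:` here, or add it below, depending on the boundary you
        # actually want.
        schemas: nominal
      - privilege: rw
        role: writers
      - privilege: ddl
        role: owners
  - description: "Search LDAP to create readers, writers and owners."
    # Trust boundary: membership of the three directory groups below decides
    # database access. Whoever can edit the `member` attribute of these
    # entries, or add an entry with one of these cn values under the search
    # base, can grant reader, writer or owner rights.
    ldapsearch:
      base: cn=users,dc=bridoulou,dc=fr
      # YAML folds the line breaks of this double-quoted scalar into spaces,
      # so the filter reaches ldap2pg as a single line.
      filter: "
        (|
          (cn=owners)
          (cn=readers)
          (cn=writers)
        )
      "
    role:
      # One LOGIN role per `member` of each matched group, named after the
      # member's cn and made a member of the Postgres role named after the
      # group's cn (readers, writers or owners).
      name: '{member.cn}'
      # No password is set here: authentication for these LOGIN roles has to
      # be configured on the PostgreSQL side (pg_hba.conf), for instance
      # against the same directory.
      options: LOGIN
      parent: "{cn}"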