LDAP is often used for a centralized user and role management in an enterprise environment. PostgreSQL offers different authentication methods, like LDAP, SSPI, GSSAPI or SSL. However, for any method the user must already exist in the database, before the authentication can be used. There is currently no direct authorization of database users on LDAP. So roles and memberships has to be administered twice.
This program helps to solve the issue by synchronizing users, groups and their memberships from LDAP to PostgreSQL. Access to LDAP is used read-only.
pg_ldap_sync issues proper CREATE ROLE, DROP ROLE, GRANT and REVOKE commands to synchronize users and groups.
It is meant to be started as a cron job.
Configurable per YAML config file
Can use Active Directory as LDAP-Server
Nested groups/roles supported
Set scope of considered users/groups on LDAP and PG side
Runs with pg.gem (C-library) or postgres-pr.gem (pure Ruby)
Test mode which doesn't do any changes to the DBMS
Both LDAP and PG connections can be secured by SSL/TLS
Supports LDAP users and groups with the same names
Ability to have ldap groups and users with the same name merge into a single Postgres role
Ruby-1.8.7, Ruby-1.9.2, JRuby-1.2, Rubinius-1.2 or better
Install Ruby and rubygems:
on Windows: rubyinstaller.org
apt-get install ruby libpq-dev
Install pg-ldap-sync and a database connector for PostgreSQL:
gem install pg-ldap-sync pg
You may also use the pure ruby postgres-connector which is less mature, but doesn't need compilation:
gem install pg-ldap-sync postgres-pr
git clone https://github.com/larskanis/pg-ldap-sync.git cd pg-ldap-sync gem install bundler bundle install bundle exec rake install
Run in test-mode:
pg_ldap_sync -c my_config.yaml -vv -t
Run in modify-mode:
pg_ldap_sync -c my_config.yaml -vv
There is a small test suite in the
test directory that runs against an internal ruby-ldapserver and PostgreSQL server. Ensure gem
ruby-ldapserver is installed and
psql commands are in the
cd pg-ldap-sync rake test
There is currently no way to set certain user attributes in PG based on individual attributes in LDAP (expiration date etc.)
The gem is available as open source under the terms of the MIT License.