Closed jschmidwgit closed 7 months ago
Hi @jschmidwgit, thanks for reaching out.
Did you read master ldap2pg.yml?
Yes, but I don't really understand it. Maybe it is because it is the first time that I work with LDAP.
I see this part:
```yaml
- description: "Search LDAP to create readers, writers and owners."
  ldapsearch:
    base: ou=groups,dc=ldap,dc=ldap2pg,dc=docker
    filter: "
      (|
        (cn=owners)
        (cn=readers)
        (cn=writers)
      )
      "
  role:
    name: '{member.cn}'
    options: LOGIN
    parent: "{cn}"
```
What I understand is that this LDAP search looks in ou=groups,dc=ldap,dc=ldap2pg,dc=docker for users. But the username is for example user1, so I don't understand what this cn=owners, cn=readers and cn=writers mean. I thought I get a list of users and would like to add them to a postgresql group. So from what I understand, your script creates the role with LOGIN for the usernames found in LDAP. So does this role that I want (for example dba) have to exist in LDAP for this to work? I thought I get a list of names and do something like this with it:
```
role:
  name: '{member.cn}'
  options: LOGIN
  parent: "{cn}"
  role dba
```
Then I would understand it, if I can assign a role to the user. But where is the role assigned in this sample configuration?
And about the privilege part: I don't understand where this connects to the LDAP entries.
```yaml
grant:
- privilege: ro
  role: readers
  # Scope to a single schema
  schemas: nominal
- privilege: rw
  role: writers
- privilege: ddl
  role: owners
```
Ok, the role owners has the ddl privilege. But where do these roles "owners" and "writers" get assigned to a user? I just don't get the connection between the LDAP users and the roles that I want to assign.
```yaml
rules:
- description: "Setup static roles and grants."
  roles:
  - names:
    - readers
    options: NOLOGIN
  - name: writers
    # Grant reading to writers
    parent: readers
    options: NOLOGIN
  - name: owners
    # Grant read/write to owners
    parent: writers
    options: NOLOGIN
```
Set `parent: dba` in the role rule creating your DBAs. This will make them members of the dba role.
Hello, ok now I am beginning to understand. I did not understand that the value parent represents the role.
Thank you very much for your patience.
This helps me a lot. I have just one last question. I planned to make LDAP groups for each instance, for example e032pg, so I want all users in group "e032pg". So if I use the values in the search, I get the LDAP entries for all 3 roles. But how can I assign the roles to the users then? I would need to set the parent role according to the LDAP group in which the user is. Is this possible with ldap2pg, or does this only work if I use one group for all instances/clusters? I wrote what I meant in a "pseudolanguage" down below.
```
- description: "Search LDAP to create readers, writers and owners."
  ldapsearch:
    base: ou=groups,dc=ldap,dc=ldap2pg,dc=docker
    filter: "
      (|
        (cn=e032_instance1_read)
        (cn=e032_instance1_write)
        (cn=e032_instance1_admin)
      )
      "
  role:
    name: '{member.cn}'
    options: LOGIN
    parent: if "{cn}" = e032_instance1_read ; parent=myreadrole
    parent: if "{cn}" = e032_instance2_write ; parent=mywriterole
    parent: if "{cn}" = e032_instance3_admin ; parent=myadminrole
```
Or can I specify multiple LDAP searches and split this up into 3 separate entries like:
```
- description: "Search LDAP to create readers, writers and owners."
  ldapsearch:
    base: ou=groups,dc=ldap,dc=ldap2pg,dc=docker
    filter: "
      (|
        (cn=e032_instance1_read)
      )
      "
  role:
    name: '{member.cn}'
    options: LOGIN
    parent: =myreadrole
- description: "Search LDAP to create readers, writers and owners."
  ldapsearch:
    base: ou=groups,dc=ldap,dc=ldap2pg,dc=docker
    filter: "
      (|
        (cn=e032_instance1_write)
      )
      "
  role:
    name: '{member.cn}'
    options: LOGIN
    parent: =mywriterole
```
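One way to write the split-up version from the question as real ldap2pg rules, added here as an example and not taken from the project's own sample config: each LDAP group gets its own ldapsearch rule with a fixed parent, the parents are static NOLOGIN roles, and privileges are granted only to those parents, so a user's access follows the group membership in the directory. The group and role names are the ones from the question; the ro/rw/ddl privilege names are assumed to be defined in a privileges: section as in the sample ldap2pg.yml.

```yaml
# Added example, not the project's ldap2pg.yml. Assumes ro/rw/ddl are
# defined under privileges: as in the sample file.
rules:
- description: "Static parent roles, never used to log in."
  roles:
  - name: myreadrole
    options: NOLOGIN
  - name: mywriterole
    options: NOLOGIN
  - name: myadminrole
    options: NOLOGIN

- description: "Members of the read group become LOGIN roles under myreadrole."
  ldapsearch:
    base: ou=groups,dc=ldap,dc=ldap2pg,dc=docker
    filter: "(cn=e032_instance1_read)"
  role:
    name: '{member.cn}'
    options: LOGIN
    parent: myreadrole

- description: "Members of the write group go under mywriterole."
  ldapsearch:
    base: ou=groups,dc=ldap,dc=ldap2pg,dc=docker
    filter: "(cn=e032_instance1_write)"
  role:
    name: '{member.cn}'
    options: LOGIN
    parent: mywriterole

- description: "Members of the admin group go under myadminrole."
  ldapsearch:
    base: ou=groups,dc=ldap,dc=ldap2pg,dc=docker
    filter: "(cn=e032_instance1_admin)"
  role:
    name: '{member.cn}'
    options: LOGIN
    parent: myadminrole

- description: "Privileges go to the parent roles only, never to individual users."
  grant:
  - privilege: ro
    role: myreadrole
  - privilege: rw
    role: mywriterole
  - privilege: ddl
    role: myadminrole
```

ldap2pg runs in dry mode by default, so the planned CREATE ROLE and GRANT statements can be reviewed before applying them with --real.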
> Hello, ok now I am beginning to understand. I did not understand that the value parent represents the role.

Would `memberof` be more explicit/evident than `parent`?
I'm thinking of a client side `if`.
But I'm not sure about the design.
The best solution is to simply use an attribute with the right value:
```yaml
- ldapsearch: ...
  role:
    parent: "{parent}"
```
I'm also wondering of a feature like `{attribute.match('_(write|read|admin')}' to extract a value from an attribute.
Tell me what you think would be the best solution.
> > Hello, ok now I am beginning to understand. I did not understand that the value parent represents the role.
>
> Would `memberof` be more explicit/evident than `parent`?

For me this was the main point why I misunderstood the configuration. However, it would be enough if it is mentioned somewhere in the documentation that parent stands for the assigned role of the user. But maybe only I had a problem with this.
Thanks for your quick support.
> For me this was the main point why I misunderstood the configuration. However, it would be enough if it is mentioned somewhere in the documentation that parent stands for the assigned role of the user. But maybe only I had a problem with this.

What did you think `parent` was for?
Closing stale issue.
Hello,
I want to add all members of an AD/LDAP group which contains DBA accounts to the database. From this group all members should become DBAs on the database, and I want them to be in a postgresql role named 'dba'.
I understand how individual users can be created, but not how I can add the new users from the LDAP directory to a postgresql group. I did not find any matching example in the documentation.
Jan