search

dalibo / ldap2pg

:elephant: :busts_in_silhouette: Manage PostgreSQL roles and privileges from YAML or LDAP
https://labs.dalibo.com/ldap2pg
PostgreSQL License
211 stars 34 forks source link

WARN Unexpected DN #640

Closed pc-dok closed 6 months ago

pc-dok commented 6 months ago

Hi ldap2pg Team

i have configured my ldap i think correct, but when i want to read out my 2 test users from ldap i have this error:

12:37:21 DEBUG LDAP search done. duration=1.859295ms entries=1 12:37:21 DEBUG Got LDAP entry. dn="cn=test,cn=groups,l=world,o=example,dc=local,dc=domain" 12:37:21 WARN Unexpected DN. dn="uid=test1,ou=user,l=world,o=example,dc=local,dc=domain" rdn=cn 12:37:21 WARN Unexpected DN. dn="uid=test2,ou=user,l=world,o=example,dc=local,dc=domain" rdn=cn

I dont see this test users in my postgres instance, so i think it did not make here correct. did you know what is here wrong?

regards franco

pc-dok commented 6 months ago

the ldapsearch cmd from debug show me this 2 users correct

pc-dok commented 6 months ago

test, groups, world, example, local.domain

dn: cn=test,cn=groups,l=world,o=example,dc=local,dc=domain uniquemember: uid=test1,ou=user,l=world,o=example,dc=local,dc=domain uniquemember: uid=test2,ou=user,l=world,o=example,dc=local,dc=domain objectclass: top objectclass: groupOfUniquenames cn: test

bersace commented 6 months ago

Hi @pc-dok . Please share the ldap2pg.yml rule.

pc-dok commented 6 months ago 
version: 6

postgres:
  roles_blacklist_query: [postgres, pg_*]

privileges:
  ### Define `ro` privilege group with read-only grants
  ro:
  - __connect__
  - __select_on_tables__
  - __select_on_sequences__
  - __usage_on_schemas__
  - __usage_on_types__

rules:
- description: "Setup static roles and grants."
  roles:
  - names:
    - PG01_dba
    options: NOLOGIN
  grant:
  - privilege: ro
    role: PG01_dba

- description: "Search LDAP to create readers, writers and owners."
  ldapsearch:
    base: cn=groups,l=world,o=example,dc=local,dc=domain
    filter: "
    (|
      (cn=PG01_dba)
    )
    "
  role:
    name: '{uniquemember.cn}'
    options: LOGIN
    parent: "{cn}"
pc-dok commented 6 months ago

so i go right in my mind, that when i have 2 members in this PG01_dba ldap group, that ldap2pg will create a role with PG01_dba, and also 2 roles more for my 2 users, or am i wrong?

bersace commented 6 months ago

so i go right in my mind, that when i have 2 members in this PG01_dba ldap group, that ldap2pg will create a role with PG01_dba, and also 2 roles more for my 2 users, or am i wrong?

Hmm, I guess you hit a weird behaviour. ldap2pg does not sub-search cn and tries to read it from Distinguished Name. However, your Distinguished Name has uid.

ldap2pg should trigger a sub-search to get each cn. This can be costy. Can you use {uniquemember.sAMAccountName} ?

pc-dok commented 6 months ago 
version: 6

postgres:
  roles_blacklist_query: [postgres, pg_*]

privileges:
  # Define `ro` privilege group with read-only grants
  ro:
  - __connect__
  - __select_on_tables__
  - __select_on_sequences__
  - __usage_on_schemas__
  - __usage_on_types__

rules:
- description: "Setup static roles and grants."
  roles:
  - names:
    - PG01_dba
    options: NOLOGIN
  grant:
  - privilege: ro
    role: PG01_dba

- description: "Search LDAP to create readers, writers and owners."
  ldapsearch:
    base: cn=groups,l=world,o=example,dc=local,dc=domain
    filter: "
    (|
      (cn=PG01_dba)
    )
    "
  role:
    name: '{uniquemember.uid}'
    options: LOGIN
pc-dok commented 6 months ago

so it works

pc-dok commented 6 months ago

for all that is a Oracle Universal Directory - OUD

bersace commented 6 months ago

Ok. I think a better message would help. Something like Missing RDN cn from DN uid=... ?

bersace commented 6 months ago

Fixed in #642