[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Fwd: [GENERAL] Using LDAP roles in PostgreSQL
- Subject: Fwd: [GENERAL] Using LDAP roles in PostgreSQL
- From: Chris Travers <..hidden..>
- Date: Wed, 13 Jul 2011 10:27:33 -0700
I normally don't forward announcements from other lists, but this
seems like it may be useful with 1.3 so I figured I would send it. I
don't know whether it will provide all the features needed out of the
box but one can always add features needed and contribute changes
The features I have asked the author about include:
* The ability to ignore application-specific roles in PostgreSQL.
* The ability to import users only from part of the LDAP tree
I don't know of these features exist, but if not I don't think they
would likely be that hard to add.
Lars Kanis has created a tool to synchronize LDAP roles with
PostgreSQL roles, seeing the LDAP tree as authoritative. This is
helpful because PostgreSQL can authenticate against an LDAP database,
and this sort of authentication is supported in 1.3 as it is. If your
organization (or if you are a consultant, your customers'
organizations) could use single sign on, this is a helpful step
---------- Forwarded message ----------
From: Lars Kanis <..hidden..>
Date: Wed, Jul 13, 2011 at 6:59 AM
Subject: [GENERAL] Using LDAP roles in PostgreSQL
LDAP is often used to do a centralized user and role management in an
enterprise environment. PostgreSQL offers different
authentication methods, like LDAP, SSPI, GSSAPI or SSL. However, for
any of these methods the user must already exist in the
database, before the authentication can be used. There is currently no
authorization of database users directly based on LDAP.
Unfortunately, I couldn't find a programm for synchronizing users,
groups and their memberships from LDAP to PostgreSQL. So I wrote
my own and just released v0.1.0.
Access to LDAP is used read-only. pg_ldap_sync issues proper CREATE
ROLE, DROP ROLE, GRANT and REVOKE commands to
synchronize users and groups. It is meant to be started as a cron job.
* Configurable per YAML config file
* Can use Active Directory as LDAP-Server
* Nested groups/roles supported
* Runs with pg.gem (C-library) or postgres-pr.gem (pure Ruby)
* Test mode which doesn’t do any changes to the DBMS
Is it something useful for someone apart of mine?
Sent via pgsql-general mailing list (..hidden..)
To make changes to your subscription: