2022-03-17 09:00:06 +01:00
|
|
|
---
|
|
|
|
|
|
2023-10-13 15:00:23 +02:00
|
|
|
# The version of ldap2pg to deploy
|
2024-05-27 17:01:00 +02:00
|
|
|
ldap2pg_version: 6.1
|
2023-10-13 15:00:23 +02:00
|
|
|
|
|
|
|
|
# The URL where the ldap2pg archive can be fetched
|
|
|
|
|
ldap2pg_archive_url: https://github.com/dalibo/ldap2pg/releases/download/v{{ ldap2pg_version }}/ldap2pg_{{ ldap2pg_version }}_linux_amd64.tar.gz
|
|
|
|
|
|
|
|
|
|
# The expected sha256 checksum of the archive
|
2024-05-27 17:01:00 +02:00
|
|
|
ldap2pg_archive_sha256: 887bf2a247273e18597ccb949d9500faba24a150cfb403967a5d93d185c450e3
|
2023-10-13 15:00:23 +02:00
|
|
|
|
2022-03-17 09:00:06 +01:00
|
|
|
# How often ldap2pg will sync (eg hourly, '*:0:15', systemd timer syntaxe)
|
2022-03-17 19:00:06 +01:00
|
|
|
ldap2pg_sync_freq: hourly
|
2022-03-17 09:00:06 +01:00
|
|
|
|
|
|
|
|
# Under which account will ldap2pg run
|
|
|
|
|
# Default is under the local postgres account which is fine for managing a local postgres instance
|
|
|
|
|
ldap2pg_user: postgres
|
|
|
|
|
|
2022-03-17 19:00:06 +01:00
|
|
|
# Set dry mode to False to actually do the sync
|
|
|
|
|
ldap2pg_dry_mode: True
|
|
|
|
|
|
2023-10-13 15:00:23 +02:00
|
|
|
ldap2pg_env:
|
|
|
|
|
PGHOST: /var/run/postgresql
|
|
|
|
|
LDAPTLS_REQCERT: hard
|
|
|
|
|
# LDAPURI: "{{ ldap_uri | default('ldap://ldap.' ~ ansible_domain) }}"
|
|
|
|
|
# LDAPBINDDN: CN=Postgres,OU=Apps,{{ (ad_auth | default(False) | ternary('DC=' ~ ad_realm | default(samba_realm) | default(ansible_domain) | regex_replace('\.',',DC='), 'dc=' ~ ansible_domain | regex_replace('\.',',dc='))) }}
|
|
|
|
|
# LDAPPASSWORD: XXX
|
|
|
|
|
|
2022-03-17 09:00:06 +01:00
|
|
|
ldap2pg_base_conf:
|
2023-10-13 15:00:23 +02:00
|
|
|
version: 6
|
2022-03-17 09:00:06 +01:00
|
|
|
postgres:
|
|
|
|
|
databases_query: |
|
|
|
|
|
SELECT datname
|
|
|
|
|
FROM pg_catalog.pg_database
|
2023-10-13 15:00:23 +02:00
|
|
|
WHERE datallowconn IS TRUE AND datname NOT IN ('template0', 'template1');
|
|
|
|
|
|
|
|
|
|
# Only roles member of the special managed_roles group can be dropped
|
2022-03-17 09:00:06 +01:00
|
|
|
# other role (created manually or outside of ldap2pg scope) will never be dropped
|
|
|
|
|
managed_roles_query: |
|
2023-10-13 15:00:23 +02:00
|
|
|
VALUES
|
|
|
|
|
('managed_roles')
|
|
|
|
|
UNION
|
|
|
|
|
SELECT DISTINCT role.rolname
|
|
|
|
|
FROM pg_roles AS role
|
|
|
|
|
JOIN pg_auth_members AS ms
|
|
|
|
|
ON ms.member = role.oid
|
|
|
|
|
JOIN pg_roles AS parent
|
|
|
|
|
ON parent.rolname = 'managed_roles' AND parent.oid = ms.roleid
|
2022-03-17 09:00:06 +01:00
|
|
|
ORDER BY 1;
|
|
|
|
|
|
|
|
|
|
privileges:
|
|
|
|
|
ro:
|
|
|
|
|
- __connect__
|
|
|
|
|
- __select_on_tables__
|
|
|
|
|
- __select_on_sequences__
|
|
|
|
|
- __usage_on_schemas__
|
2023-10-13 15:00:23 +02:00
|
|
|
- __usage_on_sequences__
|
|
|
|
|
|
2022-03-17 09:00:06 +01:00
|
|
|
rw:
|
2023-10-13 15:00:23 +02:00
|
|
|
- ro
|
2022-03-17 09:00:06 +01:00
|
|
|
- __temporary__
|
2023-10-13 15:00:23 +02:00
|
|
|
- __insert_on_tables__
|
|
|
|
|
- __update_on_tables__
|
2024-03-04 15:00:58 +01:00
|
|
|
- __delete_on_tables__
|
2023-10-13 15:00:23 +02:00
|
|
|
- __update_on_sequences__
|
|
|
|
|
- __execute_on_functions__
|
|
|
|
|
- __trigger_on_tables__
|
2022-03-17 09:00:06 +01:00
|
|
|
|
2022-10-27 14:00:08 +02:00
|
|
|
full:
|
|
|
|
|
- rw
|
2023-10-13 15:00:23 +02:00
|
|
|
- __create_on_schemas__
|
|
|
|
|
- __truncate_on_tables__
|
2022-10-27 14:00:08 +02:00
|
|
|
|
2023-10-13 15:00:23 +02:00
|
|
|
rules:
|
|
|
|
|
- description: "Create static roles"
|
2022-03-17 09:00:06 +01:00
|
|
|
roles:
|
2023-10-13 15:00:23 +02:00
|
|
|
- name: managed_roles
|
2022-03-17 09:00:06 +01:00
|
|
|
options: NOLOGIN
|
|
|
|
|
|
|
|
|
|
# - description: "Query LDAP to populate support_ro role"
|
|
|
|
|
# ldapsearch:
|
|
|
|
|
# base: OU=People,DC=example,DC=org
|
|
|
|
|
# filter: "(&(objectClass=user)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2))(memberOf:1.2.840.113556.1.4.1941:=CN=Role_Support_RO,OU=Roles,DC=example,DC=org))"
|
|
|
|
|
# role:
|
|
|
|
|
# name: '{sAMAccountName}'
|
|
|
|
|
# options: LOGIN
|
|
|
|
|
# parent:
|
|
|
|
|
# - support_ro
|
2023-10-13 15:00:23 +02:00
|
|
|
# - managed_roles
|
2022-03-17 09:00:06 +01:00
|
|
|
# comment: "From LDAP account {dn}"
|
|
|
|
|
#
|
|
|
|
|
#
|
|
|
|
|
# - description: "Query LDAP to populate support_rw role"
|
|
|
|
|
# ldapsearch:
|
2022-03-17 10:00:06 +01:00
|
|
|
# base: OU=People,DC=example,DC=org
|
2022-03-17 09:00:06 +01:00
|
|
|
# filter: "(&(objectClass=user)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2))(memberOf:1.2.840.113556.1.4.1941:=CN=Role_Support_RW,OU=Roles,DC=example,DC=org))"
|
|
|
|
|
# role:
|
|
|
|
|
# name: '{sAMAccountName}'
|
|
|
|
|
# options: LOGIN
|
|
|
|
|
# parent:
|
|
|
|
|
# - support_rw
|
2023-10-13 15:00:23 +02:00
|
|
|
# - managed_roles
|
2022-03-17 09:00:06 +01:00
|
|
|
# comment: 'From LDAP account {dn}'
|
|
|
|
|
|
|
|
|
|
ldap2pg_extra_conf: {}
|
|
|
|
|
ldap2pg_conf: "{{ ldap2pg_base_conf | combine(ldap2pg_extra_conf, recursive=True) }}"
|
