Update to 2022-03-19 00:00

roles/postgresql_server/defaults/main.yml

@@ -80,3 +80,27 @@ pg_roles_to_remove: []
 
 # If defined, a Let's Encrypt cert will be obtained and used
 # pg_letsencrypt_cert: postgres.example.org
+
+# LDAP authentication
+# You can enable ldap auth, see https://www.postgresql.org/docs/current/auth-ldap.html
+# Note that only the search+bind mode is supported
+# Turn on or off ldap auth
+pg_ldap_auth: False
+# LDAP server to query. You can enter several servers separated by space
+pg_ldap_host: "{{ (ad_ldap_servers is defined) | ternary(ad_ldap_servers | join(' '), (ldap_uri is defined) | ternary(ldap_uri | urlsplit('hostname'), 'ldap.' ~ ansible_domain)) }}"
+# port of the ldap server
+pg_ldap_port: 389
+# Should starttls be used
+pg_ldap_starttls: True
+# Base DN where postgres will lookup your users
+pg_ldap_basedn: "{{ (ad_ldap_user_search_base is defined) | ternary(ad_ldap_user_search_base, (ldap_base is defined) | ternary(ldap_base, ansible_domain | regex_replace('\\.', ',DC='))) }}"
+# Bind DN and bind password for postgres to lookup users. If not defined, the lookup will be done anonymously
+# pg_ldap_binddn: postgres@{{ ansible_domain }}
+# pg_ldap_bindpasswd: S3cr3t.
+# The filter to search for user. $username will be replaced by the postgres user whose password is being verified
+pg_ldap_searchfilter: "{{ ad_auth | default(False) | ternary('(&(objectClass=user)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2))(sAMAccountName=$username))', '(&(objectClass=inetOrgPerson)(uid=$username))') }}"
+# Connection type for which ldap auth will be attempted. Note that for security reason you shouldn't set it to host as it'd allow LDAP password
+# to be sent unencrypted over between the postgres client and server (even is the postgres server then uses TLS to check the password against the LDAP server)
+pg_ldap_conn_type: hostssl
+# Limit for which user / roles the ldap auth will be used (third field in pg_hba.conf)
+pg_ldap_roles: '+ldap_roles'