Update to 2023-10-13 15:00

2025-07-27 00:05:44 +02:00 · 2023-10-13 15:00:23 +02:00
parent 5956dad4fd
commit e823a08de2
32 changed files with 163 additions and 142 deletions
--- a/roles/ldap2pg/defaults/main.yml
+++ b/roles/ldap2pg/defaults/main.yml
@@ -1,5 +1,14 @@
 ---

+# The version of ldap2pg to deploy
+ldap2pg_version: 6.0
+
+# The URL where the ldap2pg archive can be fetched
+ldap2pg_archive_url: https://github.com/dalibo/ldap2pg/releases/download/v{{ ldap2pg_version }}/ldap2pg_{{ ldap2pg_version }}_linux_amd64.tar.gz
+
+# The expected sha256 checksum of the archive
+ldap2pg_archive_sha256: 0f587cb6a6e4953820fabcaba46bbfbe9acdffe79c42b1f53e789f5d7215d26b
+
 # How often ldap2pg will sync (eg hourly, '*:0:15', systemd timer syntaxe)
 ldap2pg_sync_freq: hourly

@@ -10,88 +19,64 @@ ldap2pg_user: postgres
 # Set dry mode to False to actually do the sync
 ldap2pg_dry_mode: True

+ldap2pg_env:
+  PGHOST: /var/run/postgresql
+  LDAPTLS_REQCERT: hard
+#  LDAPURI: "{{ ldap_uri | default('ldap://ldap.' ~ ansible_domain) }}"
+#  LDAPBINDDN: CN=Postgres,OU=Apps,{{ (ad_auth | default(False) | ternary('DC=' ~ ad_realm | default(samba_realm) | default(ansible_domain) | regex_replace('\.',',DC='), 'dc=' ~ ansible_domain | regex_replace('\.',',dc='))) }}
+#  LDAPPASSWORD: XXX
+
 ldap2pg_base_conf:
-  version: 5  
-  ldap:
-    uri: "{{ ldap_uri | default('ldap://ldap.' ~ ansible_domain) }}"
-    binddn: CN=Postgres,OU=Apps,{{ (ad_auth | default(False) | ternary('DC=' ~ ad_realm | default(samba_realm) | default(ansible_domain) | regex_replace('\.',',DC='), 'dc=' ~ ansible_domain | regex_replace('\.',',dc='))) }}
-    password: XXX
-    starttls: True
+  version: 6
  postgres:
-    dsn: postgres://%2Fvar%2Frun%2Fpostgresql/
    databases_query: |
      SELECT datname
      FROM pg_catalog.pg_database
-      WHERE datallowconn IS TRUE AND datname NOT IN ('postgres', 'template0', 'template1');
-  
-    # Only roles member of the special ldap_roles group can be dropped
+      WHERE datallowconn IS TRUE AND datname NOT IN ('template0', 'template1');
+
+    # Only roles member of the special managed_roles group can be dropped
    # other role (created manually or outside of ldap2pg scope) will never be dropped
    managed_roles_query: |
-      SELECT DISTINCT role.rolname
-      FROM pg_roles AS role
-      LEFT OUTER JOIN pg_auth_members AS ms ON ms.member = role.oid
-      LEFT OUTER JOIN pg_roles AS ldap_roles
-        ON ldap_roles.rolname = 'ldap_roles' AND ldap_roles.oid = ms.roleid
-      WHERE ldap_roles.oid IS NOT NULL
+      VALUES
+        ('managed_roles')
+      UNION
+        SELECT DISTINCT role.rolname
+          FROM pg_roles AS role
+          JOIN pg_auth_members AS ms
+            ON ms.member = role.oid
+          JOIN pg_roles AS parent
+            ON parent.rolname = 'managed_roles' AND parent.oid = ms.roleid
      ORDER BY 1;
  
-    # Exclude information_schema, pg_catalog, pg_toast, and other system schemas
-    # from privilege management.
-    schemas_query: |
-      SELECT nspname FROM pg_catalog.pg_namespace
-      WHERE nspname NOT LIKE 'pg_%' AND nspname <> 'information_schema'
-      ORDER BY 1;
-
  privileges:
    ro:
      - __connect__
      - __select_on_tables__
      - __select_on_sequences__
      - __usage_on_schemas__
-      - __usage_on_types__
-  
+      - __usage_on_sequences__
+
    rw:
+      - ro
      - __temporary__
-      - __all_on_tables__
-      - __all_on_sequences__
-  
-    ddl:
-      - __create_on_schemas__
+      - __insert_on_tables__
+      - __update_on_tables__
+      - __delete__on_tables__
+      - __update_on_sequences__
+      - __execute_on_functions__
+      - __trigger_on_tables__

    full:
      - rw
-      - __all_on_schemas__
+      - __create_on_schemas__
+      - __truncate_on_tables__

-  sync_map:
-    - description: "Create the ldap_roles group"
+  rules:
+    - description: "Create static roles"
      roles:
-        - name: ldap_roles
+        - name: managed_roles
          options: NOLOGIN
  
-    - description: "Create static ldap groups"
-      roles:
-        - names:
-            - support_ro
-            - support_rw
-          parent:
-            - ldap_roles
-          options: NOLOGIN
-  
-      grant:
-        - privilege: ro
-          roles:
-            - support_ro
-            - support_rw
-  
-        - privilege: rw
-          roles:
-            - support_rw
-  
-        - privilege: ddl
-          roles:
-            - support_rw
-  
-  
 #    - description: "Query LDAP to populate support_ro role"
 #      ldapsearch:
 #        base: OU=People,DC=example,DC=org
@@ -101,7 +86,7 @@ ldap2pg_base_conf:
 #        options: LOGIN
 #        parent:
 #          - support_ro
-#          - ldap_roles
+#          - managed_roles
 #        comment: "From LDAP account {dn}"
 #  
 #  
@@ -114,7 +99,7 @@ ldap2pg_base_conf:
 #        options: LOGIN
 #        parent:
 #          - support_rw
-#          - ldap_roles
+#          - managed_roles
 #        comment: 'From LDAP account {dn}'

 ldap2pg_extra_conf: {}