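---
# The version of ldap2pg to deploy.
# Quoted on purpose: an unquoted value such as 6.10 would be parsed as the
# float 6.1 and produce a wrong archive URL and checksum mismatch below.
ldap2pg_version: "6.1"

# The URL where the ldap2pg archive can be fetched (derived from ldap2pg_version).
ldap2pg_archive_url: "https://github.com/dalibo/ldap2pg/releases/download/v{{ ldap2pg_version }}/ldap2pg_{{ ldap2pg_version }}_linux_amd64.tar.gz"

# The expected sha256 checksum of the archive.
# Quoted so the hex digest is always a string; update it together with
# ldap2pg_version, otherwise the download verification will fail.
ldap2pg_archive_sha256: "887bf2a247273e18597ccb949d9500faba24a150cfb403967a5d93d185c450e3"

# How often ldap2pg will sync (eg hourly, '*:0:15', systemd timer syntax)
ldap2pg_sync_freq: hourly

# Under which account ldap2pg will run.
# Default is the local postgres account, which is fine for managing a local
# postgres instance.
ldap2pg_user: postgres

# Dry mode is the safe default: ldap2pg only reports what it would change.
# Set it to false to actually apply the sync.
ldap2pg_dry_mode: true

# Environment passed to ldap2pg (libpq and OpenLDAP client variables).
ldap2pg_env:
  PGHOST: /var/run/postgresql
  # Require a valid LDAP server certificate (TLS verification enforced).
  LDAPTLS_REQCERT: hard
  # LDAPURI: "{{ ldap_uri | default('ldap://ldap.' ~ ansible_domain) }}"
  # LDAPBINDDN: CN=Postgres,OU=Apps,{{ (ad_auth | default(False) | ternary('DC=' ~ ad_realm | default(samba_realm) | default(ansible_domain) | regex_replace('\.',',DC='), 'dc=' ~ ansible_domain | regex_replace('\.',',dc='))) }}
  # LDAPPASSWORD: XXX  # keep the real value in an encrypted vault/secret store, not in plain text here

# Base ldap2pg configuration; ldap2pg_extra_conf is merged on top of it (see ldap2pg_conf).
ldap2pg_base_conf:
  version: 6
  postgres:
    databases_query: |
      SELECT datname
      FROM pg_catalog.pg_database
      WHERE datallowconn IS TRUE
        AND datname NOT IN ('template0', 'template1');
    # Only roles that are members of the special managed_roles group can be dropped;
    # other roles (created manually or outside of ldap2pg scope) will never be dropped.
    managed_roles_query: |
      VALUES ('managed_roles')
      UNION
      SELECT DISTINCT role.rolname
      FROM pg_roles AS role
      JOIN pg_auth_members AS ms ON ms.member = role.oid
      JOIN pg_roles AS parent
        ON parent.rolname = 'managed_roles'
       AND parent.oid = ms.roleid
      ORDER BY 1;

  # Privilege profiles; rw includes ro, full includes rw.
  privileges:
    ro:
      - __connect__
      - __select_on_tables__
      - __select_on_sequences__
      - __usage_on_schemas__
      - __usage_on_sequences__
    rw:
      - ro
      - __temporary__
      - __insert_on_tables__
      - __update_on_tables__
      - __delete_on_tables__
      - __update_on_sequences__
      - __execute_on_functions__
      - __trigger_on_tables__
    full:
      - rw
      - __create_on_schemas__
      - __truncate_on_tables__

  rules:
    - description: "Create static roles"
      roles:
        - name: managed_roles
          options: NOLOGIN
    # - description: "Query LDAP to populate support_ro role"
    #   ldapsearch:
    #     base: OU=People,DC=example,DC=org
    #     filter: "(&(objectClass=user)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2))(memberOf:1.2.840.113556.1.4.1941:=CN=Role_Support_RO,OU=Roles,DC=example,DC=org))"
    #   role:
    #     name: '{sAMAccountName}'
    #     options: LOGIN
    #     parent:
    #       - support_ro
    #       - managed_roles
    #     comment: "From LDAP account {dn}"
    #
    # - description: "Query LDAP to populate support_rw role"
    #   ldapsearch:
    #     base: OU=People,DC=example,DC=org
    #     filter: "(&(objectClass=user)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2))(memberOf:1.2.840.113556.1.4.1941:=CN=Role_Support_RW,OU=Roles,DC=example,DC=org))"
    #   role:
    #     name: '{sAMAccountName}'
    #     options: LOGIN
    #     parent:
    #       - support_rw
    #       - managed_roles
    #     comment: 'From LDAP account {dn}'

# Site-specific overrides, recursively merged into ldap2pg_base_conf.
ldap2pg_extra_conf: {}

# Final configuration handed to ldap2pg.
ldap2pg_conf: "{{ ldap2pg_base_conf | combine(ldap2pg_extra_conf, recursive=True) }}"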