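---
# Defaults for the ldap2pg role: timer frequency, run-as account, dry-run
# switch and the base ldap2pg configuration that the role templates out.

# How often ldap2pg will sync (e.g. hourly, '*:0:15', systemd timer syntax)
ldap2pg_sync_freq: hourly

# Under which account will ldap2pg run
# Default is under the local postgres account which is fine for managing a local postgres instance
ldap2pg_user: postgres

# Set dry mode to false to actually do the sync.
# The default is a no-op run, so applying the role never changes roles or grants by accident.
ldap2pg_dry_mode: true

# Base ldap2pg configuration. Site-specific values (at least the bind password)
# are meant to be supplied through ldap2pg_extra_conf, which is merged
# recursively over this mapping at the bottom of this file.
ldap2pg_base_conf:
  version: 5
  ldap:
    uri: "{{ ldap_uri | default('ldap://ldap.' ~ ansible_domain) }}"
    # Bind DN: AD style (DC=...) from ad_realm/samba_realm/ansible_domain when
    # ad_auth is set, plain dc=... derived from ansible_domain otherwise.
    # Kept as a plain scalar on purpose: the regex's backslash would be an
    # invalid escape sequence inside a double-quoted YAML string.
    binddn: CN=Postgres,OU=Apps,{{ (ad_auth | default(False) | ternary('DC=' ~ ad_realm | default(samba_realm) | default(ansible_domain) | regex_replace('\.',',DC='), 'dc=' ~ ansible_domain | regex_replace('\.',',dc='))) }}
    # Placeholder only: override it through ldap2pg_extra_conf (vaulted value)
    # rather than committing a real bind password in this file.
    password: XXX
    # Upgrade the ldap:// connection to TLS before sending the bind credentials.
    starttls: true
  postgres:
    # Connect over the local Unix socket (no host, user or password in the DSN).
    dsn: postgres://%2Fvar%2Frun%2Fpostgresql/
    # Databases whose privileges ldap2pg manages: everything connectable except
    # the maintenance database and the templates.
    databases_query: |
      SELECT datname
      FROM pg_catalog.pg_database
      WHERE datallowconn IS TRUE AND datname NOT IN ('postgres', 'template0', 'template1');

    # Only roles member of the special ldap_roles group can be dropped
    # other role (created manually or outside of ldap2pg scope) will never be dropped
    managed_roles_query: |
      SELECT DISTINCT role.rolname
      FROM pg_roles AS role
      LEFT OUTER JOIN pg_auth_members AS ms ON ms.member = role.oid
      LEFT OUTER JOIN pg_roles AS ldap_roles
      ON ldap_roles.rolname = 'ldap_roles' AND ldap_roles.oid = ms.roleid
      WHERE ldap_roles.oid IS NOT NULL
      ORDER BY 1;

    # Exclude information_schema, pg_catalog, pg_toast, and other system schemas
    # from privilege management.
    schemas_query: |
      SELECT nspname FROM pg_catalog.pg_namespace
      WHERE nspname NOT LIKE 'pg_%' AND nspname <> 'information_schema'
      ORDER BY 1;

  # Named privilege groups referenced from sync_map grants.
  privileges:
    # Read-only: connect, select on tables and sequences, usage on schemas and types
    ro:
      - __connect__
      - __select_on_tables__
      - __select_on_sequences__
      - __usage_on_schemas__
      - __usage_on_types__

    # Read-write on data, no DDL
    rw:
      - __temporary__
      - __all_on_tables__
      - __all_on_sequences__

    # DDL only: may create objects inside existing schemas
    ddl:
      - __create_on_schemas__

    # Everything in rw plus all privileges on schemas
    full:
      - rw
      - __all_on_schemas__

  sync_map:
    # ldap_roles is the marker group used by managed_roles_query above: only
    # roles that inherit from it are ever dropped by ldap2pg.
    - description: "Create the ldap_roles group"
      roles:
        - name: ldap_roles
          options: NOLOGIN

    # Static groups; they are children of ldap_roles so ldap2pg manages them.
    - description: "Create static ldap groups"
      roles:
        - names:
            - support_ro
            - support_rw
          parent:
            - ldap_roles
          options: NOLOGIN

      grant:
        - privilege: ro
          roles:
            - support_ro
            - support_rw

        - privilege: rw
          roles:
            - support_rw

        - privilege: ddl
          roles:
            - support_rw

    # Example (disabled): populate the support roles from AD accounts. The filter
    # relies on two AD extensible matching rules:
    #   1.2.840.113556.1.4.803 (bitwise AND) on userAccountControl with bit 2
    #     (ACCOUNTDISABLE) negated, so disabled accounts are not returned and their
    #     roles, being members of ldap_roles, become candidates for drop at the next sync;
    #   1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) on memberOf, so nested
    #     group membership is honoured.
    # Adapt the base, the group DNs and the parents before enabling it, preferably
    # through ldap2pg_extra_conf.
    #
    # - description: "Query LDAP to populate support_ro role"
    #   ldapsearch:
    #     base: OU=People,DC=example,DC=org
    #     filter: "(&(objectClass=user)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2))(memberOf:1.2.840.113556.1.4.1941:=CN=Role_Support_RO,OU=Roles,DC=example,DC=org))"
    #   role:
    #     name: '{sAMAccountName}'
    #     options: LOGIN
    #     parent:
    #       - support_ro
    #       - ldap_roles
    #     comment: "From LDAP account {dn}"
    #
    #
    # - description: "Query LDAP to populate support_rw role"
    #   ldapsearch:
    #     base: OU=People,DC=example,DC=org
    #     filter: "(&(objectClass=user)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2))(memberOf:1.2.840.113556.1.4.1941:=CN=Role_Support_RW,OU=Roles,DC=example,DC=org))"
    #   role:
    #     name: '{sAMAccountName}'
    #     options: LOGIN
    #     parent:
    #       - support_rw
    #       - ldap_roles
    #     comment: 'From LDAP account {dn}'

# Site overrides (bind password, real ldapsearch entries, ...). Merged
# recursively over ldap2pg_base_conf: mappings are merged key by key, but
# lists such as sync_map or a privilege group are replaced as a whole unless
# list_merge is passed to combine.
ldap2pg_extra_conf: {}

ldap2pg_conf: "{{ ldap2pg_base_conf | combine(ldap2pg_extra_conf, recursive=True) }}"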