ldap2pg.yml

ldap2pg accepts a YAML configuration file, usually named ldap2pg.yml and placed in the working directory. Everything can be configured from the YAML file: LDAP and Postgres credentials, LDAP queries, privileges and mappings.

Warning

ldap2pg requires a config file in which the synchronization map is described.

ldap2pg.yml is split into several sections, in no particular order:

  • postgres : setup of the Postgres connection and queries.
  • ldap : setup of the LDAP connection.
  • privileges : the definition of privileges.
  • sync_map : the list of LDAP queries and associated mapping to roles and grants.
  • finally some global parameters (verbosity, etc.).

If the file is a YAML list, ldap2pg uses that list as sync_map. The two following configurations are strictly equivalent:

$ ldap2pg -c -
- role: admin
$ ldap2pg -c -
sync_map:
- roles:
  - names:
    - admin
$

We provide a simple, well-commented ldap2pg.yml, tested on CI. If you don't know how to begin, it can be a good starting point.

Note

If you have trouble finding the right configuration for your needs, feel free to file an issue to get help.

About YAML

YAML is a superset of JSON: a JSON document is a valid YAML document. YAML is a very permissive format where indentation is meaningful. See this YAML cheatsheet for some examples.

Postgres Parameters

The postgres section defines connection parameters and queries for Postgres.

postgres:
  dsn: postgres://user@%2Fvar%2Frun%2Fpostgresql:port/

Warning

ldap2pg refuses to read a password from a group-readable or world-readable ldap2pg.yml.
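As an added example, not part of ldap2pg itself, here is how a wrapper script can apply the same rule before invoking ldap2pg. It treats the parsed configuration as holding a secret when the ldap section has a password key or the postgres dsn URL embeds a password (an assumption of this example, not a rule stated on this page), and rejects a file whose mode has group or other read bits. The mode test is separated from file access so it can be exercised on plain mode values.

```python
import os
import stat
from urllib.parse import urlsplit

# Read bits that let accounts other than the owner open the file.
_SHARED_READ_BITS = stat.S_IRGRP | stat.S_IROTH


def mode_is_private(mode):
    """True when no group or other read bit is set on a st_mode or octal mode."""
    return (mode & _SHARED_READ_BITS) == 0


def config_is_private(path):
    """True when the file at `path` can be read only by its owner (and root)."""
    return mode_is_private(os.stat(path).st_mode)


def config_holds_secret(config):
    """True when the parsed ldap2pg.yml carries a password inline.

    Assumption for this example: a secret is either the ldap `password` key
    or a password embedded in the postgres `dsn` URL (user:password@host).
    """
    ldap = config.get("ldap") or {}
    postgres = config.get("postgres") or {}
    if ldap.get("password"):
        return True
    dsn = postgres.get("dsn")
    if isinstance(dsn, str) and urlsplit(dsn).password:
        return True
    return False


def check_config_permissions(path, config):
    """Raise PermissionError when `config` holds a secret and `path` is shared-readable."""
    if config_holds_secret(config) and not config_is_private(path):
        raise PermissionError(
            "%s contains a password but is group- or world-readable; "
            "run 'chmod 600 %s' or move the secret to the LDAPPASSWORD "
            "environment variable" % (path, path))
    return True


if __name__ == "__main__":
    # Constructed sample: the ldap section carries an inline password.
    sample = {"ldap": {"uri": "ldap://ldap2pg.local:389", "password": "SECRET"}}
    print(check_config_permissions("ldap2pg.yml", sample))
```

The check only matters when a secret is present: a configuration that takes its password from the LDAPPASSWORD environment variable, or a DSN that relies on a pgpass file, passes whatever the file mode is.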

LDAP Parameters

The ldap section defines libldap parameters.

ldap:
  uri: ldap://ldap2pg.local:389
  binddn: cn=admin,dc=ldap2pg,dc=local
  user: saslusername
  password: SECRET

LDAP parameter names in YAML are lowercased. You can define values as YAML literals or as ldap.conf strings as well. Only a subset of libldap parameters is supported in ldap2pg.yml:

  • uri
  • host
  • port
  • binddn
  • user
  • password; ldap2pg also accepts the LDAPPASSWORD env var, which openldap does not support.
  • referrals, which defaults to false, unlike the openldap default.

ldap2pg supports an extra starttls option that maps to the -Z CLI switch of ldapsearch. Setting it to true triggers a STARTTLS command before any other operation on the connection to the LDAP server. ldap2pg also accepts a STARTTLS option in the ldaprc file.
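As an added example (not ldap2pg's own loader), the code below resolves the ldap section the way this page describes it: ldaprc-style text (`KEY value` lines, `#` comment lines) is parsed with keys lowercased, only the supported subset is kept, password falls back to LDAPPASSWORD when neither source sets it, and referrals and starttls default to false. That YAML values override ldaprc values, and the sample ldaprc text, are assumptions of this example.

```python
import os

# Subset of libldap parameters ldap2pg.yml accepts, plus the extra starttls switch.
SUPPORTED_LDAP_KEYS = {"uri", "host", "port", "binddn", "user",
                       "password", "referrals", "starttls"}

# Spellings ldap.conf(5) uses for boolean options.
_TRUE_WORDS = {"yes", "on", "true", "1"}

# Constructed sample ldaprc text (not from any real deployment).
SAMPLE_LDAPRC = """\
# ldaprc written for this example
URI ldap://ldap2pg.local:389
BINDDN cn=admin,dc=ldap2pg,dc=local
REFERRALS on
TLS_CACERT /etc/ssl/ca.pem
STARTTLS yes
"""


def parse_ldaprc(text):
    """Parse ldap.conf/ldaprc text into a dict with lowercased keys."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # a key with no value carries nothing to set
        params[parts[0].lower()] = parts[1].strip()
    return params


def _as_bool(value):
    """Accept a YAML boolean or an ldap.conf-style word such as 'on' or 'yes'."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in _TRUE_WORDS


def resolve_ldap_params(yaml_section, ldaprc_text="", env=None):
    """Return (params, ignored_keys) for the merged LDAP settings.

    Assumed precedence: YAML overrides ldaprc; LDAPPASSWORD is used only when
    neither sets a password. Keys outside SUPPORTED_LDAP_KEYS are reported,
    not silently applied.
    """
    env = os.environ if env is None else env
    merged = parse_ldaprc(ldaprc_text)
    merged.update({str(k).lower(): v for k, v in (yaml_section or {}).items()})
    params = {k: v for k, v in merged.items() if k in SUPPORTED_LDAP_KEYS}
    ignored = sorted(k for k in merged if k not in SUPPORTED_LDAP_KEYS)
    if not params.get("password") and env.get("LDAPPASSWORD"):
        params["password"] = env["LDAPPASSWORD"]
    # ldap2pg defaults referrals to false (openldap defaults to on); starttls is off unless asked.
    params["referrals"] = _as_bool(params.get("referrals", False))
    params["starttls"] = _as_bool(params.get("starttls", False))
    if "port" in params:
        params["port"] = int(params["port"])
    return params, ignored


if __name__ == "__main__":
    resolved, ignored = resolve_ldap_params(
        {"user": "saslusername"}, SAMPLE_LDAPRC, env={"LDAPPASSWORD": "SECRET"})
    print(resolved)
    print("ignored:", ignored)
```

Reporting the ignored keys matters in practice: a TLS_CACERT line in ldaprc is honoured by libldap itself but is not something ldap2pg.yml can carry, so a wrapper should tell the operator rather than drop it quietly.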

sync_map

The synchronization map is a YAML list. We call each item a mapping. A mapping is composed of the following sections:

  • A description entry: a string logged before this mapping is processed.
  • A ldapsearch section describing an LDAP search.
  • A role or roles section describing one or more rules to create Postgres roles from LDAP entries.
  • A grant section describing one or more grants from LDAP entries.

The ldapsearch entry is optional; however, one of roles or grant is required.

Tip

Defining the right sync map can be tedious. Start with a simple sync map to set up the Postgres and LDAP connections first, then define the detailed synchronisation steps. Here is the simplest sync map:

sync_map:
- role: toto

It just means you want a role named toto in the cluster.
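To make the shorthand rules from the sections above concrete (a top-level YAML list is the sync_map; `role: name` is the short form of a roles rule with a single name; ldapsearch is optional but roles or grant is required), here is an added normalizer and validator. It is example code, not ldap2pg's own loader: it works on an already-parsed document, so the YAML parsing step (for instance yaml.safe_load) is assumed to have happened, and treating a mapping written under `role` as a single rule is an assumption.

```python
def normalize_mapping(mapping, where="mapping"):
    """Expand the `role` shorthand and check the mapping has roles or grant."""
    if not isinstance(mapping, dict):
        raise ValueError("%s: each sync_map item must be a mapping" % where)
    out = dict(mapping)
    if "role" in out:
        if "roles" in out:
            raise ValueError("%s: use either 'role' or 'roles', not both" % where)
        role = out.pop("role")
        if isinstance(role, str):
            # `role: admin` is the documented short form of this rule.
            out["roles"] = [{"names": [role]}]
        elif isinstance(role, dict):
            out["roles"] = [role]  # assumed: one full rule written under `role`
        else:
            raise ValueError("%s: 'role' must be a name or a rule mapping" % where)
    # ldapsearch and description are optional; roles or grant must be present.
    if "roles" not in out and "grant" not in out:
        raise ValueError("%s: a mapping needs a 'roles' or 'grant' section" % where)
    return out


def normalize_config(doc):
    """Return a config dict whose sync_map is a list of expanded mappings."""
    if isinstance(doc, list):
        config = {"sync_map": doc}  # a bare list is the sync_map
    elif isinstance(doc, dict):
        config = dict(doc)
    else:
        raise ValueError("ldap2pg.yml must be a YAML mapping or a list")
    sync_map = config.get("sync_map", [])
    if not isinstance(sync_map, list):
        raise ValueError("sync_map must be a list")
    config["sync_map"] = [normalize_mapping(m, "sync_map[%d]" % i)
                          for i, m in enumerate(sync_map)]
    return config


def config_errors(doc):
    """Return validation messages for `doc` (an empty list when it is acceptable)."""
    try:
        normalize_config(doc)
    except ValueError as exc:
        return [str(exc)]
    return []


if __name__ == "__main__":
    # Constructed sample: the two equivalent forms shown on this page.
    short_form = [{"role": "admin"}]
    long_form = {"sync_map": [{"roles": [{"names": ["admin"]}]}]}
    print(normalize_config(short_form) == normalize_config(long_form))
```

Running the validator on a candidate file before a real synchronization gives a clear message for the common mistake of writing an ldapsearch with no roles or grant attached, which would otherwise produce a mapping that does nothing.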

File Location

ldap2pg searches for a configuration file in the following order:

  1. ldap2pg.yml in current working directory.
  2. ~/.config/ldap2pg.yml.
  3. /etc/ldap2pg.yml.

If LDAP2PG_CONFIG or --config is set, ldap2pg skips searching the standard file locations. You can specify - to read the configuration from standard input. This is helpful to feed ldap2pg with a dynamic configuration.