ldap2pg synchronizes Postgres roles in three steps:
- Inspect Postgres for existing roles, their options and their membership.
- Loop over sync_map and generate the wanted roles list from role rules.
- Compare the two role sets and apply the differences to the Postgres cluster.
Each role entry in sync_map is a rule that generates zero or more roles with the corresponding parameters. A role rule works like a template: its names list lets you deduplicate membership and options by declaring them once for a whole list of role names. You can mix static roles and roles generated from LDAP attributes in the same file.
ldap2pg totally ignores roles matching one of the glob patterns defined in roles_blacklist_query. The role blacklist is also applied to grants: ldap2pg will never apply REVOKE on a role matching one of the blacklist patterns.
ldap2pg never drops the role it uses to connect.
Disabling Role Management
You can tell ldap2pg to manage only privileges and never touch roles: set roles_query to null and never define a role rule in sync_map.
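The following is an added, self-contained Python model of the three-step flow described above (inspect, generate wanted roles from role rules, diff and apply), together with the blacklist, the connecting-role protection and the roles_query: null switch from this last section. It is illustrative code written for this page, not ldap2pg's own implementation: the EXISTING_ROLES snapshot, the ROLE_RULES list and the action labels CREATE, ALTER and DROP are constructed for the example, and plan_sync only computes a plan instead of executing SQL.

```python
"""Toy model of ldap2pg's role sync (added example, not ldap2pg code).

Step 1 is represented by a constructed snapshot of existing roles, step 2
expands role rules (each with a ``names`` list and shared options) into the
wanted set, and step 3 diffs the two sets into a plan. Blacklisted roles are
never touched and the connecting role is never dropped.
"""
from fnmatch import fnmatchcase

# Constructed snapshot of what inspecting Postgres would return: name -> options.
EXISTING_ROLES = {
    "postgres": {"LOGIN": True, "SUPERUSER": True},
    "pg_monitor": {"LOGIN": False, "SUPERUSER": False},
    "alice": {"LOGIN": True, "SUPERUSER": False},
    "stale_user": {"LOGIN": True, "SUPERUSER": False},
    "ldap2pg": {"LOGIN": True, "SUPERUSER": False},
}

# Constructed role rules in the spirit of sync_map entries: the ``names`` list
# declares the options once for several roles.
ROLE_RULES = [
    {"names": ["alice", "bob"], "options": {"LOGIN": True, "SUPERUSER": False}},
    {"names": ["readers"], "options": {"LOGIN": False, "SUPERUSER": False}},
]

# Glob patterns in the spirit of roles_blacklist_query (assumed values).
ROLES_BLACKLIST = ["postgres", "pg_*"]
# Name of the role ldap2pg connects with (assumed value).
CONNECTING_ROLE = "ldap2pg"


def is_blacklisted(name, patterns=ROLES_BLACKLIST):
    """True when the role name matches any glob pattern of the blacklist."""
    return any(fnmatchcase(name, pattern) for pattern in patterns)


def wanted_roles(rules=ROLE_RULES):
    """Step 2: expand role rules into a name -> options mapping."""
    wanted = {}
    for rule in rules:
        for name in rule["names"]:
            wanted[name] = dict(rule["options"])
    return wanted


def plan_sync(existing, wanted, blacklist=ROLES_BLACKLIST, me=CONNECTING_ROLE):
    """Step 3: diff existing against wanted into (action, name, options) tuples.

    Roles matching the blacklist are skipped on both sides, and the connecting
    role is kept even when no rule wants it.
    """
    actions = []
    for name, options in wanted.items():
        if is_blacklisted(name, blacklist):
            continue
        if name not in existing:
            actions.append(("CREATE", name, options))
        elif existing[name] != options:
            actions.append(("ALTER", name, options))
    for name in existing:
        if is_blacklisted(name, blacklist) or name == me:
            continue
        if name not in wanted:
            actions.append(("DROP", name, None))
    return actions


def sync_roles(roles_query, rules=ROLE_RULES, existing=EXISTING_ROLES):
    """Full run. A null roles_query disables role management: nothing is planned."""
    if roles_query is None:
        return []
    return plan_sync(existing, wanted_roles(rules))


if __name__ == "__main__":
    for action, name, options in sync_roles("SELECT rolname FROM pg_roles"):
        print(action, name, options or "")
```

Running the module prints the plan for the constructed data: bob and readers are created, stale_user is dropped, while postgres and pg_monitor are ignored and the ldap2pg connecting role survives despite having no rule. Passing roles_query=None to sync_roles yields an empty plan, which is the documented way to restrict ldap2pg to privileges only.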