Managing roles
ldap2pg synchronizes Postgres roles in three steps:
- Inspect Postgres for existing roles, their options and their membership.
- Loop over `sync_map` and generate the wanted roles list from `role` rules.
- Compare the two role sets and apply the difference to the Postgres cluster using `CREATE`, `DROP` and `ALTER`.
Each role entry in `sync_map` is a rule that generates zero or more roles with the corresponding parameters. A `role` rule is like a template. `role` rules allow deduplicating membership and options by setting a list of names.
You can mix static roles and roles generated with LDAP attributes in the same file.
Ignoring roles
ldap2pg totally ignores roles matching one of the glob patterns defined in `roles_blacklist_query`.
The role blacklist is also applied to grants. ldap2pg will never apply `GRANT` or `REVOKE` on a role matching one of the blacklist patterns.
ldap2pg never drops its connecting role.
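The three steps, the blacklist and the connecting-role rule, as an added illustration in Python (not ldap2pg's own code): the existing roles, the `sync_map` entries and the connecting role name `ldap2pg` are all constructed assumptions.

```python
# Simplified model of the three-step role sync described above (an added
# illustration, not ldap2pg's own code); every value below is constructed.
from fnmatch import fnmatchcase
BLACKLIST = ["postgres", "pg_*"]  # glob patterns, as in roles_blacklist_query
CONNECTING_ROLE = "ldap2pg"       # assumed name of the role ldap2pg connects as

# Step 1 result: role -> (options, parents), as if inspected from Postgres.
EXISTING = {
    "postgres":   ("LOGIN",   set()),
    "pg_monitor": ("NOLOGIN", set()),
    "ldap2pg":    ("LOGIN",   set()),
    "ldap_roles": ("NOLOGIN", set()),
    "alice":      ("NOLOGIN", {"pg_monitor"}),
    "old_user":   ("LOGIN",   {"ldap_roles"}),
}
# Step 2 input, shaped like sync_map: `role` is one role, `roles` with `names` is a template.
SYNC_MAP = [
    {"role": {"name": "ldap_roles", "options": "NOLOGIN"}},
    {"roles": [{"names": ["alice", "bob"], "options": "LOGIN",
                "parents": ["ldap_roles"]}]},
]
def blacklisted(name):
    return any(fnmatchcase(name, pat) for pat in BLACKLIST)

def wanted_roles(sync_map):
    """Expand role/roles rules into the wanted set: name -> (options, parents)."""
    wanted = {}
    for entry in sync_map:
        for rule in [entry["role"]] if "role" in entry else entry["roles"]:
            for name in rule.get("names", [rule.get("name")]):
                wanted[name] = (rule.get("options", ""), set(rule.get("parents", ())))
    return wanted

def plan(existing, wanted):
    """Step 3: diff the sets; blacklisted roles are never touched, the connecting role never dropped."""
    actions = []
    for name, (opts, parents) in wanted.items():
        if blacklisted(name): continue
        cur_opts, cur_parents = existing.get(name, (None, set()))
        if cur_opts != opts:
            actions.append(f"{'CREATE' if cur_opts is None else 'ALTER'} ROLE {name} WITH {opts}")
        for parent in sorted(parents ^ cur_parents):  # membership to add or remove
            if not blacklisted(parent):
                actions.append(f"GRANT {parent} TO {name}" if parent in parents
                               else f"REVOKE {parent} FROM {name}")
    for name in sorted(set(existing) - set(wanted)):
        if not blacklisted(name) and name != CONNECTING_ROLE:
            actions.append(f"DROP ROLE {name}")
    return actions
```

Note that `alice` keeps her `pg_monitor` membership: the parent matches `pg_*`, so no `REVOKE` is emitted for it, exactly as the blacklist rule above requires.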
Disabling Role Management
You can tell ldap2pg to manage only privileges and never `CREATE` or `DROP` a role. Set `roles_query` to `null` and never define a `role` rule in `sync_map`.