| From: | Hans Schou <hans(dot)schou(at)gmail(dot)com> |
|---|---|
| To: | pgsql-general <pgsql-general(at)postgresql(dot)org> |
| Subject: | Grant to a group defined in Windows AD |
| Date: | 2018-04-10 08:36:28 |
| Message-ID: | CAApBw35nUeJmVNhCLnF1-Ee6rXepY_pgDwAMvWbx8-SGS28cqQ@mail.gmail.com |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
Hi
Can I have a advise on how to handle groups?
In my Windows AD (Active Directory) I have two groups named:
readers
writers
In Postgresql I have these databases:
d1
d2
The "writers" should have NOCREATEDB etc but ALL PRIVILEGES to d1 and d2.
The "readers" should have SELECT to all tables in d1 and no access at all
to d2.
It seems like I can either use a group ROLE or a SCHEME to accomplish my
goal. Which one will be the most best/simple to administer for me and my
colleagues? Or is there another approach we can use?
Here is my draft for a daily-run Powershell script which will get all the
users in the group "readers" in the Windows AD and create them in
Postgresql:
$LdapCon = "LDAP://CN=readers,OU=specimen,DC=example,DC=org"
Write-Host "-- Get group members from: $($LdapCon)"
$Group = [ADSI]$LdapCon
$Group.Member | ForEach-Object {
$Searcher = [adsisearcher]"(distinguishedname=$_)"
$u = $($searcher.FindOne().Properties.samaccountname).ToLower()
Write-Host "CREATE ROLE `"$u`";"
Write-Host " ALTER ROLE `"$u`" WITH LOGIN;"
Write-Host " GRANT SELECT ... readers ...;"
}
And then I pipe the output to psql.exe.
The output looks like:
CREATE ROLE "joe";
ALTER ROLE "joe" WITH LOGIN;
GRANT SELECT ... readers ...;
PS: To get a list of your own groups use Powershell:
([ADSISEARCHER]"samaccountname=$($env:USERNAME)").Findone().Properties.memberof
| From | Date | Subject | |
|---|---|---|---|
| Next Message | hmidi slim | 2018-04-10 10:24:49 | Using enum instead of join tables |
| Previous Message | Peter Geoghegan | 2018-04-10 03:08:02 | Re: ERROR: found multixact from before relminmxid |