Re: LDAP: Auto user creation and role membership

On Wed, May 5, 2010 at 22:49, Daniel Scott <djscott(at)mit(dot)edu> wrote:
> Hi,
>
> I have Postgres 8.4.3 running with gss authentication against Fedora's
> FreeIPA (Integrated Kerberos, LDAP and some other services).
>
> I would like to auto-create users and auto-map postgres roles with
> users and groups within the FreeIPA LDAP directory. Can anyone tell me
> if this is available in Postgres? Looking through the docs, it appears
> that it is not, and I have to manage user creation and role membership
> manually.
>
> I found this post from 5 years ago:
>
> http://www.mail-archive.com/pgsql-hackers(at)postgresql(dot)org/msg58156.html
>
> But I haven't found anything mentioning this functionality since.
>
> Is anyone else attempting to do this? I could probably write a script
> or something to auto create postgres users from the LDAP directory
> (and remove users who have been deleted from LDAP) and then
> synchronise the roles with LDAP groups, but I don't want to repeat
> this work if someone's already done it.
>
> I'd also appreciate any hints or suggestions for ways to do this.

I've written scripts to do this several times using both python and
perl. It's pretty simple. I haven't made them generic though, so it's
not something I can share. But just a tool that compares the list of
users and issues the appropriate CREATE USER or DROP USER commands is
pretty trivial. Granting role permissions adds a bit of complexity,
but not much. Trying to do them generic will make it a lot more
complex though, so if you jus tneed it for this one case, a quick
one-off script is probably the easiest way to go.

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/