-
Notifications
You must be signed in to change notification settings - Fork 36
/
Copy pathsample-config.yaml
68 lines (60 loc) · 2.2 KB
/
sample-config.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
# With this sample config the distinction between PG groups and users is
# done by the LOGIN/NOLOGIN attribute. Any non-superuser account
# is considered as LDAP-synchronized.
# Connection parameters to LDAP server
# see also: http://net-ldap.rubyforge.org/Net/LDAP.html#method-c-new
ldap_connection:
host: ldapserver
port: 389
auth:
method: :simple
username: CN=username,OU=!Serviceaccounts,OU=company,DC=company,DC=de
password: secret
# or GSSAPI / Kerberos authentication:
auth:
method: :gssapi
hostname: ldapserver.company.de
servicename: ldap # optional, defaults to "ldap"
# or GSS-SPNEGO / NTLM authentication
auth:
method: :gss_spnego
username: 'myuser'
password: 'secret'
domain: 'company.de' # optional
# Search parameters for LDAP users which should be synchronized
ldap_users:
base: OU=company,OU=company,DC=company,DC=de
# LDAP filter (according to RFC 2254)
# defines to users in LDAP to be synchronized
filter: (&(objectClass=person)(objectClass=organizationalPerson)(givenName=*)(sn=*))
# this attribute is used as PG role name
name_attribute: sAMAccountName
# Search parameters for LDAP groups which should be synchronized
ldap_groups:
base: OU=company,OU=company,DC=company,DC=de
filter: (|(cn=group1)(cn=group2)(cn=group3))
# this attribute is used as PG role name
name_attribute: cn
# this attribute must reference to all member DN's of the given group
member_attribute: member
# Connection parameters to PostgreSQL server
# see also: http://rubydoc.info/gems/pg/PG/Connection#initialize-instance_method
pg_connection:
host:
dbname: postgres
user: db-username
password:
pg_users:
# Filter for identifying LDAP generated users in the database.
# It's the WHERE-condition to "SELECT rolname, oid FROM pg_roles"
filter: rolcanlogin AND NOT rolsuper
# Options for CREATE RULE statements
create_options: LOGIN
pg_groups:
# Filter for identifying LDAP generated groups in the database.
# It's the WHERE-condition to "SELECT rolname, oid FROM pg_roles"
filter: NOT rolcanlogin AND NOT rolsuper
# Options for CREATE RULE statements
create_options: NOLOGIN
# Options for GRANT <role> TO <group> statements
grant_options: