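---
###
# L D A P 2 P G   S A M P L E   C O N F I G U R A T I O N
###
#
# This is a starting point configuration file for ldap2pg.yml. It includes
# static roles, groups, privileges and LDAP searches.
#
# This configuration assumes the following principles:
#
# - All LDAP users are grouped in the `ldap_roles` group.
# - Read privileges are granted to the `readers` group.
# - Write privileges are granted to the `writers` group.
# - DDL privileges are granted to the `owners` group.
# - We have one or more databases with public and maybe a schema.
# - Grants are not specific to a schema. Once you're a writer in a database,
#   you are a writer in all schemas of it.
#
# The LDAP directory content is described in fixtures/openldap-data.ldif
#
# Adapt to your needs! See also the full documentation on how to configure
# ldap2pg at https://ldap2pg.readthedocs.io/en/latest/config/.
#
# Don't hesitate to suggest improvements for this starting configuration at
# https://github.com/dalibo/ldap2pg/issues/new . Thanks for your contribution!
#

#
# File format version. Allows ldap2pg to check whether the file is supported.
#
version: 5

#
# LDAP connection used for every `ldapsearch` in the sync_map below. The bind
# account only performs searches in this file, so it should need no more than
# read access to the `ou=ldap2pg,ou=groups` subtree.
#
ldap:
  uri: ldaps://jcolebrand.info
  binddn: cn=postgres,ou=services,dc=jcolebrand,dc=info
  # PLACEHOLDER: the original file carried the bind password as a plaintext
  # literal here. A credential committed with the configuration must be
  # treated as exposed and rotated. Prefer supplying it out of band (ldap2pg
  # reads ldaprc / LDAP* environment variables such as LDAPPASSWORD — confirm
  # for your version) and keep this key out of version control.
  password: "<LDAP_BIND_PASSWORD>"

#
# 1. P O S T G R E S   I N S P E C T I O N
#
# See https://ldap2pg.readthedocs.io/en/latest/postgres/
#
postgres:
  # Unix-socket connection as the `postgres` superuser; %2f is an URL-encoded
  # slash in the socket directory path.
  dsn: postgres://postgres@%2fvar%2frun%2fpostgresql:5432/
  databases_query: "SELECT datname FROM pg_catalog.pg_database;"

  # List of role names which can be dropped from the cluster. Privileges on
  # these roles can be revoked. Every role returned here is fair game for a
  # DROP on the next sync, so keep this query as narrow as possible: only the
  # static groups and the members of `ldap_roles` are returned.
  managed_roles_query: |
    SELECT ('public')
    UNION
    SELECT ('ldap_roles')
    UNION
    SELECT DISTINCT role.rolname
    FROM pg_roles AS role
    LEFT OUTER JOIN pg_auth_members AS ms ON ms.member = role.oid
    LEFT OUTER JOIN pg_roles AS ldap_roles
      ON ldap_roles.rolname = 'ldap_roles' AND ldap_roles.oid = ms.roleid
    WHERE role.rolname IN ('ldap_roles', 'readers', 'writers', 'owners')
       OR ldap_roles.oid IS NOT NULL
    ORDER BY 1;

  # List of object owners that require default privileges configuration.
  # Since the readers/writers/owners groups are global to the cluster, we have
  # a global owners_query: every member of `owners`.
  owners_query: |
    SELECT DISTINCT role.rolname
    FROM pg_catalog.pg_roles AS role
    JOIN pg_catalog.pg_auth_members AS ms ON ms.member = role.oid
    JOIN pg_catalog.pg_roles AS owners
      ON owners.rolname = 'owners' AND owners.oid = ms.roleid
    ORDER BY 1;

  # Exclude information_schema, pg_catalog, pg_toast, and other system schemas
  # from privilege management. NOTE(review): `_` is a LIKE wildcard, so
  # `'pg_%'` also excludes any user schema named "pg" plus one character and
  # more; such a schema would silently stay unmanaged.
  schemas_query: |
    SELECT nspname
    FROM pg_catalog.pg_namespace
    WHERE nspname NOT LIKE 'pg_%'
      AND nspname <> 'information_schema'
    ORDER BY 1;

#
# 2. P R I V I L E G E S   D E F I N I T I O N
#
# See https://ldap2pg.readthedocs.io/en/latest/privileges/. Privileges wrapped
# in double underscores are well-known privileges built into ldap2pg. See
# https://ldap2pg.readthedocs.io/en/latest/wellknown/ for a documentation of
# each of them.
#
privileges:
  # `ro` privilege group: read-only grants.
  ro:
    - __connect__
    - __select_on_tables__
    - __select_on_sequences__
    - __usage_on_schemas__
    - __usage_on_types__

  # `rw` privilege group: write grants only. Read access for writers comes
  # from the `writers` -> `readers` parent relation in sync_map, not from here.
  rw:
    - __temporary__
    - __all_on_tables__
    - __all_on_sequences__

  # `ddl` privilege group: DDL grants only.
  ddl:
    - __create_on_schemas__

#
# 3. S Y N C H R O N I S A T I O N   M A P
#
# This list contains rules to declare roles and grants. Each role or grant rule
# can be templated with attributes from LDAP entries returned by a search
# query.
#
# Any managed role found in the cluster and not generated by sync_map will be
# dropped. Any grant found in the cluster and not generated by sync_map will
# be revoked.
#
sync_map:
  - description: "Setup static roles and grants."
    roles:
      - names:
          - ldap_roles
          - readers
        options: NOLOGIN
      - name: writers
        # Grant reading to writers
        parent: readers
        options: NOLOGIN
      - name: owners
        # Grant read/write to owners
        parent: writers
        options: NOLOGIN
    # One grant per privilege group. `schema: __all__` is used on all three
    # rules (the original mixed `schemas:` and `schema:` for the same meaning).
    grant:
      - privilege: ro
        role: readers
        schema: __all__
      - privilege: rw
        role: writers
        schema: __all__
      - privilege: ddl
        role: owners
        schema: __all__

  - description: "Query LDAP to create superusers."
    ldapsearch:
      base: ou=ldap2pg,ou=groups,dc=jcolebrand,dc=info
      filter: "(cn=superuser)"
    role:
      # LDAP attribute member is a Distinguished Name. Use the CN component of
      # the member value.
      name: '{member.cn}'
      # Membership of the LDAP group cn=superuser maps directly to PostgreSQL
      # SUPERUSER. Whoever can edit that group's member attribute controls the
      # cluster, so its write ACL deserves the same scrutiny as the cluster
      # itself.
      options: LOGIN SUPERUSER
      parent:
        - ldap_roles
        - owners
      comment: "From LDAP group {dn}"

  - description: "Query LDAP to create writers."
    ldapsearch:
      base: ou=ldap2pg,ou=groups,dc=jcolebrand,dc=info
      filter: "(cn=writers)"
      # Only this search sets on_unexpected_dn; the superuser and readers
      # searches fall back to ldap2pg's default for member values outside the
      # search base. Consider setting it explicitly on all three.
      on_unexpected_dn: warn
    role:
      name: '{member.cn}'
      options: LOGIN
      parent:
        - ldap_roles
        - writers
      # Same wording as the superuser rule (the original read "groupe").
      comment: "From LDAP group {dn}"

  - description: "Query LDAP to create readers."
    ldapsearch:
      base: ou=ldap2pg,ou=groups,dc=jcolebrand,dc=info
      filter: "(cn=readers)"
    role:
      name: '{member.cn}'
      options: LOGIN
      parent:
        - ldap_roles
        - readers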