Allow for empty AD group in LDAP sync #282
Comments
|
Hi @andersbogsnes, thanks for the report.
Could you add a filter that exclude entry without member attribute ? It's hard for ldap2pg to distinguish a missing attribute from a typo in attribute name. |
|
@bersace Thanks for the swift reply! I'm not sure how that filter would work - if the filter returns empty, then it will never have a member attribute and I would get the same error, no? Or does ldap2pg handle that case differently? |
|
Hi @andersbogsnes , having On empty set, ldap2pg just do nothing. As usual, ldap2pg drops managed roles not returned by directory. Is it clearer for you ? |
|
Just to spell it out for someone not well-versed in ldap queries :-) So I would change my ldap section to this? - ldap:
base: "base_dn_goes_here"
filter: "(&(CN=${ENV}_name_of_ad_group)(member=*))" # Replaced at runtime with ENV
role:
name: '{member.cn}'
options: LOGIN SUPERUSER
parent:
- ldap_roles
- owners
on_unexpected_dn: warn |
|
Yep, this looks good. Thanks for the sharing ! |
|
Thanks for the help! |
|
Hello.
I wanted to use ldap2pg to synchronize our AD with several postgresql engines. When I got YAML like: everything works fine, until an empty group is found in LDAP - ldap2pg crashes because no member is there. Whe I tried @andersbogsnes workaround without ${ENV}_name_of_ad_group it works only when any user is not in two groups. YAML: Example: Result in Postgres is: Could you please add an option to ldap2pg, something like you alredy have -> on_unexpected_dn? Thank you very much in advance! |
|
Hi @meegoSVK . That's fair. Just thinking loud. What do you think of something like: sync_map:
- ldap:
base: ...
on_unexpected_dn: fail
allow_missing_attributes: [member]This is so common that this could be the default. Maybe with a warning message. $ ldap2pg ...
...
INFO: Query LDAP to create superusers.
INFO: Querying LDAP ou=groups,dc=ldap,dc=lda... (cn=dba)...
WARN: No member attribute returned for cn=group_pgsql_.... Considering an empty list.
...What do you think of this ? Both of you :-) |
|
Hi @bersace |
|
Looks good to me! Seems like a very useful feature, and the warning is definitely a good way to avoid foot-guns! Is there a flag for treating warnings as errors if the user wants to run in “strict mode” ala Sphinx? |
|
Hi @andersbogsnes treating warnings as error is a good idea. I suggest you to open an issue or maybe complete this to #286 |
|
Hu, that's odd. There ldap2pg already defaults missing attributes to https://github.com/dalibo/ldap2pg/blob/master/ldap2pg/manager.py#L59 |
Created #338 |
|
Hi @bersace ! Thanks for implementing missing attributes. I tried using allow_missing_attributes, but I always get: Here is YAML: Here is output from verbose mode: This happens when it tires to query empty group. Thanks for help, and sorry for reopening old wounds :) |
|
Hi @bersace I found out, that querying for So when I change the YAML to: Everything works fine. |
|
@meegoSVK I have a WIP code to fix the combination of member.* in several fields to make ensure more consistency. The sub-query feature had some consequences in formating combination that I didn't spotted early. |
We have an issue where we mirror ldap2pg.yaml across our environments, (test, dev, prod) and have a similar naming scheme for our AD groups.
The problem occurs when there are no users in the AD group - something that can also occur if someone quits. ldap2pg will error out saying it has no attribute
member.As far as I can see, there is no way to have ldap2pg ignore an AD group with no members.
I have tried "on_unexpected_dn" but that does not seem to work in this case.
The text was updated successfully, but these errors were encountered: