Apply roles and privileges with ldap2pg

From YAML or LDAP

@EtienneBersac from DALIBO (France)

PgCon 2018

How do you do it?

  • Manually.
  • Ad-hoc script.
  • Ansible (limited).
  • pg-ldap-sync (slow, unmaintained).

Why roles AND privileges?

  • Allows managing default privileges at role creation.
  • Allows granting privileges from the directory.

Introducing ldap2pg

  • Simple and powerful configuration in YAML.
  • Python 3, 2.7 and 2.6.
  • Minimal dependencies: python-ldap, psycopg2 and pyyaml.
  • Describe roles statically or from LDAP objects.

How does it work

  • Introspect Postgres and query LDAP.
  • Compare & Synchronise.
  • Roles first, then privileges.

YAML Sample

privileges:
  ro: [__connect__, __select__]

sync_map:
- role: me
- grant:
    privilege: ro
    role: me
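
The "compare and synchronise" loop above, worked through on the YAML sample, as an added example that is not ldap2pg's own code. Assumptions: the YAML is replaced by an equivalent Python dict (no PyYAML needed), the current cluster state is constructed inline instead of introspected through psycopg2, LDAP is left out because the sample declares its role statically, the SQL behind __connect__ and __select__ is a guess at two of ldap2pg's built-in privileges, and PROTECTED_ROLES stands in for ldap2pg's configurable blacklist. Like ldap2pg, the planner handles roles first and privileges second, and in the spirit of the dry-run default it only returns the SQL it would run. Role names coming from a directory are untrusted input, so every identifier is quoted.

```python
"""Added example: a minimal "compare and synchronise" planner in the spirit
of ldap2pg (not ldap2pg's own code).  Desired state comes from a dict that
mirrors the talk's YAML sample; the current Postgres state is constructed
inline rather than introspected.  plan() returns SQL and never executes it."""

# Assumption: how the two built-in privilege names in the YAML sample map
# to SQL.  ldap2pg ships its own, richer definitions.
GRANT_SQL = {
    "__connect__": "GRANT CONNECT ON DATABASE {db} TO {role};",
    "__select__": "GRANT SELECT ON ALL TABLES IN SCHEMA public TO {role};",
}
REVOKE_SQL = {
    "__connect__": "REVOKE CONNECT ON DATABASE {db} FROM {role};",
    "__select__": "REVOKE SELECT ON ALL TABLES IN SCHEMA public FROM {role};",
}

# Roles that are never created, dropped or re-granted, whatever the
# directory says.  Constructed here; ldap2pg has a configurable blacklist.
PROTECTED_ROLES = {"postgres"}

# Python dict standing in for the talk's YAML sample.
SAMPLE_CONFIG = {
    "privileges": {"ro": ["__connect__", "__select__"]},
    "sync_map": [
        {"role": "me"},
        {"grant": {"privilege": "ro", "role": "me"}},
    ],
}

# Constructed "introspection" result: roles and (role, privilege) pairs
# that currently exist in the cluster.
CURRENT_ROLES = {"postgres", "me", "old_intern"}
CURRENT_GRANTS = {("old_intern", "__connect__")}


def quote_ident(name):
    """Quote an identifier the way Postgres expects.  Names that come from
    a directory are untrusted input, so they are always quoted."""
    return '"' + name.replace('"', '""') + '"'


def expand_privilege(config, name, seen=()):
    """Resolve a profile name (e.g. 'ro') to its set of leaf privileges,
    following nested profiles and refusing cycles."""
    profiles = config.get("privileges", {})
    if name not in profiles:
        if name not in GRANT_SQL:
            raise ValueError("unknown privilege: %s" % name)
        return {name}
    if name in seen:
        raise ValueError("privilege profile cycle at: %s" % name)
    leaves = set()
    for member in profiles[name]:
        leaves |= expand_privilege(config, member, seen + (name,))
    return leaves


def desired_state(config):
    """Turn sync_map into (wanted roles, wanted (role, privilege) pairs)."""
    roles, grants = set(), set()
    for item in config["sync_map"]:
        if "role" in item:
            spec = item["role"]
            roles.add(spec if isinstance(spec, str) else spec["name"])
        if "grant" in item:
            for priv in expand_privilege(config, item["grant"]["privilege"]):
                grants.add((item["grant"]["role"], priv))
    return roles, grants


def plan(config, current_roles, current_grants, db="postgres"):
    """Compute the SQL needed to converge: roles first, then privileges.
    Statements come back in execution order; nothing is executed."""
    wanted_roles, wanted_grants = desired_state(config)
    current_roles, current_grants = set(current_roles), set(current_grants)
    sql = []
    # Roles: drop what the config does not manage (protected roles
    # excepted), then create what is missing.  A role still holding
    # privileges cannot be dropped, so its grants are revoked first.
    for role in sorted(current_roles - wanted_roles):
        if role in PROTECTED_ROLES or role.startswith("pg_"):
            continue
        for r, priv in sorted(current_grants):
            if r == role:
                sql.append(REVOKE_SQL[priv].format(db=quote_ident(db), role=quote_ident(role)))
        current_grants = {(r, p) for r, p in current_grants if r != role}
        sql.append("DROP ROLE %s;" % quote_ident(role))
    for role in sorted(wanted_roles - current_roles):
        sql.append("CREATE ROLE %s;" % quote_ident(role))
    # Privileges: grant what is missing, revoke what is extra.
    for role, priv in sorted(wanted_grants - current_grants):
        sql.append(GRANT_SQL[priv].format(db=quote_ident(db), role=quote_ident(role)))
    for role, priv in sorted(current_grants - wanted_grants):
        if role not in PROTECTED_ROLES:
            sql.append(REVOKE_SQL[priv].format(db=quote_ident(db), role=quote_ident(role)))
    return sql


if __name__ == "__main__":
    for statement in plan(SAMPLE_CONFIG, CURRENT_ROLES, CURRENT_GRANTS):
        print(statement)
```

Run as-is, the script prints the four statements that turn the constructed cluster into the sampled state: the stale role loses its CONNECT and is dropped, then "me" receives CONNECT and SELECT. Feeding the planner a state that already matches yields an empty list, which is exactly what a check/audit mode would report as "nothing to do".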

Be nice with DBAs

  • Meaningful messages.
  • Dry run by default.
  • Check mode, also known as audit mode.
  • Logs every SQL query.
  • Logs LDAP queries as ldapsearch commands.

Hope you’ll enjoy it!