
pg-ldap-sync's Introduction


Use LDAP permissions in PostgreSQL

DESCRIPTION:

LDAP is often used for centralized user and role management in an enterprise environment. PostgreSQL offers different authentication methods, like LDAP, SSPI, GSSAPI or SSL. However, for any of these methods the user must already exist in the database before authentication can be used. There is currently no direct authorization of database users against LDAP, so roles and memberships have to be administered twice.

This program helps to solve the issue by synchronizing users, groups and their memberships from LDAP to PostgreSQL. LDAP is accessed read-only. pg_ldap_sync issues the appropriate CREATE ROLE, DROP ROLE, GRANT and REVOKE commands to synchronize users and groups.

It is meant to be started as a cron job.

FEATURES:

  • User+group creation, deletion and changes in memberships are synchronized from LDAP to PostgreSQL
  • Nested groups/roles supported
  • Configurable per YAML config file
  • Can use Active Directory as LDAP-Server
  • Set scope of considered users/groups on LDAP and PG side
  • Test mode which doesn't make any changes to the DBMS
  • Both LDAP and PG connections can be secured by SSL/TLS
  • NTLM and Kerberos authentication to LDAP server

REQUIREMENTS:

  • Ruby-2.0+
  • LDAP-v3 server
  • PostgreSQL-server v9.0+

INSTALL:

Install Ruby:

Install pg-ldap-sync and required dependencies:

  gem install pg-ldap-sync

Install from Git:

  git clone https://github.com/larskanis/pg-ldap-sync.git
  cd pg-ldap-sync
  gem install bundler
  bundle install
  bundle exec rake install

USAGE:

Create a config file based on config/sample-config.yaml or even better config/sample-config2.yaml

Run in test-mode:

  pg_ldap_sync -c my_config.yaml -vv -t

Run in modify-mode:

  pg_ldap_sync -c my_config.yaml -vv

It is recommended not to grant permissions to synchronized users directly on the PostgreSQL server, but to grant them to groups instead. Otherwise the DROP USER statement issued when a user leaves fails because of objects that depend on the user. DROP GROUP fails in the same way if there are dependent objects, but groups are typically more stable and are rarely removed.
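The description above outlines what a sync run does: compare what LDAP reports with what PostgreSQL has, then emit CREATE ROLE, GRANT, REVOKE and DROP ROLE in a safe order. The following is an added example written for this page, not pg-ldap-sync's own code: a minimal planner over constructed in-memory data (the hash shapes, the `plan_sync`/`apply_plan` names and the sample names are all assumptions of the example). It quotes role names as identifiers, refuses to touch PostgreSQL's reserved `pg_`-prefixed roles, reports group members that are not synchronized users instead of granting them, and orders drops last because DROP ROLE fails while dependent objects exist.

```ruby
# Added example, not pg-ldap-sync's own code: derive the SQL needed to bring
# PostgreSQL roles in line with what LDAP reports. Inputs are constructed
# hashes of name lists; real code would fill them from LDAP and pg_roles.

# Quote a role name as a PostgreSQL identifier; embedded double quotes are
# doubled so that a crafted LDAP name cannot break out of the quoting.
def quote_ident(name)
  '"' + name.gsub('"', '""') + '"'
end

# PostgreSQL reserves the pg_ prefix for its own roles (pg_signal_backend,
# pg_monitor, ...). A sync job must never try to create or drop them.
def system_role?(name)
  name.start_with?("pg_")
end

# ldap = { users: [...], groups: { group_name => [member user names] } }
# pg   = { users: [...], groups: { group_name => [current member user names] } }
# Returns [statements, warnings]; statements are ordered so that roles exist
# before memberships are granted and drops come last.
def plan_sync(ldap, pg, user_opts: "LOGIN", group_opts: "NOLOGIN")
  ldap_users  = ldap[:users]
  ldap_groups = ldap[:groups].keys
  pg_users    = pg[:users].reject { |u| system_role?(u) }
  pg_groups   = pg[:groups].keys.reject { |g| system_role?(g) }
  stmts, warnings = [], []

  # 1. Create what LDAP has and PostgreSQL lacks.
  (ldap_groups - pg_groups).each { |g| stmts << "CREATE ROLE #{quote_ident(g)} #{group_opts}" }
  (ldap_users - pg_users).each   { |u| stmts << "CREATE ROLE #{quote_ident(u)} #{user_opts}" }

  # 2. Reconcile memberships per group. Members that are not synchronized users
  #    (for example a nested group outside the user filter) are reported,
  #    never silently granted.
  ldap[:groups].each do |group, members|
    known, unknown = members.partition { |m| ldap_users.include?(m) }
    unknown.each { |m| warnings << "ldap member #{m} of group #{group} is unknown" }
    current = pg[:groups].fetch(group, [])
    (known - current).each { |m| stmts << "GRANT #{quote_ident(group)} TO #{quote_ident(m)}" }
    (current - known).each { |m| stmts << "REVOKE #{quote_ident(group)} FROM #{quote_ident(m)}" }
  end

  # 3. Drop what LDAP no longer has. DROP ROLE fails while objects depend on the
  #    role, which is why privileges are better granted to groups than to users.
  (pg_users - ldap_users).each   { |u| stmts << "DROP ROLE #{quote_ident(u)}" }
  (pg_groups - ldap_groups).each { |g| stmts << "DROP ROLE #{quote_ident(g)}" }
  [stmts, warnings]
end

# Apply a plan. In test mode the statements are only listed (the equivalent of
# pg_ldap_sync -t); otherwise each one is handed to the executor, which would
# wrap a database connection in real use. Returns the number of statements.
def apply_plan(stmts, test_mode: true, executor: nil)
  stmts.each do |sql|
    puts "SQL: #{sql}"
    executor.call(sql) unless test_mode
  end
  stmts.size
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: alice is new, carol is unknown to the user set, dave
  # left, and pg_signal_backend must be left alone.
  ldap = { users: ["alice", "bob"], groups: { "db_readers" => ["alice", "carol"] } }
  pg   = { users: ["bob", "dave"], groups: { "db_readers" => ["dave"], "pg_signal_backend" => [] } }
  stmts, warnings = plan_sync(ldap, pg)
  warnings.each { |w| puts "WARN: #{w}" }
  apply_plan(stmts, test_mode: true)
end
```

With the constructed sample the plan is one CREATE ROLE for alice, a GRANT for alice and a REVOKE for dave on db_readers, and a final DROP ROLE for dave; pg_signal_backend never appears in the plan because it is filtered out before the comparison rather than special-cased by name.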

TEST:

There is a small test suite in the test directory that runs against an internal LDAP server and a PostgreSQL server. Ensure the pg_ctl, initdb and psql commands are in the PATH, like so:

  cd pg-ldap-sync
  bundle install
  PATH=$PATH:/usr/lib/postgresql/10/bin/ bundle exec rake test

ISSUES:

  • There is currently no way to set certain user attributes in PG based on individual attributes in LDAP (expiration date etc.)

License

The gem is available as open source under the terms of the MIT License.

pg-ldap-sync's People

Contributors

jingwen-yang-yjw, larskanis, martinkangur, ppuetsch


pg-ldap-sync's Issues

Large AD group causes the members to be removed from the pg-group.

A large AD group with 1501 members fails to merge the users with the pg-group. As a result, all of the members of the pg-group have their membership revoked from the pg-group. The issue started when three members were added to the AD group, taking the number of members from 1498 to 1501. Removing the three members allows the sync to work correctly.
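The boundary in this report (1498 works, 1501 fails) is the 1500-value cap that Active Directory applies to multi-valued attributes by default (MaxValRange): above it, the server returns the membership under the attribute name `member;range=0-1499` instead of `member`, and a client that reads only `member` sees no members and revokes everything. The following is an added example, not pg-ldap-sync's code, showing how a client follows those range markers until the server signals the last chunk with `range=N-*`. The `fake_ad_group` directory is constructed to mimic that server behaviour offline; in real use the `fetch` callback would run an LDAP search for the named attribute.

```ruby
# Added example, not pg-ldap-sync's own code: complete retrieval of an AD
# multi-valued attribute that the server hands out in ranged chunks.

# "member;range=0-1499" -> { attr: "member", low: 0, high: 1499 }
# "member;range=1500-*" -> { attr: "member", low: 1500, high: :end }
# plain "member"        -> nil
RANGE_RE = /\A(?<attr>[^;]+);range=(?<low>\d+)-(?<high>\d+|\*)\z/i

def parse_range(attr_name)
  m = RANGE_RE.match(attr_name.to_s)
  return nil unless m
  { attr: m[:attr], low: m[:low].to_i, high: m[:high] == "*" ? :end : m[:high].to_i }
end

# Collect every value of `attr` for one entry. `fetch` is called with the
# attribute name to request and returns a Hash of attribute name => values,
# labelled exactly as the server labels them. Raises instead of returning a
# partial list, so a caller can never mistake a truncated read for "no members".
def fetch_all_values(attr, fetch, max_rounds: 1000)
  values  = []
  request = attr
  max_rounds.times do
    response = fetch.call(request)
    # Unranged attribute present: the server did not truncate anything.
    return values + Array(response[attr]) if response.key?(attr)
    name, range = response.map { |k, _| [k, parse_range(k)] }
                          .find { |_, r| r && r[:attr].casecmp?(attr) }
    raise "no #{attr} values in response to #{request}" unless name
    values += Array(response[name])
    return values if range[:high] == :end
    # Ask for the next chunk starting right after the last value received.
    request = "#{attr};range=#{range[:high] + 1}-*"
  end
  raise "gave up after #{max_rounds} range requests for #{attr}"
end

# Constructed stand-in for an AD server holding one group with `member_count`
# members: at most `max_val_range` values per response, ranged attribute names
# when truncated, and "N-*" on the final chunk.
def fake_ad_group(member_count, max_val_range: 1500)
  members = (1..member_count).map { |i| "CN=user#{i},OU=People,DC=example,DC=test" }
  lambda do |requested|
    r = parse_range(requested)
    if r.nil?
      if members.size <= max_val_range
        { "member" => members }
      else
        { "member;range=0-#{max_val_range - 1}" => members.first(max_val_range) }
      end
    else
      chunk = members[r[:low], max_val_range] || []
      last  = r[:low] + chunk.size
      label = last >= members.size ? "*" : (last - 1).to_s
      { "#{r[:attr]};range=#{r[:low]}-#{label}" => chunk }
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  [1498, 1501, 3200].each do |n|
    got = fetch_all_values("member", fake_ad_group(n))
    puts "group of #{n}: retrieved #{got.size} member DNs"
  end
end
```

The defensive point is the `raise` in `fetch_all_values`: when the requested attribute comes back neither plain nor ranged, the membership read is incomplete and a sync job should abort the run rather than compute revokes from an empty list.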

ERROR: role "postgres_admin" already exists (PG::DuplicateObject)

Chris Roberts asked per mail:

First off thank you for creating this tool. and thank you in advance for any help.

I've been tasked with standing up a PostgreSQL instance and integrating it with our AD. The initial sync worked just fine. However, when we re-run pg_ldap_sync we run into an error. I've sanitized the .yaml file and the error we're getting. There is not a lot of documentation out there for this addon and I would appreciate any help.

We have a group made for postgres (postgres_admin). The first time running pg_ldap_sync the group (along with users) synced with postgres. However, additional runs result in the error below:

I, [2018-03-12T15:20:27.452143 #23276]  INFO -- : SQL: CREATE ROLE "postgres_admin" NOLOGIN
/var/lib/gems/2.3.0/gems/pg-ldap-sync-0.1.1/lib/pg_ldap_sync/application.rb:217:in `exec': ERROR:  role "postgres_admin" already exists (PG::DuplicateObject)
        from /var/lib/gems/2.3.0/gems/pg-ldap-sync-0.1.1/lib/pg_ldap_sync/application.rb:217:in `pg_exec_modify'
        from /var/lib/gems/2.3.0/gems/pg-ldap-sync-0.1.1/lib/pg_ldap_sync/application.rb:228:in `create_pg_role'
        from /var/lib/gems/2.3.0/gems/pg-ldap-sync-0.1.1/lib/pg_ldap_sync/application.rb:237:in `block in sync_roles_to_pg'
        from /var/lib/gems/2.3.0/gems/pg-ldap-sync-0.1.1/lib/pg_ldap_sync/application.rb:236:in `each'
        from /var/lib/gems/2.3.0/gems/pg-ldap-sync-0.1.1/lib/pg_ldap_sync/application.rb:236:in `sync_roles_to_pg'
        from /var/lib/gems/2.3.0/gems/pg-ldap-sync-0.1.1/lib/pg_ldap_sync/application.rb:332:in `start!'
        from /var/lib/gems/2.3.0/gems/pg-ldap-sync-0.1.1/lib/pg_ldap_sync/application.rb:353:in `run'
        from /var/lib/gems/2.3.0/gems/pg-ldap-sync-0.1.1/bin/pg_ldap_sync:6:in `<top (required)>'
        from /usr/local/bin/pg_ldap_sync:23:in `load'
        from /usr/local/bin/pg_ldap_sync:23:in `<main>'


Multiple OU

Hi! Is it possible to use multiple OUs for syncing users? Can I add 2 or 3 OUs in this code?

# Search parameters for LDAP users which should be synchronized
ldap_users:
  base: OU=company,OU=company,DC=company,DC=de

Error: uninitialized constant `PgLdapSync::Application::PGconn`

Hey,

From a fresh Ubuntu install, I get this error:

/var/lib/gems/2.3.0/gems/pg-ldap-sync-0.1.1/lib/pg_ldap_sync/application.rb:317:in `start!': uninitialized constant PgLdapSync::Application::PGconn (NameError)
	from /var/lib/gems/2.3.0/gems/pg-ldap-sync-0.1.1/lib/pg_ldap_sync/application.rb:353:in `run'
	from /var/lib/gems/2.3.0/gems/pg-ldap-sync-0.1.1/bin/pg_ldap_sync:6:in `<top (required)>'
	from /usr/local/bin/pg_ldap_sync:23:in `load'
	from /usr/local/bin/pg_ldap_sync:23:in `<main>'

My Ubuntu 16.04.03 setup was:

sudo apt-get install -y postgresql-server-dev-9.6 libpq-dev ruby ruby-all-dev
sudo gem install pg pg-ldap-sync

I then created a config file and ran:

pg_ldap_sync -c conf.yaml -vv

And I get the output (I've removed some confidential info):

I, [2018-01-19T16:38:00.504887 #5496]  INFO -- : found user-dn: ...
I, [2018-01-19T16:38:00.505617 #5496]  INFO -- : found user-dn: ...
I, [2018-01-19T16:38:00.508775 #5496]  INFO -- : found group-dn: ...
/var/lib/gems/2.3.0/gems/pg-ldap-sync-0.1.1/lib/pg_ldap_sync/application.rb:317:in `start!': uninitialized constant PgLdapSync::Application::PGconn (NameError)
	from /var/lib/gems/2.3.0/gems/pg-ldap-sync-0.1.1/lib/pg_ldap_sync/application.rb:353:in `run'
	from /var/lib/gems/2.3.0/gems/pg-ldap-sync-0.1.1/bin/pg_ldap_sync:6:in `<top (required)>'
	from /usr/local/bin/pg_ldap_sync:23:in `load'
	from /usr/local/bin/pg_ldap_sync:23:in `<main>'

Any help would be much appreciated! I've never used Ruby before so it's probably a noobie mistake.

Postgres 9.6 default role pg_signal_backend

Problem when syncing with Postgres 9.6, because the role pg_signal_backend is created by default in Postgres:

trace

I, [2017-01-26T11:38:45.007290 #32350]  INFO -- : group stat: create: 0 drop: 1 keep: 0
I, [2017-01-26T11:38:45.007350 #32350]  INFO -- : membership stat: grant: 0 revoke: 0 keep: 0
I, [2017-01-26T11:38:45.007414 #32350]  INFO -- : SQL: DROP ROLE "pg_signal_backend"
/root/.gem/ruby/gems/postgres-pr-0.7.0/lib/postgres-pr/connection.rb:145:in `query': ERROR	VERROR	C2BP01	Mcannot drop role pg_signal_backend because it is required by the database system	Fpg_shdepend.c	L577	RcheckSharedDependencies (DatabaseError)
	from /root/.gem/ruby/gems/postgres-pr-0.7.0/lib/postgres-pr/postgres-compat.rb:38:in `query'
	from /root/.gem/ruby/gems/pg-ldap-sync-0.1.1/lib/pg_ldap_sync/application.rb:217:in `pg_exec_modify'
	from /root/.gem/ruby/gems/pg-ldap-sync-0.1.1/lib/pg_ldap_sync/application.rb:232:in `drop_pg_role'
	from /root/.gem/ruby/gems/pg-ldap-sync-0.1.1/lib/pg_ldap_sync/application.rb:238:in `block in sync_roles_to_pg'
	from /root/.gem/ruby/gems/pg-ldap-sync-0.1.1/lib/pg_ldap_sync/application.rb:236:in `each'
	from /root/.gem/ruby/gems/pg-ldap-sync-0.1.1/lib/pg_ldap_sync/application.rb:236:in `sync_roles_to_pg'
	from /root/.gem/ruby/gems/pg-ldap-sync-0.1.1/lib/pg_ldap_sync/application.rb:330:in `start!'
	from /root/.gem/ruby/gems/pg-ldap-sync-0.1.1/lib/pg_ldap_sync/application.rb:353:in `run'
	from /root/.gem/ruby/gems/pg-ldap-sync-0.1.1/bin/pg_ldap_sync:6:in `<main>'

Define a ldap group filter which contains the "cn=Domain Users"

Hi,

I'm using this ldap-sync. It fits my needs exactly. I could successfully sync the users and groups. But I believe I did not set up the ldap_groups parameters correctly.

Here is my config file:

#######Begin of my config file

ldap_connection:
  host: 192.168.0.20
  port: 389
  auth:
    method: :simple
    username: CN=Postgres SEC,OU=COMPANYLOC,OU=Users,OU=COMPANYSEC,OU=COMPANYDIR,DC=Network,DC= company,DC=com,DC=br
    password: "password"

ldap_users:
  base: OU=COMPANYDIR,DC=Network,DC= company,DC=com,DC=br
  filter: (&(objectClass=person)(objectClass=organizationalPerson)(givenName=*)(sn=*))
  name_attribute: sAMAccountName

ldap_groups:
  base: OU=COMPANYSEC,OU=COMPANYDIR,DC=Network,DC= company,DC=com,DC=br
  filter: (|(CN=loc_sec_db_read_only))
  name_attribute: cn
  member_attribute: member

pg_connection:
  host: 192.168.0.10
  dbname: postgres
  user: postgres
  password: password

pg_users:
  filter: rolcanlogin AND NOT rolsuper
  create_options: LOGIN NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE NOREPLICATION

pg_groups:
  filter: NOT rolcanlogin AND NOT rolsuper
  create_options: NOLOGIN NOSUPERUSER NOINHERIT NOCREATEDB NOCREATEROLE NOREPLICATION
  grant_options:

######End of my config file

Here is a piece of the output:

#########Begin of the output

$> pg_ldap_sync -c ./config_sync_ldap.yaml -vv
I, [2016-01-13T10:04:36.184535 #11232] INFO -- : user stat: create: 0 drop: 0 keep: 645
I, [2016-01-13T10:04:36.184589 #11232] INFO -- : group stat: create: 1 drop: 0 keep: 0
W, [2016-01-13T10:04:36.185454 #11232] WARN -- : ldap member with dn CN=Domain Users,CN=Users,DC=Network,DC= company,DC=com,DC=br is unknown
I, [2016-01-13T10:04:36.186076 #11232] INFO -- : membership stat: grant: 1 revoke: 0 keep: 0
I, [2016-01-13T10:04:36.187874 #11232] INFO -- : SQL: CREATE ROLE "loc_sec_db_read_only" NOLOGIN NOSUPERUSER NOINHERIT NOCREATEDB NOCREATEROLE NOREPLICATION
I, [2016-01-13T10:04:36.192699 #11232] INFO -- : SQL: GRANT "loc_sec_db_read_only" TO "foo.user"

###################End of the output

I created a group called loc_sec_db_read_only. Then I added the Active Directory "cn=Domain Users" to it. And for testing purpose I added the user foo.user to the same group.

What happened is that the pg_ldap_sync application granted the role loc_sec_db_read_only to foo.user but not to the users inside Domain Users.

It is quite simple to understand why it didn't work: searching in loc_sec_db_read_only for the member objects (member_attribute: member) will, of course (see the ldapsearch query below), return these two objects.

In my point of view, adding all current members to the loc_sec_db_read_only group is not suitable, because we'll need to manually add every new user to it.

So, the question is: how can I set up the parameters so that the pg_ldap_sync application searches the Domain Users inside loc_sec_db_read_only?

Thank you very much.
Alex Lopes Pereira

##########Begin of ldapsearch output

$ ldapsearch -h 192.168.0.20 -p 389 -x -b "cn=loc_sec_db_read_only,OU=Groups,OU=CRPV,OU=CENSIPAM,DC=Rede,DC=sipam,DC=gov,DC=br" -D "CN=Postgres SEC,OU=COMPANYLOC,OU=Users,OU=COMPANYSEC,OU=COMPANYDIR,DC=Network,DC= company,DC=com,DC=br" -W
Enter LDAP Password:

# extended LDIF
#
# LDAPv3
# base <cn=loc_sec_db_read_only,OU=Groups,OU=COMPANYSEC,OU=COMPANYDIR,DC=Network,DC= company,DC=com,DC=br> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# loc_sec_db_read_only, Groups, SEC, COMPANYDIR, 192.168.0.20
dn: CN=loc_sec_db_read_only,OU=Groups,OU=COMPANYSEC,OU=COMPANYDIR,DC=Network,DC= company,DC=com,DC=br
objectClass: top
objectClass: group
cn: loc_sec_db_read_only
member: CN=Foo User,OU=COINT,OU=Users,OU=CRBE,OU=COMPANYDIR,DC=Network,DC= company,DC=com,DC=br
member: CN=Domain Users,CN=Users,DC=Network,DC= company,DC=com,DC=br
distinguishedName: CN=loc_sec_db_read_only,OU=Groups,OU=COMPANYSEC,OU=COMPANYDIR,DC=Network,DC= company,DC=com,DC=br
instanceType: 4
whenCreated: 20160112151212.0Z
whenChanged: 20160113000204.0Z
uSNCreated: 4172211
uSNChanged: 4176677
name: loc_sec_db_read_only
objectGUID:: 2fjZgyQZf0CI0heyiF4Flw==
objectSid:: AQUAAAAAAAUVAAAA7CYBtuwuaN3HhXsd0xIAAA==
sAMAccountName: loc_sec_db_read_only
sAMAccountType: 536870912
groupType: -2147483644
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=Network,DC= company,DC=com,DC=br
dSCorePropagationData: 16010101000000.0Z

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

############End of ldapsearch output

Segmentation fault

Hi,

I hope you are doing well.
I am facing the below error when I am testing pg-ldap-sync. I have used a different ruby version but the error is the same. Please find the error below.

-- Control frame information -----------------------------------------------
c:0010 p:---- s:0057 e:000056 CFUNC :conninfo_parse
c:0009 p:0026 s:0052 e:000051 METHOD /home/gpadmin/.rvm/gems/ruby-2.7.2/gems/pg-1.4.1/lib/pg/connection.rb:680
c:0008 p:0007 s:0041 e:000040 METHOD /home/gpadmin/.rvm/gems/ruby-2.7.2/gems/pg-1.4.1/lib/pg/connection.rb:661
c:0007 p:0019 s:0035 e:000034 METHOD /home/gpadmin/.rvm/gems/ruby-2.7.2/gems/pg-1.4.1/lib/pg.rb:69
c:0006 p:0066 s:0029 e:000028 METHOD /home/gpadmin/.rvm/gems/ruby-2.7.2/gems/pg-ldap-sync-0.3.0/lib/pg_ldap_sync/application.rb:325
c:0005 p:0071 s:0023 E:000710 METHOD /home/gpadmin/.rvm/gems/ruby-2.7.2/gems/pg-ldap-sync-0.3.0/lib/pg_ldap_sync/application.rb:371
c:0004 p:0030 s:0017 e:000016 TOP /home/gpadmin/.rvm/gems/ruby-2.7.2/gems/pg-ldap-sync-0.3.0/exe/pg_ldap_sync:6 [FINISH]
c:0003 p:---- s:0013 e:000012 CFUNC :load
c:0002 p:0112 s:0008 E:000b20 EVAL /home/gpadmin/.rvm/gems/ruby-2.7.2/bin/pg_ldap_sync:23 [FINISH]
c:0001 p:0000 s:0003 E:000770 (none) [FINISH]

-- Ruby level backtrace information ----------------------------------------
/home/gpadmin/.rvm/gems/ruby-2.7.2/bin/pg_ldap_sync:23:in `<main>'
/home/gpadmin/.rvm/gems/ruby-2.7.2/bin/pg_ldap_sync:23:in `load'
/home/gpadmin/.rvm/gems/ruby-2.7.2/gems/pg-ldap-sync-0.3.0/exe/pg_ldap_sync:6:in `<top (required)>'
/home/gpadmin/.rvm/gems/ruby-2.7.2/gems/pg-ldap-sync-0.3.0/lib/pg_ldap_sync/application.rb:371:in `run'
/home/gpadmin/.rvm/gems/ruby-2.7.2/gems/pg-ldap-sync-0.3.0/lib/pg_ldap_sync/application.rb:325:in `start!'
/home/gpadmin/.rvm/gems/ruby-2.7.2/gems/pg-1.4.1/lib/pg.rb:69:in `connect'
/home/gpadmin/.rvm/gems/ruby-2.7.2/gems/pg-1.4.1/lib/pg/connection.rb:661:in `new'
/home/gpadmin/.rvm/gems/ruby-2.7.2/gems/pg-1.4.1/lib/pg/connection.rb:680:in `connect_to_hosts'
/home/gpadmin/.rvm/gems/ruby-2.7.2/gems/pg-1.4.1/lib/pg/connection.rb:680:in `conninfo_parse'

-- Machine register context ------------------------------------------------
RIP: 0x00007fbdc82468c1 RBP: 0x00000000015a15a8 RSP: 0x00007ffe37947978
RAX: 0x0000000000000000 RBX: 0x0000000000000014 RCX: 0x0000000000000014
RDX: 0x00000000009785c0 RDI: 0x0000000000000014 RSI: 0x00000000015a14b8
R8: 0x0000000000000000 R9: 0x0000000000000002 R10: 0x00007fbdba72ae7d
R11: 0x00007fbdc8264590 R12: 0x000000000154e390 R13: 0x00000000015a1b70
R14: 0x00000000015a14b8 R15: 0x00000000014e55f0 EFL: 0x0000000000010287

-- C level backtrace information -------------------------------------------
Segmentation fault (core dumped)


-- Control frame information -----------------------------------------------
c:0010 p:---- s:0057 e:000056 CFUNC :conninfo_parse
c:0009 p:0026 s:0052 e:000051 METHOD /home/gpadmin/.rvm/gems/ruby-3.0.0/gems/pg-1.4.1/lib/pg/connection.rb:680
c:0008 p:0007 s:0041 e:000040 METHOD /home/gpadmin/.rvm/gems/ruby-3.0.0/gems/pg-1.4.1/lib/pg/connection.rb:661
c:0007 p:0019 s:0035 e:000034 METHOD /home/gpadmin/.rvm/gems/ruby-3.0.0/gems/pg-1.4.1/lib/pg.rb:69
c:0006 p:0066 s:0029 e:000028 METHOD /home/gpadmin/.rvm/gems/ruby-3.0.0/gems/pg-ldap-sync-0.3.0/lib/pg_ldap_sync/application.rb:325
c:0005 p:0071 s:0023 E:001680 METHOD /home/gpadmin/.rvm/gems/ruby-3.0.0/gems/pg-ldap-sync-0.3.0/lib/pg_ldap_sync/application.rb:371
c:0004 p:0030 s:0017 e:000016 TOP /home/gpadmin/.rvm/gems/ruby-3.0.0/gems/pg-ldap-sync-0.3.0/exe/pg_ldap_sync:6 [FINISH]
c:0003 p:---- s:0013 e:000012 CFUNC :load
c:0002 p:0112 s:0008 E:000790 EVAL /home/gpadmin/.rvm/gems/ruby-3.0.0/bin/pg_ldap_sync:23 [FINISH]
c:0001 p:0000 s:0003 E:002210 (none) [FINISH]

-- Ruby level backtrace information ----------------------------------------
/home/gpadmin/.rvm/gems/ruby-3.0.0/bin/pg_ldap_sync:23:in `<main>'
/home/gpadmin/.rvm/gems/ruby-3.0.0/bin/pg_ldap_sync:23:in `load'
/home/gpadmin/.rvm/gems/ruby-3.0.0/gems/pg-ldap-sync-0.3.0/exe/pg_ldap_sync:6:in `<top (required)>'
/home/gpadmin/.rvm/gems/ruby-3.0.0/gems/pg-ldap-sync-0.3.0/lib/pg_ldap_sync/application.rb:371:in `run'
/home/gpadmin/.rvm/gems/ruby-3.0.0/gems/pg-ldap-sync-0.3.0/lib/pg_ldap_sync/application.rb:325:in `start!'
/home/gpadmin/.rvm/gems/ruby-3.0.0/gems/pg-1.4.1/lib/pg.rb:69:in `connect'
/home/gpadmin/.rvm/gems/ruby-3.0.0/gems/pg-1.4.1/lib/pg/connection.rb:661:in `new'
/home/gpadmin/.rvm/gems/ruby-3.0.0/gems/pg-1.4.1/lib/pg/connection.rb:680:in `connect_to_hosts'
/home/gpadmin/.rvm/gems/ruby-3.0.0/gems/pg-1.4.1/lib/pg/connection.rb:680:in `conninfo_parse'

-- Machine register context ------------------------------------------------
RIP: 0x00007f87435528c1 RBP: 0x00000000021e89b0 RSP: 0x00007ffe0a5ec928
RAX: 0x0000000000000000 RBX: 0x0000000000000014 RCX: 0x0000000000000014
RDX: 0x00000000011255a0 RDI: 0x0000000000000014 RSI: 0x00000000022a51f0
R8: 0x0000000000000000 R9: 0x0000000000000002 R10: 0x00007f8735a2d5ed
R11: 0x00007f8743570590 R12: 0x00000000022a5420 R13: 0x00000000021e8970
R14: 0x00000000022a51f0 R15: 0x0000000001a273c0 EFL: 0x0000000000010287

-- C level backtrace information -------------------------------------------
Segmentation fault (core dumped)

Thanks
Vasista

LDAP Users can't login / group members

Initial setup. Under ldap_users I have it filtered to 1 user. The user is created in postgres, but I cannot log in using my LDAP password.
Under ldap_groups, the group is added, but not its members (the members are nested groups). ldapsearch with the same filter shows the group members.

Install pg-ldap-sync offline

Hello,

I have downloaded the pg-ldap-sync.git using wget in command line.

While installing it, I am having the following errors:

Command for Installing : git clone pg-ldap-sync.git /opt/pg-ldap-sync/

Output
Cloning into '/opt/pg-ldap-sync'...
fatal: Invalid gitfile format: /opt/rpm_repo/pg-ldap-sync.git
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

git clone pg-ldap-sync.git pg-ldap-sync
Cloning into 'pg-ldap-sync'...
fatal: Invalid gitfile format: /opt/rpm_repo/pg-ldap-sync.git
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

Any idea why I am having this issue?

Thank You,
Regards
Farzanah

DROP ROLE "pg_signal_backend"

PostgreSQL 9.6.4, Debian GNU/Linux 9.1, clean installation.

pg-ldap-sync is trying to drop system role pg_signal_backend.

I, [2017-09-22T11:54:58.039771 #10234]  INFO -- : SQL: DROP ROLE "pg_signal_backend"

/var/lib/gems/2.3.0/gems/pg-ldap-sync-0.1.1/lib/pg_ldap_sync/application.rb:217:in `exec': ERROR:  cannot drop role pg_signal_backend because it is required by the database system (PG::DependentObjectsStillExist)
	from /var/lib/gems/2.3.0/gems/pg-ldap-sync-0.1.1/lib/pg_ldap_sync/application.rb:217:in `pg_exec_modify'
	from /var/lib/gems/2.3.0/gems/pg-ldap-sync-0.1.1/lib/pg_ldap_sync/application.rb:232:in `drop_pg_role'
	from /var/lib/gems/2.3.0/gems/pg-ldap-sync-0.1.1/lib/pg_ldap_sync/application.rb:238:in `block in sync_roles_to_pg'
	from /var/lib/gems/2.3.0/gems/pg-ldap-sync-0.1.1/lib/pg_ldap_sync/application.rb:236:in `each'
	from /var/lib/gems/2.3.0/gems/pg-ldap-sync-0.1.1/lib/pg_ldap_sync/application.rb:236:in `sync_roles_to_pg'
	from /var/lib/gems/2.3.0/gems/pg-ldap-sync-0.1.1/lib/pg_ldap_sync/application.rb:330:in `start!'
	from /var/lib/gems/2.3.0/gems/pg-ldap-sync-0.1.1/lib/pg_ldap_sync/application.rb:353:in `run'
	from /var/lib/gems/2.3.0/gems/pg-ldap-sync-0.1.1/bin/pg_ldap_sync:6:in `<top (required)>'
	from /usr/local/bin/pg_ldap_sync:22:in `load'
	from /usr/local/bin/pg_ldap_sync:22:in `<main>'

Quick and dirty workaround at
/var/lib/gems/2.3.0/gems/pg-ldap-sync-0.1.1/lib/pg_ldap_sync/application.rb:231

def drop_pg_role(role)
    unless role.name == "pg_signal_backend"
        pg_exec_modify "DROP ROLE \"#{role.name}\""
    end
end

Only synchronize users for specific groups

Hi,

unfortunately I wasn't able to configure the yaml properly.
I just want to synchronize users that are assigned to given groups, regardless of the user's OU. Is this possible?
Are the permissions granted to users or groups on the postgres side? Different ldap groups need different DB rights.

Best regards

Connect to domain forest

Hi guys,

first, thanks for this cool solution! With a single domain it is working perfectly for me.
But the requirement now is to connect to a domain forest, so users are in a separate domain from the groups.
I tried to connect both with two domains in the host section, but that is not working.
Is there any way to do this?
Thank You!

Get groups by requesting the memberOf property of the users

Hi,

I must sync with an Active Directory server which does not return any member when requesting the groups details, but instead adds a memberOf property when requesting a user details.

The user entry has a 'memberOf' attribute value for each group (as opposed to the group having a 'member' attribute value for each user).

If I understood correctly, pg-ldap-sync cannot yet use this user memberOf property, but expects the group member property?

Issues when syncing AD groups

Hi,

first of all thank you for this piece of software, it works great.
I have one question: when we have a real AD group like this one:

PS C:\Users\dwe> get-adgroup admins

DistinguishedName : CN=admins,OU=PostgreSQL,DC=test,DC=dbiservices,DC=com
GroupCategory     : Security
GroupScope        : Global
Name              : admins
ObjectClass       : group
ObjectGUID        : 9375dfed-4889-498f-8398-b5cf6c521292
SamAccountName    : admins
SID               : S-1-5-21-1526535285-4293193832-2851663263-1765

... and have that in the yaml file:

# Search parameters for LDAP users which should be synchronized
ldap_users:
  base: CN=admins,OU=PostgreSQL,DC=test,DC=dbiservices,DC=com
  filter: (sAMAccountName=*)
  # this attribute is used as PG role name
  name_attribute: sAMAccountName
  # lowercase name for use as PG role name
  lowercase_name: true

Syncing results in these warnings for the users in that group:

W, [2018-10-11T08:48:52.138569 #2554]  WARN -- : ldap member with dn CN=dba4,OU=pgadmins,OU=PostgreSQL,DC=test,DC=dbiservices,DC=com is unknown
W, [2018-10-11T08:48:52.138587 #2554]  WARN -- : ldap member with dn CN=dba3,OU=pgadmins,OU=PostgreSQL,DC=test,DC=dbiservices,DC=com is unknown
W, [2018-10-11T08:48:52.138602 #2554]  WARN -- : ldap member with dn CN=dba1,OU=pgadmins,OU=PostgreSQL,DC=test,DC=dbiservices,DC=com is unknown

We managed to get it working by adjusting the filter to only return users of that group and setting the base to the real location of the users but we wonder if pg_ldap_sync could be improved to work with the groups directly? Or do we miss something?

Thanks for your help
Daniel

PG-LDAP-Sync on Windows 2012R2 Server

Hi,

I tried your program but I'm stuck on this problem and I don't know why :/

PS C:\Ruby25-x64\lib\ruby\gems\2.5.0\gems\pg-ldap-sync-0.2.0\config> pg_ldap_sync -c config.yaml -vv -t
Traceback (most recent call last):
        9: from C:/Ruby25-x64/bin/pg_ldap_sync:23:in `<main>'
        8: from C:/Ruby25-x64/bin/pg_ldap_sync:23:in `load'
        7: from C:/Ruby25-x64/lib/ruby/gems/2.5.0/gems/pg-ldap-sync-0.2.0/exe/pg_ldap_sync:6:in `<top (required)>'
        6: from C:/Ruby25-x64/lib/ruby/gems/2.5.0/gems/pg-ldap-sync-0.2.0/lib/pg_ldap_sync/application.rb:355:in `run'
        5: from C:/Ruby25-x64/lib/ruby/gems/2.5.0/gems/pg-ldap-sync-0.2.0/lib/pg_ldap_sync/application.rb:301:in `start!'
        4: from C:/Ruby25-x64/lib/ruby/gems/2.5.0/gems/pg-ldap-sync-0.2.0/lib/pg_ldap_sync/application.rb:43:in `read_config_file'
        3: from C:/Ruby25-x64/lib/ruby/2.5.0/psych.rb:263:in `load'
        2: from C:/Ruby25-x64/lib/ruby/2.5.0/psych.rb:350:in `parse'
        1: from C:/Ruby25-x64/lib/ruby/2.5.0/psych.rb:402:in `parse_stream'
C:/Ruby25-x64/lib/ruby/2.5.0/psych.rb:402:in `parse': (<unknown>): did not find expected key while parsing a block mapping at line 7 column 1 (Psych::SyntaxError)
PS C:\Ruby25-x64\lib\ruby\gems\2.5.0\gems\pg-ldap-sync-0.2.0\config>

If you have any advice, I'll take it :)

Thanks in advance

example for grant_options

Hello,

thanks for this awesome software...
Can someone please share an example for grant_options: in the config file...

I want a user to become SUPERUSER based on the group he is in...

Can somebody please help me?

thanks and merry christmas :)

Greetings

Christian

Issue installing pg

Hi,

First off, thank you VERY much for this. I am trying to set this up and running into an issue. I have a RHEL 7.1 install with EDB PostgreSQL Plus Advanced server version 9.5. Everything is running fine on the server as far as the database is concerned. I want to install pg-ldap-sync on the same server to test it out. I can install pg-ldap-sync just fine; however, when I attempt to install pg using gem, it gives me an error that really doesn't say much (at least not to me):

My command: sudo gem install pg -- --with-pg-config=/db/PostgresPlus/9.5AS/bin/pg_config
Result: Building native extensions with: '--with-pg-config=/db/PostgresPlus/9.5AS/bin/pg_config'
This could take a while...
ERROR: Error installing pg:
ERROR: Failed to build gem native extension.

/usr/bin/ruby extconf.rb --with-pg-config=/db/PostgresPlus/9.5AS/bin/pg_config

Using config values from /db/PostgresPlus/9.5AS/bin/pg_config
*** extconf.rb failed ***
Could not create Makefile due to some reason, probably lack of necessary
libraries and/or headers. Check the mkmf.log file for more details. You may
need configuration options.

Provided configuration options:
--with-opt-dir
.
.
--without-pg-lib=${pg-dir}/
/usr/share/ruby/mkmf.rb:434:in `try_do': The compiler failed to generate an executable file. (RuntimeError)
You have to install development tools first.
	from /usr/share/ruby/mkmf.rb:519:in `try_link0'
	from /usr/share/ruby/mkmf.rb:534:in `try_link'
	from extconf.rb:36:in `<main>'

Gem files will remain installed in /usr/local/share/gems/gems/pg-0.18.4 for inspection.
Results logged to /usr/local/share/gems/gems/pg-0.18.4/ext/gem_make.out

I searched around quite a bit and installed devel packages but to no success. I then gave up on pg, and decided to install postgres-pr instead. That install ran fine without error. I configured my yaml file and attempted to run a test using the following command:

My command: sudo ./pg_ldap_sync -c /etc/pg_ldap_sync.yaml -vv -t
Result: I, [2016-03-29T16:29:02.197334 #27801] INFO -- : found user-dn: uid=MM7071, ou=People,dc=mykronos,dc=internal
I, [2016-03-29T16:29:02.197726 #27801] INFO -- : found user-dn: uid=NK7072, ou=People,dc=mykronos,dc=internal
/usr/local/share/gems/gems/postgres-pr-0.7.0/lib/postgres-pr/postgres-compat.rb:16:in `initialize': wrong number of arguments (1 for 7) (ArgumentError)
	from /usr/local/share/gems/gems/pg-ldap-sync-0.1.1/lib/pg_ldap_sync/application.rb:317:in `new'
	from /usr/local/share/gems/gems/pg-ldap-sync-0.1.1/lib/pg_ldap_sync/application.rb:317:in `start!'
	from /usr/local/share/gems/gems/pg-ldap-sync-0.1.1/lib/pg_ldap_sync/application.rb:353:in `run'
	from /usr/local/share/gems/gems/pg-ldap-sync-0.1.1/bin/pg_ldap_sync:6:in `<top (required)>'
	from ./pg_ldap_sync:23:in `load'
	from ./pg_ldap_sync:23:in `<main>'

As you can see, it is connecting to the LDAP server but it is having issues connecting to the database using the connector. The values in the yaml are all valid. So now I am stuck. I can't install pg and I can't get postgres-pr to connect.

Any ideas on how to proceed?

Thanks in advance!

-Mayan

Can you please give an example for the ldap side?

Hi,

I just installed this and the connection to the AD is fine. Executing pg-ldap-sync does not create any users on the postgres side, so probably I am missing something:

# Search parameters for LDAP users which should be synchronized
ldap_users:
  base: OU=pgadmins,OU=PostgreSQL,DC=test,DC=dbiservices,DC=com
  # LDAP filter (according to RFC 2254)
  # defines to users in LDAP to be synchronized
  filter: (&(objectClass=person)(objectClass=organizationalPerson)(givenName=*)(sn=*)(sAMAccountName=*))
  # this attribute is used as PG role name
  name_attribute: sAMAccountName
  # lowercase name for use as PG role name
  lowercase_name: true

Testing this it returns the three test users:

[postgres@pgadsync ~]$ ldapsearch -x -h 172.22.30.1 -D "xxxxxxxxx" -W -b "OU=pgadmins,OU=PostgreSQL,DC=test,DC=dbiservices,DC=com" | grep sAMAccountName
Enter LDAP Password: 
sAMAccountName: dba1
sAMAccountName: dba2
sAMAccountName: dba3

Same for the groups:

# Search parameters for LDAP groups which should be synchronized
ldap_groups:
  base: OU=pggroups,OU=PostgreSQL,DC=test,DC=dbiservices,DC=com
  filter: (cn=company.*)
  # this attribute is used as PG role name
  name_attribute: cn
  # lowercase name for use as PG role name
  lowercase_name: false
  # this attribute must reference to all member DN's of the given group
  member_attribute: member

ldapsearch against that:

[postgres@pgadsync ~]$ ldapsearch -x -h 172.22.30.1 -D "xxxxx" -W -b "OU=pggroups,OU=PostgreSQL,DC=test,DC=dbiservices,DC=com" | grep member
Enter LDAP Password: 
member: CN=dba3,OU=pgadmins,OU=PostgreSQL,DC=test,DC=dbiservices,DC=com
member: CN=dba2,OU=pgadmins,OU=PostgreSQL,DC=test,DC=dbiservices,DC=com
member: CN=dba1,OU=pgadmins,OU=PostgreSQL,DC=test,DC=dbiservices,DC=com

What am I missing here?

[postgres@pgadsync ~]$ bin/pg_ldap_sync -c etc/pg_ldap_sync.yaml -vv -t
I, [2018-07-23T11:26:53.775372 #28962]  INFO -- : user stat: create: 0 drop: 0 keep: 0
I, [2018-07-23T11:26:53.775695 #28962]  INFO -- : group stat: create: 0 drop: 0 keep: 0
I, [2018-07-23T11:26:53.783104 #28962]  INFO -- : membership stat: grant: 0 revoke: 0 keep: 0

Thanks,
Daniel

Invalid Credentials

Hello,

This is my first time trying to use pg-ldap-sync, and before I try it in a production environment I first installed it on my Windows 10 Pro laptop and encountered an issue. After calling the command pg_ldap_sync -c config.yaml -vv or pg_ldap_sync -c config.yaml -vv -t I get the following:

Traceback (most recent call last):
        5: from C:/Ruby27-x64/bin/pg_ldap_sync:23:in `<main>'
        4: from C:/Ruby27-x64/bin/pg_ldap_sync:23:in `load'
        3: from C:/Ruby27-x64/lib/ruby/gems/2.7.0/gems/pg-ldap-sync-0.2.0/exe/pg_ldap_sync:6:in `<top (required)>'
        2: from C:/Ruby27-x64/lib/ruby/gems/2.7.0/gems/pg-ldap-sync-0.2.0/lib/pg_ldap_sync/application.rb:355:in `run'
        1: from C:/Ruby27-x64/lib/ruby/gems/2.7.0/gems/pg-ldap-sync-0.2.0/lib/pg_ldap_sync/application.rb:305:in `start!'
C:/Ruby27-x64/lib/ruby/gems/2.7.0/gems/pg-ldap-sync-0.2.0/lib/pg_ldap_sync/application.rb:76:in `search_ldap_users': LDAP: Invalid Credentials (PgLdapSync::LdapError)

LDAP ports are open on the domain controller and on my PC, I am using the domain administrator in config.yaml, and I also tried different Ruby versions... and I'm really not sure how to troubleshoot further.
Can someone point me where can be an issue here?

Thanks in advance!

Regards,
Nikola

'wrong number of arguments' with postgres-pr

I’m trying to use pg_ldap_sync and am getting an error. I’ve started with a brand new Ubuntu 14.04 server. I set up a postgres server and did the following:

sudo apt-get install ruby rubygems-integration
sudo gem install pg-ldap-sync postgres-pr

Here’s my config file:

# With this sample config the distinction between PG groups and users is
# done by the LOGIN/NOLOGIN attribute. Any non-superuser account
# is considered as LDAP-synchronized.

# Connection parameters to LDAP server
# see also: http://net-ldap.rubyforge.org/Net/LDAP.html#method-c-new
ldap_connection:
  host: ds1.aws.gnshc.com
  port: 1636
  auth:
    method: :simple
    username: uid=service_postgres,ou=ServiceAccounts,dc=ops,dc=gnshc,dc=com
    password: test
  encryption: 
    method: :simple_tls

# Search parameters for LDAP users which should be synchronized
ldap_users:
  base: ou=People,ou=gns,dc=tenants,dc=gnshc,dc=com
  # LDAP filter (according to RFC 2254)
  # defines the users in LDAP to be synchronized
  filter: (&(objectClass=inetOrgPerson)(isMemberOf=cn=authorized_users,ou=nonep-database,ou=Postgres,ou=Applications,dc=ops,dc=gnshc,dc=com))
  # this attribute is used as PG role name
  name_attribute: uid

# Search parameters for LDAP groups which should be synchronized
ldap_groups:
  base: ou=nonep-database,ou=Postgres,ou=Applications,dc=ops,dc=gnshc,dc=com
  filter: (&(objectClass=groupOfUniqueNames)(ou=pg_role))
  # this attribute is used as PG role name
  name_attribute: cn
  # this attribute must reference all member DNs of the given group
  member_attribute: uniqueMember

# Connection parameters to PostgreSQL server
# see also: http://rubydoc.info/gems/pg/PG/Connection#initialize-instance_method
pg_connection:
  host: localhost
  dbname: postgres
  user: postgres
  password: test

pg_users:
  # Filter for identifying LDAP generated users in the database.
  # It's the WHERE-condition to "SELECT rolname, oid FROM pg_roles"
  filter: oid IN (SELECT pam.member FROM pg_auth_members pam JOIN pg_roles pr ON pr.oid=pam.roleid WHERE pr.rolname='authorized_users')
  # Options for CREATE ROLE statements
  create_options: LOGIN IN ROLE ldap_users

pg_groups:
  # Filter for identifying LDAP generated groups in the database.
  # It's the WHERE-condition to "SELECT rolname, oid FROM pg_roles"
  filter: oid IN (SELECT pam.member FROM pg_auth_members pam JOIN pg_roles pr ON pr.oid=pam.roleid WHERE pr.rolname='authorized_users')
  # Options for CREATE ROLE statements
  create_options: NOLOGIN IN ROLE ldap_groups
  grant_options:

Then I try test and get the following:

postgres@openam2:~$ pg_ldap_sync -c ~/pgsync.yml -vv -t
I, [2015-10-06T14:55:59.901793 #13348]  INFO -- : found user-dn: uid=csanchez,ou=People,ou=gns,dc=tenants,dc=gnshc,dc=com
I, [2015-10-06T14:55:59.942828 #13348]  INFO -- : found group-dn: cn=authorized_users,ou=nonep-database,ou=Postgres,ou=Applications,dc=ops,dc=gnshc,dc=com
I, [2015-10-06T14:55:59.943334 #13348]  INFO -- : found group-dn: cn=marketscan,ou=nonep-database,ou=Postgres,ou=Applications,dc=ops,dc=gnshc,dc=com
I, [2015-10-06T14:55:59.943731 #13348]  INFO -- : found group-dn: cn=developers,ou=nonep-database,ou=Postgres,ou=Applications,dc=ops,dc=gnshc,dc=com
/var/lib/gems/1.9.1/gems/postgres-pr-0.7.0/lib/postgres-pr/postgres-compat.rb:16:in `initialize': wrong number of arguments (1 for 7) (ArgumentError)
        from /var/lib/gems/1.9.1/gems/pg-ldap-sync-0.1.1/lib/pg_ldap_sync/application.rb:317:in `new'
        from /var/lib/gems/1.9.1/gems/pg-ldap-sync-0.1.1/lib/pg_ldap_sync/application.rb:317:in `start!'
        from /var/lib/gems/1.9.1/gems/pg-ldap-sync-0.1.1/lib/pg_ldap_sync/application.rb:353:in `run'
        from /var/lib/gems/1.9.1/gems/pg-ldap-sync-0.1.1/bin/pg_ldap_sync:6:in `<top (required)>'
        from /usr/local/bin/pg_ldap_sync:23:in `load'
        from /usr/local/bin/pg_ldap_sync:23:in `<main>'

import LDAP users to PG

Hi,
My system is Ubuntu 14.04. I have installed LDAP v3, PG 9.3 and Ruby 2.0.
My aim is to import LDAP users into PG, so I came across this post. I got this error:
ERROR: While executing gem ... (NameError)
uninitialized constant Gem::SafeYAML
Will appreciate any help regarding this.
Thanks.

Password authentication failed

Hello, my postgres user does not have a password. Is it possible to have it perform the operation without needing a password?

GSSAPI authentication?

I cannot make pg-ldap-sync connect to ldap via Kerberos. The error I get is this:

[me@me ~]$ ~/bin/pg_ldap_sync --config /var/tmp/sample-config2.yaml 
/home/me/.local/share/gem/ruby/gems/net-ldap-0.17.1/lib/net/ldap/auth_adapter.rb:15:in `[]': Unsupported auth method (gssapi) (Net::LDAP::AuthMethodUnsupportedError)
	from /home/me/.local/share/gem/ruby/gems/net-ldap-0.17.1/lib/net/ldap/connection.rb:278:in `block in bind'
	from /home/me/.local/share/gem/ruby/gems/net-ldap-0.17.1/lib/net/ldap/instrumentation.rb:19:in `instrument'
	from /home/me/.local/share/gem/ruby/gems/net-ldap-0.17.1/lib/net/ldap/connection.rb:276:in `bind'
	from /home/me/.local/share/gem/ruby/gems/net-ldap-0.17.1/lib/net/ldap.rb:1309:in `use_connection'
	from /home/me/.local/share/gem/ruby/gems/net-ldap-0.17.1/lib/net/ldap.rb:783:in `block in search'
	from /home/me/.local/share/gem/ruby/gems/net-ldap-0.17.1/lib/net/ldap/instrumentation.rb:19:in `instrument'
	from /home/me/.local/share/gem/ruby/gems/net-ldap-0.17.1/lib/net/ldap.rb:782:in `search'
	from /home/me/.local/share/gem/ruby/gems/net-ldap-0.17.1/lib/net/ldap.rb:1215:in `search_root_dse'
	from /home/me/.local/share/gem/ruby/gems/net-ldap-0.17.1/lib/net/ldap.rb:1281:in `paged_searches_supported?'
	from /home/me/.local/share/gem/ruby/gems/net-ldap-0.17.1/lib/net/ldap.rb:775:in `search'
	from /home/me/.local/share/gem/ruby/gems/pg-ldap-sync-0.4.0/lib/pg_ldap_sync/application.rb:58:in `search_ldap_users'
	from /home/me/.local/share/gem/ruby/gems/pg-ldap-sync-0.4.0/lib/pg_ldap_sync/application.rb:366:in `start!'
	from /home/me/.local/share/gem/ruby/gems/pg-ldap-sync-0.4.0/lib/pg_ldap_sync/application.rb:416:in `run'
	from /home/me/.local/share/gem/ruby/gems/pg-ldap-sync-0.4.0/exe/pg_ldap_sync:6:in `<top (required)>'
	from /home/me/bin/pg_ldap_sync:25:in `load'
	from /home/me/bin/pg_ldap_sync:25:in `<main>'

I've tried installing the net-ldap-auth_adapter-gssapi gem , but that does not help.

Here's the "ldap_connection" part of my config:

ldap_connection:
  host: my.adserver.local
  port: 389
  auth:
    method: :gssapi

Am I doing something wrong, or can GSSAPI/Kerberos not be used with pg-ldap-sync?

objectGUID instead of distinguishedName in ldap_user: filter:

Hi Lars,

I want to use the GUID of the LDAP group to identify users... we use this in our Keycloak LDAP filter but it doesn't work...

(&(memberOf:1.2.840.113556.1.4.1941:=<GUID=5fc686b5-67a1-41a5-a366-417d0147deef>))
instead of
(&(memberOf:1.2.840.113556.1.4.1941:=CN=POSTGRES.USER,DC=domain,DC=de))

There is the case that groups can move and the sync will no longer work... but with a GUID it will...

Could you add this feature? Or am I using it wrong?

PG roles created for group members (ldap_user) are not being granted the PG role created for the group they are a member of (ldap_group)

We are seeing the sync happen between active directory and our pg cluster but the users are not granted the role representing the ldap group they are a member of.

State of Active Directory:

  1. Group xyz_biz_analysts contains 1 member sally

What we see in pg cluster:

  1. Role named xyz_biz_analysts is created and granted ldap_groups role
  2. Role named sally is created and granted ldap_users role, but not the xyz_biz_analysts role

Desired:

  1. Role named xyz_biz_analysts is created and granted ldap_groups role - OK
  2. Role named sally is created and granted ldap_users role and is also granted xyz_biz_analysts role

error when executing rake test command

psych.rb:377:in `parse': (<unknown>): did not find expected key while parsing a block mapping at line 2 column 4 (Psych::SyntaxError)
        from /db/ruby/lib/ruby/2.4.0/psych.rb:377:in `parse_stream'
        from /db/ruby/lib/ruby/2.4.0/psych.rb:325:in `parse'
        from /db/ruby/lib/ruby/2.4.0/psych.rb:252:in `load'
        from /db/ruby/lib/ruby/gems/2.4.0/gems/pg-ldap-sync-0.1.1/lib/pg_ldap_sync/application.rb:67:in `read_config_file'
        from /db/ruby/lib/ruby/gems/2.4.0/gems/pg-ldap-sync-0.1.1/lib/pg_ldap_sync/application.rb:309:in `start!'
        from /db/ruby/lib/ruby/gems/2.4.0/gems/pg-ldap-sync-0.1.1/lib/pg_ldap_sync/application.rb:353:in `run'
        from /db/pg-ldap-sync-master/bin/pg_ldap_sync:6:in
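
The config posted in the postgres-pr report above and the Psych::SyntaxError here concern the same file: a YAML document whose indentation and section layout pg_ldap_sync reads before it touches LDAP or PostgreSQL. The following is an added example by the editor of this page, not pg_ldap_sync's own code and not something the tool does itself. It loads a config the way the tool has to (the auth and encryption methods are Ruby symbols such as :simple, so safe_load must be told to permit Symbol, which needs Psych 3.1 or newer, i.e. Ruby 2.6+), checks for the sections the sample configs use, and flags two things a reviewer would flag by hand: a simple bind with a password but no encryption block, and identical pg_users and pg_groups filters. The two config texts are constructed; host names, DNs and the password in them are placeholders.

```ruby
# Added example (editor's, not pg_ldap_sync's own code): load a pg_ldap_sync
# YAML config the way the tool has to and run a few checks on it before the
# first test-mode run. The config text below is constructed; the checks are
# suggestions, not tool behaviour.
require "yaml"

# Returns [config, nil], or [nil, Psych::SyntaxError] for malformed YAML,
# which in practice is almost always inconsistent indentation.
def load_config(text)
  [YAML.safe_load(text, permitted_classes: [Symbol]), nil]
rescue Psych::SyntaxError => e
  [nil, e]
end

# Keys every config needs, following the structure of the sample configs.
REQUIRED = {
  "ldap_connection" => %w[host],
  "ldap_users"      => %w[base filter name_attribute],
  "ldap_groups"     => %w[base filter name_attribute member_attribute],
  "pg_connection"   => [],
  "pg_users"        => %w[filter],
  "pg_groups"       => %w[filter],
}.freeze

# Returns a list of findings; an empty list means nothing looked wrong.
def check_config(config)
  findings = []
  REQUIRED.each do |section, keys|
    sec = config[section]
    next findings << "section #{section} is missing" unless sec.is_a?(Hash)
    keys.each { |k| findings << "#{section}.#{k} is missing" unless sec.key?(k) }
  end
  auth = config.dig("ldap_connection", "auth") || {}
  if auth["method"].to_s == "simple" && auth.key?("password") && config.dig("ldap_connection", "encryption").nil?
    findings << "ldap_connection: simple bind with a password but no encryption, so the bind password crosses the network in clear text"
  end
  if config.dig("pg_users", "filter") && config.dig("pg_users", "filter") == config.dig("pg_groups", "filter")
    findings << "pg_users.filter equals pg_groups.filter: the same roles would be handled as users and as groups"
  end
  findings
end

# Constructed config modelled on the one posted above, without an encryption block.
GOOD = <<~YAML
  ldap_connection:
    host: ldap.example.com
    port: 389
    auth:
      method: :simple
      username: uid=service_postgres,ou=ServiceAccounts,dc=example,dc=com
      password: secret
  ldap_users:
    base: ou=People,dc=example,dc=com
    filter: (objectClass=inetOrgPerson)
    name_attribute: uid
  ldap_groups:
    base: ou=Groups,dc=example,dc=com
    filter: (objectClass=groupOfUniqueNames)
    name_attribute: cn
    member_attribute: uniqueMember
  pg_connection:
    dbname: postgres
  pg_users:
    filter: rolcanlogin AND NOT rolsuper
  pg_groups:
    filter: NOT rolcanlogin AND NOT rolsuper
YAML

# The same file with an indentation slip: "port" is indented less than "host"
# but more than "ldap_connection", which is what Psych reports as
# "did not find expected key while parsing a block mapping".
BROKEN = <<~YAML
  ldap_connection:
      host: ldap.example.com
    port: 389
YAML

def run_example
  good, err = load_config(GOOD)
  raise err if err
  _, broken_err = load_config(BROKEN)
  { findings: check_config(good), broken_error: broken_err }
end

if __FILE__ == $0
  r = run_example
  r[:findings].each { |f| puts "WARN #{f}" }
  puts "BROKEN config: #{r[:broken_error].message}"
end
```

Because the file holds both the LDAP bind password and the PostgreSQL password in clear text, it should be readable only by the account the cron job runs as; the encryption finding matters for the same reason, since a simple bind without TLS puts that password on the wire.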

Error when using multiple hostnames instead of IP addresses

If using multiple (more than 1) hostnames for the host directive in the configuration like so:

ldap_connection:
  host: ldap-host-1 ldap-host-2
...

it fails with the error:

/usr/lib/ruby/gems/1.8/gems/net-ldap-0.8.0/lib/net/ldap.rb:1192:in `initialize': No such address or other socket error. (Net::LDAP::LdapError)
        from /usr/lib/ruby/gems/1.8/gems/net-ldap-0.8.0/lib/net/ldap.rb:663:in `new'
        from /usr/lib/ruby/gems/1.8/gems/net-ldap-0.8.0/lib/net/ldap.rb:663:in `search'
        from /usr/lib/ruby/gems/1.8/gems/net-ldap-0.8.0/lib/net/ldap/instrumentation.rb:19:in `instrument'
        from /usr/lib/ruby/gems/1.8/gems/net-ldap-0.8.0/lib/net/ldap.rb:655:in `search'
        from /usr/lib/ruby/gems/1.8/gems/net-ldap-0.8.0/lib/net/ldap.rb:1118:in `search_root_dse'
        from /usr/lib/ruby/gems/1.8/gems/net-ldap-0.8.0/lib/net/ldap.rb:1173:in `paged_searches_supported?'
        from /usr/lib/ruby/gems/1.8/gems/net-ldap-0.8.0/lib/net/ldap.rb:648:in `search'
        from /usr/lib/ruby/gems/1.8/gems/pg-ldap-sync-0.1.1/lib/pg_ldap_sync/application.rb:81:in `search_ldap_users'
        from /usr/lib/ruby/gems/1.8/gems/pg-ldap-sync-0.1.1/lib/pg_ldap_sync/application.rb:313:in `start!'
        from /usr/lib/ruby/gems/1.8/gems/pg-ldap-sync-0.1.1/lib/pg_ldap_sync/application.rb:353:in `run'
        from /usr/lib/ruby/gems/1.8/gems/pg-ldap-sync-0.1.1/bin/pg_ldap_sync:6
        from /usr/bin/pg_ldap_sync:19:in `load'
        from /usr/bin/pg_ldap_sync:19

All tested hostnames do resolve correctly from the client host in question.
It works correctly when using multiple (or a single) IP address(es) or a single hostname.

Sync fails for very large AD groups

Hello,

I get the following error message.

/var/lib/gems/3.0.0/gems/pg-ldap-sync-0.4.0/lib/pg_ldap_sync/application.rb:114:in `block in retrieve_array_attribute': undefined method `first' for nil:NilClass (NoMethodError)
        from /var/lib/gems/3.0.0/gems/pg-ldap-sync-0.4.0/lib/pg_ldap_sync/application.rb:102:in `loop'
        from /var/lib/gems/3.0.0/gems/pg-ldap-sync-0.4.0/lib/pg_ldap_sync/application.rb:102:in `retrieve_array_attribute'
        from /var/lib/gems/3.0.0/gems/pg-ldap-sync-0.4.0/lib/pg_ldap_sync/application.rb:154:in `block (2 levels) in search_ldap_groups'
        from /var/lib/gems/3.0.0/gems/pg-ldap-sync-0.4.0/lib/pg_ldap_sync/application.rb:153:in `each'
        from /var/lib/gems/3.0.0/gems/pg-ldap-sync-0.4.0/lib/pg_ldap_sync/application.rb:153:in `block in search_ldap_groups'
        from /var/lib/gems/3.0.0/gems/net-ldap-0.18.0/lib/net/ldap.rb:786:in `block (3 levels) in search'
        from /var/lib/gems/3.0.0/gems/net-ldap-0.18.0/lib/net/ldap/connection.rb:448:in `block (2 levels) in search'
        from /var/lib/gems/3.0.0/gems/net-ldap-0.18.0/lib/net/ldap/connection.rb:402:in `loop'
        from /var/lib/gems/3.0.0/gems/net-ldap-0.18.0/lib/net/ldap/connection.rb:402:in `block in search'
        from /var/lib/gems/3.0.0/gems/net-ldap-0.18.0/lib/net/ldap/instrumentation.rb:19:in `instrument'
        from /var/lib/gems/3.0.0/gems/net-ldap-0.18.0/lib/net/ldap/connection.rb:391:in `search'
        from /var/lib/gems/3.0.0/gems/net-ldap-0.18.0/lib/net/ldap.rb:784:in `block (2 levels) in search'
        from /var/lib/gems/3.0.0/gems/net-ldap-0.18.0/lib/net/ldap.rb:1311:in `use_connection'
        from /var/lib/gems/3.0.0/gems/net-ldap-0.18.0/lib/net/ldap.rb:783:in `block in search'
        from /var/lib/gems/3.0.0/gems/net-ldap-0.18.0/lib/net/ldap/instrumentation.rb:19:in `instrument'
        from /var/lib/gems/3.0.0/gems/net-ldap-0.18.0/lib/net/ldap.rb:782:in `search'
        from /var/lib/gems/3.0.0/gems/pg-ldap-sync-0.4.0/lib/pg_ldap_sync/application.rb:131:in `search_ldap_groups'
        from /var/lib/gems/3.0.0/gems/pg-ldap-sync-0.4.0/lib/pg_ldap_sync/application.rb:367:in `start!'
        from /var/lib/gems/3.0.0/gems/pg-ldap-sync-0.4.0/lib/pg_ldap_sync/application.rb:416:in `run'
        from /var/lib/gems/3.0.0/gems/pg-ldap-sync-0.4.0/exe/pg_ldap_sync:6:in `<top (required)>'
        from /usr/local/bin/pg_ldap_sync:25:in `load'
        from /usr/local/bin/pg_ldap_sync:25:in `<main>'

I am trying to synchronize an AD group with about 1600 members. When I use ldapsearch, I see that the members are accessed via a range attribute, and our AD can export a maximum of 1500 entries at once.

member;range=0-1499

Could you please fix your program in general to handle the use cases with large AD groups iteratively, processing 1500 entries per step, without errors? Or maybe there is a parameter and I can limit the range for the LDAP query myself.

Thank you in advance.
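
Three of the reports above come down to the same question, namely which LDAP entries a sync run actually turns into roles and memberships: the 0/0/0 stats despite ldapsearch returning the users and groups, the members of an AD group not being granted the group's role, and the `member;range=0-1499` chunks of a very large group. The following is an added example by the editor of this page, not pg_ldap_sync's own code and not a diagnosis of any reporter's setup. It is an offline model of that mapping and of the create/drop/grant/revoke diff, fed with constructed LDIF that reuses the OU layout from the first report; the company.big group, the sally entry, the olddba role and the upper-case DBA1 value are invented for the demonstration.

```ruby
# Added example (editor's, not pg_ldap_sync's own code): an offline model of
# what a sync run does with the entries it gets back from LDAP, fed with
# constructed LDIF. LDIF line folding and base64 ("::") values are not handled.

# Parse LDIF into { attrs: { lowercased name => [values] }, incomplete: [...] }.
# AD returns big multi-valued attributes in chunks named "member;range=0-1499";
# the option is stripped from the name and the attribute marked incomplete
# unless the range ends in "*" (AD's last chunk), so a partial read is visible.
def parse_ldif(text)
  text.split(/\n\s*\n/).map do |block|
    entry = { attrs: Hash.new { |h, k| h[k] = [] }, incomplete: [] }
    block.each_line do |line|
      next if line.start_with?("#") || line.strip.empty?
      name, value = line.chomp.split(":", 2)
      base, *opts = name.split(";")
      range = opts.find { |o| o.start_with?("range=") }
      entry[:incomplete] << base.downcase if range && !range.end_with?("*")
      entry[:attrs][base.downcase] << value.to_s.strip
    end
    entry
  end.reject { |e| e[:attrs]["dn"].empty? }   # drops ldapsearch's comment-only blocks
end

# PG role name of an entry, per the name_attribute / lowercase_name settings.
def role_name(entry, attr, lowercase)
  name = entry[:attrs][attr.downcase].first
  name && lowercase ? name.downcase : name
end

# Desired state. A member is granted only if its DN is one of the synchronized
# users; a DN outside ldap_users.base (or a nested group) is reported and
# skipped, which is how "in the AD group but not granted" comes about.
def ldap_state(user_entries, group_entries, users_cfg, groups_cfg)
  users = {}   # lowercased DN => role name (AD compares DNs case-insensitively)
  user_entries.each do |e|
    name = role_name(e, users_cfg[:name_attribute], users_cfg[:lowercase])
    users[e[:attrs]["dn"].first.downcase] = name if name
  end
  groups, memberships, warnings = [], [], []
  member_attr = groups_cfg[:member_attribute].downcase
  group_entries.each do |e|
    gname = role_name(e, groups_cfg[:name_attribute], groups_cfg[:lowercase])
    next unless gname
    groups << gname
    warnings << "#{gname}: #{member_attr} came back as a partial range" if e[:incomplete].include?(member_attr)
    e[:attrs][member_attr].each do |dn|
      uname = users[dn.downcase]
      next memberships << [gname, uname] if uname
      warnings << "#{gname}: member #{dn} is not a synchronized user, skipped"
    end
  end
  { users: users.values.sort, groups: groups.sort, memberships: memberships.sort, warnings: warnings }
end

# Role names are LDAP attribute values, untrusted from the sync's point of view,
# so they are always emitted as quoted identifiers.
def quote_ident(name)
  '"' + name.gsub('"', '""') + '"'
end

# Diff desired state against what the pg_users / pg_groups filters return from
# pg_roles: the statements a modify-mode run would issue and the counts behind
# the "user stat / group stat / membership stat" log lines. DROP ROLE runs last
# and still fails for a role that owns objects (hence: grant to groups, not users).
def plan_sync(ldap, pg, create_opts)
  sql, stats = [], {}
  [:users, :groups].each do |kind|
    wanted, have = ldap[kind], pg[kind]
    (wanted - have).each { |n| sql << "CREATE ROLE #{quote_ident(n)} #{create_opts[kind]};" }
    stats[kind] = { create: (wanted - have).size, drop: (have - wanted).size, keep: (wanted & have).size }
  end
  wanted, have = ldap[:memberships], pg[:memberships]
  (wanted - have).each { |g, u| sql << "GRANT #{quote_ident(g)} TO #{quote_ident(u)};" }
  (have - wanted).each { |g, u| sql << "REVOKE #{quote_ident(g)} FROM #{quote_ident(u)};" }
  stats[:memberships] = { grant: (wanted - have).size, revoke: (have - wanted).size, keep: (wanted & have).size }
  [:users, :groups].each { |k| (pg[k] - ldap[k]).each { |n| sql << "DROP ROLE #{quote_ident(n)};" } }
  { sql: sql, stats: stats }
end

# Constructed ldapsearch-style output for the OU layout quoted in the first report.
BASE = "OU=PostgreSQL,DC=test,DC=dbiservices,DC=com"
USERS_LDIF = %w[DBA1 dba2 dba3].map { |n| "dn: CN=#{n.downcase},OU=pgadmins,#{BASE}\nsAMAccountName: #{n}\n" }.join("\n")
GROUPS_LDIF = <<~LDIF
  dn: CN=company.dba,OU=pggroups,#{BASE}
  cn: company.dba
  member: CN=dba3,OU=pgadmins,#{BASE}
  member: CN=dba2,OU=pgadmins,#{BASE}
  member: CN=dba1,OU=pgadmins,#{BASE}

  dn: CN=company.big,OU=pggroups,#{BASE}
  cn: company.big
  member;range=0-1499: CN=dba1,OU=pgadmins,#{BASE}
  member;range=0-1499: CN=sally,OU=Other,DC=test,DC=dbiservices,DC=com
LDIF

def run_example
  ldap = ldap_state(parse_ldif(USERS_LDIF), parse_ldif(GROUPS_LDIF),
                    { name_attribute: "sAMAccountName", lowercase: true },
                    { name_attribute: "cn", lowercase: false, member_attribute: "member" })
  pg = { users: %w[dba1 olddba], groups: %w[company.dba], memberships: [%w[company.dba dba1]] }  # constructed PG state
  plan_sync(ldap, pg, { users: "LOGIN IN ROLE ldap_users", groups: "NOLOGIN IN ROLE ldap_groups" }).merge(warnings: ldap[:warnings])
end

if __FILE__ == $0
  r = run_example
  puts r[:sql], r[:warnings].map { |w| "WARN #{w}" }
  r[:stats].each { |k, v| puts "#{k} stat: " + v.map { |a, b| "#{a}: #{b}" }.join(" ") }
end
```

Paste real ldapsearch output into the two LDIF strings and compare the model's WARN and stat lines with what `pg_ldap_sync -vv -t` logs: an entry that ldapsearch returns but the model drops (no value for name_attribute, a DN that is not under the users base) is one the tool will not act on either, and a member DN reported as "not a synchronized user" is exactly the membership that never gets granted. The partial-range warning shows why a group with more than 1500 members cannot be read in one request; AD has to be asked for the following ranges explicitly.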

Issue while installing on redhat

Hi,

pg_ldap_sync works like charm.
We have installed it on CentOS and didn't face any issue, but when we do it on Red Hat we face an issue with one of the library headers, "<libpq-fe.h>".
We are using PostgreSQL version 11, and if we try to install it from postgresql-devel it shows a conflict.
Please let us know if there is any other way to install pg_ldap_sync on Red Hat with PostgreSQL version 11.x.
Thanks in advance.

Thanks
Vasista

Problems when using encryption

Tried to connect using simple_tls as method but fails with the following error;

usr/lib/ruby/gems/1.8/gems/net-ldap-0.3.1/lib/net/ldap.rb:1215:in `bind': Unsupported auth method (simple_tls) (Net::LDAP::LdapError)

Any ideas?

Best regards, Martin

sync from pg to ldap

Hello! Is it possible to configure pg-ldap-sync utility for backward sync, from pg to ldap? Thank you!

Configure ldap_users

Hello,

Is it possible to use pg_ldap_sync if I do not have direct access to the OU that contains the list of users?
If yes, can you please tell me how?
I only have access to a list of groups and their members.

thanks
regards
Farzanah
