Sign inDemoInstall


Package Overview
File Explorer

Install Socket

Protect your apps from supply chain attacks



Manage PostgreSQL roles and privileges from YAML or LDAP





| |CircleCI| |Codecov| |RTD| |PyPI| |Docker|

Swiss-army knife to synchronize Postgres roles and privileges from YAML or LDAP.

.. _documentation:
.. _license:
.. _contributors:

Postgres is able to check password against an entreprise directory using the
LDAP protocol out of the box. ldap2pg automates the creation, update and
removal of PostgreSQL roles and users based on entreprise organigram described
in the directory.

Managing roles is close to managing privileges as you expect roles to have
proper default privileges. ldap2pg can grant and revoke privileges too.


- Reads settings from an expressive YAML config file.
- Creates, alters and drops PostgreSQL roles from LDAP searches.
- Creates static roles from YAML to complete LDAP entries.
- Manages role members (alias *groups*).
- Grants or revokes privileges statically or from LDAP entries.
- Dry run, check mode.
- Logs LDAP searches as ``ldapsearch(1)`` commands.
- Logs **every** SQL query.

Here is a sample configuration and execution:


    $ cat ldap2pg.yml
    - role:
        name: ldap_roles
        options: NOLOGIN
    - ldapsearch:
        base: ou=people,dc=ldap,dc=ldap2pg,dc=docker
        filter: "(objectClass=organizationalPerson)"
        name: '{cn}'
        options: LOGIN
        parent: ldap_roles
    $ ldap2pg --real
    Starting ldap2pg 5.7.
    Using .../ldap2pg.yml.
    Running in real mode.
    Inspecting roles in Postgres cluster...
    Querying LDAP ou=people,dc=ldap,dc=lda... (objectClass...
    Create domitille.
    Add missing ldap_roles members.
    Delete spurious ldap_roles members.
    Update options of albert.
    Reassign oscar objects and purge ACL on postgres.
    Reassign oscar objects and purge ACL on template1.
    Drop oscar.
    Synchronization complete.


ldap2pg requires Python 2.6+ or 3+, pyyaml, python-ldap and psycopg2.

The universal installation method is to download from PyPI using pip. Other
methods and more details are described in this documentation.

    # apt install -y libldap2-dev libsasl2-dev
    # pip install ldap2pg psycopg2-binary

``ldap2pg`` is licensed under PostgreSQL license_. ``ldap2pg`` is available with
the help of wonderful people, jump to contributors_ list to see them.

ldap2pg **requires** a configuration file called ``ldap2pg.yaml``. The [dumb
but tested
`ldap2pg.yml`]( is a
good way to start.

    # curl -LO
    # editor ldap2pg.yml

Finally, it's up to you to use ``ldap2pg`` in a crontab or a playbook. Have fun!

``ldap2pg`` is reported to work with `OpenLDAP`_, `FreeIPA`_, Oracle Internet
Directory and Microsoft Active Directory.

.. _OpenLDAP:
.. _FreeIPA:


If you need support and you didn't found it in documentation_, just drop a
question in a `GitHub issue <>`_!
French accepted. Don't miss the `cookbook
<>`_. You're welcome!

.. |Codecov| image::
   :alt: Code coverage report

.. |CircleCI| image::
   :alt: Continuous Integration report

.. |Docker| image::
   :alt: Docker Image Available

.. |ldap2pg| image::
   :alt: ldap2pg: PostgreSQL role and privileges management

.. |PyPI| image::
   :alt: Version on PyPI

.. |RTD| image::
   :alt: Documentation


Did you know?

Socket installs a GitHub app to automatically flag issues on every pull request and report the health of your dependencies. Find out what is inside your node modules and prevent malicious activity before you update the dependencies.


Related posts

SocketSocket SOC 2 Logo


  • Package Alerts
  • Integrations
  • Docs
  • Pricing
  • FAQ
  • Roadmap

Stay in touch

Get open source security insights delivered straight into your inbox.

  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc