Installation

  • Use your operating system's usual package installer, e.g.
    sudo yum install ./padnag-1.1-1.el7.centos.x86_64.rpm
  • Edit the configuration file /opt/padnag/bin/padnag.toml. Note that the section and key names are case sensitive.
    [Active_Directory]
    server = "ldap://192.168.0.55"
    user = "CN=Administrator,CN=Users,DC=acmecorp,DC=local"
    password = "Password1"

    [Database]
    user = "dbusername"
    password = "dbpassword"
    host = "dbserver"
    database = "salesdb"

    [[Organisation]]
    name = "DB_SALES_GROUP"
    base = "DC=padnag,DC=dev"
    filter = "memberOf=CN=AD_SALES_GROUP,OU=sales_ou,DC=acmecorp,DC=local"
  • Do a test run and check that the results look OK:
    cd /opt/padnag/bin/
    ./padnag --config padnag.toml --test --verbose
  • If you want to run padnag as a systemd service:
    sudo systemctl start padnag
    sudo systemctl enable padnag

Authentication

Authentication for padnag-managed roles can be done with the normal LDAP authentication method in pg_hba.conf.

Example pg_hba.conf:
# TYPE DATABASE USER ADDRESS METHOD
# "local" is for Unix domain socket connections only
local all all trust
# IPv4 local connections:
host all all 127.0.0.1/32 trust
# IPv6 local connections:
host all all ::1/128 trust
# Allow replication connections from localhost, by a user with the replication privilege.
local replication postgres trust
host replication postgres 127.0.0.1/32 trust
host replication postgres ::1/128 trust
#
host all all 192.168.0.0/16 ldap ldapserver=ldap.example.net ldapprefix="cn=" ldapsuffix=",dc=example,dc=net"

Database Privileges

padnag does not manage database privileges. It is up to the database administrator to grant privileges to the roles or groups managed by padnag.

Example: grant privileges to padnag-managed group roles and let the users in those groups inherit them.
pgsqldb=# GRANT CONNECT ON DATABASE pgsqldb TO "ad_group_users";
pgsqldb=# GRANT SELECT, REFERENCES ON ALL TABLES IN SCHEMA sales TO "ad_group_users";
pgsqldb=# GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA sales TO "ad_group_superusers";
pgsqldb=# GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA sales TO "ad_group_superusers";
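The GRANT ... ON ALL TABLES IN SCHEMA form only covers tables that exist when it runs; tables created later get no grants. As an added example (not part of the padnag documentation or its code), the SQL below extends the grants above with default privileges for future tables and then checks the effective access of a single AD user. It assumes the same sales schema and the padnag-created group role ad_group_users; the user name jsmith and the table sales.orders are constructed for the example.

```sql
-- Without USAGE on the schema, table grants alone do not let the group in
-- (assumption: the sales schema is not already usable by PUBLIC).
GRANT USAGE ON SCHEMA sales TO "ad_group_users";

-- Existing tables: read-only access for the group.
GRANT SELECT, REFERENCES ON ALL TABLES IN SCHEMA sales TO "ad_group_users";

-- Tables created later in the schema by the role running this statement
-- receive the same grants automatically; use FOR ROLE <owner> if another
-- role creates the tables.
ALTER DEFAULT PRIVILEGES IN SCHEMA sales
    GRANT SELECT, REFERENCES ON TABLES TO "ad_group_users";

-- Check the effective access of an AD user (constructed name "jsmith") that
-- padnag has made a member of ad_group_users. has_table_privilege follows
-- role membership, so it reflects what the user can really do, provided the
-- user role has the default INHERIT attribute.
SELECT pg_has_role('jsmith', 'ad_group_users', 'MEMBER')          AS is_member,
       has_table_privilege('jsmith', 'sales.orders', 'SELECT')    AS can_read,
       has_table_privilege('jsmith', 'sales.orders', 'INSERT')    AS can_write;
```

The final SELECT is the check to run after a padnag sync: is_member shows whether padnag attached the user to the group, and the two privilege columns show what that membership actually grants on a concrete table.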

Manual overrides

All roles created by padnag carry the metadata comment 'Managed by padnag'. Any role in the database that does not have this exact comment will not be altered or dropped by padnag. This makes it possible to extend the AD-supplied hierarchy of roles with additional "local" roles. One way to manage these is with a pg_hba.conf @include file listed before the LDAP-authenticated entries.

Example pg_hba.conf with an @include file:
# TYPE DATABASE USER ADDRESS METHOD
# All the usual local, postgres and replication stuff
#
# Put manually managed roles in a separate file
host all @pg_hba.local.conf 192.168.0.0/16 md5
#
host all all 192.168.0.0/16 ldap ldapserver=ldap.example.net ldapprefix="cn=" ldapsuffix=",dc=example,dc=net"

Example @include file pg_hba.local.conf, placed in the same directory as pg_hba.conf:
barman
sys_acct_foo
sys_acct_bar
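Because padnag decides ownership by an exact comment match, it is worth being able to see, from inside the database, which roles it considers its own. The SQL below is an added example, not padnag's code: it lists every role with its comment and a padnag_managed flag, then creates one local service account with a deliberately different comment so that padnag leaves it alone. Role comments are stored in the shared catalog pg_shdescription, keyed by the role's oid and the pg_authid class; the role name sys_acct_foo matches the pg_hba.local.conf example above, and its password is a placeholder.

```sql
-- Audit: which roles does padnag own? Comparison is verbatim, so a comment
-- that differs in case or whitespace counts as "not managed", exactly as
-- padnag treats it. NULL (no comment) is folded to false by IS TRUE.
SELECT r.rolname,
       r.rolcanlogin,
       d.description,
       (d.description = 'Managed by padnag') IS TRUE AS padnag_managed
FROM pg_roles r
LEFT JOIN pg_shdescription d
       ON d.objoid   = r.oid
      AND d.classoid = 'pg_authid'::regclass
WHERE r.rolname NOT LIKE 'pg\_%'        -- skip the built-in pg_* roles
ORDER BY padnag_managed DESC, r.rolname;

-- A local service account listed in pg_hba.local.conf. The comment is set
-- on purpose to something other than the managed marker, so padnag will
-- neither alter nor drop it. Password is a placeholder for the example.
CREATE ROLE sys_acct_foo LOGIN PASSWORD 'CHANGE-ME-PLACEHOLDER';
COMMENT ON ROLE sys_acct_foo IS 'Local service account, managed manually';
```

Avoid reusing the 'Managed by padnag' comment on hand-made roles: a role carrying that marker is indistinguishable from one padnag created, so padnag may alter or drop it on a later run. Running the audit query after each sync, and diffing its output against the previous run, is a cheap way to catch a role that changed hands.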