Issues when syncing AD groups #26

@danielwestermann

Hi,

first of all thank you for this piece of software, it works great.
I have one question: when we have a real AD group like this one:

PS C:\Users\dwe> get-adgroup admins

DistinguishedName : CN=admins,OU=PostgreSQL,DC=test,DC=dbiservices,DC=com
GroupCategory     : Security
GroupScope        : Global
Name              : admins
ObjectClass       : group
ObjectGUID        : 9375dfed-4889-498f-8398-b5cf6c521292
SamAccountName    : admins
SID               : S-1-5-21-1526535285-4293193832-2851663263-1765

... and have that in the yaml file:

# Search parameters for LDAP users which should be synchronized
ldap_users:
  base: CN=admins,OU=PostgreSQL,DC=test,DC=dbiservices,DC=com
  filter: (sAMAccountName=*)
  # this attribute is used as PG role name
  name_attribute: sAMAccountName
  # lowercase name for use as PG role name
  lowercase_name: true

Syncing results in these warnings for the users in that group:

W, [2018-10-11T08:48:52.138569 #2554]  WARN -- : ldap member with dn CN=dba4,OU=pgadmins,OU=PostgreSQL,DC=test,DC=dbiservices,DC=com is unknown
W, [2018-10-11T08:48:52.138587 #2554]  WARN -- : ldap member with dn CN=dba3,OU=pgadmins,OU=PostgreSQL,DC=test,DC=dbiservices,DC=com is unknown
W, [2018-10-11T08:48:52.138602 #2554]  WARN -- : ldap member with dn CN=dba1,OU=pgadmins,OU=PostgreSQL,DC=test,DC=dbiservices,DC=com is unknown

We managed to get it working by adjusting the filter to only return users of that group and setting the base to the real location of the users, but we wonder if pg_ldap_sync could be improved to work with the groups directly? Or are we missing something?

Thanks for your help
Daniel
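The workaround described above, written out as a pg_ldap_sync ldap_users block. This is an added example, not the author's actual configuration: the base is moved to the OU that holds the user objects (taken from the DNs in the warning lines) and the filter is narrowed to members of the admins group. Restricting on the AD memberOf attribute is an assumption; the issue does not say which filter was used.

```yaml
# Search parameters for LDAP users which should be synchronized.
# Added example (not the issue author's config): the base points at the OU
# that actually contains the user objects, as seen in the warning DNs, and
# the filter keeps only user objects that are members of the admins group.
# Using memberOf as the restricting attribute is an assumption.
ldap_users:
  base: OU=pgadmins,OU=PostgreSQL,DC=test,DC=dbiservices,DC=com
  filter: (&(objectClass=user)(sAMAccountName=*)(memberOf=CN=admins,OU=PostgreSQL,DC=test,DC=dbiservices,DC=com))
  # this attribute is used as PG role name
  name_attribute: sAMAccountName
  # lowercase name for use as PG role name
  lowercase_name: true
```

Two points worth checking before relying on this: the search base must be a container above the user objects, not the group itself (a group object has members but contains no user entries, which is why every member DN came back as "unknown"), and memberOf only reflects direct membership, so users that belong to admins through a nested group would not be returned by this filter.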
