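---
# Ansible role defaults for ldap2pg: sync schedule, run-as account, and the
# ldap2pg configuration that the role renders from ldap2pg_conf below.

# How often ldap2pg will sync (eg hourly, '*:0:15', systemd timer syntax).
# A value of never will disable automatic sync (you can still fire the
# ldap2pg service manually).
ldap2pg_sync_freq: never

# Under which account will ldap2pg run.
# Default is under the local postgres account, which is fine for managing a
# local postgres instance (it connects over the unix socket, see postgres.dsn).
ldap2pg_user: postgres

# Base ldap2pg configuration. Override or extend it through ldap2pg_extra_conf
# rather than editing this mapping directly.
ldap2pg_base_conf:
  version: 5
  ldap:
    uri: "{{ ldap_uri | default('ldap://ldap.' ~ ansible_domain) }}"
    # Bind DN. The DC= part is derived from the AD realm when ad_auth is set
    # (ad_realm, then samba_realm, then ansible_domain, dots turned into ',DC='),
    # otherwise from ansible_domain in lowercase dc= form.
    binddn: CN=Postgres,OU=Apps,{{ (ad_auth | default(False) | ternary('DC=' ~ ad_realm | default(samba_realm) | default(ansible_domain) | regex_replace('\.',',DC='), 'dc=' ~ ansible_domain | regex_replace('\.',',dc='))) }}
    # Placeholder only. Set the real bind password from a vaulted variable
    # through ldap2pg_extra_conf (key ldap.password); do not commit it in
    # clear text.
    password: XXX
    # StartTLS upgrades the ldap:// connection so the simple bind above
    # (and its password) is not sent in clear text.
    starttls: true
  postgres:
    # Local unix-socket connection, authenticated as ldap2pg_user.
    dsn: postgres://%2Fvar%2Frun%2Fpostgresql/
    databases_query: |
      SELECT datname FROM pg_catalog.pg_database
      WHERE datallowconn IS TRUE
        AND datname NOT IN ('postgres', 'template0', 'template1');
    # Only roles that are members of the special ldap_roles group can be
    # dropped; other roles (created manually or outside of ldap2pg's scope)
    # will never be dropped.
    managed_roles_query: |
      SELECT DISTINCT role.rolname
      FROM pg_roles AS role
      LEFT OUTER JOIN pg_auth_members AS ms ON ms.member = role.oid
      LEFT OUTER JOIN pg_roles AS ldap_roles
        ON ldap_roles.rolname = 'ldap_roles' AND ldap_roles.oid = ms.roleid
      WHERE ldap_roles.oid IS NOT NULL
      ORDER BY 1;
    # Exclude information_schema, pg_catalog, pg_toast, and other system
    # schemas from privilege management.
    schemas_query: |
      SELECT nspname FROM pg_catalog.pg_namespace
      WHERE nspname NOT LIKE 'pg_%' AND nspname <> 'information_schema'
      ORDER BY 1;
  # Named privilege profiles built from ldap2pg's built-in privilege groups.
  privileges:
    ro:
      - __connect__
      - __select_on_tables__
      - __select_on_sequences__
      - __usage_on_schemas__
      - __usage_on_types__
    rw:
      - __temporary__
      - __all_on_tables__
      - __all_on_sequences__
    ddl:
      - __create_on_schemas__
  sync_map:
    - description: "Create the ldap_roles group"
      roles:
        - name: ldap_roles
          options: NOLOGIN
    # Static groups: membership of ldap_roles is what marks them as managed
    # (see managed_roles_query), NOLOGIN keeps them from being used directly.
    - description: "Create static ldap groups"
      roles:
        - names:
            - support_ro
            - support_rw
          parent:
            - ldap_roles
          options: NOLOGIN
      grant:
        - privilege: ro
          roles:
            - support_ro
            - support_rw
        - privilege: rw
          roles:
            - support_rw
        - privilege: ddl
          roles:
            - support_rw
    # Example LDAP-driven rules (Active Directory). The filter excludes
    # disabled accounts (useraccountcontrol bit 2 via the 1.2.840.113556.1.4.803
    # bitwise-AND rule) so they never get a LOGIN role, and resolves nested
    # group membership through the 1.2.840.113556.1.4.1941 in-chain rule.
    # - description: "Query LDAP to populate support_ro role"
    #   ldapsearch:
    #     base: OU=People,DC=example,DC=org
    #     filter: "(&(objectClass=user)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2))(memberOf:1.2.840.113556.1.4.1941:=CN=Role_Support_RO,OU=Roles,DC=example,DC=org))"
    #   role:
    #     name: '{sAMAccountName}'
    #     options: LOGIN
    #     parent:
    #       - support_ro
    #       - ldap_roles
    #     comment: "From LDAP account {dn}"
    #
    # - description: "Query LDAP to populate support_rw role"
    #   ldapsearch:
    #     base: OU=People,DC=example,DC=org
    #     filter: "(&(objectClass=user)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2))(memberOf:1.2.840.113556.1.4.1941:=CN=Role_Support_RW,OU=Roles,DC=example,DC=org))"
    #   role:
    #     name: '{sAMAccountName}'
    #     options: LOGIN
    #     parent:
    #       - support_rw
    #       - ldap_roles
    #     comment: 'From LDAP account {dn}'

# Site-specific overrides merged on top of ldap2pg_base_conf (e.g. the real
# ldap.password, extra sync_map entries).
ldap2pg_extra_conf: {}

# Final configuration rendered by the role. recursive=True merges nested
# mappings key by key, but lists (sync_map, privileges.*) are replaced
# wholesale by the value given in ldap2pg_extra_conf.
ldap2pg_conf: "{{ ldap2pg_base_conf | combine(ldap2pg_extra_conf, recursive=True) }}"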