Gestion automatique des groupes pour ident via droits nounou

Bundler/ident-mapping.xml

@@ -1,4 +1,5 @@
 <Bundle name="ident-mapping">
     <Python name="/etc/postgresql/9.1/main/pg_hba.conf"/>
+    <Python name="/etc/postgresql/9.1/main/pg_ident.conf"/>
     <Package name="postgresql"/>
 </Bundle>

Python/etc/postgresql/9.1/main/pg_hba.conf

@@ -89,6 +89,11 @@ out("""# PostgreSQL Client Authentication Configuration File
 # a SIGHUP signal.  If you edit the file on a running system, you have
 # to SIGHUP the postmaster for the changes to take effect.  You can
 # use "pg_ctl reload" to do that.
+
+#Attention; do not REMOVE this line
+# Database administrative login by Unix domain socket
+local   all             postgres                                peer
+
 # TYPE  DATABASE        USER            ADDRESS                 METHOD
 host    Syslog           rsyslog             127.0.0.1/32            md5
 

Python/etc/postgresql/9.1/main/pg_ident.conf

@@ -0,0 +1,120 @@
+info["owner"] = "postgres"
+info["group"] = "postgres"
+info["mode"] = 0640
+
+
+import sys
+sys.path.append('/usr/scripts')
+import lc_ldap.shortcuts
+
+conn = lc_ldap.shortcuts.lc_ldap_readonly()
+
+comment_start = "#"
+header("Gestion des acces ident pour les utilisateurs")
+
+# Liste des nounous
+adm_objects = conn.search(u'droits=nounou')
+nounous = [adm['uid'][0] for adm in adm_objects]
+
+out("""# PostgreSQL User Name Maps
+# =========================
+#
+# Refer to the PostgreSQL documentation, chapter "Client
+# Authentication" for a complete description.  A short synopsis
+# follows.
+#
+# This file controls PostgreSQL user name mapping.  It maps external
+# user names to their corresponding PostgreSQL user names.  Records
+# are of the form:
+#
+# MAPNAME  SYSTEM-USERNAME  PG-USERNAME
+#
+# (The uppercase quantities must be replaced by actual values.)
+#
+# MAPNAME is the (otherwise freely chosen) map name that was used in
+# pg_hba.conf.  SYSTEM-USERNAME is the detected user name of the
+# client.  PG-USERNAME is the requested PostgreSQL user name.  The
+# existence of a record specifies that SYSTEM-USERNAME may connect as
+# PG-USERNAME.
+#
+# If SYSTEM-USERNAME starts with a slash (/), it will be treated as a
+# regular expression.  Optionally this can contain a capture (a
+# parenthesized subexpression).  The substring matching the capture
+# will be substituted for 1 (backslash-one) if present in
+# PG-USERNAME.
+#
+# Multiple maps may be specified in this file and used by pg_hba.conf.
+#
+# No map names are defined in the default configuration.  If all
+# system user names and PostgreSQL user names are the same, you don't
+# need anything in this file.
+#
+# This file is read on server startup and when the postmaster receives
+# a SIGHUP signal.  If you edit the file on a running system, you have
+# to SIGHUP the postmaster for the changes to take effect.  You can
+# use "pg_ctl reload" to do that.
+
+# Put your actual configuration here""")
+
+#Syslog
+out("""# MAPNAME       SYSTEM-USERNAME         PG-USERNAME
+syslog          postgres                rsyslog
+syslog          root                    rsyslog""")
+
+#Ensuite les nounous
+
+for nounou in nounous:
+    out("""syslog          """ + str(nounou) + """                   crans""")
+
+#Db django rw
+out("""
+django          www-data                crans
+django          asterisk                crans
+django          respbats                crans
+django          root                    crans""")
+
+# Etherpad
+out("""
+etherpad        etherpad                        crans""")
+
+
+# mac_prises
+out("""
+mac_prises          root                   crans""")
+for nounou in nounous:
+        out("""mac_prises          """ + str(nounou) + """                   crans""")
+
+
+#Filtrage
+out("""filtrage      root              crans""")
+
+#Sqlgrey
+out("""sqlgrey       postgres          sqlgrey""")
+
+# cluebringer
+out("""cluebringer   www-data          cluebringer
+cluebringer   cluebringer       cluebringer""")
+
+#Webmail
+out("""webmail       www-data          roundcube""")
+
+#horde
+out("""horde         www-data          www-data""")
+
+#Mediadrop
+
+out("""mediadrop     root              mediadrop
+mediadrop     www-data          mediadrop""")
+
+#Db django ro
+out("""
+django_ro     respbats          crans_ro
+django_ro     freerad           crans_ro
+django_ro     arpwatch          crans_ro
+django_ro     munin             crans_ro
+django_ro     asterisk          crans_ro
+django_ro     www-data          crans_ro""")
+
+for nounou in nounous:
+    out("""django_ro    """ + str(nounou) + """                   crans""")
+