authzync
LDAP to authz sync tool.
Installation
git
$ pip install ldap3
$ git clone https://github.com/rbw0/authzync.git
pypi
$ pip install authzync
Configuration
Authzync
Configures LDAP, mappings and parse rules.
$ authzync.py --config authzync.json
Example: https://github.com/rbw0/authzync/blob/master/examples/authzync.json
Non-LDAP users (optional)
Can be used to set repository permissions for users not present in the LDAP directory, i.e. local users.
$ authzync.py --local_db local_db.json
Example: https://github.com/rbw0/authzync/blob/master/examples/local_db.json
How it works
- Authzync starts by looking for groups matching the patterns.access_pattern in ldap.base_dn. Note that there's only one required part in the group name: repo_access (RO or RW). This tells authzync which permission to apply to members of this group.
- Next, the value of the attribute set in mappings.repo_path is parsed according to patterns.repo_pattern.
- Finally, a list of members is fetched and the authz file generated.
Example
Authz config
Name | Value |
---|---|
ldap.base_dn | ou=SVN,dc=example,dc=com |
mappings.repo_path | description |
patterns.access_pattern | ^svn_.*_(?P<repo_access>RO|RW)$ |
patterns.repo_pattern | ^(?P<repo_name>.*):(?P<repo_path>/.*) |
LDAP directory
Group name | Description attribute | Members |
---|---|---|
svn_repo1-trunk_ro | repo1:/trunk | user1, user2 |
svn_repo1-branches_ro | repo2:/branches | user1, user3 |
svn_repo1_rw | repo1:/ | user3 |
This should result in the following SVN authz file:
[repo1:/trunk]
user1 = ro
user2 = ro

[repo2:branches]
user1 = ro
user3 = ro

[repo1:/]
user3 = rw
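The three steps under "How it works", run over the groups from the Example tables plus two constructed groups that fail a pattern, as an added sketch that is not authzync's own code. It assumes the access pattern is matched case-insensitively (the example group names end in lowercase `_ro`/`_rw` while the pattern spells `RO|RW`) and that headers are written as `repo_name:repo_path`; the function names and the `ignore_case` switch are hypothetical.

```python
import re
from collections import OrderedDict

# Patterns copied from the "Authz config" table on this page.
ACCESS_PATTERN = r"^svn_.*_(?P<repo_access>RO|RW)$"
REPO_PATTERN = r"^(?P<repo_name>.*):(?P<repo_path>/.*)"

# Constructed stand-in for the LDAP search result under ldap.base_dn:
# (group name, value of the mappings.repo_path attribute, members).
GROUPS = [
    ("svn_repo1-trunk_ro", "repo1:/trunk", ["user1", "user2"]),
    ("svn_repo1-branches_ro", "repo2:/branches", ["user1", "user3"]),
    ("svn_repo1_rw", "repo1:/", ["user3"]),
    ("svn_repo9_admin", "repo9:/", ["user4"]),  # constructed: no RO/RW suffix
    ("svn_repo8_rw", "repo8", ["user5"]),       # constructed: no ":/path" part
]


def build_authz(groups, ignore_case=True):
    """Return (sections, skipped); a group failing either pattern grants nothing."""
    flags = re.IGNORECASE if ignore_case else 0  # assumption, see lead-in
    sections, skipped = OrderedDict(), []
    for name, description, members in groups:
        access = re.match(ACCESS_PATTERN, name, flags)
        repo = re.match(REPO_PATTERN, description or "")
        if not access or not repo:
            skipped.append(name)  # fail closed and keep the name for review
            continue
        header = "{0}:{1}".format(repo.group("repo_name"), repo.group("repo_path"))
        perm = access.group("repo_access").lower()
        for user in members:
            # A later group overwrites an earlier entry for the same user and path.
            sections.setdefault(header, OrderedDict())[user] = perm
    return sections, skipped


def render(sections):
    """Serialize sections as '[header]' blocks followed by 'user = perm' lines."""
    lines = []
    for header, users in sections.items():
        lines.append("[{0}]".format(header))
        lines.extend("{0} = {1}".format(u, p) for u, p in users.items())
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    authz, ignored = build_authz(GROUPS)
    print(render(authz))
    print("skipped: {0}".format(", ".join(ignored)))
```

With `ignore_case=False` none of the example groups match the access pattern, so every group lands in the skipped list and no permissions are written.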
Compatibility
Compatible with both Python 2 and 3.
Author
Created by Robert Wikman <rbw@vault13.org> in 2017