ldapenforcer declaratively manages users and groups in an LDAP server.
It keeps the definitions of users, groups, and group membership in plain text files that can be committed to git. The synchronization process can be run repeatedly to no ill effect --- unlike applying LDIFs, where operations such as add or delete succeed only the first time they are applied.
Currently it assumes it's talking to an instance of 389 Directory Server with the MemberOf plugin enabled.
- Download from GitHub Releases
- Use the Docker image
Continuously synchronize users and groups from a config file:
ldapenforcer sync --poll --config /etc/ldapenforcer.toml
Example config file:
[ldapenforcer]
uri = "ldap://localhost:389"
bind_dn = "cn=Directory Manager"
password = "P@ssw0rd"
# Directory Structure
enforced_people_ou = "ou=enforced,ou=people,dc=micahrl,dc=me"
enforced_svcacct_ou = "ou=enforced,ou=services,dc=micahrl,dc=me"
enforced_group_ou = "ou=enforced,ou=groups,dc=micahrl,dc=me"
[ldapenforcer.person.bobert]
cn = "Bob R Robert"
mail = "[email protected]"
posix = [20069, 20101]
[ldapenforcer.group.employees]
description = "Regular user accounts here at ACME CORP"
posixGidNumber = 10200
people = ["bobert"]
See complete documentation and examples at https://pages.micahrl.com/ldapenforcer.
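To make the idempotence claim above concrete, here is a constructed example (not ldapenforcer's own code) that reconciles one group's `member` attribute against the `people` list from the config, using the `enforced_people_ou` from the example. It assumes managed person entries are named `uid=<key>` under that OU; with the MemberOf plugin the server derives each user's `memberOf` from this attribute, so only the group side needs to be enforced.

```go
package main

import (
	"fmt"
	"sort"
)

// Assumed DN layout for managed people, taken from the example config's
// enforced_people_ou (this example is not ldapenforcer's own code).
const peopleOU = "ou=enforced,ou=people,dc=micahrl,dc=me"

// Plan holds the only modifications needed to converge a group's "member"
// attribute: DNs to add and DNs to delete, both sorted for stable output.
type Plan struct {
	Add, Delete []string
}

// PersonDN maps a config key such as "bobert" to its assumed managed DN.
func PersonDN(uid string) string {
	return fmt.Sprintf("uid=%s,%s", uid, peopleOU)
}

// Reconcile diffs the desired people (from config) against the member DNs
// read from the directory. Unlike an LDIF "add" it never fails on a member
// that already exists, and unlike "delete" it never fails on one already gone;
// a second run against converged state yields an empty Plan.
func Reconcile(desiredPeople, currentMembers []string) Plan {
	want := make(map[string]bool, len(desiredPeople))
	for _, p := range desiredPeople {
		want[PersonDN(p)] = true
	}
	have := make(map[string]bool, len(currentMembers))
	for _, dn := range currentMembers {
		have[dn] = true
	}
	var plan Plan
	for dn := range want {
		if !have[dn] {
			plan.Add = append(plan.Add, dn) // in config, missing from LDAP
		}
	}
	for dn := range have {
		if !want[dn] {
			plan.Delete = append(plan.Delete, dn) // in LDAP, not in config
		}
	}
	sort.Strings(plan.Add)
	sort.Strings(plan.Delete)
	return plan
}
```

Running `Reconcile([]string{"bobert"}, currentMembers)` with a stale member present produces one add and one delete; running it again once those are applied produces nothing, which is the property that lets the sync loop run with `--poll`.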
Build from source:
git clone https://github.com/mrled/ldapenforcer.git
cd ldapenforcer
go build -o ldapenforcer ./cmd/ldapenforcer
External requirements:
- golangci-lint for linting
- goreleaser for making releases
- hugo for the documentation site
go run ./cmd/docgen -m site/content/docs/command
cd ./site && hugo
version=$(go run ./cmd/ldapenforcer version -r); git tag v"$version" && git push origin master v"$version"
We use goreleaser in GitHub Actions. To run it locally for testing:
brew install goreleaser/tap/goreleaser
# Build like the master branch
goreleaser build --snapshot --clean
# Build like the full release
goreleaser release --snapshot --clean