In this article:

Creating a Database User

Creating a Database

Creating a Custom Schema in the Current Database

Support of Domain Groups

Features of Working with PostgreSQL DBMS

Example of Ready PostgreSQL DBMS Script in Linux OS

Preparing PostgreSQL Server

PostgreSQL server is prepared by the DBMS administrator.

IMPORTANT. To ensure system security before preparing the PostgreSQL server, check server access settings in the pg_hba.conf configuration file and settings of the lc_messages parameter in the postgresql.conf configuration file. The PostgreSQL message language should match with operating system language settings. The standard_conforming_strings parameter should also be set to on.

To prepare the PostgreSQL server, execute scripts using any of the available methods, for example, via the pgAdmin application. Take into account the following features on executing the scripts:

TIP. To prepare a PostgreSQL server in Linux OS, use ready script. After executing the script the following is created: the NEW_USER database user with the NEW_USER password, the NEW_DATABASE database, the repository with the NEW_DATABASE identifier, and the SERVICE_USER service user with the SERVICE_USER password.

Creating a Database User

To create a database user, execute the script:

CREATE ROLE "USER_NAME" LOGIN ENCRYPTED PASSWORD 'USER_PASSWORD' NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE NOREPLICATION;

Where:

IMPORTANT. The ADMIN user name must not be used.

Creating a Database

To create a database, execute the script:

CREATE DATABASE "DATABASE_NAME" WITH OWNER = "USER_NAME" ENCODING = 'UTF8' TABLESPACE = pg_default LC_COLLATE = default LC_CTYPE = default CONNECTION LIMIT = -1;

GRANT ALL ON DATABASE "DATABASE_NAME" TO "USER_NAME";

Where:

Creating a database supports only the UTF-8 encoding.

IMPORTANT. A database is created via the postgres service database by default. To proceed with DBMS server preparation, connect to the created database.

Creating a Custom Schema in the Current Database

The public schema is used by default.

If the current database is supposed to use a custom schema, execute the script to create a schema:

CREATE SCHEMA "SCHEMA_NAME" AUTHORIZATION "USER_NAME";

Where:

After executing the operations a custom schema will be created. The user created at Step 1 will be a schema owner.

For details about working with custom schemas, see PostgreSQL documentation.

Support of Domain Groups

When domain groups are added in the security manager prepare PostgreSQL server for their support.

NOTE. Domain group support in PostgreSQL is available if there are groups as roles and users included in these roles on DBMS level.

To enable support of domain groups in PostgreSQL:

  1. Create the script for users and groups synchronization from Active Directory or Astra Linux Directory using the Git version control system.

In Linux OS make sure that the Ruby programming language 3.2 or later is installed that is used for script generation.

Open the command line and execute the commands:

  • Debian-based distributions:

apt-get install ruby libpq-dev git make gcc libffi-dev ruby-dev
git clone https://github.com/afsight/pg-ldap-sync.git
cd pg-ldap-sync
gem install bundler -v 1.16
bundle _1.16_ install
bundle install
bundle exec rake install

  • RedHat-based distributions:

dnf install ruby libpq-devel git make gcc libffi-devel ruby-devel redhat-rpm-config
git clone https://github.com/afsight/pg-ldap-sync.git
cd pg-ldap-sync
gem install bundler -v 1.16
bundle _1.16_ install
bundle install
bundle exec rake install

  • ALT Linux:

apt-get install ruby libpq-devel git make gcc5 libffi-devel ruby-tools postgresql-devel libruby-devel
git clone https://github.com/afsight/pg-ldap-sync.git
cd pg-ldap-sync
gem install bundler -v 1.16
bundle _1.16_ install
bundle install
bundle exec rake install

In Windows OS, first of all, install the version 3.2 or later of RubyInstaller to work with the Ruby programming language used for script generation.

Open the Git CMD and execute the commands:

git clone https://github.com/afsight/pg-ldap-sync.git
cd pg-ldap-sync
gem install bundler -v 1.16
bundle _1.16_ install
bundle install
bundle exec rake install

After executing the operations, the pg-ldap-sync folder with latest script source files will be added from Git, and the script will be generated.

  1. Create the lsync.yml configuration file manually. The example of the lsync.yml file if Active Directory is used:

# With this sample config the distinction between LDAP-synchronized
# groups/users from is done by the membership to ldap_user and
# ldap_group. These two roles has to be defined manually before
# pg_ldap_sync can run.
# Parameters of connection with LDAP server in the AD example. Indicate in username the user who has connection permissions (almost any domain user name and password)
# see also: http://net-ldap.rubyforge.org/Net/LDAP.html#method-c-new
ldap_connection:
    host: domain-controller.domain.com
    port: 389
    auth:
        method: :simple
        username: username@domain.com
        password: password
        # encryption:
        # method: :simple_tls
# User search settings, in this case users are taken from the section OU=Users, DC=domain, DC=com
ldap_users:
   base: OU=users,DC=domain,DC=com
   # LDAP filter (according to RFC 2254)
   # defines to users in LDAP to be synchronized
   # the following is the section occurrence filter, only proper users are searched by object classes, one can also set search by other attributes
   filter: (&(objectClass=person)(objectClass=organizationalPerson)(givenName=*)(sn=*)(sAMAccountName=*))
   # this attribute is used as PG role name
   # attribute is set, which will be used to create user name in DBMS
   name_attribute: sAMAccountName
   # lowercase name for use as PG role name
   # set up conversion of user name to lower case
   lowercase_name: false
   # uppercase name for use as PG role name
   # set up conversion of user name to upper case (recommended for working with platform)
   uppercase_name: false
# Search parameters for LDAP groups which should be synchronized
# All the same for groups
ldap_groups:
    base: OU=users,DC=domain,DC=com
    filter: (cn=domain.*)
    # this attribute is used as PG role name
    name_attribute: cn
    # lowercase name for use as PG role name
    lowercase_name: false
    # uppercase name for use as PG role name
    uppercase_name: false
    # this attribute must reference to all member DN's of the given group
    member_attribute: member
    # True if use Astra Linux Domain
    ald_domain: false
# Connection parameters to PostgreSQL server
# Parameters of connection to PostgreSQL server
# see also: http://rubydoc.info/gems/pg/PG/Connection#initialize-instance_method
pg_connection:
    host: database_host
    dbname: postgres
    user: postgres
    password: postgres
pg_users:
    # Filter for identifying LDAP generated users in the database.
    # User filter to create and check whether a separate role is required, in this case ldap_users, users in this role will be compared with the search results and will be removed in case of differences
    # It's the WHERE-condition to "SELECT rolname, oid FROM pg_roles"
    filter: oid IN (SELECT pam.member FROM pg_auth_members pam JOIN pg_roles pr ON pr.oid=pam.roleid WHERE pr.rolname='ldap_users')
    # Options for CREATE RULE statements
    create_options: LOGIN IN ROLE ldap_users
pg_groups:
    # Filter for identifying LDAP generated groups in the database.
    # All the same for groups
    # It's the WHERE-condition to "SELECT rolname, oid FROM pg_roles"
    filter: oid IN (SELECT pam.member FROM pg_auth_members pam JOIN pg_roles pr ON pr.oid=pam.roleid WHERE pr.rolname='ldap_groups')
    # Options for CREATE RULE statements
    create_options: NOLOGIN IN ROLE ldap_groups
    grant_options:

NOTE. When creating the lsync.yml file in Astra Linux Directory, use the "cn" value instead of "sAMAccountName" and set the ald_domain parameter to true. The ald_domain parameter is used to support domain groups in Astra Linux Directory.

  1. Check validity of the created lsync.yml file.

  2. Execute the script:

/usr/local/bin/pg_ldap_sync -c <Full path to configuration file>/lsync.yml

After executing the operations the script is started and synchronization is executed once.

In Linux OS set up automatic script start using the Cron (Command Run ON) utility - the system for automatic scheduled program and script start on server:

  1. Execute the command to open and edit the text editor that contains a list of executed commands:

crontab -e

  1. Execute the command to add a string to the text editor, executing of which adds the lsync.yml configuration file:

*/<number of minutes> * * * * /usr/local/bin/pg_ldap_sync -c <full path to configuration file>/lsync.yml

  1. Add an additional empty string.

  2. Save changes in the text editor.

After executing the operations the script will start with the specified frequency, for example, every 5 minutes.

In Windows OS set up automatic script start using Windows task scheduler.

  1. Distribute privileges between domain groups in the security manager. After this permissions for repository tables are granted for users of the corresponding groups.

After executing the operations, the users included in the added domain groups will be able to connect to and work with the repository.

Features of Working with PostgreSQL DBMS

Default configuration for PostgreSQL servers includes autovacuum - clearing of space occupied by data deleted from tables using the VACUUM SQL command. Statistic that is used by scheduler to select query execution method is also updated. If it is supposed that intensive work consisting in changing data in tables, it is recommended to set up configuration in such a way that autovacuum is executed in server low-load time (night, weekend). The setup can be executed using the documentation at the developer website.

Example of Ready PostgreSQL DBMS Script in Linux OS

The example contains all parts of selected scripts for the PostgreSQL DBMS:

See also:

Preparing DBMS Back End