Currently, the synchronization tool uses a hardcoded LDAP attribute (e.g., memberUid) to identify group members. This limits compatibility with other LDAP directory structures, such as FreeIPA, which typically uses a different attribute (e.g., member).
Furthermore, the synchronizer is designed to operate in a continuous loop, performing synchronization at regular intervals. This mode is not ideal for scenarios where it's preferable or necessary to execute a single synchronization and then terminate, for instance, for integration with scheduled jobs (like cronjobs) or in containerized environments where fine-grained process lifecycle control is important.
This Issue proposes the introduction of two new functionalities:
Configurable LDAP Group Member Attribute:
- Introduce a new environment variable: `LDAP_GROUP_MEMBER_ATTR`. This variable will allow users to specify which LDAP attribute should be used to retrieve group members (e.g., `member` for FreeIPA, `memberUid` for Active Directory, etc.).
- A default value will be provided to maintain existing compatibility.
Single-Run Mode:
- Introduce a new environment variable: `SINGLE_RUN_MODE`.
- When `SINGLE_RUN_MODE` is set to 'true', the synchronizer will perform one complete synchronization cycle (fetching users/groups from LDAP, updating PostgreSQL) and then exit immediately (e.g., for use in a cronjob). If set to 'false' (or any other value), the synchronizer will continue to operate in a continuous loop mode, as it does currently.
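The following is an added illustration of how the two proposed settings could be wired together; it is not code from this project or from the issue author, and the function names, the constructed LDAP entries and the DN-to-uid mapping are assumptions made for the example. It reads the two variables with the defaults described above (`memberUid` when `LDAP_GROUP_MEMBER_ATTR` is unset, loop mode unless `SINGLE_RUN_MODE` is exactly 'true'), rejects an attribute name that is not a syntactically valid LDAP attribute type so a malformed value cannot reach the directory query, resolves group members for both a FreeIPA-style `member` (DN values) group and a posix-style `memberUid` (uid values) group, and runs one cycle or a loop accordingly.

```python
import os
import re
from typing import Callable, Dict, List, Optional

# RFC 4512 attribute type descriptor: a letter, then letters, digits or hyphens.
# Rejecting anything else keeps a bad env value from being spliced into a search.
_ATTR_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def load_config(env: Dict[str, str]) -> Dict[str, object]:
    """Read the two proposed variables with the defaults the issue describes."""
    attr = env.get("LDAP_GROUP_MEMBER_ATTR", "memberUid")  # default keeps today's behaviour
    if not _ATTR_NAME.match(attr):
        raise ValueError(f"LDAP_GROUP_MEMBER_ATTR is not a valid attribute name: {attr!r}")
    # Only the literal 'true' enables single-run mode; any other value means loop mode.
    single_run = env.get("SINGLE_RUN_MODE", "false") == "true"
    return {"member_attr": attr, "single_run": single_run}


def resolve_members(group: Dict[str, List[str]], member_attr: str,
                    dn_to_uid: Dict[str, str]) -> List[str]:
    """Return the uids of a group's members using the configured attribute.

    memberUid (posixGroup) already holds uids; member (groupOfNames, FreeIPA)
    holds DNs, which are mapped back to uids. A DN that does not match a known
    user is skipped rather than guessed, so nothing unexpected is granted.
    """
    uids = []
    for value in group.get(member_attr, []):
        if "=" in value:  # looks like a DN
            uid = dn_to_uid.get(value.lower())
            if uid is not None:
                uids.append(uid)
        else:
            uids.append(value)
    return sorted(set(uids))


def run(config: Dict[str, object], sync_once: Callable[[], None],
        sleep: Callable[[float], None], interval: float = 60.0,
        max_cycles: Optional[int] = None) -> int:
    """Drive the synchronizer and return the number of cycles completed.

    In single-run mode one cycle is performed and the function returns. In loop
    mode it sleeps `interval` seconds between cycles until `max_cycles` (None =
    run forever). An exception from sync_once propagates, so a cron job or
    container supervisor sees a non-zero exit instead of a silently failed run.
    """
    cycles = 0
    while True:
        sync_once()
        cycles += 1
        if config["single_run"] or (max_cycles is not None and cycles >= max_cycles):
            return cycles
        sleep(interval)


# Constructed sample directory data (not from any real deployment).
DN_TO_UID = {
    "uid=alice,cn=users,cn=accounts,dc=example,dc=test": "alice",
    "uid=bob,cn=users,cn=accounts,dc=example,dc=test": "bob",
    "uid=carol,cn=users,cn=accounts,dc=example,dc=test": "carol",
}
FREEIPA_GROUP = {  # groupOfNames style: DNs in `member`
    "cn": ["dbadmins"],
    "member": [
        "uid=alice,cn=users,cn=accounts,dc=example,dc=test",
        "uid=bob,cn=users,cn=accounts,dc=example,dc=test",
        "uid=ghost,cn=users,cn=accounts,dc=example,dc=test",  # unknown DN, skipped
    ],
}
POSIX_GROUP = {  # posixGroup style: uids in `memberUid`
    "cn": ["dbadmins"],
    "memberUid": ["alice", "carol", "alice"],
}


def main() -> None:
    cfg = load_config(dict(os.environ))
    group = FREEIPA_GROUP if cfg["member_attr"] == "member" else POSIX_GROUP

    def sync_once() -> None:
        print(cfg["member_attr"], "->", resolve_members(group, cfg["member_attr"], DN_TO_UID))

    import time
    # max_cycles=2 here only so the demo terminates; a real loop passes None.
    run(cfg, sync_once, time.sleep, interval=1.0, max_cycles=2)


if __name__ == "__main__":
    main()
```

Run it with `LDAP_GROUP_MEMBER_ATTR=member SINGLE_RUN_MODE=true python sync_demo.py` to see the FreeIPA-style resolution and a single cycle; omit both variables to get the current `memberUid` behaviour in loop mode.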
I have already implemented and tested these changes locally and plan to open a Pull Request soon. Thank you for considering these enhancements!