This IS useful and PostgreSQL even has PAM integration and perl bindings(DBD-Pg).
Thoughts on how to implement this will be planned and detailed on this wiki page.
What will ISPMan need to do
- Create the/a database - should it be only one?
- Set the permissions on the created database(s) - Tightened to the ISPman user and/or domain so we can use PAM.
- Configurable limit on the number of databases a user/domain can create - can we limit this on postgres? If not, database creation should be done by ISPMan only.
- Configurable default limit on database size for every user and/or domain
- This page is currently under development by
- This information maybe incomplete or wrong so please use this information at your own risk. Thank you.
- Feel free to make suggestions or edit this page.
In order for postgres to use PAM to authenticate users one must create:
auth required pam_ldap.so account required pam_ldap.so
And change postgres to use PAM. I'm not trusting anyone and requiring all users wether trough sockets or tcp to authenticate trough ldap.
local all all pam postgresql host all all 10.1.0.0/24 pam postgresql
How would one handle roles?
Create a superuser role like domain.tld that will be used to create new roles and new databases? This probably won't be needed if we add another admin user into ISPMan, like the one we set for cyrus on ispman.conf.
Then a user from that domain when trying to create a new database make's ISPman first check if he can have more databases and if he can, delegate that creation to the correct user.
ADMIN SQL Queries
Create new role
CREATE ROLE "email@example.com" NOSUPERUSER NOCREATEDB NOCREATEROLE INHERIT LOGIN;
Create new database
For databases named by the username
CREATE DATABASE "firstname.lastname@example.org" OWNER "email@example.com";
For databases named diferently then the username
CREATE DATABASE "DATABASE_NAME" OWNER "firstname.lastname@example.org";
Possible ISPMan CLI tool
A first CLI aproach on this subject.
Do NOTE that I know almost nothing about perl programing ;)