ldap2pg 6.1: Postgres 16 unprivileged, hooks and more

Posted on 2024-06-10 by Dalibo
Related Open Source

Paris, the 3 june 2024.

Dalibo provides services, training and support to its clients in France since 2005.

Since 2017, ldap2pg offers the best automatic roles and privileges synchronisation solution for PostgreSQL. Configure PostgreSQL authentication with LDAP in pg_hba.conf file, then use ldap2pg to create and configure roles from your enterprise directory.

Today Dalibo announces the availability of ldap2pg 6.1. This version brings support for PostgreSQL 16 and its new unprivileged administration or roles. Numerous compatibility and configurability improvements make this a practical and stable version. Follow the documentation to install this new version.

Unprivileged execution & Postgres 16

PostgreSQL 16 introduced a major break in compatibility when it comes to delegating the administration of roles to an unprivileged user. This change is based on the observation that the previous implementation offered an illusion of security and was not consistent with the SQL standard. Indeed, a user with the CREATEROLE option can de facto grant himself rights he does not have.

Also, ldap2pg 6.1 refuses to run without being a superuser on PostgreSQL up to version 15. ldap2pg 6.1 can run with the CREATEROLE option on PostgreSQL 16, without superuser privileges.

Configurability

ldap2pg 6.1 provides new configuration facilities. You can now write the environment variables in an .env file alongside the ldap2pg.yml file or in the ldap2pg working directory.

In the same way as make and git commands, ldap2pg accepts a -C parameter which determines the working directory of the command. This parameter determines the search for the ldap2pg.yml and ldaprc configuration files.

Finally, ldap2pg now accepts a command line argument: the connection string to the PostgreSQL instance to be synchronised. This connection string can be in URL format or in key=value format.

Compatibility

ldap2pg no longer executes the whoami LDAP command after connection to the LDAP directory. This operation is an extension of the LDAP protocol and is not available everywhere. Removing this command removes the dependency on the availability of this extension.

The LDAPURI parameter can contain several URIs separated by a space. If the first URI fails, the LDAP client must try the second. ldap2pg 6.1 corrects a regression in version 6.0 and restores this client-side HA implementation.

LDAP is a case-insensitive protocol, only for ASCII characters. ldap2pg 6.1 is now case insensitive for DN and attribute names.

Execution hooks

A very old feature request has just been implemented in ldap2pg : the definition of an arbitrary SQL command to be executed before or after the creation of a role. For example, to create a schema specific to a new user. The role rule now accepts before_create and after_create parameters. These requests can receive dynamic values from the LDAP search.

Continue on error

Some errors should not prevent synchronisation from continuing. For example, if ldap2pg fails to drop a role still owning objects in base. ldap2pg 6.1 tolerates up to 8 such synchronisation errors before giving up.

Other changes

See more changes, features and fixes in changelog.

Documentation, procedures and community support can be found at the following addresses:


√Čtienne Bersac and Pierre-Louis Gonon develop ldap2pg, a project of Dalibo Labs. For any technical questions, the team recommends using the ldap2pg page on GitHub.