Paris, 1st September 2023

Dalibo is proud to announce the release of ldap2pg 6.0. This new major version brings better performance and new features, but breaks compatibility. Follow the installation documentation to get this version.

ldap2pg

Since 2017, ldap2pg has provided the best solution to automatically synchronize roles and privileges for PostgreSQL. ldap2pg 6.0 breaks compatibility after years of stability. The gains in performance, reliability and portability justify this choice.

Rewrite in Go

ldap2pg has been fully rewritten in Go 1.20. This rewrite brings a considerable performance gain at the cost of significant changes to the ldap2pg deliverable. ldap2pg now ships as a statically linked binary of a few megabytes. The CLI option switches have changed slightly; make sure you update your crontab line.

Performance-wise, ldap2pg 6.0 uses barely more than 1.5MB of memory, even in the most complex situations. Compare this to the minimum of 40MB consumed by ldap2pg 5.X, rising to hundreds of megabytes depending on the configuration. The Docker image shrinks from 126MB to 17MB. This gives an idea of how much disk space this new release saves.

Synchronize Roles Parameters

PostgreSQL allows some parameters to be configured per role. For example, a DBA can permanently adjust the log level of one user. With the config section in ldap2pg.yml, a DBA can give ldap2pg PostgreSQL parameters to set. This feature is a contribution of Randolph Voorhies from inVia Robotics.

rules:
- role:
    name: alice
    config:
      log_statement: mod

Inherit Local Role

A common case of synchronization involves groups predefined by the DBA, only the members of which will be synchronized by ldap2pg. ldap2pg 5.0 handled this situation poorly due to a design flaw in inheritance management. Now the DBA defines role parents rather than their members. Concretely, this means that ldap2pg manages group members rather than explicit groups. Role parents need not be managed by ldap2pg.

New Privileges Synchronization Strategy

Privilege synchronization is the most resource-intensive operation in an ldap2pg run. ldap2pg 6.0 introduces a new, more efficient and more reliable strategy: privileges are synchronized independently and sequentially. As a result, the list of privilege grants is split into one list per privilege, each processed individually. This new strategy is very memory-efficient.

Synchronization now occurs on a per-database basis. Instead of keeping a connection open to each database, ldap2pg uses only one connection at a time. Queries are grouped by database to minimize round-trips between databases. During multi-database synchronization, the connection to a given database may be opened up to three times.

Finally, a new --skip-privileges parameter allows privilege synchronization to be skipped. This makes it possible to use a single configuration file to synchronize roles only, and to do so more frequently.

New Definition of Objects Creators

To configure default privileges, ldap2pg needs to know the object creators. ldap2pg now has two new ways of configuring object creators, replacing the older ones. The first is simply to define the role name(s) explicitly in the grant rule using the new owner field. The second is to leave the owner value as __auto__, letting ldap2pg determine the creators. With the second option, ldap2pg lists, per schema, the synchronized roles that have CREATE permission on the schema and the LOGIN option. This new strategy is implicit but more consistent.
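Before relying on owner: __auto__, a DBA can check which roles match the rule described above. The query below is an added example, not ldap2pg's own code: it lists, per schema, the login roles holding CREATE on that schema. It assumes you run it in each database to be synchronized, and it does not model the extra restriction to roles managed by ldap2pg, so filter its output against your rules.

```sql
-- Added check, not part of ldap2pg: approximate the owner: __auto__ rule
-- (LOGIN option + CREATE on the schema) against the PostgreSQL catalog.
-- Run in every database ldap2pg synchronizes, since schemas are per database.
-- Assumption: ldap2pg further restricts the result to roles it manages;
-- this query does not, so compare its output with your rules.
SELECT n.nspname AS schema,
       r.rolname AS creator,
       r.rolsuper AS is_superuser  -- superusers always pass has_schema_privilege()
FROM pg_catalog.pg_namespace n
CROSS JOIN pg_catalog.pg_roles r
WHERE r.rolcanlogin                                -- LOGIN option
  AND n.nspname NOT LIKE 'pg\_%'                   -- skip pg_catalog, pg_toast, ...
  AND n.nspname <> 'information_schema'
  AND has_schema_privilege(r.oid, n.oid, 'CREATE') -- CREATE on the schema
ORDER BY n.nspname, r.rolname;
```

Roles that appear here unexpectedly (for example a shared login role that inherited CREATE through a group) will receive default privileges under __auto__, which is worth reviewing before the first run.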

Other Changes

ldap2pg 6.0 introduces many other changes in behavior, file format, and configuration. Refer to the changelog for a more comprehensive list. The configuration format is updated to version 6, and ldap2pg 6.0 will refuse to run with a version 5 configuration file. In any case, test the synchronization in a testing environment before deploying this update.

If you’re missing a feature from ldap2pg 5, feel free to raise it on GitHub to have it reintegrated in a future minor version.

Find the documentation, procedures, and community support at these addresses:


Étienne BERSAC is the maintainer of ldap2pg, a project from Dalibo Labs. For all technical questions, the team recommends using the ldap2pg GitHub page.


DALIBO

DALIBO is the French PostgreSQL® specialist. We have offered support, training and consulting since 2005.