Paris, 3 June 2024
Dalibo announces the availability of ldap2pg 6.1. This version brings support for PostgreSQL 16 and its new non-privileged role administration. Numerous compatibility and configurability improvements make this a practical and stable version. Follow the documentation to install this new version.
Since 2017, ldap2pg has offered the best automatic roles and privileges synchronisation solution for PostgreSQL.
Configure PostgreSQL authentication with LDAP in the pg_hba.conf file, then use ldap2pg to create and configure roles from your enterprise directory.
Unprivileged execution & Postgres 16
PostgreSQL 16 introduces a major break in compatibility when it comes to delegating the administration of roles to an unprivileged user. This change is based on the observation that the previous implementation offered an illusion of security and was not consistent with the SQL standard. Indeed, with the previous implementation a user with the CREATEROLE option could de facto grant themselves rights they did not hold.
Consequently, ldap2pg 6.1 refuses to run without being a superuser on PostgreSQL up to version 15. If you use ldap2pg 6.0 with the CREATEROLE option on Postgres 15 and below, the easiest thing to do is to grant superuser rights to ldap2pg.
ldap2pg 6.1 can run with the CREATEROLE option on PostgreSQL 16, without superuser privileges. Since PostgreSQL 16, ldap2pg can only grant the rights it holds itself.
Configurability
ldap2pg 6.1 provides new configuration facilities. Since version 6.0, the ldap2pg.yml file no longer accepts PostgreSQL and LDAP access configuration. The preferred method is to use environment variables and files such as ldaprc and .pgpass. If you prefer to set the connections in a file, you can now write the environment variables in an .env file alongside the ldap2pg.yml file or in the ldap2pg working directory.
In the same way as the make and git commands, ldap2pg accepts a -C parameter which sets the working directory of the command. This directory is where ldap2pg looks for the ldap2pg.yml and ldaprc configuration files.
Finally, ldap2pg now accepts a command line argument: the connection string to the PostgreSQL instance to be synchronised. This connection string can be in URL format or in key=value format.
Compatibility
ldap2pg no longer executes the whoami LDAP command after connection to the LDAP directory. This operation is an extension of the LDAP protocol and is not available everywhere. Removing this command removes the dependency on the availability of this extension.
The LDAPURI parameter can contain several URIs separated by a space. If the first URI fails, the LDAP client must try the second. ldap2pg 6.1 corrects a regression in version 6.0 which treated this parameter as a single URI.
LDAP is a case-insensitive protocol, but only for ASCII characters. ldap2pg 6.1 is now case-insensitive for DNs and attribute names.
Execution hooks
A very old request has just been implemented in ldap2pg: the definition of an arbitrary SQL command to be executed before or after the creation of a role, for example to create a schema specific to a new user. The role rule now accepts before_create and after_create parameters. These SQL commands can receive dynamic values from the LDAP search. For security and simplicity, ldap2pg accepts two new modifiers on an LDAP attribute: .identifier() protects the value as a PostgreSQL identifier and .string() protects the value as a SQL string literal.
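As an added example, not taken from the announcement or from the ldap2pg documentation, here is a role rule that uses both hooks. It assumes the rules / ldapsearch / role layout of ldap2pg 6, a constructed directory base with cn and mail attributes, and a hypothetical provisioning_log table in the synchronised database.

```yaml
# Added example: an ldap2pg.yml role rule using the 6.1 hooks. The
# rules / ldapsearch / role layout follows ldap2pg 6; the directory base,
# the attributes cn and mail, and the provisioning_log table are
# constructed for this example.
rules:
  # A NOLOGIN parent role that every directory account inherits from.
  - role:
      name: ldap_users
      options: NOLOGIN

  # One LOGIN role per person found in the directory.
  - ldapsearch:
      base: ou=people,dc=example,dc=org
      filter: "(objectClass=inetOrgPerson)"
    role:
      name: "{cn}"
      options: LOGIN
      parents:
        - ldap_users
      # Executed before CREATE ROLE. The directory values are written as
      # SQL string literals with .string(), so a cn or mail containing a
      # quote or a semicolon cannot break out of the INSERT statement.
      before_create: >-
        INSERT INTO provisioning_log (role_name, mail, created_at)
        VALUES ({cn.string()}, {mail.string()}, now())
      # Executed after CREATE ROLE, once the role exists and can own
      # objects. The schema and role names come from cn, so they are
      # quoted as PostgreSQL identifiers with .identifier().
      after_create: >-
        CREATE SCHEMA IF NOT EXISTS {cn.identifier()}
        AUTHORIZATION {cn.identifier()}
```

On PostgreSQL 16 without superuser, the ldap2pg role itself must hold INSERT on provisioning_log and CREATE on the database for these hooks to succeed, since ldap2pg can only exercise the rights it holds.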
Continue on error
Some errors do not prevent synchronisation from continuing, for example when ldap2pg fails to drop a role that still owns objects in a database. ldap2pg 6.1 tolerates up to 8 synchronisation errors before giving up. Of course, synchronisation still ends in failure if any error has accumulated, even though ldap2pg continues to the end of the synchronisation. A synchronisation problem on one user does not affect the synchronisation of the others.
Other changes
ldap2pg is available for RHEL 9. At startup, ldap2pg displays its PID. There is a new performance metric: the time spent inspecting Postgres. See the changelog for more.
Documentation, procedures and community support can be found at the following addresses:
- Online documentation: http://ldap2pg.rtfd.io/en/latest/
- The project on GitHub: https://github.com/dalibo/ldap2pg
Étienne Bersac and Pierre-Louis Gonon maintain ldap2pg, a project of Dalibo Labs. For any technical questions, the team recommends using the ldap2pg page on GitHub.