Subject: ldap2pg 6.1: Postgres 16 unprivileged, hooks and more
To: PostgreSQL Announce
From: Dalibo via PostgreSQL Announce
Reply-To: etienne.bersac@dalibo.com
Date: Mon, 10 Jun 2024 06:52:58 +0000
Message-ID: <171800237834.20938.9181267419949704486@wrigleys.postgresql.org>

*Paris, 3 June 2024.*

Dalibo provides services, training and support to its clients in France since 2005.

Since 2017, [ldap2pg](https://labs.dalibo.com/ldap2pg) offers the best automatic roles and privileges synchronisation solution for PostgreSQL. Configure PostgreSQL authentication with LDAP in the `pg_hba.conf` file, then use ldap2pg to create and configure roles from your enterprise directory.

Today Dalibo announces the availability of ldap2pg 6.1. This version brings support for PostgreSQL 16 and its new unprivileged administration of roles. Numerous compatibility and configurability improvements make this a practical and stable version. Follow the [documentation to install](https://ldap2pg.readthedocs.io/en/latest/install/) this new version.
### Unprivileged execution & Postgres 16

PostgreSQL 16 introduced a major break in compatibility when it comes to delegating the administration of roles to an unprivileged user. This change is based on the observation that the previous implementation offered an illusion of security and was not consistent with the SQL standard. Indeed, a user with the `CREATEROLE` option can de facto grant himself rights he does not have.

Also, ldap2pg 6.1 refuses to run without being a superuser on PostgreSQL up to version 15. ldap2pg 6.1 can run with the `CREATEROLE` option on PostgreSQL 16, without superuser privileges.

### Configurability

ldap2pg 6.1 provides new configuration facilities. You can now write the environment variables in an `.env` file alongside the `ldap2pg.yml` file or in the ldap2pg working directory.

In the same way as the `make` and `git` commands, ldap2pg accepts a `-C` parameter which sets the working directory of the command. This parameter determines where the `ldap2pg.yml` and `ldaprc` configuration files are searched for.

Finally, ldap2pg now accepts a command line argument: the connection string to the PostgreSQL instance to be synchronised. This connection string can be in URL format or in key=value format.

### Compatibility

ldap2pg no longer executes the *whoami* LDAP command after connecting to the LDAP directory. This operation is an extension of the LDAP protocol and is not available everywhere. Removing this command removes the dependency on the availability of this extension.

The `LDAPURI` parameter can contain several URIs separated by a space. If the first URI fails, the LDAP client must try the second. ldap2pg 6.1 corrects a regression in version 6.0 and restores this client-side HA implementation.

LDAP is a case-insensitive protocol, but only for ASCII characters. ldap2pg 6.1 is now case insensitive for DN and attribute names.
### Execution hooks

A very old feature request has just been implemented in ldap2pg: the definition of an arbitrary SQL command to be executed before or after the creation of a role, for example to create a schema specific to a new user. The *role* rule now accepts `before_create` and `after_create` parameters. These requests can receive dynamic values from the LDAP search.

### Continue on error

Some errors should not prevent synchronisation from continuing, for example when ldap2pg fails to drop a role that still owns objects in a database. ldap2pg 6.1 tolerates up to 8 such synchronisation errors before giving up.

### Other changes

See more changes, features and fixes in the [changelog].

[changelog]: https://ldap2pg.readthedocs.io/en/latest/changelog/#ldap2pg-61

Documentation, procedures and community support can be found at the following addresses:

* Online documentation: [http://ldap2pg.rtfd.io/en/latest/](http://ldap2pg.rtfd.io/en/latest/)
* The project on GitHub: [https://github.com/dalibo/ldap2pg](https://github.com/dalibo/ldap2pg)

------------

**Étienne Bersac and Pierre-Louis Gonon develop ldap2pg, a project of [Dalibo Labs](https://labs.dalibo.com/). For any technical questions, the team recommends using the [ldap2pg page on GitHub](https://github.com/dalibo/ldap2pg/discussions).**
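As an added illustration of the "Execution hooks" section above (not part of Dalibo's announcement), here is a minimal `ldap2pg.yml` rule that gives every newly created login role its own schema through `after_create`. The `rules`/`ldapsearch`/`role` layout and the `{uid}` placeholder syntax are assumed from ldap2pg's configuration format, and the base DN and filter are constructed sample values; check both against the ldap2pg documentation before use.

```yaml
# Added example, not from the ldap2pg project: one LOGIN role per
# inetOrgPerson found in the directory, plus a per-user schema created
# right after the role. Key names other than before_create/after_create
# and the {uid} substitution are assumptions; base DN and filter are
# constructed sample values.
rules:
  - ldapsearch:
      base: ou=people,dc=example,dc=org
      # Narrow the filter: every entry that matches feeds an SQL hook,
      # so only well-formed account entries should reach this rule.
      filter: "(&(objectClass=inetOrgPerson)(uid=*))"
    role:
      name: "{uid}"
      options: LOGIN
      # Executed once, after CREATE ROLE, with {uid} taken from the LDAP
      # entry. Directory attributes end up inside an SQL statement here:
      # confirm in the docs how ldap2pg escapes the substituted value
      # before relying on it for anything beyond identifiers.
      after_create: "CREATE SCHEMA {uid} AUTHORIZATION {uid}"
```

The hook runs only when the role is created, so schemas of roles that already existed before this rule was added are not created retroactively.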
 
