Replies: 3 comments
-
Hi. In general, ldap2pg must have the privileges it will be able to grant. E.g. if you manage superusers, ldap2pg must be superuser. Note that Postgres 16 changes role management a lot. Prior to Postgres 16, CREATEROLE is considered flawed and is de facto equivalent to being superuser. This is because CREATEROLE allows escalating privileges by granting almost any other role. So I'd suggest running as superuser for Postgres 15 and waiting for ldap2pg 6.1 to be released to run unprivileged with Postgres 16. Is that clear for you? Regards,
-
Thanks for your reply. I understood that superuser is recommended (for PG 15). This issue can be closed. In my case, the owner of the DB is not a superuser so I need to run ldap2pg as superuser in order to be able to manage privileges and additional roles that inherit from the DB owner role.
-
You can inherit from DB owner with ADMIN option, that should do the trick.
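The ADMIN option setup suggested in the reply above, as an added SQL example that is not part of the original replies or of ldap2pg's own documentation. The role names `app_owner` and `ldap2pg_svc` are hypothetical and assumed to exist already; the two queries check what the service role can actually hand out.

```sql
-- Hypothetical names: app_owner owns the managed database,
-- ldap2pg_svc is the non-superuser role ldap2pg connects as.

-- Make the service role a member of the owner role and allow it to
-- grant that membership to the roles it manages.
GRANT app_owner TO ldap2pg_svc WITH ADMIN OPTION;

-- Audit 1: memberships held by the service role, and whether it may
-- grant them onward (admin_option = true).
SELECT g.rolname AS granted_role,
       m.rolname AS member,
       am.admin_option
FROM pg_auth_members am
JOIN pg_roles g ON g.oid = am.roleid
JOIN pg_roles m ON m.oid = am.member
WHERE m.rolname = 'ldap2pg_svc'
ORDER BY g.rolname;

-- Audit 2: non-superuser roles that hold CREATEROLE. Per the first reply,
-- before Postgres 16 these should be reviewed as superuser-equivalent.
SELECT rolname, rolcreaterole, rolcreatedb
FROM pg_roles
WHERE rolcreaterole AND NOT rolsuper
ORDER BY rolname;
```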
-
Good evening,
I want to run ldap2pg v6 using an unprivileged user. Next to role options CREATEDB & CREATEROLE, do I also need to grant the predefined postgres role pg_signal_backend so that ldap2pg can kill existing sessions before dropping a user?
Why is the role option CREATEDB required in v6 of ldap2pg? Does the unprivileged user have to be the owner of the managed DB or can the DB have a different owner?
Thanks,
Mat