Verify managed_roles_query
After roles are synchronized, ldap2pg could check whether postgres:managed_roles_query returns all the roles the LDAP directory defines.
Background
postgres:managed_roles_query returns the list of droppable roles and of roles whose privileges are managed. This query can be tricky with groups. If the query misses some roles, ldap2pg never sees them: they will never be dropped and their privileges will never be revoked, so stale accounts persist silently. We should help users ensure this query is correct.
A solution
After roles are synchronized, ldap2pg should re-run postgres:managed_roles_query and compare its result with the ldaproles set (the roles computed from the directory). If the two differ, the user's managed_roles_query is buggy and ldap2pg should say so.
ldap2pg should rely only on managed_roles_query to inspect privileges.
The code entrypoint is at https://github.com/dalibo/ldap2pg/blob/master/ldap2pg/manager.py#L247-L257
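The check described above, as an added example that is not ldap2pg's own code. It fakes pg_auth_members with a constructed membership table and stands in for managed_roles_query with two Python functions (a naive one that only sees direct group members, and a recursive one), then diffs each result against a constructed ldaproles set and emits the proposed warning. All names (AUTH_MEMBERS, LDAPROLES, managed_roles_direct, managed_roles_recursive, diff_managed_roles, check_managed_roles) are assumptions for this illustration:

```python
"""Added example: post-sync check that managed_roles_query covers every role
ldap2pg computed from LDAP. Not ldap2pg's own code; every name here is a
stand-in for this illustration."""
import logging
from typing import Dict, Iterable, List, Set, Tuple

logger = logging.getLogger("ldap2pg")

# Constructed stand-in for pg_auth_members as (group, member) name pairs.
# ldap_synced is the group every synced role belongs to; readers is a nested
# group, so alice belongs to ldap_synced only indirectly.
AUTH_MEMBERS: List[Tuple[str, str]] = [
    ("ldap_synced", "albert"),
    ("ldap_synced", "readers"),
    ("readers", "alice"),
]

# Constructed ldaproles: the roles ldap2pg derived from the directory.
LDAPROLES: Set[str] = {"ldap_synced", "readers", "albert", "alice"}


def managed_roles_direct(group: str, members=AUTH_MEMBERS) -> Set[str]:
    """Naive managed_roles_query: the group plus its *direct* members only.
    Mirrors a query that joins pg_auth_members once and misses nested members."""
    return {group} | {m for g, m in members if g == group}


def managed_roles_recursive(group: str, members=AUTH_MEMBERS) -> Set[str]:
    """Correct variant: the group plus all transitive members, i.e. what a
    WITH RECURSIVE over pg_auth_members would return."""
    seen = {group}
    todo = [group]
    while todo:
        g = todo.pop()
        for parent, member in members:
            if parent == g and member not in seen:
                seen.add(member)
                todo.append(member)
    return seen


def diff_managed_roles(managed: Iterable[str], ldaproles: Iterable[str]) -> Dict[str, List[str]]:
    """Compare managed_roles_query output against the LDAP-derived set."""
    managed_set, ldap_set = set(managed), set(ldaproles)
    return {
        # In LDAP but invisible to ldap2pg: never dropped, privileges never revoked.
        "missing": sorted(ldap_set - managed_set),
        # Returned by the query but not wanted by LDAP: should have been dropped.
        "unexpected": sorted(managed_set - ldap_set),
    }


def check_managed_roles(managed: Iterable[str], ldaproles: Iterable[str]) -> bool:
    """Log the warning the issue proposes; return True when both sets agree."""
    diff = diff_managed_roles(managed, ldaproles)
    if diff["missing"]:
        logger.warning(
            "managed_roles_query does not return all created roles: %s. "
            "You should review it.", ", ".join(diff["missing"]))
    if diff["unexpected"]:
        logger.warning(
            "managed_roles_query returns roles not wanted by LDAP: %s.",
            ", ".join(diff["unexpected"]))
    return not diff["missing"] and not diff["unexpected"]


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(levelname)s: %(message)s")
    # The naive query misses alice (nested member); the recursive one does not.
    print("naive query ok:", check_managed_roles(managed_roles_direct("ldap_synced"), LDAPROLES))
    print("recursive query ok:", check_managed_roles(managed_roles_recursive("ldap_synced"), LDAPROLES))
```

In the real implementation the comparison would run after the drop phase, so any difference in either direction is a configuration problem worth surfacing; roles ldap2pg is configured to ignore would have to be excluded from both sides before diffing.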
Output would look like:
```console
$ ldap2pg
Starting ldap2pg 4.5.
Using .../docs/ldap2pg.minimal.yml.
Running in real mode.
Inspecting Postgres roles...
Querying LDAP ou=people,dc=ldap,dc=lda... (objectClass...
Create albert.
...
managed_roles_query does not return all created roles. You should review it.
Synchronization complete.
$
```
Tasks
- [ ] Review synchronisation logic to reinspect managed roles and compare
- [ ] Ensure it's unit tested
- [ ] Maybe document this in docs/roles.md and point to the section in the log message
I offer mentorship to this contribution :-)