ldap2pg
fix for pg16.
Hi,
CREATEROLE privileges are restricted in PG16, so the ldap2pg user could not grant ADMIN OPTION to himself when ldap2pg is executed by a non-superuser. Moreover, a non-superuser needs INHERIT OPTION to modify default privileges.
I am sending this PR to resolve this issue. Thoughts?
However, I think this fix is not a good way because granting ADMIN OPTION to all roles managed by ldap2pg is inconvenient. Thus, in PG16, restricting the user executing ldap2pg to superuser is highly convenient. What do you think?
Hi @kato-sho, thanks for the report and the patch.
The subject looks tricky.
Should we consider https://www.postgresql.org/docs/16/runtime-config-client.html#GUC-CREATEROLE-SELF-GRANT ?
Hi @kato-sho. I worked on this, and Postgres 16 deeply changed how an unprivileged user creator should run. Actually, CREATEROLE is considered flawed until Postgres 16.
Can you review #593?
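The `createrole_self_grant` setting linked in the thread can be tried out as follows. This is an added example, not code from the ldap2pg project or from any participant in the thread. The role names `ldap2pg_manager`, `app_owner` and `app_reader` are hypothetical, and the statements assume a PostgreSQL 16 session opened as a superuser.

```sql
-- Hypothetical non-superuser role that would run ldap2pg.
CREATE ROLE ldap2pg_manager LOGIN CREATEROLE;

-- Persist the setting for that role's future logins, so roles it creates
-- are also granted back to it WITH SET and WITH INHERIT.
ALTER ROLE ldap2pg_manager SET createrole_self_grant = 'set, inherit';

-- Simulate the manager in this session. ALTER ROLE ... SET is applied at
-- login only, so the setting is repeated here after SET ROLE.
SET ROLE ldap2pg_manager;
SET createrole_self_grant = 'set, inherit';

-- Hypothetical roles created by the manager.
CREATE ROLE app_owner NOLOGIN;
CREATE ROLE app_reader NOLOGIN;

-- Inspect the memberships recorded for the creator: compare grantor,
-- admin_option, inherit_option and set_option on each row.
SELECT roleid::regrole  AS role,
       member::regrole  AS member,
       grantor::regrole AS grantor,
       admin_option,
       inherit_option,
       set_option
FROM pg_auth_members
WHERE roleid IN ('app_owner'::regrole, 'app_reader'::regrole)
ORDER BY 1, 3;

-- The operation the first comment says needs INHERIT: changing default
-- privileges on behalf of a managed role, while still a non-superuser.
ALTER DEFAULT PRIVILEGES FOR ROLE app_owner
    GRANT SELECT ON TABLES TO app_reader;

RESET ROLE;

-- Clean up the hypothetical roles (default privileges first).
ALTER DEFAULT PRIVILEGES FOR ROLE app_owner
    REVOKE SELECT ON TABLES FROM app_reader;
DROP ROLE app_reader, app_owner, ldap2pg_manager;
```

Running the same statements without the two `createrole_self_grant` lines shows the behaviour the first comment ran into, which is a useful baseline before deciding whether the synchronizing role needs superuser at all.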