Hi @waxo0o, thanks for the feedback. Are you running Postgres 16 or later? Did you try 6.2? It has a lot of fixes regarding unprivileged execution. Please confirm the issue with 6.2.
Hi,
we are currently setting up an AWS RDS instance with Kerberos authentication enabled. I am trying to configure ldap2pg to sync user creation from an AD.
As you may know, RDS doesn't provide you with a superuser, so ldap2pg has to run unprivileged. We are still on Postgres 14, so I am running ldap2pg v6.0.
The ldapsearch part is unproblematic. I create the users with their full domain as found in a key in the AD.
I am setting the parent to rds_ad, because this tells RDS to authenticate this role with Kerberos against the AD. The problem comes from the fact that ldap2pg in unprivileged mode (at least in v6.0) grants the created role to the CURRENT_USER for management purposes. Via inheritance ldap2pg_user > CREATED_ROLE > rds_ad, the rds_ad role is also granted to ldap2pg_user. A subsequent run of ldap2pg fails, because RDS wants to authenticate the ldap2pg_user with Kerberos against the AD, where it doesn't exist.
The only solution I came up with until now is to drop ldap2pg_user after each ldap2pg run and recreate it before the next one, which seems bad. Can anyone think of a better option for me?
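The membership chain described in the post, reproduced as an added example on a scratch Postgres 14 cluster (this is not ldap2pg's own code and does not talk to RDS; the role names ldap2pg_user, rds_ad, "alice@EXAMPLE.COM" and the password are assumptions for illustration). It performs by hand the two steps the post attributes to ldap2pg in unprivileged mode, then runs the check a practitioner would want before the next sync: does the sync role now, directly or transitively, belong to rds_ad, and through which path?

```sql
-- Run as a superuser on a throwaway cluster. Added example, not ldap2pg code.

-- Stand-in for the RDS-managed parent role. On RDS, membership in rds_ad
-- makes RDS authenticate the role with Kerberos; here it is a plain role.
CREATE ROLE rds_ad NOLOGIN;

-- The unprivileged role ldap2pg runs as (assumed name and password).
-- CREATEROLE is what lets it create and grant roles on Postgres 14.
CREATE ROLE ldap2pg_user LOGIN CREATEROLE PASSWORD 'sync-secret';

-- Step 1, as the sync role: create the AD user with rds_ad as its parent.
SET ROLE ldap2pg_user;
CREATE ROLE "alice@EXAMPLE.COM" LOGIN IN ROLE rds_ad;

-- Step 2, as the sync role: grant the new role to CURRENT_USER so it can
-- be managed later. This is the grant the post identifies as the cause.
GRANT "alice@EXAMPLE.COM" TO ldap2pg_user;
RESET ROLE;

-- Check 1: direct or indirect membership of the sync role in rds_ad.
-- 'MEMBER' follows inheritance, so this reflects what RDS would see.
SELECT pg_has_role('ldap2pg_user', 'rds_ad', 'MEMBER') AS sync_role_in_rds_ad;

-- Check 2: list every membership path from the sync role to rds_ad, so
-- the role that carried the grant (here "alice@EXAMPLE.COM") is visible.
WITH RECURSIVE chain AS (
    SELECT m.member,
           m.roleid,
           ARRAY[m.member::regrole::text, m.roleid::regrole::text] AS path
    FROM pg_auth_members m
    WHERE m.member = 'ldap2pg_user'::regrole
  UNION ALL
    SELECT m.member,
           m.roleid,
           c.path || m.roleid::regrole::text
    FROM pg_auth_members m
    JOIN chain c ON m.member = c.roleid
)
SELECT array_to_string(path, ' > ') AS membership_path
FROM chain
WHERE roleid = 'rds_ad'::regrole;

-- Check 3: direct grants only, to confirm rds_ad was never granted to the
-- sync role explicitly; the membership above comes purely from inheritance.
SELECT roleid::regrole AS granted_role
FROM pg_auth_members
WHERE member = 'ldap2pg_user'::regrole;
```

After the two steps, check 1 returns true and check 2 lists the path ldap2pg_user > "alice@EXAMPLE.COM" > rds_ad, while check 3 shows only "alice@EXAMPLE.COM" as a direct grant. Running check 1 against the real instance after a sync is a cheap way to tell whether the sync role has picked up rds_ad before its next login fails.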