You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I'd like to configure ldap2pg to connect with a role that doesn't own the database, instead opting to grant it admin over the managed roles (this is a PG >= 16 feature).
For example
CREATE ROLE role_admin WITH LOGIN CREATEROLE;
GRANT CONNECT ON DATABASE mydatabase TO role_admin WITH GRANT OPTION;
GRANT reader, editor TO role_admin WITH ADMIN TRUE, SET FALSE, INHERIT FALSE;
I'd expect in this case, ldap2pg would be able to manage the reader and editor roles, but it fails with default database not listed:
msg="Inspecting managed databases." config=databases_query
msg="Executing SQL query:\nSELECT datname FROM pg_catalog.pg_database WHERE datname = 'mydatabase' ORDER BY 1;"
msg="Inspecting database owners."
msg="Executing SQL query:\nSELECT datname, rolname\nFROM pg_catalog.pg_database\nJOIN pg_catalog.pg_roles\n ON pg_catalog.pg_roles.oid = datdba\n -- Ensure ldap2pg can reassign to owner.\nWHERE pg_has_role(CURRENT_USER, datdba, 'USAGE')\nORDER BY 1;\n"
msg="Closing Postgres global connection." database=mydatabase
msg="Fatal error." err="databases: default database not listed"
The first query is in the yaml as postgres.databases_query, but the second query appears to be hard-coded. It would help if I could override this in the yaml
This is half bug report / half feature request.
I'd like to configure ldap2pg to connect with a role that doesn't own the database, instead opting to grant it admin over the managed roles (this is a PG >= 16 feature).
For example
I'd expect in this case, ldap2pg would be able to manage the reader and editor roles, but it fails with
default database not listed
:ldap2pg/internal/inspect/stage1.go
Line 76 in 43c2f11
https://github.com/dalibo/ldap2pg/blob/master/internal/inspect/sql/databases.sql
ldap2pg did succeed after I granted role_admin the datdba role, but I'd prefer to operate at the lowest level of privilege possible.
Is this something the project would consider supporting?
The text was updated successfully, but these errors were encountered: