ldap2pg 6.1: Postgres 16 unprivileged, hooks and more

From: Dalibo via PostgreSQL Announce <announce-noreply(at)postgresql(dot)org>
To: PostgreSQL Announce <pgsql-announce(at)lists(dot)postgresql(dot)org>
Subject: ldap2pg 6.1: Postgres 16 unprivileged, hooks and more
Date: 2024-06-10 06:52:58
Message-ID: 171800237834.20938.9181267419949704486@wrigleys.postgresql.org
Lists: pgsql-announce

*Paris, 3 June 2024.*

Dalibo has provided services, training and support to its clients in France since 2005.

Since 2017, [ldap2pg](https://labs.dalibo.com/ldap2pg) has offered the best automatic role and privilege synchronisation solution for PostgreSQL.
Configure PostgreSQL authentication against LDAP in the `pg_hba.conf` file, then use ldap2pg to create and configure roles from your enterprise directory.

Today Dalibo announces the availability of ldap2pg 6.1.
This version brings support for PostgreSQL 16
and its new unprivileged administration of roles.
Numerous compatibility and configurability improvements make this a practical and stable release.
Follow the [documentation to install](https://ldap2pg.readthedocs.io/en/latest/install/) this new version.


### Unprivileged execution & Postgres 16

PostgreSQL 16 introduced a major compatibility break in how the administration of roles
is delegated to an unprivileged user.
The change is motivated by the observation that the previous implementation
offered only an illusion of security
and was not consistent with the SQL standard:
a user with the `CREATEROLE` option could de facto grant itself rights it did not have.

Consequently, ldap2pg 6.1 refuses to run without superuser privileges on PostgreSQL up to version 15.
On PostgreSQL 16, ldap2pg 6.1 can run with the `CREATEROLE` option alone,
without superuser privileges.

### Configurability

ldap2pg 6.1 provides new configuration facilities.
You can now write the environment variables in an `.env` file alongside the `ldap2pg.yml` file
or in the ldap2pg working directory.

Like the `make` and `git` commands,
ldap2pg accepts a `-C` parameter that sets the working directory of the command.
This directory is where ldap2pg looks for the `ldap2pg.yml` and `ldaprc` configuration files.

Finally, ldap2pg now accepts a command line argument:
the connection string of the PostgreSQL instance to synchronise.
The connection string can be in URL format or in key=value format.

### Compatibility

ldap2pg no longer issues the LDAP *whoami* operation after connecting to the directory.
This operation is an extension of the LDAP protocol and is not available on every server.
Dropping it removes the dependency on the availability of that extension.

The `LDAPURI` parameter can contain several URIs separated by spaces.
If the first URI fails, the LDAP client should try the next one.
ldap2pg 6.1 fixes a regression introduced in version 6.0 and restores this client-side HA behaviour.

LDAP is a case-insensitive protocol,
but only for ASCII characters.
ldap2pg 6.1 is now case-insensitive for DNs and attribute names.

### Execution hooks

A very old feature request has finally been implemented in ldap2pg:
an arbitrary SQL command to be executed before or after the creation of a role,
for example to create a schema specific to the new user.
The *role* rule now accepts the `before_create` and `after_create` parameters.
These commands can receive dynamic values from the LDAP search.
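An added example `ldap2pg.yml` (not from the announcement or the project's own documentation) that uses the new hooks to give each directory user a private schema and to record creations in an audit table. The `ldapsearch` base and filter, the `admin.role_audit` table and the `{uid}` templating of the hook SQL (assumed to follow the same format as the role `name`) are assumptions.

```yaml
# Added example: synchronise login roles from LDAP with 6.1 creation hooks.
# Directory layout, filter and the audit table are constructed for this example.
version: 6

rules:
  # Group role first, so the users created below can be made members of it.
- role:
    name: app_readers
    options: NOLOGIN

  # One LOGIN role per matching directory entry.
- ldapsearch:
    base: ou=people,dc=example,dc=org
    # Keep the filter narrow: the uid attribute flows into the hook SQL below,
    # so only entries you trust should match.
    filter: "(&(objectClass=inetOrgPerson)(memberOf=cn=dba,ou=groups,dc=example,dc=org))"
  role:
    name: "{uid}"
    options: LOGIN
    parents:
    - app_readers
    # Runs before CREATE ROLE; the role does not exist yet, so only record intent.
    # admin.role_audit is an assumed table: CREATE TABLE admin.role_audit (role_name text, created_at timestamptz)
    before_create: "INSERT INTO admin.role_audit (role_name, created_at) VALUES ('{uid}', now())"
    # Runs after CREATE ROLE; the role can now own its private schema.
    # The identifier is double-quoted so mixed-case or unusual uids stay intact.
    after_create: "CREATE SCHEMA IF NOT EXISTS \"{uid}\" AUTHORIZATION \"{uid}\""
```

Run it with `ldap2pg -C /etc/ldap2pg 'host=db user=ldap2pg dbname=postgres'` (path and connection string assumed); on PostgreSQL 16 the `ldap2pg` role needs only `CREATEROLE`, as the announcement states.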

### Continue on error

Some errors should not stop the synchronisation.
For example, ldap2pg may fail to drop a role that still owns objects in a database.
ldap2pg 6.1 tolerates up to 8 such synchronisation errors before giving up.

### Other changes

See more changes, features and fixes in [changelog].

[changelog]: https://ldap2pg.readthedocs.io/en/latest/changelog/#ldap2pg-61

Documentation, procedures and community support can be found at the following addresses:

* Online documentation: [http://ldap2pg.rtfd.io/en/latest/](http://ldap2pg.rtfd.io/en/latest/)
* The project on GitHub: [https://github.com/dalibo/ldap2pg](https://github.com/dalibo/ldap2pg)

------------

**Étienne Bersac and Pierre-Louis Gonon develop ldap2pg, a project of [Dalibo Labs](https://labs.dalibo.com/).
For any technical questions, the team recommends using the [ldap2pg page on GitHub](https://github.com/dalibo/ldap2pg/discussions).**
