ldap2pg 6.5.1 manages some roles on a postgres 17 cluster, including the public pseudo-role. I'd like to grant everyone the CONNECT privilege on the postgres database, but adding a grant like this fails:
- grant:
    databases: postgres
    privileges: user
    role: public
(see full ldap2pg.yml)
It fails with the following error (see the logs in DEBUG mode for more information):
2025-12-11 09:52:37.154 time=2025-12-11T10:52:37.154+01:00 level=INFO msg="Starting ldap2pg" version=6.5.1 commit=fe04c0e4 runtime=go1.25.1 pid=296
2025-12-11 09:52:37.154 time=2025-12-11T10:52:37.154+01:00 level=INFO msg="Using YAML configuration file." path=/secrets/ldap2pg/ldap2pg.yml
2025-12-11 09:52:37.156 time=2025-12-11T10:52:37.156+01:00 level=INFO msg="Real mode. Postgres instance will be modified."
2025-12-11 09:52:37.171 time=2025-12-11T10:52:37.171+01:00 level=INFO msg="Running as superuser." user=postgres super=true server="PostgreSQL 17.6" cluster=postgres database=postgres
2025-12-11 09:52:37.171 time=2025-12-11T10:52:37.171+01:00 level=ERROR msg="Generated grant on unwanted role." grant="CONNECT ON DATABASE postgres TO public" role=public
2025-12-11 09:52:37.171 time=2025-12-11T10:52:37.171+01:00 level=ERROR msg="Generated grant on unwanted role." grant="USAGE ON SCHEMA __all__ TO public" role=public
2025-12-11 09:52:37.171 time=2025-12-11T10:52:37.171+01:00 level=ERROR msg="Fatal error." err="grant on unknown role\ngrant on unknown role"
2025-12-11 09:52:37.171 time=2025-12-11T10:52:37.171+01:00 level=ERROR msg="Run ldap2pg with --verbose to get more informations."
The public role is included in managed_roles_query:
postgres:
  managed_roles_query: |
    VALUES
      ('public'),
      ('managed_roles')
    UNION
    SELECT DISTINCT role.rolname
    FROM pg_roles AS role
    JOIN pg_auth_members AS ms ON ms.member = role.oid
    JOIN pg_roles AS parent
      ON parent.rolname = 'managed_roles' AND parent.oid = ms.roleid
    ORDER BY 1;
ldap2pg.yml
postgres:
  managed_roles_query: |
    VALUES
      ('public'),
      ('managed_roles')
    UNION
    SELECT DISTINCT role.rolname
    FROM pg_roles AS role
    JOIN pg_auth_members AS ms ON ms.member = role.oid
    JOIN pg_roles AS parent
      ON parent.rolname = 'managed_roles' AND parent.oid = ms.roleid
    ORDER BY 1;
privileges:
  owner:
    - writer
    - __create_on_schemas__
    - __truncate_on_tables__
  reader:
    - user
    - __select_on_tables__
    - __select_on_sequences__
    - __usage_on_sequences__
  rewinder:
    - __connect__
    - __execute_on_routines__
    - __execute_on_functions__
  user:
    - __connect__
    - __usage_on_schemas__
  writer:
    - reader
    - __temporary__
    - __insert_on_tables__
    - __update_on_tables__
    - __delete_on_tables__
    - __update_on_sequences__
    - __execute_on_routines__
    - __execute_on_functions__
    - __trigger_on_tables__
version: 6
rules:
  - roles:
      - comment: Parent role for all ldap2pg managed roles
        name: managed_roles
      - comment: Parent role for LDAP synced roles
        name: ldap_roles
        options: NOLOGIN
        parents:
          - managed_roles
      - comment: DB backup
        name: backup
        options: LOGIN REPLICATION
        parents:
          - pg_read_all_data
          - managed_roles
      - comment: Databases admins
        name: dba
        options: SUPERUSER NOLOGIN
        parents:
          - managed_roles
      - comment: Databases rewinder
        name: rewind
        options: LOGIN
        parents:
          - managed_roles
      - comment: Databases monitor
        name: monitor
        options: LOGIN
        parents:
          - managed_roles
          - pg_monitor
      - comment: Hashicorp Vault
        name: vault
        options: SUPERUSER LOGIN
        parents:
          - managed_roles
  - grant:
      databases: postgres
      privileges: reader
      role: vault
  - grant:
      privileges: user
      role: monitor
  - grant:
      databases: postgres
      privileges: rewinder
      role: rewind
  - grant:
      privileges: owner
      role: dba
  # This is the grant I'm trying to add, and which fails
  - grant:
      databases: postgres
      privileges: user
      role: public
Expectations
- I would expect ldap2pg to issue a GRANT CONNECT ON DATABASE postgres TO public; (which works if issued manually, but is reverted if I re-run ldap2pg without the problematic grant)
- ldap2pg fails (saying the role is unknown)
Verbose output of ldap2pg execution
2025-12-11 10:01:20.227 time=2025-12-11T11:01:20.227+01:00 level=INFO msg="Starting ldap2pg" version=6.5.1 commit=fe04c0e4 runtime=go1.25.1 pid=295
2025-12-11 10:01:20.228 time=2025-12-11T11:01:20.227+01:00 level=INFO msg="Using YAML configuration file." path=/secrets/ldap2pg/ldap2pg.yml
2025-12-11 10:01:20.228 time=2025-12-11T11:01:20.227+01:00 level=DEBUG msg="Loading YAML configuration."
2025-12-11 10:01:20.230 time=2025-12-11T11:01:20.229+01:00 level=DEBUG msg="Dumping normalized YAML to stderr."
2025-12-11 10:01:20.230 postgres:
2025-12-11 10:01:20.230 managed_roles_query: |
2025-12-11 10:01:20.230 VALUES
2025-12-11 10:01:20.230 ('public'),
2025-12-11 10:01:20.230 ('managed_roles')
2025-12-11 10:01:20.230
2025-12-11 10:01:20.230 UNION
2025-12-11 10:01:20.230
2025-12-11 10:01:20.230 SELECT DISTINCT role.rolname
2025-12-11 10:01:20.230 FROM pg_roles AS role
2025-12-11 10:01:20.230 JOIN pg_auth_members AS ms ON ms.member = role.oid
2025-12-11 10:01:20.230 JOIN pg_roles AS parent
2025-12-11 10:01:20.230 ON parent.rolname = 'managed_roles' AND parent.oid = ms.roleid
2025-12-11 10:01:20.230 ORDER BY 1;
2025-12-11 10:01:20.230 privileges:
2025-12-11 10:01:20.230 owner:
2025-12-11 10:01:20.230 - "on": SCHEMA
2025-12-11 10:01:20.230 type: CREATE
2025-12-11 10:01:20.230 - object: TABLES
2025-12-11 10:01:20.230 "on": GLOBAL DEFAULT
2025-12-11 10:01:20.230 type: TRUNCATE
2025-12-11 10:01:20.230 - object: TABLES
2025-12-11 10:01:20.230 "on": SCHEMA DEFAULT
2025-12-11 10:01:20.230 type: TRUNCATE
2025-12-11 10:01:20.230 - "on": ALL TABLES IN SCHEMA
2025-12-11 10:01:20.230 type: TRUNCATE
2025-12-11 10:01:20.230 - object: TABLES
2025-12-11 10:01:20.230 "on": GLOBAL DEFAULT
2025-12-11 10:01:20.230 type: DELETE
2025-12-11 10:01:20.230 - object: TABLES
2025-12-11 10:01:20.230 "on": SCHEMA DEFAULT
2025-12-11 10:01:20.230 type: DELETE
2025-12-11 10:01:20.230 - "on": ALL TABLES IN SCHEMA
2025-12-11 10:01:20.230 type: DELETE
2025-12-11 10:01:20.230 - "on": ALL FUNCTIONS IN SCHEMA
2025-12-11 10:01:20.230 type: EXECUTE
2025-12-11 10:01:20.230 - object: ROUTINES
2025-12-11 10:01:20.230 "on": GLOBAL DEFAULT
2025-12-11 10:01:20.230 type: EXECUTE
2025-12-11 10:01:20.230 - object: ROUTINES
2025-12-11 10:01:20.230 "on": SCHEMA DEFAULT
2025-12-11 10:01:20.230 type: EXECUTE
2025-12-11 10:01:20.230 - "on": ALL ROUTINES IN SCHEMA
2025-12-11 10:01:20.230 type: EXECUTE
2025-12-11 10:01:20.230 - object: TABLES
2025-12-11 10:01:20.230 "on": GLOBAL DEFAULT
2025-12-11 10:01:20.230 type: INSERT
2025-12-11 10:01:20.230 - object: TABLES
2025-12-11 10:01:20.230 "on": SCHEMA DEFAULT
2025-12-11 10:01:20.230 type: INSERT
2025-12-11 10:01:20.230 - "on": ALL TABLES IN SCHEMA
2025-12-11 10:01:20.230 type: INSERT
2025-12-11 10:01:20.230 - "on": DATABASE
2025-12-11 10:01:20.230 type: TEMPORARY
2025-12-11 10:01:20.230 - object: TABLES
2025-12-11 10:01:20.230 "on": GLOBAL DEFAULT
2025-12-11 10:01:20.230 type: TRIGGER
2025-12-11 10:01:20.230 - object: TABLES
2025-12-11 10:01:20.230 "on": SCHEMA DEFAULT
2025-12-11 10:01:20.230 type: TRIGGER
2025-12-11 10:01:20.230 - "on": ALL TABLES IN SCHEMA
2025-12-11 10:01:20.230 type: TRIGGER
2025-12-11 10:01:20.230 - object: SEQUENCES
2025-12-11 10:01:20.230 "on": GLOBAL DEFAULT
2025-12-11 10:01:20.230 type: UPDATE
2025-12-11 10:01:20.230 - object: SEQUENCES
2025-12-11 10:01:20.230 "on": SCHEMA DEFAULT
2025-12-11 10:01:20.230 type: UPDATE
2025-12-11 10:01:20.230 - "on": ALL SEQUENCES IN SCHEMA
2025-12-11 10:01:20.230 type: UPDATE
2025-12-11 10:01:20.230 - object: TABLES
2025-12-11 10:01:20.230 "on": GLOBAL DEFAULT
2025-12-11 10:01:20.230 type: UPDATE
2025-12-11 10:01:20.230 - object: TABLES
2025-12-11 10:01:20.230 "on": SCHEMA DEFAULT
2025-12-11 10:01:20.230 type: UPDATE
2025-12-11 10:01:20.230 - "on": ALL TABLES IN SCHEMA
2025-12-11 10:01:20.230 type: UPDATE
2025-12-11 10:01:20.230 - object: SEQUENCES
2025-12-11 10:01:20.230 "on": GLOBAL DEFAULT
2025-12-11 10:01:20.230 type: SELECT
2025-12-11 10:01:20.230 - object: SEQUENCES
2025-12-11 10:01:20.230 "on": SCHEMA DEFAULT
2025-12-11 10:01:20.230 type: SELECT
2025-12-11 10:01:20.230 - "on": ALL SEQUENCES IN SCHEMA
2025-12-11 10:01:20.230 type: SELECT
2025-12-11 10:01:20.230 - object: TABLES
2025-12-11 10:01:20.230 "on": GLOBAL DEFAULT
2025-12-11 10:01:20.230 type: SELECT
2025-12-11 10:01:20.230 - object: TABLES
2025-12-11 10:01:20.230 "on": SCHEMA DEFAULT
2025-12-11 10:01:20.230 type: SELECT
2025-12-11 10:01:20.230 - "on": ALL TABLES IN SCHEMA
2025-12-11 10:01:20.230 type: SELECT
2025-12-11 10:01:20.230 - object: SEQUENCES
2025-12-11 10:01:20.230 "on": GLOBAL DEFAULT
2025-12-11 10:01:20.230 type: USAGE
2025-12-11 10:01:20.230 - object: SEQUENCES
2025-12-11 10:01:20.230 "on": SCHEMA DEFAULT
2025-12-11 10:01:20.230 type: USAGE
2025-12-11 10:01:20.230 - "on": ALL SEQUENCES IN SCHEMA
2025-12-11 10:01:20.230 type: USAGE
2025-12-11 10:01:20.230 - "on": DATABASE
2025-12-11 10:01:20.230 type: CONNECT
2025-12-11 10:01:20.230 - "on": SCHEMA
2025-12-11 10:01:20.230 type: USAGE
2025-12-11 10:01:20.230 reader:
2025-12-11 10:01:20.230 - object: SEQUENCES
2025-12-11 10:01:20.230 "on": GLOBAL DEFAULT
2025-12-11 10:01:20.230 type: SELECT
2025-12-11 10:01:20.230 - object: SEQUENCES
2025-12-11 10:01:20.230 "on": SCHEMA DEFAULT
2025-12-11 10:01:20.230 type: SELECT
2025-12-11 10:01:20.230 - "on": ALL SEQUENCES IN SCHEMA
2025-12-11 10:01:20.230 type: SELECT
2025-12-11 10:01:20.230 - object: TABLES
2025-12-11 10:01:20.230 "on": GLOBAL DEFAULT
2025-12-11 10:01:20.230 type: SELECT
2025-12-11 10:01:20.230 - object: TABLES
2025-12-11 10:01:20.230 "on": SCHEMA DEFAULT
2025-12-11 10:01:20.230 type: SELECT
2025-12-11 10:01:20.230 - "on": ALL TABLES IN SCHEMA
2025-12-11 10:01:20.230 type: SELECT
2025-12-11 10:01:20.230 - object: SEQUENCES
2025-12-11 10:01:20.230 "on": GLOBAL DEFAULT
2025-12-11 10:01:20.230 type: USAGE
2025-12-11 10:01:20.230 - object: SEQUENCES
2025-12-11 10:01:20.230 "on": SCHEMA DEFAULT
2025-12-11 10:01:20.230 type: USAGE
2025-12-11 10:01:20.230 - "on": ALL SEQUENCES IN SCHEMA
2025-12-11 10:01:20.230 type: USAGE
2025-12-11 10:01:20.230 - "on": DATABASE
2025-12-11 10:01:20.230 type: CONNECT
2025-12-11 10:01:20.230 - "on": SCHEMA
2025-12-11 10:01:20.230 type: USAGE
2025-12-11 10:01:20.230 rewinder:
2025-12-11 10:01:20.230 - "on": DATABASE
2025-12-11 10:01:20.230 type: CONNECT
2025-12-11 10:01:20.230 - "on": ALL FUNCTIONS IN SCHEMA
2025-12-11 10:01:20.230 type: EXECUTE
2025-12-11 10:01:20.230 - object: ROUTINES
2025-12-11 10:01:20.230 "on": GLOBAL DEFAULT
2025-12-11 10:01:20.230 type: EXECUTE
2025-12-11 10:01:20.230 - object: ROUTINES
2025-12-11 10:01:20.230 "on": SCHEMA DEFAULT
2025-12-11 10:01:20.230 type: EXECUTE
2025-12-11 10:01:20.230 - "on": ALL ROUTINES IN SCHEMA
2025-12-11 10:01:20.230 type: EXECUTE
2025-12-11 10:01:20.230 user:
2025-12-11 10:01:20.230 - "on": DATABASE
2025-12-11 10:01:20.230 type: CONNECT
2025-12-11 10:01:20.230 - "on": SCHEMA
2025-12-11 10:01:20.230 type: USAGE
2025-12-11 10:01:20.230 writer:
2025-12-11 10:01:20.230 - object: TABLES
2025-12-11 10:01:20.230 "on": GLOBAL DEFAULT
2025-12-11 10:01:20.230 type: DELETE
2025-12-11 10:01:20.230 - object: TABLES
2025-12-11 10:01:20.230 "on": SCHEMA DEFAULT
2025-12-11 10:01:20.230 type: DELETE
2025-12-11 10:01:20.230 - "on": ALL TABLES IN SCHEMA
2025-12-11 10:01:20.230 type: DELETE
2025-12-11 10:01:20.230 - "on": ALL FUNCTIONS IN SCHEMA
2025-12-11 10:01:20.230 type: EXECUTE
2025-12-11 10:01:20.230 - object: ROUTINES
2025-12-11 10:01:20.230 "on": GLOBAL DEFAULT
2025-12-11 10:01:20.230 type: EXECUTE
2025-12-11 10:01:20.230 - object: ROUTINES
2025-12-11 10:01:20.230 "on": SCHEMA DEFAULT
2025-12-11 10:01:20.230 type: EXECUTE
2025-12-11 10:01:20.230 - "on": ALL ROUTINES IN SCHEMA
2025-12-11 10:01:20.230 type: EXECUTE
2025-12-11 10:01:20.230 - object: TABLES
2025-12-11 10:01:20.230 "on": GLOBAL DEFAULT
2025-12-11 10:01:20.230 type: INSERT
2025-12-11 10:01:20.230 - object: TABLES
2025-12-11 10:01:20.230 "on": SCHEMA DEFAULT
2025-12-11 10:01:20.230 type: INSERT
2025-12-11 10:01:20.230 - "on": ALL TABLES IN SCHEMA
2025-12-11 10:01:20.230 type: INSERT
2025-12-11 10:01:20.230 - "on": DATABASE
2025-12-11 10:01:20.230 type: TEMPORARY
2025-12-11 10:01:20.230 - object: TABLES
2025-12-11 10:01:20.230 "on": GLOBAL DEFAULT
2025-12-11 10:01:20.230 type: TRIGGER
2025-12-11 10:01:20.230 - object: TABLES
2025-12-11 10:01:20.230 "on": SCHEMA DEFAULT
2025-12-11 10:01:20.230 type: TRIGGER
2025-12-11 10:01:20.230 - "on": ALL TABLES IN SCHEMA
2025-12-11 10:01:20.230 type: TRIGGER
2025-12-11 10:01:20.230 - object: SEQUENCES
2025-12-11 10:01:20.230 "on": GLOBAL DEFAULT
2025-12-11 10:01:20.230 type: UPDATE
2025-12-11 10:01:20.230 - object: SEQUENCES
2025-12-11 10:01:20.230 "on": SCHEMA DEFAULT
2025-12-11 10:01:20.230 type: UPDATE
2025-12-11 10:01:20.230 - "on": ALL SEQUENCES IN SCHEMA
2025-12-11 10:01:20.230 type: UPDATE
2025-12-11 10:01:20.230 - object: TABLES
2025-12-11 10:01:20.230 "on": GLOBAL DEFAULT
2025-12-11 10:01:20.230 type: UPDATE
2025-12-11 10:01:20.230 - object: TABLES
2025-12-11 10:01:20.230 "on": SCHEMA DEFAULT
2025-12-11 10:01:20.230 type: UPDATE
2025-12-11 10:01:20.230 - "on": ALL TABLES IN SCHEMA
2025-12-11 10:01:20.230 type: UPDATE
2025-12-11 10:01:20.230 - object: SEQUENCES
2025-12-11 10:01:20.230 "on": GLOBAL DEFAULT
2025-12-11 10:01:20.230 type: SELECT
2025-12-11 10:01:20.230 - object: SEQUENCES
2025-12-11 10:01:20.230 "on": SCHEMA DEFAULT
2025-12-11 10:01:20.230 type: SELECT
2025-12-11 10:01:20.230 - "on": ALL SEQUENCES IN SCHEMA
2025-12-11 10:01:20.230 type: SELECT
2025-12-11 10:01:20.230 - object: TABLES
2025-12-11 10:01:20.230 "on": GLOBAL DEFAULT
2025-12-11 10:01:20.230 type: SELECT
2025-12-11 10:01:20.230 - object: TABLES
2025-12-11 10:01:20.230 "on": SCHEMA DEFAULT
2025-12-11 10:01:20.231 type: SELECT
2025-12-11 10:01:20.231 - "on": ALL TABLES IN SCHEMA
2025-12-11 10:01:20.231 type: SELECT
2025-12-11 10:01:20.231 - object: SEQUENCES
2025-12-11 10:01:20.231 "on": GLOBAL DEFAULT
2025-12-11 10:01:20.231 type: USAGE
2025-12-11 10:01:20.231 - object: SEQUENCES
2025-12-11 10:01:20.231 "on": SCHEMA DEFAULT
2025-12-11 10:01:20.231 type: USAGE
2025-12-11 10:01:20.231 - "on": ALL SEQUENCES IN SCHEMA
2025-12-11 10:01:20.231 type: USAGE
2025-12-11 10:01:20.231 - "on": DATABASE
2025-12-11 10:01:20.231 type: CONNECT
2025-12-11 10:01:20.231 - "on": SCHEMA
2025-12-11 10:01:20.231 type: USAGE
2025-12-11 10:01:20.231 rules:
2025-12-11 10:01:20.231 - description: ""
2025-12-11 10:01:20.231 grants: []
2025-12-11 10:01:20.231 ldapsearch:
2025-12-11 10:01:20.231 filter: (objectClass=*)
2025-12-11 10:01:20.231 scope: sub
2025-12-11 10:01:20.231 roles:
2025-12-11 10:01:20.231 - comment: Parent role for all ldap2pg managed roles
2025-12-11 10:01:20.231 name: managed_roles
2025-12-11 10:01:20.231 options:
2025-12-11 10:01:20.231 BYPASSRLS: false
2025-12-11 10:01:20.231 CONNECTION LIMIT: -1
2025-12-11 10:01:20.231 CREATEDB: false
2025-12-11 10:01:20.231 CREATEROLE: false
2025-12-11 10:01:20.231 INHERIT: true
2025-12-11 10:01:20.231 LOGIN: false
2025-12-11 10:01:20.231 REPLICATION: false
2025-12-11 10:01:20.231 SUPERUSER: false
2025-12-11 10:01:20.231 parents: []
2025-12-11 10:01:20.231 - comment: Parent role for LDAP synced roles
2025-12-11 10:01:20.231 name: ldap_roles
2025-12-11 10:01:20.231 options:
2025-12-11 10:01:20.231 BYPASSRLS: false
2025-12-11 10:01:20.231 CONNECTION LIMIT: -1
2025-12-11 10:01:20.231 CREATEDB: false
2025-12-11 10:01:20.231 CREATEROLE: false
2025-12-11 10:01:20.231 INHERIT: true
2025-12-11 10:01:20.231 LOGIN: false
2025-12-11 10:01:20.231 REPLICATION: false
2025-12-11 10:01:20.231 SUPERUSER: false
2025-12-11 10:01:20.231 parents:
2025-12-11 10:01:20.231 - name: managed_roles
2025-12-11 10:01:20.231 - comment: DB backup
2025-12-11 10:01:20.231 name: backup
2025-12-11 10:01:20.231 options:
2025-12-11 10:01:20.231 BYPASSRLS: false
2025-12-11 10:01:20.231 CONNECTION LIMIT: -1
2025-12-11 10:01:20.231 CREATEDB: false
2025-12-11 10:01:20.231 CREATEROLE: false
2025-12-11 10:01:20.231 INHERIT: true
2025-12-11 10:01:20.231 LOGIN: true
2025-12-11 10:01:20.231 REPLICATION: true
2025-12-11 10:01:20.231 SUPERUSER: false
2025-12-11 10:01:20.231 parents:
2025-12-11 10:01:20.231 - name: pg_read_all_data
2025-12-11 10:01:20.231 - name: managed_roles
2025-12-11 10:01:20.231 - comment: Databases admins
2025-12-11 10:01:20.231 name: dba
2025-12-11 10:01:20.231 options:
2025-12-11 10:01:20.231 BYPASSRLS: false
2025-12-11 10:01:20.231 CONNECTION LIMIT: -1
2025-12-11 10:01:20.231 CREATEDB: false
2025-12-11 10:01:20.231 CREATEROLE: false
2025-12-11 10:01:20.231 INHERIT: true
2025-12-11 10:01:20.231 LOGIN: false
2025-12-11 10:01:20.231 REPLICATION: false
2025-12-11 10:01:20.231 SUPERUSER: true
2025-12-11 10:01:20.231 parents:
2025-12-11 10:01:20.231 - name: managed_roles
2025-12-11 10:01:20.231 - comment: Databases rewinder
2025-12-11 10:01:20.231 name: rewind
2025-12-11 10:01:20.231 options:
2025-12-11 10:01:20.231 BYPASSRLS: false
2025-12-11 10:01:20.231 CONNECTION LIMIT: -1
2025-12-11 10:01:20.231 CREATEDB: false
2025-12-11 10:01:20.231 CREATEROLE: false
2025-12-11 10:01:20.231 INHERIT: true
2025-12-11 10:01:20.231 LOGIN: true
2025-12-11 10:01:20.231 REPLICATION: false
2025-12-11 10:01:20.231 SUPERUSER: false
2025-12-11 10:01:20.231 parents:
2025-12-11 10:01:20.231 - name: managed_roles
2025-12-11 10:01:20.231 - comment: Databases monitor
2025-12-11 10:01:20.231 name: monitor
2025-12-11 10:01:20.231 options:
2025-12-11 10:01:20.231 BYPASSRLS: false
2025-12-11 10:01:20.231 CONNECTION LIMIT: -1
2025-12-11 10:01:20.231 CREATEDB: false
2025-12-11 10:01:20.231 CREATEROLE: false
2025-12-11 10:01:20.231 INHERIT: true
2025-12-11 10:01:20.231 LOGIN: true
2025-12-11 10:01:20.231 REPLICATION: false
2025-12-11 10:01:20.231 SUPERUSER: false
2025-12-11 10:01:20.231 parents:
2025-12-11 10:01:20.231 - name: managed_roles
2025-12-11 10:01:20.231 - name: pg_monitor
2025-12-11 10:01:20.231 - comment: Hashicorp Vault
2025-12-11 10:01:20.231 name: vault
2025-12-11 10:01:20.231 options:
2025-12-11 10:01:20.231 BYPASSRLS: false
2025-12-11 10:01:20.231 CONNECTION LIMIT: -1
2025-12-11 10:01:20.231 CREATEDB: false
2025-12-11 10:01:20.231 CREATEROLE: false
2025-12-11 10:01:20.231 INHERIT: true
2025-12-11 10:01:20.231 LOGIN: true
2025-12-11 10:01:20.231 REPLICATION: false
2025-12-11 10:01:20.231 SUPERUSER: true
2025-12-11 10:01:20.231 parents:
2025-12-11 10:01:20.231 - name: managed_roles
2025-12-11 10:01:20.231 - description: ""
2025-12-11 10:01:20.231 grants:
2025-12-11 10:01:20.231 - database: postgres
2025-12-11 10:01:20.231 owner: __auto__
2025-12-11 10:01:20.231 privilege: reader
2025-12-11 10:01:20.231 role: vault
2025-12-11 10:01:20.231 schema: __all__
2025-12-11 10:01:20.231 ldapsearch:
2025-12-11 10:01:20.231 filter: (objectClass=*)
2025-12-11 10:01:20.231 scope: sub
2025-12-11 10:01:20.231 roles: []
2025-12-11 10:01:20.231 - description: ""
2025-12-11 10:01:20.231 grants:
2025-12-11 10:01:20.231 - database: __all__
2025-12-11 10:01:20.231 owner: __auto__
2025-12-11 10:01:20.231 privilege: user
2025-12-11 10:01:20.231 role: monitor
2025-12-11 10:01:20.231 schema: __all__
2025-12-11 10:01:20.231 ldapsearch:
2025-12-11 10:01:20.231 filter: (objectClass=*)
2025-12-11 10:01:20.231 scope: sub
2025-12-11 10:01:20.231 roles: []
2025-12-11 10:01:20.231 - description: ""
2025-12-11 10:01:20.231 grants:
2025-12-11 10:01:20.231 - database: postgres
2025-12-11 10:01:20.231 owner: __auto__
2025-12-11 10:01:20.231 privilege: rewinder
2025-12-11 10:01:20.231 role: rewind
2025-12-11 10:01:20.231 schema: __all__
2025-12-11 10:01:20.231 ldapsearch:
2025-12-11 10:01:20.231 filter: (objectClass=*)
2025-12-11 10:01:20.231 scope: sub
2025-12-11 10:01:20.231 roles: []
2025-12-11 10:01:20.231 - description: ""
2025-12-11 10:01:20.232 grants:
2025-12-11 10:01:20.232 - database: __all__
2025-12-11 10:01:20.232 owner: __auto__
2025-12-11 10:01:20.232 privilege: owner
2025-12-11 10:01:20.232 role: dba
2025-12-11 10:01:20.232 schema: __all__
2025-12-11 10:01:20.232 ldapsearch:
2025-12-11 10:01:20.232 filter: (objectClass=*)
2025-12-11 10:01:20.232 scope: sub
2025-12-11 10:01:20.232 roles: []
2025-12-11 10:01:20.232 - description: ""
2025-12-11 10:01:20.232 grants:
2025-12-11 10:01:20.232 - database: postgres
2025-12-11 10:01:20.232 owner: __auto__
2025-12-11 10:01:20.232 privilege: user
2025-12-11 10:01:20.232 role: public
2025-12-11 10:01:20.232 schema: __all__
2025-12-11 10:01:20.232 ldapsearch:
2025-12-11 10:01:20.232 filter: (objectClass=*)
2025-12-11 10:01:20.232 scope: sub
2025-12-11 10:01:20.232 roles: []
2025-12-11 10:01:20.232 version: 6
2025-12-11 10:01:20.232 time=2025-12-11T11:01:20.231+01:00 level=DEBUG msg="Loaded configuration file." version=6
2025-12-11 10:01:20.232 time=2025-12-11T11:01:20.231+01:00 level=INFO msg="Real mode. Postgres instance will be modified."
2025-12-11 10:01:20.232 time=2025-12-11T11:01:20.231+01:00 level=DEBUG msg="Setting default Postgres connection timeout." timeout=5s
2025-12-11 10:01:20.232 time=2025-12-11T11:01:20.231+01:00 level=DEBUG msg="Stage 0: role blacklist."
2025-12-11 10:01:20.232 time=2025-12-11T11:01:20.231+01:00 level=DEBUG msg="Opening Postgres global connection." database=""
2025-12-11 10:01:20.242 time=2025-12-11T11:01:20.242+01:00 level=DEBUG msg="Inspecting PostgreSQL server and session."
2025-12-11 10:01:20.242 time=2025-12-11T11:01:20.242+01:00 level=DEBUG msg="Executing SQL query:\nWITH me AS (\n\tSELECT\n\t\trolname AS \"current_user\",\n\t\trolsuper AS \"issuper\"\n\tFROM pg_catalog.pg_roles\n\tWHERE rolname = CURRENT_USER\n),\npostgres AS (\n\tSELECT\n\t\tsubstring(version() from '^[^ ]+ [^ ]+') AS server_version,\n\t\tcurrent_setting('server_version_num')::BIGINT AS server_version_num,\n\t\tcurrent_setting('cluster_name') AS cluster_name,\n\t\tcurrent_database() AS current_database\n)\nSELECT\n\tpostgres.*,\n\tme.*\nFROM postgres, me;\n"
2025-12-11 10:01:20.244 time=2025-12-11T11:01:20.244+01:00 level=INFO msg="Running as superuser." user=postgres super=true server="PostgreSQL 17.6" cluster=postgres database=postgres
2025-12-11 10:01:20.244 time=2025-12-11T11:01:20.244+01:00 level=DEBUG msg="Fallback owner configured." role=postgres
2025-12-11 10:01:20.244 time=2025-12-11T11:01:20.244+01:00 level=DEBUG msg="Inspecting roles blacklist." config=roles_blacklist_query
2025-12-11 10:01:20.244 time=2025-12-11T11:01:20.244+01:00 level=DEBUG msg="Reading values from YAML."
2025-12-11 10:01:20.244 time=2025-12-11T11:01:20.244+01:00 level=DEBUG msg="Roles blacklist loaded." patterns="[pg_* postgres]"
2025-12-11 10:01:20.244 time=2025-12-11T11:01:20.244+01:00 level=DEBUG msg="Processing sync map item." item=0
2025-12-11 10:01:20.244 time=2025-12-11T11:01:20.244+01:00 level=DEBUG msg="Wants role." name=managed_roles options="" parents=[] comment="Parent role for all ldap2pg managed roles"
2025-12-11 10:01:20.245 time=2025-12-11T11:01:20.244+01:00 level=DEBUG msg="Wants role." name=ldap_roles options="" parents=[managed_roles] comment="Parent role for LDAP synced roles"
2025-12-11 10:01:20.245 time=2025-12-11T11:01:20.244+01:00 level=DEBUG msg="Wants role." name=backup options="" parents="[pg_read_all_data managed_roles]" comment="DB backup"
2025-12-11 10:01:20.245 time=2025-12-11T11:01:20.244+01:00 level=DEBUG msg="Wants role." name=dba options="" parents=[managed_roles] comment="Databases admins"
2025-12-11 10:01:20.245 time=2025-12-11T11:01:20.244+01:00 level=DEBUG msg="Wants role." name=rewind options="" parents=[managed_roles] comment="Databases rewinder"
2025-12-11 10:01:20.245 time=2025-12-11T11:01:20.244+01:00 level=DEBUG msg="Wants role." name=monitor options="" parents="[managed_roles pg_monitor]" comment="Databases monitor"
2025-12-11 10:01:20.245 time=2025-12-11T11:01:20.244+01:00 level=DEBUG msg="Wants role." name=vault options="" parents=[managed_roles] comment="Hashicorp Vault"
2025-12-11 10:01:20.245 time=2025-12-11T11:01:20.245+01:00 level=DEBUG msg="Processing sync map item." item=1
2025-12-11 10:01:20.245 time=2025-12-11T11:01:20.245+01:00 level=DEBUG msg="Processing sync map item." item=2
2025-12-11 10:01:20.245 time=2025-12-11T11:01:20.245+01:00 level=DEBUG msg="Processing sync map item." item=3
2025-12-11 10:01:20.245 time=2025-12-11T11:01:20.245+01:00 level=DEBUG msg="Processing sync map item." item=4
2025-12-11 10:01:20.245 time=2025-12-11T11:01:20.245+01:00 level=DEBUG msg="Processing sync map item." item=5
2025-12-11 10:01:20.245 time=2025-12-11T11:01:20.245+01:00 level=ERROR msg="Generated grant on unwanted role." grant="CONNECT ON DATABASE postgres TO public" role=public
2025-12-11 10:01:20.245 time=2025-12-11T11:01:20.245+01:00 level=ERROR msg="Generated grant on unwanted role." grant="USAGE ON SCHEMA __all__ TO public" role=public
2025-12-11 10:01:20.245 time=2025-12-11T11:01:20.245+01:00 level=DEBUG msg="Closing Postgres global connection." database=""
2025-12-11 10:01:20.245 time=2025-12-11T11:01:20.245+01:00 level=ERROR msg="Fatal error." err="grant on unknown role\ngrant on unknown role"
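As an added pre-flight check for a report like this one (example code written for this page, not ldap2pg's own implementation), the script below models on constructed data the two behaviours visible above: a `grant:` rule whose grantee (`public`) is returned by `managed_roles_query` but never declared under `roles:`, and a manually issued `GRANT CONNECT ... TO public` being revoked by the next sync because no rule wants it. The role sets and grantees are copied from the config in the report; the `plan()` reconciliation is a simplified model of "privileges of managed roles are reconciled to exactly what the rules grant", labelled as an assumption in the code, and is not ldap2pg's algorithm.

```python
"""Pre-flight check for an ldap2pg-style privilege sync (added example).

Not ldap2pg's code. It models, on constructed data mirroring the report's
config, a grant rule whose grantee is managed but never declared as a role,
and a manual GRANT on a managed role being reverted by the next sync.
"""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Grant:
    """One privilege on one object for one grantee."""
    privilege: str  # e.g. "CONNECT"
    target: str     # e.g. "DATABASE postgres"
    grantee: str    # role name; "public" is the pseudo-role

    def sql(self, verb):
        keyword = "TO" if verb == "GRANT" else "FROM"
        return f"{verb} {self.privilege} ON {self.target} {keyword} {self.grantee};"


# Constructed: what managed_roles_query returns on the cluster in the report
# ('public' and 'managed_roles' are listed explicitly; the others are members
# of managed_roles).
MANAGED_ROLES = frozenset({"public", "managed_roles", "ldap_roles", "backup",
                           "dba", "rewind", "monitor", "vault"})

# Constructed: the `name:` values declared under `roles:` in ldap2pg.yml.
DECLARED_ROLES = frozenset({"managed_roles", "ldap_roles", "backup", "dba",
                            "rewind", "monitor", "vault"})

# Constructed: the `role:` of every `grant:` rule, including the failing one.
RULE_GRANTEES = ("vault", "monitor", "rewind", "dba", "public")


def check_grantees(declared, managed, grantees):
    """Classify each grant rule's grantee before running a sync in real mode.

    'managed, not declared' is the situation in the report: the role's
    privileges are reconciled, but no rule wants the role itself.
    """
    report = {}
    for name in grantees:
        if name in declared:
            report[name] = "ok"
        elif name in managed:
            report[name] = "managed, not declared"
        else:
            report[name] = "not managed"
    return report


def plan(managed, current, wanted):
    """Return the GRANT/REVOKE statements that bring `current` to `wanted`.

    Assumption (simplified model, not ldap2pg's algorithm): only grantees in
    `managed` are reconciled; privileges held by other roles are left alone.
    """
    statements = []
    for grant in sorted(wanted - current):
        if grant.grantee in managed:
            statements.append(grant.sql("GRANT"))
    for grant in sorted(current - wanted):
        if grant.grantee in managed:
            statements.append(grant.sql("REVOKE"))
    return statements


if __name__ == "__main__":
    for name, status in check_grantees(DECLARED_ROLES, MANAGED_ROLES, RULE_GRANTEES).items():
        print(f"{name:14} {status}")

    # After a manual `GRANT CONNECT ON DATABASE postgres TO public;`, a sync
    # whose rules say nothing about public reverts it, since public is managed.
    manual = {Grant("CONNECT", "DATABASE postgres", "public")}
    for stmt in plan(MANAGED_ROLES, current=manual, wanted=set()):
        print(stmt)
```

Running it lists `public` as the only grantee that is managed but not declared, and prints the single `REVOKE CONNECT ON DATABASE postgres FROM public;` that the report describes as the manual grant being reverted.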