Skip to content

Fix LDAP component to use dedicated user instead of operator user#1026

Draft
delgod wants to merge 5 commits intomainfrom
fix/ldap-dedicated-user-966
Draft

Fix LDAP component to use dedicated user instead of operator user#1026
delgod wants to merge 5 commits intomainfrom
fix/ldap-dedicated-user-966

Conversation

@delgod
Copy link
Member

@delgod delgod commented Jul 9, 2025

Issue

Fixes #966

The LDAP component currently uses the operator user to connect to PostgreSQL, which violates the principle of least privilege. Each component should have its own dedicated user with minimal necessary permissions.

Solution

This PR implements a dedicated LDAP user for PostgreSQL connections used by the LDAP synchronization service:

Key Changes:

  1. Add LDAP user constants and system configuration:

    • Added LDAP_USER = "ldap" and LDAP_PASSWORD_KEY = "ldap-password" constants
    • Added LDAP_USER to SYSTEM_USERS list for proper management
    • Imported new constants in charm.py

  2. Implement LDAP user creation with minimal privileges:

    • Generate LDAP password during leader election alongside other system passwords
    • Create LDAP user in _start_primary method with CREATEROLE privilege only
    • Ensures minimal necessary permissions for LDAP sync operations

  3. Update LDAP sync to use dedicated user:

    • Modified _setup_ldap_sync to use LDAP_USER and LDAP_PASSWORD_KEY
    • Replaced operator user credentials with dedicated LDAP user credentials
    • Maintains security isolation between components

  4. Comprehensive test coverage:

    • Added LDAP user to integration password rotation tests
    • Extended unit tests for get-password and set-password actions
    • Ensures LDAP user is properly tested in all password management scenarios

  5. Complete documentation updates:

    • Added LDAP user to internal users documentation with privilege explanation
    • Updated PostgreSQL roles dump example to include ldap user
    • Extended password management documentation to include all system users

Security Benefits:

  • Principle of least privilege: LDAP user has only CREATEROLE privilege needed for LDAP sync
  • Component isolation: LDAP service no longer uses operator user credentials
  • Audit clarity: LDAP operations are clearly identifiable in logs and monitoring

Backward Compatibility:

  • Existing deployments will automatically create the LDAP user during next restart
  • No manual intervention required for existing LDAP integrations
  • Password management actions now support the new LDAP user

Checklist

  • I have added or updated any relevant documentation.
  • I have cleaned any remaining cloud resources from my accounts.

delgod added 5 commits July 9, 2025 15:31
@delgod
Add LDAP user constants and system configuration
c66cd61 
- Add LDAP_USER constant for dedicated LDAP sync user
- Add LDAP_PASSWORD_KEY for password management
- Include LDAP_USER in SYSTEM_USERS list for proper system user handling

This establishes the foundation for issue #966 fix by defining the dedicated
LDAP user instead of reusing the operator user for LDAP synchronization.
@delgod
Implement dedicated LDAP user creation and password management
16a2398 
- Import LDAP_USER and LDAP_PASSWORD_KEY constants
- Add LDAP password generation in leader election event
- Create dedicated LDAP user with CREATEROLE privilege in primary startup
- Update LDAP sync configuration to use dedicated user instead of operator

Fixes #966 by implementing a dedicated LDAP user with minimal privileges
(CREATEROLE) for PostgreSQL role synchronization, improving security by
avoiding use of the superuser operator account for LDAP operations.
@delgod
tests: Add LDAP user to integration password rotation tests
649ee06 
- Add LDAP password retrieval and rotation to test_password_rotation.py
- Test both password generation and verification for LDAP user
- Ensure LDAP user is included in comprehensive password testing suite

Fixes part of #966
@delgod
tests: Add LDAP user to unit test password actions
dcebef9 
- Extend test_on_get_password to include LDAP user password retrieval
- Extend test_on_set_password to include LDAP user password setting
- Ensure comprehensive coverage of LDAP user in password management actions
- Update test data to include ldap-password for testing scenarios

Fixes part of #966
@delgod
docs: Add comprehensive LDAP user documentation
4464f66 
- Add LDAP user to internal users list in explanation/users.md
- Document LDAP user's CREATEROLE privilege and purpose
- Update PostgreSQL roles dump example to include ldap user
- Extend set-password action documentation to include ldap user
- Add clarification on all available system users in manage-passwords.md

Provides complete documentation for LDAP user implementation to help
users understand its role in LDAP synchronization and management.

Fixes part of #966
@github-actions github-actions bot added the Libraries: Out of sync The charm libs used are out-of-sync label Jul 9, 2025
@sinclert-canonical
Copy link
Contributor

sinclert-canonical commented Jul 10, 2025

A couple of thoughts about these changes, in case the PR was not created for demo purposes:

  • When I designed the whole LDAP integration, one key aspect considering PostgreSQL resource ownership model, was which user was going to be the one "acquiring" the ownership of deleted user resources once they get removed from the connected LDAP server. I went for operator, as it seems the all power user that will never go away.
  • Even if the CREATEROLE PostgreSQL privileges allowed the proposed user to alter / create/ drop users, I do not think it will allow it to read from system views such as pg_user and pg_group (see usage), nor to reassign resources before dropping a role (see usage).

I think separating concerns in terms of which system user is in charge of running the LDAP sync service is a great idea. We just need to make sure we are comfortable with it owning the deleted-users resources, and provide it enough privileges.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

Libraries: Out of sync The charm libs used are out-of-sync

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

operator user shouldn't be used by ldap component to connect to postgresql

2 participants

@delgod @sinclert-canonical