Hi,

Since ldap2pg 6, I'm working on running by default as a non-super role
with CREATEDB. Robert Haas made this a viable solution as of Postgres
16.

I got a case where ldap2pg tries to remove a role from a group. But the
ldap2pg user is not the grantor of this membership. This triggers a
warning:

    $ REVOKE owners FROM alice;
    WARNING: role "alice" has not been granted membership in role "owners" by role "ldap2pg"

I'll add a condition on grantor when listing manageable memberships to
simply avoid this.

However, I'd prefer if Postgres failed properly, because the GRANT is
actually not revoked. This prevents ldap2pg from reporting an issue in
handling privileges on such roles.

What do you think of making this warning an error?
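
Added example, not part of the original message and not ldap2pg's own code: a PostgreSQL 16 setup matching the situation described above, followed by a catalog query that keeps only memberships whose recorded grantor is the current role. The role names come from the message; the setup statements, the CREATEROLE attribute and the shape of the query are assumptions.

```sql
-- Constructed setup for a scratch PostgreSQL 16+ database; run as a superuser.
CREATE ROLE ldap2pg CREATEROLE CREATEDB;  -- CREATEROLE is an assumption
CREATE ROLE owners;
CREATE ROLE alice;

-- Granted by the superuser, so pg_auth_members.grantor is not ldap2pg.
GRANT owners TO alice;

-- Let ldap2pg administer membership of owners.
GRANT owners TO ldap2pg WITH ADMIN OPTION;

-- Act as the non-superuser management role.
SET ROLE ldap2pg;

-- The statement from the message. Without GRANTED BY, the grantor is
-- taken to be the current role, which holds no such grant on alice.
REVOKE owners FROM alice;

-- Memberships the current role can actually revoke: filter on grantor.
-- pg_auth_members stores one row per (roleid, member, grantor).
SELECT grp.rolname     AS role,
       mem.rolname     AS member,
       grantor.rolname AS grantor,
       am.admin_option
FROM pg_auth_members AS am
JOIN pg_roles AS grp     ON grp.oid     = am.roleid
JOIN pg_roles AS mem     ON mem.oid     = am.member
JOIN pg_roles AS grantor ON grantor.oid = am.grantor
WHERE grantor.rolname = current_user
ORDER BY grp.rolname, mem.rolname;

-- Same listing without the WHERE clause shows who granted each
-- membership, which is what an operator needs to audit leftovers.
RESET ROLE;
SELECT am.roleid::regrole  AS role,
       am.member::regrole  AS member,
       am.grantor::regrole AS grantor
FROM pg_auth_members AS am
WHERE am.roleid = 'owners'::regrole;
```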