
Database security: A vital component of data management
In today’s data-driven world, security is not just a priority—it is an imperative. For enterprises leveraging Fujitsu Enterprise Postgres, ensuring secure and efficient user management is critical to protecting sensitive data and meeting compliance requirements.
Fujitsu Enterprise Postgres has consistently raised the bar for database security, and with the introduction of inbuilt ldap2pg support from version 16 onwards, it adds another powerful tool to its arsenal. This blog explores the significance of ldap2pg, its installation and configuration, and the benefits it brings to organizations using Fujitsu Enterprise Postgres.
The importance of security in Fujitsu Enterprise Postgres
Fujitsu Enterprise Postgres is renowned for its robust security features such as Transparent Data Encryption, Data Masking, Dedicated Audit Log, CyberArk Privileged Access Manager, and many more, which ensure that data remains protected against unauthorized access.
However, managing database roles and permissions in large-scale environments can be challenging. Manually maintaining role mappings and privileges is not only error-prone but also time-consuming. This is where ldap2pg comes into play, streamlining role management through integration with LDAP (Lightweight Directory Access Protocol).
LDAP is a widely adopted standard for centralized user authentication and management, enabling organizations to enforce consistent security policies across their IT infrastructure. By leveraging ldap2pg, Fujitsu Enterprise Postgres users can synchronize roles and privileges from an LDAP directory, ensuring that database access aligns with organizational policies and is automatically updated as changes occur in LDAP.
What is ldap2pg?
ldap2pg is an open-source tool designed to automate the synchronization of Fujitsu Enterprise Postgres/PostgreSQL roles and privileges with an LDAP directory. It simplifies user and group management by enabling administrators to:
- Map LDAP groups to Fujitsu Enterprise Postgres/PostgreSQL roles
- Automatically create, update, or drop roles in Fujitsu Enterprise Postgres/PostgreSQL based on LDAP membership
- Enforce least-privilege access by assigning only the necessary permissions.
When you run the ldap2pg command, it syncs users from the LDAP server with roles in Fujitsu Enterprise Postgres based on the mappings in ldap2pg.yml—if a role listed in ldap2pg.yml doesn’t exist in Fujitsu Enterprise Postgres, it gets created; roles not listed in ldap2pg.yml are removed. You can exclude certain roles, like database administrator roles that don’t work with LDAP, from being updated or deleted by specifying them in ldap2pg.yml.
Installing and configuring ldap2pg for Fujitsu Enterprise Postgres
Prerequisites
Before installing ldap2pg, ensure that the following prerequisites are met:
- Fujitsu Enterprise Postgres 16 or later is installed and operational.
- Access to an LDAP directory (e.g., Active Directory, OpenLDAP) with appropriate credentials.
- LDAP as Fujitsu Enterprise Postgres authentication is configured and working correctly.
For details on this configuration, refer to my article Connecting Fujitsu Enterprise Postgres to Active Directory for Authentication using LDAP.
Step 1 Install ldap2pg
Install ldap2pg on the database server using the Fujitsu Enterprise Postgres 16 or later client program ISO file.
Step 2 Set the PATH environment variable for ldap2pg
$ export PATH=/opt/fsepv<xx>ldap2pg/bin:$PATH
Where <xx> indicates the Fujitsu Enterprise Postgres version.
Step 3 Define the database role
Define a database role with superuser privileges on the database server; ldap2pg runs as this role (the executor).
Step 4 Configure ldap2pg
Create a file called ldap2pg.yml in your working directory. This file lets you configure everything: Postgres queries, LDAP searches, privileges, and sync settings. ldap2pg looks for the configuration file in this order:
- ldap2pg.yml in current working directory.
- ~/.config/ldap2pg.yml.
- /etc/ldap2pg.yml.
- /etc/ldap2pg/ldap2pg.yml.
In this article, I am going to create the ldap2pg.yml file in /etc/ldap2pg/.
vi /etc/ldap2pg/ldap2pg.yml
version: 6
postgres:
  roles_blacklist_query:
  - postgres
  - fepuser
  - "pg_*"
  - pgx_update_profile_status
  - "pgx_cgroup_role_*"
rules:
- description: "Sync roles from LDAP to PostgreSQL"
  ldapsearch:
    base: "cn=Users,dc=testldap,dc=com"
    filter: "(objectClass=person)"
  roles:
  - name: "{cn.lower()}"
    options: LOGIN
For information on ldap2pg.yml, refer to the ldap2pg file reference
Step 5 Set ldap2pg-related environment variables
export LDAPURI=ldap://10.1.0.16:389
export LDAPBINDDN="CN=lookup,CN=Users,dc=testldap,dc=com"
export LDAPPASSWORD="fep@2025"
For this test my LDAP server IP address is 10.1.0.16 and LDAP user is lookup.
Step 6 Test the configuration
Run ldap2pg in dry-run mode to preview the synchronization without making changes:
[fepuser@hostname]$ ldap2pg --config /etc/ldap2pg/ldap2pg.yml
07:56:52 INFO Starting ldap2pg version=snapshot runtime=go1.22.1 commit=<none> pid=117882
07:56:52 INFO Using YAML configuration file. path=/etc/ldap2pg/ldap2pg.yml
07:56:52 WARN Dry run. Postgres instance will be untouched.
07:56:52 INFO Running as superuser. user=fepuser super=true server="PostgreSQL 17.0" cluster="" database=postgres
07:56:52 INFO Connected to LDAP directory. uri=ldap://10.1.0.16:389
07:56:52 INFO Sync roles from LDAP to PostgreSQL
07:56:52 INFO All roles synchronized.
07:56:52 INFO Nothing to do. searches=1 roles=7 queries=0 grants=0
07:56:52 INFO Done. elapsed=25.207394ms mempeak=1.2MiB ldap=1.160823ms inspect=10.414003ms sync=0s
[fepuser@hostname]$
Review the output to ensure that the mappings are correct.
Step 7 Apply the changes to the database server
If the above dry-run output looks good, apply the changes:
[fepuser@hostname]$ ldap2pg --config /etc/ldap2pg/ldap2pg.yml --real
07:58:36 INFO Starting ldap2pg version=snapshot runtime=go1.22.1 commit=<none> pid=117904
07:58:36 INFO Using YAML configuration file. path=/etc/ldap2pg/ldap2pg.yml
07:58:36 INFO Real mode. Postgres instance will be modified.
07:58:36 INFO Running as superuser. user=fepuser super=true server="PostgreSQL 17.0" cluster="" database=postgres
07:58:36 INFO Connected to LDAP directory. uri=ldap://10.1.0.16:389
07:58:36 INFO Sync roles from LDAP to PostgreSQL
07:58:36 INFO All roles synchronized.
07:58:36 INFO Nothing to do. searches=1 roles=7 queries=0 grants=0
07:58:36 INFO Done. elapsed=28.319536ms mempeak=1.2MiB ldap=2.361545ms inspect=11.435717ms sync=0s
[fepuser@hostname]$
Please note that the --real option is required to actually synchronize roles with the database server; without it, ldap2pg runs in dry-run mode.
Step 8 Automate the process
To keep roles and privileges in sync, schedule ldap2pg to run periodically using a cron job:
crontab -e
Add the following line to run ldap2pg every 5 minutes:
*/5 * * * * source /home/fepuser/.bash_profile && . /home/fepuser/ldap2pg_sync.sh >> /home/fepuser/ldap2pg_sync.log 2>&1
[fepuser@hostname]$ cat /home/fepuser/ldap2pg_sync.sh
#!/bin/bash
####################
# LDAP2PG Sync Script #
####################
BIN=/opt/fsepv17ldap2pg/bin
$BIN/ldap2pg --config /etc/ldap2pg/ldap2pg.yml --real
[fepuser@hostname]$
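The sync script above runs --real unconditionally. Because ldap2pg drops any role that no rule produces unless it is blacklisted (see the sync description earlier), and because the LDAP bind password from Step 5 ends up in a shell profile, a wrapper for cron benefits from a few pre-flight checks. The script below is an added example for this article, not part of ldap2pg or Fujitsu Enterprise Postgres. It assumes the flat ldap2pg.yml layout shown in Step 4 (a roles_blacklist_query list directly under postgres:), GNU coreutils stat, util-linux flock, and an env file such as /home/fepuser/.ldap2pg.env holding the three LDAP variable assignments from Step 5; the paths and the executor role name are placeholders. It refuses to run if the executor role is not blacklisted or the credential file is readable by others, loads the env file with allexport so the variables reach the ldap2pg process, takes a lock so overlapping cron runs cannot race, and only applies --real after the dry run succeeds.

```shell
#!/bin/bash
# Guarded ldap2pg sync for cron. Added example, not part of ldap2pg or
# Fujitsu Enterprise Postgres. Assumes the flat ldap2pg.yml layout shown in
# Step 4, GNU stat, util-linux flock, and an env file with the LDAPURI,
# LDAPBINDDN and LDAPPASSWORD lines from Step 5 (paths are placeholders).

# Print the entries of postgres.roles_blacklist_query, one per line,
# with surrounding quotes and trailing comments removed.
blacklist_entries() {
  awk '
    /^[[:space:]]*roles_blacklist_query:/ { inlist = 1; next }
    inlist && /^[[:space:]]*-/ {
      sub(/^[[:space:]]*-[[:space:]]*/, "")
      sub(/[[:space:]]*#.*$/, "")
      sub(/[[:space:]]+$/, "")
      gsub(/^"|"$/, "")
      print
      next
    }
    inlist { inlist = 0 }
  ' "$1"
}

# Return 0 if ROLE matches a blacklist entry (shell-glob style, so "pg_*"
# covers pg_monitor). ldap2pg drops roles that no rule produces unless they
# are blacklisted, so the executor role must be covered here.
blacklist_covers() {
  local config="$1" role="$2"
  blacklist_entries "$config" | {
    while IFS= read -r pattern; do
      [ -n "$pattern" ] || continue
      case "$role" in
        $pattern) exit 0 ;;
      esac
    done
    exit 1
  }
}

# Return 0 if the credential file is readable only by its owner. A bind
# password in a world-readable .bash_profile is visible to every local account.
secret_file_is_private() {
  local mode
  mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
  case "$mode" in
    600|400) return 0 ;;
    *) return 1 ;;
  esac
}

# Source the env file with allexport on so the variables reach the ldap2pg
# process (a bare VAR=value line without export stays local to the shell).
# Returns 0 only when all three connection variables are set.
load_ldap_env() {
  set -a
  . "$1"
  set +a
  [ -n "${LDAPURI:-}" ] && [ -n "${LDAPBINDDN:-}" ] && [ -n "${LDAPPASSWORD:-}" ]
}

# Refuse to run when a check fails; otherwise dry-run first and apply with
# --real only if that succeeds. The lock stops overlapping cron runs.
guarded_sync() {
  local config="$1" envfile="$2" executor="$3"
  blacklist_covers "$config" "$executor" ||
    { echo "refusing: $executor is not in roles_blacklist_query" >&2; return 2; }
  secret_file_is_private "$envfile" ||
    { echo "refusing: $envfile must be mode 600 (or 400)" >&2; return 3; }
  load_ldap_env "$envfile" ||
    { echo "refusing: LDAPURI, LDAPBINDDN and LDAPPASSWORD must all be set" >&2; return 4; }
  exec 9>"$HOME/.ldap2pg_sync.lock"
  flock -n 9 || { echo "skipping: previous sync still running" >&2; return 0; }
  ldap2pg --config "$config" || return 5   # dry run (the default) must succeed
  ldap2pg --config "$config" --real
}

# Cron entry using this script (replaces the one above):
#   */5 * * * * /home/fepuser/ldap2pg_sync.sh run >> /home/fepuser/ldap2pg_sync.log 2>&1
if [ "${1:-}" = "run" ]; then
  guarded_sync /etc/ldap2pg/ldap2pg.yml /home/fepuser/.ldap2pg.env fepuser
fi
```

A successful dry run only proves that the configuration parses and that both the LDAP directory and the instance are reachable; it does not judge whether the planned role changes are the intended ones, so the dry-run log written by cron still deserves periodic review.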
Benefits of configuring ldap2pg in Fujitsu Enterprise Postgres
- Centralized user management
  By synchronizing FEP/PostgreSQL roles with LDAP, administrators can manage users and groups from a single directory, reducing the complexity of managing database access.
- Improved security
  ldap2pg enforces organizational policies by ensuring that database access is consistent with LDAP-defined roles. This minimizes the risk of unauthorized access.
- Reduced administrative overhead
  Automating role and privilege management eliminates the need for manual updates, freeing up valuable time for database administrators.
- Enhanced compliance
  Centralized and automated role management ensures alignment with regulatory requirements, such as GDPR and HIPAA, by maintaining an auditable trail of access control changes.
- Scalability
  ldap2pg is well-suited for large-scale deployments, where managing thousands of users and roles manually would be impractical.
Conclusion
The addition of ldap2pg support from Fujitsu Enterprise Postgres 16 underscores Fujitsu’s commitment to delivering secure and efficient database solutions. By integrating LDAP with Fujitsu Enterprise Postgres/PostgreSQL, ldap2pg simplifies role management, enhances security, and reduces administrative overhead.
Organizations leveraging Fujitsu Enterprise Postgres 16 or later can now achieve greater control over their database environments while ensuring compliance with industry standards. Start exploring ldap2pg today to unlock the full potential of your Fujitsu Enterprise Postgres deployment.