larskanis/pg-ldap-sync

Will this drop users once removed from LDAP groups?

dacresni opened this issue · 1 comment

I could run this script daily, so it would remove the access of people who have been moved to other teams.

Yes, group memberships are changed properly when a user changes from one group to another. When the user is removed from LDAP, the corresponding user gets dropped from PostgreSQL. The same is true when the user is no longer in the result set of the LDAP query due to a changed group membership.

There is one caveat: PostgreSQL forbids removal of users when they have permissions on relations. I usually solve this by never granting permissions to users, but only to groups.
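The caveat above, worked through in SQL as an added example (this is not code from pg-ldap-sync or from the comment author). It shows the direct-grant pattern that makes DROP ROLE fail, the catalog-level recovery for a role that already holds such grants, the group-only pattern the maintainer describes, and a query to spot login roles with direct table grants before a sync run. The role names (alice, bob, app_readers) and the schema and table (app.orders) are assumed for illustration.

```sql
-- Added example, not from pg-ldap-sync. Role, schema and table names are assumed.

-- 1. The pattern that blocks removal: privileges granted directly to the login role.
CREATE ROLE alice LOGIN;
CREATE SCHEMA app;
CREATE TABLE app.orders (id int);
GRANT USAGE ON SCHEMA app TO alice;
GRANT SELECT ON app.orders TO alice;

-- This fails: PostgreSQL refuses to drop a role that other objects depend on,
-- and the grants above are such dependencies.
DROP ROLE alice;

-- Recovery for a role that already holds direct grants: DROP OWNED revokes
-- every privilege granted to the role (and drops objects it owns) in the
-- current database; only then can the role be dropped.
DROP OWNED BY alice;
DROP ROLE alice;

-- 2. The pattern the maintainer recommends: grant privileges to a NOLOGIN
-- group role only, and make login roles members of it. Membership is removed
-- together with the login role, so DROP ROLE succeeds without touching any
-- object privileges.
CREATE ROLE app_readers NOLOGIN;
GRANT USAGE ON SCHEMA app TO app_readers;
GRANT SELECT ON app.orders TO app_readers;

CREATE ROLE bob LOGIN;
GRANT app_readers TO bob;

-- bob reads app.orders through the group...
SET ROLE bob;
SELECT count(*) FROM app.orders;
RESET ROLE;

-- ...and is dropped cleanly when the LDAP query no longer returns him.
DROP ROLE bob;

-- 3. Pre-sync check: which login roles hold direct grants on tables? Each of
-- these would make the sync's DROP ROLE fail until the grant is moved to a group.
-- aclexplode() expands the ACL array; grantee 0 (PUBLIC) has no pg_roles row
-- and so drops out of the join.
SELECT DISTINCT r.rolname, c.oid::regclass AS relation
FROM pg_class c
CROSS JOIN LATERAL aclexplode(c.relacl) a
JOIN pg_roles r ON r.oid = a.grantee
WHERE r.rolcanlogin
  AND c.relkind IN ('r', 'v', 'm', 'p')
ORDER BY r.rolname, relation;
```

Run the check as a superuser (or a role that can read pg_class ACLs for the objects in question). The group-only pattern also covers schema and sequence privileges, which block DROP ROLE in the same way; extend the check to pg_namespace.nspacl if schema-level grants to users are in use.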