Adding roles for LDAP logins

Assigns a DSE role by matching the username provided for authentication (1-1 mapping).

Role manager assigns a DSE role by matching the username provided for authentication with a DSE role name. Create a role for each LDAP user that needs to access the database.
Tip: The LDAP username attribute is defined in user_search_filter, such as the UID (Open LDAP) or SamAccountName (Microsoft Active Directory).

Procedure

  1. Create a login role that matches the username:
    CREATE ROLE ldap_user_role WITH LOGIN = true;
    • ldap_user_role - The username passed from the authenticator to the role manager; the string is exactly as the user entered it at login, including case.
    • LOGIN - Required to allow the user basic access to the database.
    • SUPERUSER - Optional; grants full database access, except on objects where a permission has been restricted (see Restricting access to data).
    CAUTION: Do NOT set a password.
  2. Bind the assignment to an authentication scheme:
    GRANT EXECUTE on LDAP SCHEME to ldap_user_role;
  3. To allow another role to manage the new role:
    GRANT AUTHORIZE FOR ALTER, DROP
    ON ROLE ldap_user_role
    TO management_role;
    Tip: All superusers have authorize permissions on all roles, and the role that created the role is granted all permissions on it.
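The three steps above carried through for one Active Directory user, as an added example that is not part of the DSE documentation. It assumes the user's SamAccountName is "JSmith" and that a management role named dba_admins already exists; both names are hypothetical.

```sql
-- Added example, not from the DSE documentation. Hypothetical names:
-- LDAP user "JSmith" (SamAccountName), management role dba_admins.

-- Step 1: the role name must equal the login username exactly, including
-- case. Unquoted CQL identifiers are folded to lowercase, so a mixed-case
-- username must be double-quoted or the role "jsmith" is created instead
-- and the login "JSmith" will not map to it.
-- No PASSWORD clause: LDAP authenticates the user; DSE only maps the name.
CREATE ROLE "JSmith" WITH LOGIN = true;

-- Step 2: bind the role to the LDAP authentication scheme.
GRANT EXECUTE ON LDAP SCHEME TO "JSmith";

-- Step 3: let dba_admins alter or drop the new role (assumes dba_admins exists).
GRANT AUTHORIZE FOR ALTER, DROP
ON ROLE "JSmith"
TO dba_admins;

-- Verification: the new role should appear with login enabled and no
-- superuser flag, and dba_admins should hold the AUTHORIZE grants on it.
LIST ROLES;
LIST ALL PERMISSIONS OF dba_admins;
```

If LIST ROLES shows a lowercase jsmith, the quoting in step 1 was missed; drop that role and recreate it with the exact case the user types at login.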

What's next

Assign permissions to the role, see Assigning permissions.