Adding Roles for LDAP Groups
When using LDAP authentication with LDAP role management, DSE assigns the user all the roles that match the LDAP groups of which they are a member. At least one DSE role must have login privileges.
All permissions granted to roles that reflect LDAP groups to which the user belongs—directly or indirectly—are inherited. The inherited permissions include login permission, scheme permissions, proxy execution permissions, and object permissions.
After authentication completes successfully, DSE queries the LDAP server again for the list of groups the user belongs to. DSE either retrieves the list from:
Restriction: When the LDAP role management mode is enabled together with internal authentication, the internal role name must correspond to the LDAP user id attribute for group lookup to work, such as
Create a login role that matches the <group_name>, where all users who belong to this group can log in to the DSE database:
CREATE ROLE <group_name> WITH LOGIN = true;
<group_name> - Names are case-sensitive; enclose names that contain capital letters in double quotes. For example, use double quotes to match the cn of the group:
LOGIN - At least one group the user belongs to must have login privileges for the user to execute requests.
SUPERUSER - Grants full database access, except on objects to which a permission has been restricted (see Restricting access to data).
Bind the assignment to an authentication scheme:
GRANT EXECUTE ON LDAP SCHEME TO <group_name>;
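The steps above carried through end to end, as an added example that is not part of the DSE documentation. It assumes an LDAP group whose cn is "Developers" and an application keyspace named app; both names are placeholders. It also shows the case-sensitivity pitfall from the <group_name> note: an unquoted identifier is folded to lower case, so the role would never match a group whose cn contains capital letters.

```cql
-- Added example (not from the DSE docs). "Developers" (an LDAP group cn) and
-- the keyspace app are assumed placeholder names.

-- Unquoted identifiers are folded to lower case, so this would create a role
-- named developers, which never matches the LDAP group "Developers":
-- CREATE ROLE Developers WITH LOGIN = true;

-- Quote the name so the role matches the group's cn exactly.
CREATE ROLE "Developers" WITH LOGIN = true;

-- Bind the role to the LDAP authentication scheme so group members can
-- authenticate through LDAP.
GRANT EXECUTE ON LDAP SCHEME TO "Developers";

-- Every member of the group inherits the role's object permissions, so grant
-- only what the group needs rather than SUPERUSER.
GRANT SELECT ON KEYSPACE app TO "Developers";
GRANT MODIFY ON KEYSPACE app TO "Developers";

-- Confirm the role exists under the exact name and carries only the intended
-- grants before relying on it in production.
LIST ROLES;
LIST ALL PERMISSIONS OF "Developers";
```

If LIST ROLES shows a lower-cased name, the CREATE ROLE statement was run without quotes; drop that role and recreate it with the quoted name, since DSE matches roles to LDAP groups by exact name.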