Adding Roles for LDAP Groups

When using LDAP authentication with LDAP role management, DSE assigns the user every DSE role whose name matches an LDAP group of which the user is a member. At least one of those roles must have LOGIN = true, or the user cannot log in.

All permissions granted to roles that reflect LDAP groups to which the user belongs—directly or indirectly—are inherited. The inherited permissions include login permission, scheme permissions, proxy execution permissions, and object permissions.

After authentication completes successfully, DSE queries LDAP again for the list of the user's groups. DSE either retrieves the list from:

RESTRICTION: When role management mode LDAP is enabled together with internal authentication, the name of the internal role must match the value of the LDAP user ID attribute, because that value is what DSE uses to look up the user's groups. Example attributes are uid and sAMAccountName.

Create and bind a login role

  1. Create a login role whose name matches the LDAP group (GROUP_NAME), so that every user who belongs to this group can log in to the DSE database:

    CREATE ROLE <GROUP_NAME> WITH LOGIN = true;

    Parameter     Description
    GROUP_NAME    Names are case-sensitive; enclose names that contain capital letters in double quotes. For example, to match the cn of the group cn=DSE_Login_Users,ou=Groups,dc=example,dc=com, create the role as "DSE_Login_Users" (with the quotes).
                  Note: SUPERUSER is the name of a role that is granted full database access, except on objects with a restricted permission. See Restricting access to data.
    LOGIN         At least one of the groups the user belongs to must map to a role with LOGIN = true; otherwise the user cannot execute requests.

  2. Bind the role to the LDAP authentication scheme:

    GRANT EXECUTE ON LDAP SCHEME TO <GROUP_NAME>;

    This step is required only when scheme_permissions is enabled in the authentication_options of dse.yaml; without it, a role that is otherwise valid is refused when authenticating through the LDAP scheme.
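The two steps above carried through end to end in CQL, as an added example that is not part of the DSE documentation. It uses the LDAP group cn=DSE_Login_Users,ou=Groups,dc=example,dc=com from the parameter table; the second group DSE_Readers, the keyspace app and the cqlsh session itself are assumptions made for the example, not values the page provides.

```sql
-- Added example (not DSE's own documentation code): map LDAP groups to DSE roles.
-- Assumes LDAP role management is on and the group name DSE matches against is the
-- group's cn, here DSE_Login_Users and DSE_Readers (DSE_Readers is an assumption).

-- Step 1: login role named exactly like the group cn. The quotes matter:
-- an unquoted CREATE ROLE DSE_Login_Users would create the role dse_login_users,
-- which never matches the mixed-case LDAP group, and the user could not log in.
CREATE ROLE "DSE_Login_Users" WITH LOGIN = true;

-- Step 2: bind the role to the LDAP scheme. Needed only when scheme_permissions
-- is enabled; harmless otherwise.
GRANT EXECUTE ON LDAP SCHEME TO "DSE_Login_Users";

-- A second group that carries data permissions but does not itself grant login.
-- Members of both groups inherit the union of both roles' permissions; members of
-- only DSE_Readers have permissions but no login and are rejected at login time.
CREATE ROLE "DSE_Readers" WITH LOGIN = false;
GRANT SELECT ON KEYSPACE app TO "DSE_Readers";   -- keyspace "app" is assumed

-- Checks: confirm the names came out with the intended case and that the
-- EXECUTE permission on the LDAP scheme is actually attached to the login role.
LIST ROLES;
LIST ALL PERMISSIONS OF "DSE_Login_Users";
```

When auditing an existing cluster, run the two LIST statements first: a role that appears as dse_login_users (all lowercase) or lacks the EXECUTE permission on the LDAP scheme explains a "login denied" for users who are demonstrably members of the LDAP group.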

What’s next

Assign permissions to the role, see Assigning permissions.

© 2024 DataStax