Adding roles for LDAP logins

A role manager assigns a DSE role by matching the username provided for authentication with a DSE role name. Create a role for each LDAP user who needs to access the database.

The LDAP username attribute is defined in user_search_filter, for example uid (OpenLDAP) or sAMAccountName (Microsoft Active Directory).

Create and bind a Login role

  1. Create a login role that matches the username:

    CREATE ROLE <LDAP_USER_ROLE> WITH LOGIN = true;

    Parameters:

    LDAP_USER_ROLE: The username passed from the authenticator to the role manager. The string is exactly as the user entered it at login, including case.
      Note: SUPERUSER is the name of a role that is granted full database access, except on objects with a restricted permission. See Restricting access to data.

    LOGIN: REQUIRED. Allows the user basic database access.

    Do NOT set a password.

  2. Bind the assignment to an authentication scheme:

    GRANT EXECUTE ON LDAP SCHEME TO <LDAP_USER_ROLE>;

    This step is required only when scheme_permissions is enabled.

  3. To allow another role to manage the new role:

    GRANT AUTHORIZE FOR ALTER, DROP
    ON <new_role_name>
    TO <management_role>;

    All superusers have AUTHORIZE permission on all roles, and the role that created a role is granted all permissions on that role.
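As an added example, not code from the DataStax documentation: a Python helper that emits the statements from the procedure above for one LDAP username, double-quoting the role name so CQL keeps the exact case the user typed, plus an audit over rows shaped like Cassandra's system_auth.roles table (constructed sample data, not real roles) that flags LDAP roles with a local password, LOGIN = false, or superuser status. The function names and sample rows are assumptions; the column names follow system_auth.roles.

```python
# Constructed sample rows shaped like system_auth.roles; not real data.
SAMPLE_ROLES = [
    {"role": "jdoe", "can_login": True, "is_superuser": False, "salted_hash": None},
    {"role": "Admin.Smith", "can_login": True, "is_superuser": False,
     "salted_hash": "$2a$10$constructedhashvalue"},
    {"role": "svc_backup", "can_login": False, "is_superuser": False, "salted_hash": None},
    {"role": "root.user", "can_login": True, "is_superuser": True, "salted_hash": None},
]


def quote_ident(name: str) -> str:
    """Double-quote a CQL identifier so the role name keeps the case the
    user entered at login; embedded double quotes are doubled."""
    if not name or "\x00" in name:
        raise ValueError("invalid role name")
    return '"' + name.replace('"', '""') + '"'


def ldap_role_statements(username, management_role=None, scheme_permissions=False):
    """Emit the CQL for one LDAP login role: LOGIN is always true, no
    PASSWORD clause is ever generated, and the optional GRANT statements
    follow steps 2 and 3 of the procedure."""
    role = quote_ident(username)
    stmts = [f"CREATE ROLE {role} WITH LOGIN = true;"]
    if scheme_permissions:
        stmts.append(f"GRANT EXECUTE ON LDAP SCHEME TO {role};")
    if management_role:
        stmts.append(f"GRANT AUTHORIZE FOR ALTER, DROP ON {role} "
                     f"TO {quote_ident(management_role)};")
    return stmts


def audit_ldap_roles(rows, ldap_users):
    """Return {username: [problems]} for expected LDAP login roles that
    are missing (exact, case-sensitive match), cannot log in, carry a
    local password hash, or are superusers (this audit's own policy)."""
    by_name = {r["role"]: r for r in rows}
    findings = {}
    for user in ldap_users:
        row = by_name.get(user)
        problems = []
        if row is None:
            problems.append("missing role")
        else:
            if not row["can_login"]:
                problems.append("LOGIN is false")
            if row["salted_hash"] is not None:
                problems.append("local password set")
            if row["is_superuser"]:
                problems.append("superuser")
        if problems:
            findings[user] = problems
    return findings
```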

What’s next

Assign permissions to the role; see Assigning permissions.


© 2024 DataStax | Privacy policy | Terms of use
