Adding Roles for LDAP Groups

When using LDAP authentication with LDAP role management, DataStax Enterprise (DSE) assigns the user all the roles that match the LDAP groups of which they are a member. At least one DSE role must have login privileges.

All permissions granted to roles that reflect LDAP groups to which the user belongs—directly or indirectly—are inherited. The inherited permissions include login permission, scheme permissions, proxy execution permissions, and object permissions.

After authentication completes successfully, DSE queries the LDAP again for a list of the groups. DSE either retrieves the list from:

The user’s member of attribute (user_memberof_attribute) and returns all group names from the group DN (group_name_attribute).
Searches for groups in the group_search_base that contain the username in the group_search_filter attribute and returns a list of the group names using the group_name_attribute from the group DN.

RESTRICTION: When role management mode LDAP is enabled with internal authentication, the internal role must correspond to the LDAP user ID attribute in order to look up groups. Example attributes are UID or SamAccountname.

Create a login role that matches the <`GROUP_NAME`>, where all users who belong to this group can log in to the DSE database:

CREATE ROLE <`GROUP_NAME`> WITH LOGIN = true;

Parameter	Description
`GROUP_NAME`	Names are case-sensitive; enclose names that contain capital letters in double-quotes. For example, use double quotes to match the `cn` of the group: `cn=DSE_Login_Users,ou=Groups,dc=example,dc=com`. Note: SUPERUSER is name of a role that is granted full database access, except on objects with a restricted permission. See Restricting access to data.
LOGIN	At least one group the user belongs to must have login privileges that allow the user to execute requests.

Parameter

Description

GROUP_NAME

Names are case-sensitive; enclose names that contain capital letters in double-quotes. For example, use double quotes to match the cn of the group: cn=DSE_Login_Users,ou=Groups,dc=example,dc=com.

Note: SUPERUSER is name of a role that is granted full database access, except on objects with a restricted permission. See Restricting access to data.

At least one group the user belongs to must have login privileges that allow the user to execute requests.

Bind the assignment to an authentication scheme:
```
GRANT EXECUTE on LDAP SCHEME to <`GROUP_NAME`>;
```
This step is required only when enabling scheme_permissions.

What’s next

Assign permissions to the role, see Assigning permissions.

Adding Roles for LDAP Groups

What’s next

Was this helpful?

Give Feedback

Adding Roles for LDAP Groups

Create and bind a login role

What’s next

Was this helpful?