Adding Roles for LDAP Groups
When using LDAP authentication with LDAP role management, DSE assigns the user all the roles that match the LDAP groups of which they are a member. At least one DSE role must have login privileges.
All permissions granted to roles that reflect LDAP groups to which the user belongs – directly or indirectly – are inherited. The inherited permissions include login permission, scheme permissions, proxy execution permissions, and object permissions.
After authentication completes successfully, DSE queries LDAP again for the list of the user's groups. DSE retrieves the list in one of two ways:
- From the user's memberOf attribute (user_memberof_attribute), returning the group names taken from each group DN using the group_name_attribute.
- By searching the group_search_base for groups whose group_search_filter attribute contains the username, returning the group names taken from each group DN using the group_name_attribute.
Restriction: When the LDAP role management mode is enabled together with internal authentication, the internal role name must match the LDAP user id attribute (such as uid or sAMAccountName) for group lookup to work.
Procedure
- Create a login role that matches the <group_name>, so that all users who belong to this group can log in to the DSE database:
  CREATE ROLE <group_name> WITH LOGIN = true;
  - <group_name>: Names are case-sensitive; enclose names that contain capital letters in double quotes. For example, double quotes are required to match the cn of the group cn=DSE_Login_Users,ou=Groups,dc=example,dc=com.
  - LOGIN: At least one group the user belongs to must have login privileges for the user to execute requests.
  - SUPERUSER: Grants full database access, except on objects for which a permission has been restricted (see Restricting access to data).
- Bind the assignment to an authentication scheme:
  GRANT EXECUTE ON LDAP SCHEME TO <group_name>;
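The following script is an added example, not DataStax code, covering both the group-lookup description above (memberOf attribute versus group search) and the procedure: it parses LDAP group DNs, extracts the value of the configured group_name_attribute (assumed to be cn), and produces the CREATE ROLE and GRANT EXECUTE ON LDAP SCHEME statements with the double-quoting that case-sensitive role names require. The group-search model is a simplification that assumes the membership attribute holds plain usernames; the sample directory entries are constructed.

```python
import re

# Added example (not DataStax documentation code). Assumptions: group_name_attribute
# is "cn", and the group-search mode is modelled as "group entry's membership attribute
# contains the username" rather than a real LDAP filter evaluation.


def group_name_from_dn(group_dn: str, group_name_attribute: str = "cn") -> str:
    """Return the value of group_name_attribute from the first RDN of a group DN.

    Splits only on unescaped commas so values such as "Smith\\, John" survive;
    other RFC 4514 escapes are left as-is.
    """
    first_rdn = re.split(r"(?<!\\),", group_dn, maxsplit=1)[0].strip()
    attr, _, value = first_rdn.partition("=")
    if attr.strip().lower() != group_name_attribute.lower():
        raise ValueError(f"DN {group_dn!r} does not start with {group_name_attribute}=")
    return value.strip()


def groups_containing_user(group_entries, username: str, membership_attribute: str = "member"):
    """Model the group-search lookup: DNs of groups whose membership attribute lists the user.

    group_entries is a list of (group_dn, {attribute: [values]}) tuples, standing in for
    the entries under group_search_base.
    """
    return [dn for dn, attrs in group_entries
            if username in attrs.get(membership_attribute, [])]


def quote_role_name(name: str) -> str:
    """Role names are case-sensitive in CQL: quote anything that is not a plain
    lowercase identifier, doubling any embedded double quote."""
    if re.fullmatch(r"[a-z_][a-z0-9_]*", name):
        return name
    return '"' + name.replace('"', '""') + '"'


def role_statements(group_dns, group_name_attribute: str = "cn", login: bool = True):
    """CQL to create one role per LDAP group and bind it to the LDAP scheme."""
    statements = []
    for dn in group_dns:
        role = quote_role_name(group_name_from_dn(dn, group_name_attribute))
        statements.append(f"CREATE ROLE {role} WITH LOGIN = {'true' if login else 'false'};")
        statements.append(f"GRANT EXECUTE ON LDAP SCHEME TO {role};")
    return statements


# Constructed sample: memberOf values LDAP would return for one user.
SAMPLE_MEMBEROF = [
    "cn=DSE_Login_Users,ou=Groups,dc=example,dc=com",
    "cn=analysts,ou=Groups,dc=example,dc=com",
]

# Constructed sample: group entries under group_search_base for the search mode.
SAMPLE_GROUP_ENTRIES = [
    ("cn=DSE_Login_Users,ou=Groups,dc=example,dc=com", {"member": ["alice", "bob"]}),
    ("cn=analysts,ou=Groups,dc=example,dc=com", {"member": ["alice"]}),
    ("cn=auditors,ou=Groups,dc=example,dc=com", {"member": ["carol"]}),
]

if __name__ == "__main__":
    # memberOf mode
    for stmt in role_statements(SAMPLE_MEMBEROF):
        print(stmt)
    # group-search mode for user "alice" yields the same two groups
    print(groups_containing_user(SAMPLE_GROUP_ENTRIES, "alice"))
```

Running the script prints a quoted CREATE ROLE for DSE_Login_Users (capital letters) and an unquoted one for analysts, followed by the matching GRANT EXECUTE ON LDAP SCHEME statements; the search-mode lookup for alice returns the same two group DNs that memberOf listed.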
What's next
Assign permissions to the role; see Assigning permissions.