Adding Roles for LDAP Groups
When using LDAP authentication with LDAP role management, DSE assigns the user every DSE role whose name matches one of the LDAP groups the user is a member of. At least one of those roles must have login privileges, or the user cannot log in.
All permissions granted to roles that reflect LDAP groups to which the user belongs – directly or indirectly – are inherited. The inherited permissions include login permission, scheme permissions, proxy execution permissions, and object permissions.
After authentication completes successfully, DSE queries LDAP again for the list of groups the user belongs to. Depending on the configured group search type, DSE retrieves the list in one of two ways:
Reads the user's member-of attribute (user_memberof_attribute), which holds one group DN per group, and extracts each group name from the DN using the group_name_attribute.
Searches the subtree under group_search_base for group entries that match the group_search_filter for the authenticated user, and returns the group names using the group_name_attribute of each matching group.
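As an added illustration that is not part of the original page, the following dse.yaml fragment shows the two group-lookup modes described above together with the authentication and role management settings they depend on. The option names user_memberof_attribute, group_search_base, group_search_filter and group_name_attribute are the ones named on this page; group_search_type with its values memberof_search and directory_search, the host name, base DNs, bind account and truststore path are assumptions made for the example.

```yaml
# Added example, not configuration from the original page.
# Host, DNs, bind account and truststore are placeholders; group_search_type
# and its two values are assumed from the dse.yaml ldap_options layout.
authentication_options:
  enabled: true
  default_scheme: internal        # internal users (e.g. the break-glass admin) still log in
  other_schemes:
    - ldap                        # directory users authenticate through LDAP

role_management_options:
  mode: ldap                      # roles are derived from LDAP group names, not GRANT ROLE

ldap_options:
  server_host: ldap.example.com   # assumed
  server_port: 636
  use_ssl: true                   # keep the bind password and user credentials off the wire
  truststore_path: /etc/dse/conf/ldap-truststore.jks   # assumed
  truststore_password: changeit   # placeholder, use a real secret
  search_dn: cn=dse-bind,ou=service,dc=example,dc=com  # read-only bind account (assumed)
  search_password: bind-password  # placeholder
  user_search_base: ou=people,dc=example,dc=com
  user_search_filter: (uid={0})   # {0} is replaced with the login name

  # Option A: read the group list from the user's memberOf attribute.
  # Each value is a group DN such as cn=DBAdmins,ou=groups,dc=example,dc=com;
  # DSE extracts group_name_attribute (cn here) and looks for a DSE role
  # named exactly "DBAdmins".
  group_search_type: memberof_search
  user_memberof_attribute: memberOf
  group_name_attribute: cn

  # Option B (use instead of the three settings above): search the group
  # subtree for entries whose membership attribute references the user.
  # group_search_type: directory_search
  # group_search_base: ou=groups,dc=example,dc=com
  # group_search_filter: (uniquemember={0})
  # group_name_attribute: cn
```

Whichever option is used, the DSE role name must equal the group_name_attribute value exactly, including case: a group with cn=DBAdmins needs a role created as "DBAdmins" in double quotes, and a role named dbadmins is never matched. Because group membership in the directory now translates directly into database privileges, treat write access to the LDAP groups (and to the bind account) as equivalent to GRANT on the database, and give the search_dn account read access only.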
Restriction: When role management mode LDAP is enabled with internal authentication, to look up groups the internal role must correspond to the LDAP user id attribute, such as
Create a login role that matches the <group_name>, so that all users who belong to this group can log in to the DSE database:
CREATE ROLE <group_name> WITH LOGIN = true;
<group_name> - Names are case-sensitive; enclose names that contain capital letters in double quotes. For example, use double quotes to match the cn of the group:
LOGIN - At least one group the user belongs to must have login privileges for the user to execute requests.
SUPERUSER - Grants full database access, except on objects on which a permission has been restricted (see Restricting access to data).
Bind the role to the LDAP authentication scheme, so that users authenticated through LDAP are allowed to use it:
GRANT EXECUTE ON LDAP SCHEME TO <group_name>;
What is Next
Assign permissions to the role, see Assigning permissions.