Add roles for LDAP groups

When using LDAP authentication with LDAP role management, Hyper-Converged Database (HCD) assigns the user all the roles that match the LDAP groups of which they are a member. At least one HCD role must have login privileges.

All permissions granted to roles that reflect LDAP groups to which the user belongs—directly or indirectly—are inherited. The inherited permissions include login permission, scheme permissions, proxy execution permissions, and object permissions.

After authentication completes successfully, HCD queries the LDAP server to retrieve the user’s group memberships. HCD uses one of two methods to determine group membership, depending on your LDAP server configuration:

  • MemberOf search: Retrieves group information from the user’s memberOf attribute (ldap_group_search_memberof_attribute). This method is used when group membership information is stored directly on the user entry.

  • Directory search: Searches for groups in the specified search bases (ldap_group_search_bases) that contain the username in the group’s member attribute (ldap_group_search_filter). This method is used when group membership is stored on the group entries.

The system extracts group names using the ldap_group_search_name_attribute (typically cn) from the group DN.

RESTRICTION: When role management mode LDAP is enabled with internal authentication, the name of the internal role must match the value of the LDAP user ID attribute so that HCD can look up the user's groups. Example attributes are uid or sAMAccountName.
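The following is an added example, not HCD code, that simulates the two group lookup methods described above (memberOf search and directory search), the name extraction with a configurable name attribute (cn by default), the exact, case-sensitive match of group names against database roles, and the internal-role-to-user-ID lookup from the restriction. All directory entries, role names and search bases below are constructed; the configuration parameter names in the comments are the ones from this page, but the matching logic is a simplification and is not HCD's implementation.

```python
"""Simulate how an LDAP-backed role mapper resolves a user's database roles.

Added example (not HCD code). Directory data below is constructed.
"""

# Constructed user entries. Membership is stored on the user in the
# memberOf attribute (ldap_group_search_memberof_attribute).
USER_ENTRIES = [
    {
        "dn": "uid=alice,ou=People,dc=example,dc=com",
        "uid": ["alice"],
        "memberOf": [
            "cn=HCD_Login_Users,ou=Groups,dc=example,dc=com",
            "cn=analysts,ou=Groups,dc=example,dc=com",
        ],
    },
    {"dn": "uid=carol,ou=People,dc=example,dc=com", "uid": ["carol"],
     "memberOf": ["cn=admins,ou=Groups,dc=example,dc=com"]},
]

# Constructed group entries. Membership is stored on the group in the
# member attribute; the last group sits outside the configured search base.
GROUP_ENTRIES = [
    {"dn": "cn=HCD_Login_Users,ou=Groups,dc=example,dc=com",
     "member": ["uid=alice,ou=People,dc=example,dc=com"]},
    {"dn": "cn=analysts,ou=Groups,dc=example,dc=com",
     "member": ["uid=alice,ou=People,dc=example,dc=com",
                "uid=bob,ou=People,dc=example,dc=com"]},
    {"dn": "cn=admins,ou=Groups,dc=example,dc=com",
     "member": ["uid=carol,ou=People,dc=example,dc=com"]},
    {"dn": "cn=analysts,ou=Legacy,dc=example,dc=com",
     "member": ["uid=alice,ou=People,dc=example,dc=com"]},
]

# Constructed database roles: role name -> whether it has LOGIN.
# Note "Admins" (capital A) does not match the LDAP group "admins".
DEFINED_ROLES = {"HCD_Login_Users": True, "analysts": False, "Admins": True}

# Constructed search base (ldap_group_search_bases).
SEARCH_BASES = ["ou=Groups,dc=example,dc=com"]


def group_name_from_dn(dn, name_attribute="cn"):
    """Return the value of the first RDN whose attribute equals name_attribute
    (ldap_group_search_name_attribute). Naive split: escaped commas in DNs
    are not handled here."""
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if attr.lower() == name_attribute.lower():
            return value
    return None


def find_user_dn(user_entries, internal_role, id_attribute="uid"):
    """Restriction from the page: with internal authentication, the internal
    role name must equal the LDAP user ID attribute value to locate the user."""
    for entry in user_entries:
        if internal_role in entry.get(id_attribute, []):
            return entry["dn"]
    return None


def groups_via_memberof(user_entry, memberof_attribute="memberOf"):
    """MemberOf search: read group DNs straight off the user entry."""
    return list(user_entry.get(memberof_attribute, []))


def _dn_in_base(dn, base):
    return dn.lower().endswith("," + base.lower())


def groups_via_search(group_entries, user_dn, search_bases, member_attribute="member"):
    """Directory search: groups under a search base whose member attribute
    contains the user's DN (what ldap_group_search_filter selects)."""
    return [g["dn"] for g in group_entries
            if any(_dn_in_base(g["dn"], b) for b in search_bases)
            and user_dn in g.get(member_attribute, [])]


def resolve_roles(group_dns, defined_roles, name_attribute="cn"):
    """Map group DNs to database roles by exact, case-sensitive name match.
    Returns (matched role names, login_allowed): login is allowed only if at
    least one matched role has LOGIN."""
    names = [group_name_from_dn(dn, name_attribute) for dn in group_dns]
    matched = [n for n in names if n in defined_roles]
    return matched, any(defined_roles[r] for r in matched)


if __name__ == "__main__":
    for user in ("alice", "carol"):
        dn = find_user_dn(USER_ENTRIES, user)
        groups = groups_via_search(GROUP_ENTRIES, dn, SEARCH_BASES)
        print(user, resolve_roles(groups, DEFINED_ROLES))
```

Running the block shows alice mapped to HCD_Login_Users and analysts with login allowed, while carol's only group, admins, fails the case-sensitive match against the role Admins, so she gets no roles and cannot log in; the group under ou=Legacy is ignored because it lies outside the search base.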

Create and bind a login role

  1. Create a login role that matches the GROUP_NAME, where all users who belong to this group can log in to the HCD database:

    CREATE ROLE GROUP_NAME WITH LOGIN = true;

    Replace GROUP_NAME with the name of the LDAP group.

    Parameters:

    GROUP_NAME
      Names are case-sensitive; enclose names that contain capital letters in double quotes. For example, use double quotes to match the cn of the group cn=HCD_Login_Users,ou=Groups,dc=example,dc=com.

      Note: SUPERUSER is the name of a role that is granted full database access, except on objects with a restricted permission. For more information, see Restrict access to data.

    LOGIN
      At least one group the user belongs to must have login privileges that allow the user to execute requests.

  2. Bind the assignment to an authentication scheme:

    GRANT EXECUTE ON LDAP SCHEME TO GROUP_NAME;

    Replace GROUP_NAME with the name of the LDAP group.

Next steps

Assign permissions to the role. For more information, see About Role Based Access Control (RBAC).
