Add roles for LDAP groups
When using LDAP authentication with LDAP role management, Hyper-Converged Database (HCD) assigns the user all the roles that match the LDAP groups of which they are a member. At least one HCD role must have login privileges.
All permissions granted to roles that reflect LDAP groups to which the user belongs—directly or indirectly—are inherited. The inherited permissions include login permission, scheme permissions, proxy execution permissions, and object permissions.
After authentication completes successfully, HCD queries the LDAP server to retrieve the user’s group memberships. HCD uses one of two methods to determine group membership, depending on your LDAP server configuration:
- MemberOf search: Retrieves group information from the user's memberOf attribute (ldap_group_search_memberof_attribute). This method is used when group membership information is stored directly on the user entry.
- Directory search: Searches for groups in the specified search bases (ldap_group_search_bases) that contain the username in the group's member attribute (ldap_group_search_filter). This method is used when group membership is stored on the group entries.
The system extracts group names using the ldap_group_search_name_attribute (typically cn) from the group DN.
RESTRICTION: When role management mode LDAP is enabled with internal authentication, the internal role must correspond to the LDAP user ID attribute in order to look up groups. Example attributes are uid or sAMAccountName.
Create and bind a login role
- Create a login role that matches the GROUP_NAME, where all users who belong to this group can log in to the HCD database:
CREATE ROLE GROUP_NAME WITH LOGIN = true;
Replace GROUP_NAME with the name of the LDAP group.
Parameter | Description
GROUP_NAME | Names are case-sensitive; enclose names that contain capital letters in double quotes. For example, use double quotes to match the cn of the group: cn=HCD_Login_Users,ou=Groups,dc=example,dc=com. Note: SUPERUSER is the name of a role that is granted full database access, except on objects with a restricted permission. For more information, see Restrict access to data.
LOGIN | At least one group the user belongs to must have login privileges that allow the user to execute requests.
- Bind the assignment to an authentication scheme:
GRANT EXECUTE ON LDAP SCHEME TO GROUP_NAME;
Replace GROUP_NAME with the name of the LDAP group.
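The following Python snippet is an added example, not HCD's own code: it derives the role name from a group DN the way the text describes (the value of ldap_group_search_name_attribute, usually cn, taken from the DN), applies the case-sensitivity rule by double-quoting any name that is not all lowercase, and emits the two CQL statements above. The function names and the sample group DNs are constructed for this illustration.

```python
# Added example (not HCD's own code): map LDAP group DNs to HCD role names and
# produce the CREATE ROLE / GRANT EXECUTE statements from the procedure above.
# Sample DNs are constructed values, not taken from a real directory.
import re


def group_name_from_dn(group_dn: str, name_attribute: str = "cn") -> str:
    """Return the value of name_attribute from the first RDN of group_dn."""
    # Split on commas that are not escaped with a backslash; the first RDN
    # of a group DN carries the group's naming attribute.
    rdns = re.split(r"(?<!\\),", group_dn)
    attr, sep, value = rdns[0].partition("=")
    if not sep or attr.strip().lower() != name_attribute.lower():
        raise ValueError(f"first RDN of {group_dn!r} is not {name_attribute}=...")
    return value.strip()


def cql_identifier(role_name: str) -> str:
    """Quote the role name so CQL keeps it case-sensitive.

    Unquoted CQL identifiers are folded to lowercase, so only an all-lowercase
    name can be left bare; anything with capitals must be double-quoted.
    """
    if re.fullmatch(r"[a-z][a-z0-9_]*", role_name):
        return role_name
    return '"' + role_name.replace('"', '""') + '"'


def role_statements(group_dn: str, name_attribute: str = "cn") -> list[str]:
    """CQL to create the login role for the group and bind it to the LDAP scheme."""
    role = cql_identifier(group_name_from_dn(group_dn, name_attribute))
    return [
        f"CREATE ROLE {role} WITH LOGIN = true;",
        f"GRANT EXECUTE ON LDAP SCHEME TO {role};",
    ]


# Constructed sample group DNs for the demonstration.
SAMPLE_GROUP_DNS = [
    "cn=HCD_Login_Users,ou=Groups,dc=example,dc=com",
    "cn=analysts,ou=Groups,dc=example,dc=com",
]

if __name__ == "__main__":
    for dn in SAMPLE_GROUP_DNS:
        print("\n".join(role_statements(dn)))
```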
Next steps
Assign permissions to the role. For more information, see About Role Based Access Control (RBAC).