Adding roles for LDAP groups

Assign roles by matching the user's LDAP group names to DSE role names.

When using LDAP authentication with LDAP role management, DSE assigns the user all the roles that match the LDAP groups that they are a member of. At least one DSE role must have login privileges.

CAUTION: DSE does not support nested groups with LDAP role management.
After authentication completes successfully, DSE queries LDAP again for the list of groups the user belongs to. DSE retrieves the list in one of two ways:
  • Reads the user's member-of attribute () and returns all group names taken from the group DN ().
  • Searches for groups in the that contain the username in the attribute and returns the list of group names using the from the group DN.
Restriction: When LDAP role management mode is enabled with internal authentication, the internal role name must match the LDAP user ID attribute (such as uid or sAMAccountName) so that DSE can look up the user's groups.

Procedure

  1. Create a login role whose name matches the group name, so that all users who belong to this group can log in to the DSE database:
    CREATE ROLE group_name WITH LOGIN = true;
    • group_name - Role names are case sensitive; enclose names that contain capital letters in double quotes. For example, use double quotes to match the cn of the group cn=DSE_Login_Users,ou=Groups,dc=example,dc=com.
    • LOGIN - At least one of the groups the user belongs to must have login privileges for the user to execute requests.
    • SUPERUSER - Grants full database access, except on objects where access has been restricted (see Restricting access to data).
    Tip: is required to execute requests.
  2. Bind the role to an authentication scheme:
    GRANT EXECUTE ON LDAP SCHEME TO group_name;
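An added example, not part of the DSE documentation, that applies the matching and quoting rules above: it derives DSE role names from LDAP group DNs, emits the CREATE ROLE and GRANT statements with correct CQL quoting, and models which roles a user receives and whether any of them allows login. It assumes the group name is taken from the cn of the group DN, as in the example above; the function names and sample DNs are constructed.

```python
import re
from typing import Dict, Iterable, List

# Extract the group's name from its DN. The example above matches the group's
# cn (cn=DSE_Login_Users,ou=Groups,dc=example,dc=com); the attribute DSE uses
# is configurable, so it is a parameter here. Escaped commas in RDN values are
# not handled by this simple split.
def group_name_from_dn(group_dn: str, attribute: str = "cn") -> str:
    first_rdn = group_dn.split(",", 1)[0]
    attr, _, value = first_rdn.partition("=")
    if attr.strip().lower() != attribute.lower():
        raise ValueError(f"first RDN of {group_dn!r} is not {attribute}")
    return value.strip()

# CQL folds unquoted identifiers to lower case, so a role name with capital
# letters (or any character outside [a-z0-9_]) must be double-quoted, with
# embedded double quotes doubled. Otherwise the role will not match the group.
def quote_identifier(name: str) -> str:
    if re.fullmatch(r"[a-z][a-z0-9_]*", name):
        return name
    return '"' + name.replace('"', '""') + '"'

# Build the CQL for a set of LDAP groups. Only groups listed in login_groups
# get LOGIN = true; the others are permission-carrying roles. Every role is
# bound to the LDAP scheme, as in step 2 above.
def role_statements(group_dns: Iterable[str], login_groups: Iterable[str]) -> List[str]:
    login = set(login_groups)
    stmts: List[str] = []
    for dn in group_dns:
        name = group_name_from_dn(dn)
        ident = quote_identifier(name)
        flag = "true" if name in login else "false"
        stmts.append(f"CREATE ROLE {ident} WITH LOGIN = {flag};")
        stmts.append(f"GRANT EXECUTE ON LDAP SCHEME TO {ident};")
    return stmts

# Model of the assignment described above: the user receives every DSE role
# whose name equals (case-sensitively) one of their LDAP group names, and can
# only execute requests if at least one of those roles has LOGIN.
# dse_roles maps role name -> LOGIN flag.
def assigned_roles(user_group_names: Iterable[str], dse_roles: Dict[str, bool]) -> Dict[str, object]:
    matched = [g for g in user_group_names if g in dse_roles]
    return {"roles": matched, "can_login": any(dse_roles[r] for r in matched)}
```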

What's next

Assign permissions to the role; see Assigning permissions.