Adding roles for LDAP groups

Assign roles by matching the user's LDAP group names to DSE role names.

When LDAP authentication is used with LDAP role management, DSE assigns the user every DSE role whose name matches an LDAP group the user belongs to. At least one of those matched roles must have login privileges, otherwise the user cannot log in.

Important: All permissions granted to roles that reflect LDAP groups to which the user belongs – directly or indirectly – are inherited. The inherited permissions include login permission, scheme permissions, proxy execution permissions, and object permissions.
After authentication completes successfully, DSE queries LDAP again for the list of groups the user belongs to. DSE either retrieves the list from:
Restriction: When LDAP role management mode is enabled together with internal authentication, the name of the internal role must match the value of the LDAP user ID attribute (for example uid or sAMAccountName) so that DSE can look up the user's groups.

Procedure

  1. Create a login role whose name matches the LDAP group name (group_name), so that every user who belongs to that group can log in to the DSE database:
    CREATE ROLE group_name WITH LOGIN = true;
    • group_name - Role names are case sensitive. CQL folds unquoted identifiers to lower case, so enclose any name that contains capital letters in double quotes. For example, to match the group cn=DSE_Login_Users,ou=Groups,dc=example,dc=com the role must be created as "DSE_Login_Users", with the quotes.
    • LOGIN - At least one of the groups the user belongs to must map to a role with login privileges; otherwise the user cannot execute requests.
    • SUPERUSER - Optional (add AND SUPERUSER = true to the statement). Grants full database access, except on objects for which access has been explicitly restricted (see Restricting access to data). Grant it to an LDAP group only if every member of that group, including members of nested groups, should be a superuser.
  2. Bind the role to the LDAP authentication scheme so that users authenticated by LDAP can use it:
    GRANT EXECUTE ON LDAP SCHEME TO group_name;
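
The following CQL is an added worked example for the procedure above; it is not from the original page or from DataStax. It maps two LDAP groups to two DSE roles, one that carries login and one that carries only data permissions, and ends with the statements used to verify the result. The group names DSE_Login_Users and DSE_Analysts and the keyspace sales are assumptions; substitute your own.

```sql
-- Added example (not from the original page): two DSE roles that mirror two
-- LDAP groups, plus the checks used to confirm the mapping. Assumed names:
-- the groups cn=DSE_Login_Users and cn=DSE_Analysts, and the keyspace
-- sales; substitute your own.

-- 1. The role name must match the LDAP group cn exactly. CQL folds unquoted
--    identifiers to lower case, so this statement would create the role
--    dse_login_users, which never matches the group cn=DSE_Login_Users:
--      CREATE ROLE DSE_Login_Users WITH LOGIN = true;   -- wrong
--    Quote the name to keep its case:
CREATE ROLE "DSE_Login_Users" WITH LOGIN = true;

-- 2. A second role for a group that carries data permissions only. It has
--    no LOGIN; its members still log in through DSE_Login_Users.
CREATE ROLE "DSE_Analysts" WITH LOGIN = false;

-- 3. Bind the login role to the LDAP authentication scheme.
GRANT EXECUTE ON LDAP SCHEME TO "DSE_Login_Users";

-- 4. Object permissions go on the non-login role. A user who belongs to
--    both groups inherits SELECT on sales together with the login permission.
GRANT SELECT ON KEYSPACE sales TO "DSE_Analysts";

-- 5. Verify. LIST ROLES shows the stored names (including case) and the
--    login flag; LIST ALL PERMISSIONS OF shows what each role actually grants.
LIST ROLES;
LIST ALL PERMISSIONS OF "DSE_Login_Users";
LIST ALL PERMISSIONS OF "DSE_Analysts";
```

Run the statements in cqlsh as a superuser after LDAP role management is enabled. To confirm the mapping end to end, log in with cqlsh as an LDAP user who is a member of both groups and run a SELECT against the sales keyspace; a member of DSE_Analysts alone should be refused at login, because no role with LOGIN matches any of that user's groups.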

What's next

Assign permissions to the role, see Assigning permissions.