Adding roles for LDAP logins
Assigns a DSE role by matching the username provided for authentication (1-1 mapping).
The role manager assigns a DSE role by matching the username passed in at authentication
with a DSE role of the same name. Create one login role for each LDAP user that needs to
access the database.
Tip: The LDAP username attribute is defined in the LDAP authenticator configuration, for example uid (OpenLDAP) or
sAMAccountName (Microsoft Active Directory). The role name must match the value of that attribute.
Procedure
- Create a login role whose name matches the username:
CREATE ROLE ldap_user_role WITH LOGIN = true;
- ldap_user_role - The username passed from the authenticator to the role manager. The string must match exactly what the user enters at login, including case.
- LOGIN - Required to allow the user basic access to the database.
- SUPERUSER - Grants full database access, except on objects where a permission has been restricted (see Restricting access to data). It is not required for an LDAP login; prefer granting the specific permissions the user needs.
CAUTION: Do NOT set a password on the role. The credentials are verified against LDAP, not against a password stored in DSE.
- Bind the role to the LDAP authentication scheme:
GRANT EXECUTE ON LDAP SCHEME TO ldap_user_role;
- To allow another role to manage the new role without being a superuser:
GRANT AUTHORIZE FOR ALTER, DROP ON ROLE ldap_user_role TO management_role;
Tip: All superusers have AUTHORIZE permission on all roles, and the role that created a role is granted all permissions on it.
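The whole procedure for one user, as an added example that is not part of the original page. It assumes an Active Directory user whose sAMAccountName is JSmith, a keyspace app_data with a table events, and a management role dba_team; none of these names come from the page. The quoting caveat follows the standard CQL identifier rule (unquoted identifiers are folded to lowercase) and is stated here as the editor's note.

```cql
-- Assumed names (not from the original page): LDAP user "JSmith",
-- keyspace app_data, table app_data.events, management role dba_team.

-- 1. Login role named exactly like the LDAP username.
--    Quote the name: an unquoted identifier is folded to lowercase, so
--      CREATE ROLE JSmith WITH LOGIN = true;
--    would create the role "jsmith" and a login as "JSmith" would never match it.
--    No PASSWORD option: LDAP verifies the credentials, not DSE.
CREATE ROLE 'JSmith' WITH LOGIN = true;

-- 2. Bind the role to the LDAP authentication scheme so the LDAP
--    authenticator can hand this username to the role manager.
GRANT EXECUTE ON LDAP SCHEME TO 'JSmith';

-- 3. Least privilege: grant the permissions the user actually needs
--    instead of SUPERUSER.
GRANT SELECT ON KEYSPACE app_data TO 'JSmith';
GRANT MODIFY ON TABLE app_data.events TO 'JSmith';

-- 4. Let the dba_team role alter or drop this role without being a superuser.
GRANT AUTHORIZE FOR ALTER, DROP ON ROLE 'JSmith' TO dba_team;

-- 5. Verify the result: super should be False, login True, and the
--    permission list should contain only the grants made above.
LIST ROLES OF 'JSmith';
LIST ALL PERMISSIONS OF 'JSmith';
```

Run the statements in cqlsh as a role that can create and grant roles. If LIST ROLES OF 'JSmith' returns no row, the most common cause is a case mismatch between the role name and the LDAP username attribute; check the exact value of uid or sAMAccountName in the directory and recreate the role with that spelling.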