Map Service Roles to LDAP Roles

Before you begin

You need:

Peered Track

Public Track

About this task

In this task, you will map service roles to LDAP roles using curl commands.
Important: For this task, you need the SERV-ADMIN portal role. See Portal Roles.
Important: Only users in your external LDAP server who are assigned the data-hub-security-admin service role can run the curl commands that map service roles to LDAP roles. If your service was created before 10/1/2020, the Service Security Admin service role is the one that maps service roles to LDAP roles instead. For details, see Service Roles.

Procedure

  1. Go to the MarkLogic Data Hub Service home page.
  2. Navigate to the DHS whose users you want to authenticate with your LDAP server.
    • In the Service column, click the service name.

    Private Standard MarkLogic Data Hub Service

    Tip: You can customize your dashboard with column sorting, column configuring, and services searching and filtering. See Customize DHS Dashboard.
  3. In the Data Hub Service page, click What's next? to display the modal window containing the curl commands.

    Private Standard MarkLogic Data Hub Service LDAP curl Commands

  4. In the modal window, copy the curl commands to your clipboard:
    • highlight and copy the curl commands, or
    • click the copy script icon.

      curl -X POST --anyauth -u USERNAME:PASSWORD -H "Content-Type:application/json" \
        -d '{"role-name": "custom-hub-central-explorer","role": ["hub-central-explorer"],"external-names":[{"external-name":"ROLE_DN"}]}' \
        https://HOSTNAME:8002/manage/v2/roles/

      curl -X POST --anyauth -u USERNAME:PASSWORD -H "Content-Type:application/json" \
        -d '{"role-name": "custom-hub-central-modeler","role": ["hub-central-modeler"],"external-names":[{"external-name":"ROLE_DN"}]}' \
        https://HOSTNAME:8002/manage/v2/roles/

      curl -X POST --anyauth -u USERNAME:PASSWORD -H "Content-Type:application/json" \
        -d '{"role-name": "custom-hub-central-developer","role": ["hub-central-developer"],"external-names":[{"external-name":"ROLE_DN"}]}' \
        https://HOSTNAME:8002/manage/v2/roles/

      curl -X POST --anyauth -u USERNAME:PASSWORD -H "Content-Type:application/json" \
        -d '{"role-name": "custom-hub-central-operator","role": ["hub-central-operator"],"external-names":[{"external-name":"ROLE_DN"}]}' \
        https://HOSTNAME:8002/manage/v2/roles/

      curl -X POST --anyauth -u USERNAME:PASSWORD -H "Content-Type:application/json" \
        -d '{"role-name": "custom-hub-central-curator","role": ["hub-central-curator"],"external-names":[{"external-name":"ROLE_DN"}]}' \
        https://HOSTNAME:8002/manage/v2/roles/

      curl -X POST --anyauth -u USERNAME:PASSWORD -H "Content-Type:application/json" \
        -d '{"role-name": "custom-data-hub-admin","role": ["data-hub-admin"],"external-names":[{"external-name":"ROLE_DN"}]}' \
        https://HOSTNAME:8002/manage/v2/roles/

      curl -X POST --anyauth -u USERNAME:PASSWORD -H "Content-Type:application/json" \
        -d '{"role-name": "custom-data-hub-developer","role": ["data-hub-developer"],"external-names":[{"external-name":"ROLE_DN"}]}' \
        https://HOSTNAME:8002/manage/v2/roles/

      curl -X POST --anyauth -u USERNAME:PASSWORD -H "Content-Type:application/json" \
        -d '{"role-name": "custom-data-hub-operator","role": ["data-hub-operator"],"external-names":[{"external-name":"ROLE_DN"}]}' \
        https://HOSTNAME:8002/manage/v2/roles/

      curl -X POST --anyauth -u USERNAME:PASSWORD -H "Content-Type:application/json" \
        -d '{"role-name": "custom-data-hub-monitor","role": ["data-hub-monitor"],"external-names":[{"external-name":"ROLE_DN"}]}' \
        https://HOSTNAME:8002/manage/v2/roles/

      curl -X POST --anyauth -u USERNAME:PASSWORD -H "Content-Type:application/json" \
        -d '{"role-name": "custom-data-hub-odbc-user","role": ["data-hub-odbc-user"],"external-names":[{"external-name":"ROLE_DN"}]}' \
        https://HOSTNAME:8002/manage/v2/roles/

      curl -X POST --anyauth -u USERNAME:PASSWORD -H "Content-Type:application/json" \
        -d '{"role-name": "custom-pii-reader","role": ["pii-reader"],"external-names":[{"external-name":"ROLE_DN"}]}' \
        https://HOSTNAME:8002/manage/v2/roles/


    For curl commands used to map LDAP roles to service roles in previous versions of MarkLogic Data Hub Service, see Appendix: Map Service Roles to LDAP Roles.

    See Service Roles for descriptions of each service role.

    • To edit the curl commands, paste them into a text file.
  5. In the text file, replace the following parameters per your configuration: USERNAME, PASSWORD, and ROLE_DN.
    Note: You can change the role names ("role-name":) from custom-* to any name of your choosing.

    Value      Replace with
    USERNAME   The username of a user in the Security Admin DN.
               Remember: After you assign an LDAP configuration to a service, the Security Admin DN is mapped to the data-hub-security-admin service role in the MarkLogic security database. For details about this service role, see Service Roles.
    PASSWORD   The password for the preceding user in the Security Admin DN, as you defined it in your external LDAP server. A password passed on the command line with -u USERNAME:PASSWORD is recorded in your shell history and visible in the process list while curl runs; if that matters in your environment, omit the password (-u USERNAME) so that curl prompts for it, or supply it through a curl config file with restricted permissions.
    ROLE_DN    The DN in your external LDAP server to which you are mapping the service role. Example: CN=DataHubDeveloper,OU=Users,OU=example,DC=example,DC=com
  6. Open a command-line window, and run the modified curl commands.

    Example:

      curl -X POST --anyauth -u SecurityAdminUsername:PASSWORD -H "Content-Type:application/json" \
        -d '{"role-name": "custom-data-hub-developer","role": ["data-hub-developer"],"external-names":[{"external-name":"CN=DataHubDeveloper,OU=Users,OU=example,DC=example,DC=com"}]}' \
        https://abcdefghi.abcdefhgijk.a.marklogicsvc.com:8002/manage/v2/roles/


    For more information about running the curl commands, see Access Private Endpoints and Access Public Endpoints.
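
    The procedure in steps 4 to 6, assembled into one script as an added example (this is not from the MarkLogic documentation). It builds each request body from a role-to-DN table so the JSON stays well formed even for DNs containing quotes or backslashes, hands the security admin's credentials to curl through a config file on stdin (-K -) rather than as -u USERNAME:PASSWORD on the command line, and after each POST reads the role back with GET /manage/v2/roles/{name}/properties to confirm the external name was stored. The hostname, username, and group DNs are placeholders; the script assumes the LDAP password is exported as DHS_PASSWORD. By default (DRY_RUN=1) it only prints the requests it would send; set DRY_RUN=0 to run them against your service.

```shell
#!/bin/sh
# Added example, not part of the MarkLogic documentation: drive the role-mapping
# requests from a small table instead of editing each curl command by hand,
# keep the LDAP password off the command line, and verify each mapping.
# Assumed values (replace with your own): DHS_HOST, DHS_USER, the LDAP DNs.
set -eu

DHS_HOST="${DHS_HOST:-abcdefghi.abcdefhgijk.a.marklogicsvc.com}"
DHS_USER="${DHS_USER:-SecurityAdminUsername}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the requests (default); 0 = send them

# Mapping table, one entry per line: custom-role-name|service-role|LDAP DN.
# Map only the roles your users need (least privilege). The DNs are constructed
# placeholders for this example.
MAPPINGS='
custom-data-hub-developer|data-hub-developer|CN=DataHubDeveloper,OU=Users,OU=example,DC=example,DC=com
custom-data-hub-operator|data-hub-operator|CN=DataHubOperator,OU=Users,OU=example,DC=example,DC=com
custom-pii-reader|pii-reader|CN=PIIReaders,OU=Users,OU=example,DC=example,DC=com
'

# Escape backslash and double quote so a DN cannot break out of the JSON string.
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Request body for one mapping: a custom role that inherits one service role
# and is granted to LDAP users whose DN matches the external name.
build_payload() {
  printf '{"role-name":"%s","role":["%s"],"external-names":[{"external-name":"%s"}]}' \
    "$(json_escape "$1")" "$(json_escape "$2")" "$(json_escape "$3")"
}

# curl reads 'user = "name:password"' from a config file on stdin (-K -), so the
# password comes from the DHS_PASSWORD environment variable and never appears in
# `ps` output or shell history. (A password containing a double quote would need
# escaping in that config line.)
curl_auth() {
  : "${DHS_PASSWORD:?export DHS_PASSWORD before running with DRY_RUN=0}"
  printf 'user = "%s:%s"\n' "$DHS_USER" "$DHS_PASSWORD" |
    curl --silent --show-error --fail --anyauth -K - "$@"
}

# Create one role mapping (or, in dry-run mode, print the request).
map_role() {
  payload="$(build_payload "$1" "$2" "$3")"
  if [ "$DRY_RUN" = "1" ]; then
    printf 'POST https://%s:8002/manage/v2/roles/ %s\n' "$DHS_HOST" "$payload"
    return 0
  fi
  curl_auth -X POST -H "Content-Type:application/json" -d "$payload" \
    "https://$DHS_HOST:8002/manage/v2/roles/"
}

# Read the role back and confirm the DN was stored as one of its external names.
verify_role() {
  curl_auth "https://$DHS_HOST:8002/manage/v2/roles/$1/properties?format=json" |
    grep -F -q -- "$2"
}

# Apply every entry in the mapping table.
map_all() {
  printf '%s\n' "$MAPPINGS" | while IFS='|' read -r name role dn; do
    [ -n "$name" ] || continue
    map_role "$name" "$role" "$dn"
    [ "$DRY_RUN" = "1" ] || verify_role "$name" "$dn"
  done
}

map_all
```

    Run it once with the default DRY_RUN=1 and compare the printed bodies with the commands in step 4; then export DHS_PASSWORD and run with DRY_RUN=0. Because --fail is set, a wrong Security Admin credential or a duplicate role name stops the script at the failing request instead of continuing silently.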

What to do next

  • (Optional) If your DHS network is peered, you can configure SSH Tunneling.
  • Ingest and Curate Your Data.