A newer version of this documentation is available.

View Latest


    To access Couchbase Server, administrators and applications must be authenticated. Authentication is a process for identifying a user who is attempting to access a system.

    Passing Credentials

    Couchbase-Server authentication relies on credentials, which must be passed into the system by the user who is attempting access. Credentials can be entered manually, or passed into the system by an application. The credentials passed must match ones already stored and accessible by the system: if a match is achieved, the user is thereby recognized, and so may be granted access. If no match is achieved, the user is denied access.

    To access Couchbase Server, administrators authenticate by means of a username and password. These credentials can be validated by Couchbase Server itself: alternatively if the Enterprise Edition of Couchbase Server for Linux is used, validation can be performed either on a network-accessible directory-server, by means of the Lightweight Directory Access Protocol (LDAP); or by means of the Pluggable Authentication Modules (PAM) authentication-framework.

    Authentication Domains

    Couchbase Server assigns users to different authentication domains:

    • Local: Contains users defined locally. This includes:

      • The Full Administrator for Couchbase Server.

      • Internal Components within Couchbase Server that support core functionality (for example, indexing, searching, and replicating), and run with full administrative privileges.

      • Generated Users, which are created by Couchbase Server as part of the upgrade process to 5.0; each in correspondence with a legacy bucket. Each Generated User is assigned a username that is identical to the bucket-name; and either a password that is identical to the bucket’s pre-5.0 password, or no password, if the bucket did not feature a password. Generated Users are created to ensure that legacy applications can continue to access legacy buckets after upgrade to 5.0, with the same username-password combination being used for authentication.

      • Locally Defined Users, which are explicitly created by a Couchbase Server administrator; and each feature a username and password unique within the Local domain.

    • External: Contains users defined externally; either by means of LDAP or PAM. Passwords are defined and stored remotely. Note that External usernames do not clash with Local usernames.

    When a user attempts to authenticate, Couchbase Server always looks up their credentials in the same order: which is Local first, and External second.