You are viewing the documentation for a prerelease version.

View Latest

Authentication API

Couchbase Server supports authentication via external domains.

Authenticating Externally

Enterprises frequently centralize directory services, allowing all user-authentication to be handled by a single server or server-group. LDAP is frequently used in support of such centralization. The authentication handled in this way is therefore external to Couchbase Server.

Couchbase Server supports external authentication. Users are registered as external, for authentication purposes. When such users pass their credentials to Couchbase Server, Couchbase Server recognizes the user as external, and duly passes the credentials to the external authentication facility: if the authentication succeeds there, Couchbase Server is informed, and the user is given appropriate access, based on the roles and privileges on Couchbase Server that they have been assigned.

LDAP Groups

LDAP supports groups, of which multiple users can be members. Couchbase Server supports the association of LDAP groups with Couchbase-Server groups: a user successfully authenticated on an LDAP server may have their LDAP group information duly returned to Couchbase Server. If Couchbase Server has configured an association between one or more of the user’s LDAP groups and corresponding groups defined on Couchbase Server, the user is assigned the roles and privileges for the corresponding Couchbase-Server groups.

Configuration Options

Couchbase provides a recommended REST method for simple and expedited configuration of LDAP-based authentication. This is described in Configure LDAP.

Alternatively, a legacy REST API for establishing SASL administrator credentials can be used. Note that this requires prior, manual set-up of saslauthd for the cluster: see Configure saslauthd.