You are viewing the documentation for a prerelease version.

View Latest

Configure LDAP

Couchbase Server can be configured to authenticate the user by means of an LDAP server; and to recognize the LDAP groups of which the user is a member.

GET /settings/ldap

Description

Returns information about the ldap settings as JSON object.

Example

curl -v -u Administrator:password \
http://localhost:8091/settings/ldap
{
    "authentication_enabled": true,
    "authorization_enabled": true,
    "encryption": "StartTLSExtension",
    "groups_query": "ou=groups,dc=example,dc=com??one?(member=%D)",
    "hosts": ["172.23.124.25"],
    "port": 389,
    "query_dn": "cn=admin,dc=example,dc=com",
    "query_pass": "**********",
    "user_dn_mapping": [
        {
            "re": "(.+)",
            "template": "uid={0},ou=users,dc=example,dc=com"
        }
    ]
}

POST /settings/ldap

Description

This command establishes an LDAP server to provide authentication-support for Couchbase Server.

Syntax:

 curl -X POST -u <administrator>:<password>
    http://<host>:<port>/settings/ldap
    -d args
    .
    .

Example

curl -v -X POST -u Administrator:password \
http://localhost:8091/settings/ldap \
-d hosts=172.23.124.25 \
-d port=389 \
-d encryption=StartTLSExtension \
-d server_cert_validation=true \
--data-urlencode cacert@/path/to/cert \
-d query_dn='cn=admin,dc=example,dc=com' \
-d query_pass=password \
-d authentication_enabled=true \
--data-urlencode user_dn_mapping='[{"re":"(.+)","template":"uid={0},ou=users,dc=example,dc=com"}]' \
-d authorization_enabled=true \
--data-urlencode groups_query='ou=groups,dc=example,dc=com??one?(member=%D)'
Table 1. Controller parameters
Parameter Description

authentication_enabled

Enables using LDAP to authenticate users. true enables, false disables.

authorization_enabled

Enables using of LDAP groups for authorization. true enables, false disables.

hosts

Comma-separated list of LDAP hosts.

port

LDAP port

encryption

Encryption method to communicate with LDAP servers. Can be StartTLSExtension, TLS, or false.

max_parallel_connections

Maximum number of parallel connections that can be established with LDAP servers.

server_cert_validation

Whether server certificate validation be enabled: true enables, false disables.

cacert

Certificate in PEM format to be used in LDAP server certificate validation, if server_cert_validation is true.

max_cache_size

Maximum number of requests that can be cached: defaults to 10000.

request_timeout

The timeout for LDAP requests, in milliseconds.

user_dn_mapping

User to distinguished name (DN) mapping. If none is specified, the username is used as the user’s distinguished name.

query_dn

DN to use for searching users and groups synchronization.

query_pass

Password for query_dn user.

groups_query

LDAP query, to get the users' groups by username in RFC4516 format. The %u and %D placeholders can be used, for username and user’s DN respectively. If attribute is present in the query, the list of attribute values in the search result is considered as list of user’s groups (single entry result is expected): for example: '%D?memberOf?base'.

If the attribute is not present in the query, every returned entry is considered a group: for example, 'ou=groups,dc=example,dc=com??one?(member=%D)'

nested_groups_enabled

If enabled Couchbase server will try to recursively search for groups for every discovered ldap group. groups_query will be user for the search.

nested_groups_max_depth

Maximum number of recursive groups requests the server is allowed to perform. This option is only valid when nested groups are enabled. Value must be an integer between 1 and 100: the default is 10.

cache_value_lifetime

Lifetime of values in cache in milliseconds. Default 300000 ms.