Configure LDAP
Couchbase Server can be configured to authenticate the user by means of an LDAP server; and to recognize the LDAP groups of which the user is a member.
GET /settings/ldap
Description
Returns information about the ldap settings as JSON object.
Example
curl -v -u Administrator:password \ http://localhost:8091/settings/ldap { "authenticationEnabled": true, "authorizationEnabled": true, "encryption": "StartTLSExtension", "groupsQuery": "ou=groups,dc=example,dc=com??one?(member=%D)", "hosts": ["172.23.124.25"], "port": 389, "bindDN": "cn=admin,dc=example,dc=com", "bindPass": "**********", "userDNMapping": {"template": "uid=%u,ou=users,dc=example,dc=com"} }
POST /settings/ldap
Description
This command establishes an LDAP server to provide authentication-support for Couchbase Server.
Syntax:
curl -X POST -u <administrator>:<password> http://<host>:<port>/settings/ldap -d args . .
Example
curl -v -X POST -u Administrator:password \ http://localhost:8091/settings/ldap \ -d hosts=172.23.124.25 \ -d port=389 \ -d encryption=StartTLSExtension \ -d serverCertValidation=true \ --data-urlencode cacert@/path/to/cert \ -d bindDN='cn=admin,dc=example,dc=com' \ -d bindPass=password \ -d authenticationEnabled=true \ --data-urlencode userDNMapping='{"template":"uid=%u,ou=users,dc=example,dc=com"}' \ -d authorizationEnabled=true \ --data-urlencode groupsQuery='ou=groups,dc=example,dc=com??one?(member=%D)'
Parameter | Description |
---|---|
authenticationEnabled |
Enables using LDAP to authenticate users. true enables, false disables. |
authorizationEnabled |
Enables using of LDAP groups for authorization. |
hosts |
Comma-separated list of LDAP hosts. |
port |
LDAP port |
encryption |
Encryption method to communicate with LDAP servers. Can be StartTLSExtension, TLS, or false. |
maxParallelConnections |
Maximum number of parallel connections that can be established with LDAP servers. |
serverCertValidation |
Whether server certificate validation be enabled: true enables, false disables. |
cacert |
Certificate in PEM format to be used in LDAP server certificate validation, if serverCertValidation is true. |
maxCacheSize |
Maximum number of requests that can be cached: defaults to 10000. |
requestTimeout |
The timeout for LDAP requests, in milliseconds. |
userDNMapping |
User to distinguished name (DN) mapping. If none is specified, the username is used as the user’s distinguished name. |
bindDN |
DN to use for searching users and groups synchronization. |
bindPass |
Password for bindDN user. |
groupsQuery |
LDAP query, to get the users' groups by username in RFC4516 format. The %u and %D placeholders can be used, for username and user’s DN respectively. If attribute is present in the query, the list of attribute values in the search result is considered as list of user’s groups (single entry result is expected): for example: '%D?memberOf?base'. If the attribute is not present in the query, every returned entry is considered a group: for example, 'ou=groups,dc=example,dc=com??one?(member=%D)' |
nestedGroupsEnabled |
If enabled Couchbase server will try to recursively search for groups for every discovered ldap group. groupsQuery will be user for the search. |
nestedGroupsMaxDepth |
Maximum number of recursive groups requests the server is allowed to perform. This option is only valid when nested groups are enabled. Value must be an integer between 1 and 100: the default is 10. |
cacheValueLifetime |
Lifetime of values in cache in milliseconds. Default 300000 ms. |
clientTLSCert |
A certificate to be used by Couchbase Server as a client, in authentication with LDAP. |
clientTLSKey |
The private key that corresponds to Couchbase Server’s client certificate, for use in authentication with LDAP. |