February 16, 2025
Couchbase Server supports authentication via local and external domains.

Authenticating Locally and Externally

Couchbase users may be given an identity locally on a cluster. This allows their credentials to be maintained and updated on the local cluster. A password policy is enforced for the cluster: the defaults for this policy can be modified. A local user can change their own password.

Enterprises frequently centralize directory services, allowing all user authentication to be handled by a single server or server group. LDAP is frequently used in support of such centralization. Authentication handled in this way is therefore external to Couchbase Server.

Couchbase Server supports external authentication. Users are registered as external for authentication purposes. When such a user passes their credentials to Couchbase Server, Couchbase Server recognizes the user as external and passes the credentials to the external authentication facility. If the authentication succeeds there, Couchbase Server is informed, and the user is given appropriate access, based on the roles and privileges they have been assigned on Couchbase Server.

The default password policy is described in Password Strength. For further information on local and external domains, see Authentication Domains.

LDAP Groups

LDAP supports groups, of which multiple users can be members. Couchbase Server supports the association of LDAP groups with Couchbase-Server groups: a user successfully authenticated on an LDAP server may have their LDAP group information duly returned to Couchbase Server. If Couchbase Server has configured an association between one or more of the user’s LDAP groups and corresponding groups defined on Couchbase Server, the user is assigned the roles and privileges for the corresponding Couchbase-Server groups.

Configuration Options

Couchbase provides a recommended REST method for simple and expedited configuration of LDAP-based authentication. This is described in Configure LDAP.

Alternatively, a legacy REST API for establishing SASL administrator credentials can be used. Note that this requires prior, manual set-up of saslauthd for the cluster: see Configure saslauthd.

APIs in this section

A complete list of APIs described in this section is provided in the table below.

Authentication

| HTTP Method | URI | Documented at |
|---|---|---|
| GET | /settings/ldap | Configure LDAP |
| POST | /settings/ldap | Configure LDAP |
| GET | /settings/saml | Configure SAML |
| POST | /settings/saml | Configure SAML |
| GET | /settings/saslauthdAuth | Configure saslauthd |
| POST | /settings/saslauthdAuth | Configure saslauthd |
| GET | /settings/passwordPolicy | Set Password Policy |
| POST | /settings/passwordPolicy | Set Password Policy |
| POST | /controller/changePassword | Change Password |
| POST | /node/controller/loadTrustedCAs | Load Root Certificates |
| GET | /node/controller/loadTrustedCAs | Get Root Certificates |
| DELETE | /pools/default/trustedCAs/<id> | Delete Root Certificates |
| GET | /pools/default/certificates | Retrieve All Node Certificates |
| POST | /node/controller/reloadCertificate | Upload and Retrieve Node Certificates |
| GET | /pools/default/certificate/node/<ip-address-or-domain-name> | Upload and Retrieve Node Certificates |
| POST | /controller/regenerateCertificate | Regenerate All Certificates |