Configure LDAP

      Couchbase Server can be configured to authenticate the user by means of an LDAP server; and to recognize the LDAP groups of which the user is a member.

      GET /settings/ldap


      Returns information about the ldap settings as JSON object.


      curl -v -u Administrator:password \
        "authenticationEnabled": false,
        "authorizationEnabled": false,
        "bindDN": "",
        "bindPass": "",
        "cacheValueLifetime": 300000,
        "encryption": "None",
        "failOnMaxDepth": false,
        "hosts": [],
        "maxCacheSize": 10000,
        "maxGroupCacheSize": 1000,
        "maxParallelConnections": 100,
        "middleboxCompMode": true,
        "nestedGroupsEnabled": false,
        "nestedGroupsMaxDepth": 10,
        "port": 389,
        "requestTimeout": 5000,
        "serverCertValidation": true,
        "userDNMapping": "None"

      POST /settings/ldap


      This command establishes an LDAP server to provide authentication-support for Couchbase Server.


       curl -X POST -u <administrator>:<password>
          -d args


      curl -v -X POST -u Administrator:password \
      http://localhost:8091/settings/ldap \
      -d hosts= \
      -d port=389 \
      -d encryption=StartTLSExtension \
      -d serverCertValidation=true \
      --data-urlencode cacert@/path/to/cert \
      -d bindDN='cn=admin,dc=example,dc=com' \
      -d bindPass=password \
      -d authenticationEnabled=true \
      --data-urlencode userDNMapping='{"template":"uid=%u,ou=users,dc=example,dc=com"}' \
      -d authorizationEnabled=true \
      --data-urlencode groupsQuery='ou=groups,dc=example,dc=com??one?(member=%D)'
      Table 1. Controller parameters
      Parameter Description


      Enables using LDAP to authenticate users. true enables, false disables.


      Enables using of LDAP groups for authorization. true enables, false disables.


      Comma-separated list of LDAP hosts.


      LDAP port


      Encryption method to communicate with LDAP servers. Can be StartTLSExtension, TLS, or false.


      Maximum number of parallel connections that can be established with LDAP servers.


      Whether networking TLS middlebox compatibility is on or off. Defaults to true which enables middlebox compatibility. See Advanced Settings on the Configure LDAP page for more information about this setting.


      Whether server certificate validation be enabled: true enables, false disables.


      Certificate in PEM format to be used in LDAP server certificate validation, if serverCertValidation is true.


      Maximum number of requests that can be cached: defaults to 10000.


      The timeout for LDAP requests, in milliseconds.


      Controls how Couchbase Server maps usernames supplied by authentication attempts to LDAP Distinguished Names (DN). The value contains a JSON object with one of three keys: template, query, or advanced.

      • template: the value for this key must contain a template that directly maps the username to a DN.

      • query: the value for this key must contain an LDAP query to search for the user.

      • advanced: the value for this key contains an array of JSON objects. Each object has a key that defines a regular expression for Couchbase Server to match against the username, and a replacement string that formats a DN template or LDAP query.

      For more information, see User Authentication Enablement.


      DN to use for searching users and groups synchronization.


      Password for bindDN user.


      LDAP query, to get the users' groups by username in RFC4516 format. The %u and %D placeholders can be used, for username and user’s DN respectively. If attribute is present in the query, the list of attribute values in the search result is considered as list of user’s groups (single entry result is expected): for example: '%D?memberOf?base'.

      If the attribute is not present in the query, every returned entry is considered a group: for example, 'ou=groups,dc=example,dc=com??one?(member=%D)'


      If enabled Couchbase server will try to recursively search for groups for every discovered ldap group. groupsQuery will be user for the search.


      Maximum number of recursive groups requests the server is allowed to perform. This option is only valid when nested groups are enabled. Value must be an integer between 1 and 100: the default is 10.


      Lifetime of values in cache in milliseconds. Default 300000 ms.


      A certificate to be used by Couchbase Server as a client, in authentication with LDAP.


      The private key that corresponds to Couchbase Server’s client certificate, for use in authentication with LDAP.