Configure LDAP

      +
      Couchbase Server can be configured to authenticate the user by means of an LDAP server; and to recognize the LDAP groups of which the user is a member.

      GET /settings/ldap

      Description

      Returns information about the ldap settings as JSON object.

      Example

      curl -v -u Administrator:password \
      http://localhost:8091/settings/ldap
      {
        "authenticationEnabled": false,
        "authorizationEnabled": false,
        "bindDN": "",
        "bindPass": "",
        "cacheValueLifetime": 300000,
        "encryption": "None",
        "failOnMaxDepth": false,
        "hosts": [],
        "maxCacheSize": 10000,
        "maxGroupCacheSize": 1000,
        "maxParallelConnections": 100,
        "middleboxCompMode": true,
        "nestedGroupsEnabled": false,
        "nestedGroupsMaxDepth": 10,
        "port": 389,
        "requestTimeout": 5000,
        "serverCertValidation": true,
        "userDNMapping": "None"
      }

      POST /settings/ldap

      Description

      This command establishes an LDAP server to provide authentication-support for Couchbase Server.

      Syntax:

       curl -X POST -u <administrator>:<password>
          http://<host>:<port>/settings/ldap
          -d args
          .
          .

      Example

      curl -v -X POST -u Administrator:password \
      http://localhost:8091/settings/ldap \
      -d hosts=172.23.124.25 \
      -d port=389 \
      -d encryption=StartTLSExtension \
      -d serverCertValidation=true \
      --data-urlencode cacert@/path/to/cert \
      -d bindDN='cn=admin,dc=example,dc=com' \
      -d bindPass=password \
      -d authenticationEnabled=true \
      --data-urlencode userDNMapping='{"template":"uid=%u,ou=users,dc=example,dc=com"}' \
      -d authorizationEnabled=true \
      --data-urlencode groupsQuery='ou=groups,dc=example,dc=com??one?(member=%D)'
      Table 1. Controller parameters
      Parameter Description

      authenticationEnabled

      Enables using LDAP to authenticate users. true enables, false disables.

      authorizationEnabled

      Enables using of LDAP groups for authorization. true enables, false disables.

      hosts

      Comma-separated list of LDAP hosts.

      port

      LDAP port

      encryption

      Encryption method to communicate with LDAP servers. Can be StartTLSExtension, TLS, or false.

      maxParallelConnections

      Maximum number of parallel connections that can be established with LDAP servers.

      middleboxCompMode

      Whether networking TLS middlebox compatibility is on or off. Defaults to true which enables middlebox compatibility. See Advanced Settings on the Configure LDAP page for more information about this setting.

      serverCertValidation

      Whether server certificate validation be enabled: true enables, false disables.

      cacert

      Certificate in PEM format to be used in LDAP server certificate validation, if serverCertValidation is true.

      maxCacheSize

      Maximum number of requests that can be cached: defaults to 10000.

      requestTimeout

      The timeout for LDAP requests, in milliseconds.

      userDNMapping

      Controls how Couchbase Server maps usernames supplied by authentication attempts to LDAP Distinguished Names (DN). The value contains a JSON object with one of three keys: template, query, or advanced.

      • template: the value for this key must contain a template that directly maps the username to a DN.

      • query: the value for this key must contain an LDAP query to search for the user.

      • advanced: the value for this key contains an array of JSON objects. Each object has a key that defines a regular expression for Couchbase Server to match against the username, and a replacement string that formats a DN template or LDAP query.

      For more information, see User Authentication Enablement.

      bindDN

      DN to use for searching users and groups synchronization.

      bindPass

      Password for bindDN user.

      groupsQuery

      LDAP query, to get the users' groups by username in RFC4516 format. The %u and %D placeholders can be used, for username and user’s DN respectively. If attribute is present in the query, the list of attribute values in the search result is considered as list of user’s groups (single entry result is expected): for example: '%D?memberOf?base'.

      If the attribute is not present in the query, every returned entry is considered a group: for example, 'ou=groups,dc=example,dc=com??one?(member=%D)'

      nestedGroupsEnabled

      If enabled Couchbase server will try to recursively search for groups for every discovered ldap group. groupsQuery will be user for the search.

      nestedGroupsMaxDepth

      Maximum number of recursive groups requests the server is allowed to perform. This option is only valid when nested groups are enabled. Value must be an integer between 1 and 100: the default is 10.

      cacheValueLifetime

      Lifetime of values in cache in milliseconds. Default 300000 ms.

      clientTLSCert

      A certificate to be used by Couchbase Server as a client, in authentication with LDAP.

      clientTLSKey

      The private key that corresponds to Couchbase Server’s client certificate, for use in authentication with LDAP.