Authentication API

    Couchbase Server supports authentication via local and external domains.

    Authenticating Locally and Externally

    Couchbase users may be given an identity locally on a cluster. This allows their credentials to be maintained and updated on the local cluster. A password policy is enforced for the cluster: the defaults for this policy can be modified. A local user can change their own password.

    Enterprises frequently centralize directory services, allowing all user-authentication to be handled by a single server or server-group. LDAP is frequently used in support of such centralization. The authentication handled in this way is therefore external to Couchbase Server.

    Couchbase Server supports external authentication. Users are registered as external, for authentication purposes. When such users pass their credentials to Couchbase Server, Couchbase Server recognizes the user as external, and duly passes the credentials to the external authentication facility: if the authentication succeeds there, Couchbase Server is informed, and the user is given appropriate access, based on the roles and privileges on Couchbase Server that they have been assigned.

    The default password policy is described in Password Strength. For further information on local and external domains, see Authentication Domains.

    LDAP Groups

    LDAP supports groups, of which multiple users can be members. Couchbase Server supports the association of LDAP groups with Couchbase-Server groups: a user successfully authenticated on an LDAP server may have their LDAP group information duly returned to Couchbase Server. If Couchbase Server has configured an association between one or more of the user’s LDAP groups and corresponding groups defined on Couchbase Server, the user is assigned the roles and privileges for the corresponding Couchbase-Server groups.

    Configuration Options

    Couchbase provides a recommended REST method for simple and expedited configuration of LDAP-based authentication. This is described in Configure LDAP.

    Alternatively, a legacy REST API for establishing SASL administrator credentials can be used. Note that this requires prior, manual set-up of saslauthd for the cluster: see Configure saslauthd.

    APIs in this section

    A complete list of APIs described in this section is provided in the table below.

    Authentication

    HTTP Method  URI                                                          Documented at
    GET          /settings/ldap                                               Configure LDAP
    POST         /settings/ldap                                               Configure LDAP
    GET          /settings/saml                                               Configure SAML
    POST         /settings/saml                                               Configure SAML
    GET          /settings/saslauthdAuth                                      Configure saslauthd
    POST         /settings/saslauthdAuth                                      Configure saslauthd
    GET          /settings/passwordPolicy                                     Set Password Policy
    POST         /settings/passwordPolicy                                     Set Password Policy
    POST         /controller/changePassword                                   Change Password
    POST         /node/controller/loadTrustedCAs                              Load Root Certificates
    GET          /node/controller/loadTrustedCAs                              Get Root Certificates
    DELETE       /pools/default/trustedCAs/<id>                               Delete Root Certificates
    GET          /pools/default/certificates                                  Retrieve All Node Certificates
    POST         /node/controller/reloadCertificate                           Upload and Retrieve Node Certificates
    GET          /pools/default/certificate/node/<ip-address-or-domain-name>  Upload and Retrieve Node Certificates
    POST         /controller/regenerateCertificate                            Regenerate All Certificates