Configure LDAP

    +
    Couchbase Server can be configured to authenticate the user by means of an LDAP server; and to recognize the LDAP groups of which the user is a member.

    GET /settings/ldap

    Description

    Returns information about the ldap settings as JSON object.

    Example

    curl -v -u Administrator:password \
    http://localhost:8091/settings/ldap
    {
        "authenticationEnabled": true,
        "authorizationEnabled": true,
        "encryption": "StartTLSExtension",
        "groupsQuery": "ou=groups,dc=example,dc=com??one?(member=%D)",
        "hosts": ["172.23.124.25"],
        "port": 389,
        "bindDN": "cn=admin,dc=example,dc=com",
        "bindPass": "**********",
        "userDNMapping": {"template": "uid=%u,ou=users,dc=example,dc=com"}
    }

    POST /settings/ldap

    Description

    This command establishes an LDAP server to provide authentication-support for Couchbase Server.

    Syntax:

     curl -X POST -u <administrator>:<password>
        http://<host>:<port>/settings/ldap
        -d args
        .
        .

    Example

    curl -v -X POST -u Administrator:password \
    http://localhost:8091/settings/ldap \
    -d hosts=172.23.124.25 \
    -d port=389 \
    -d encryption=StartTLSExtension \
    -d serverCertValidation=true \
    --data-urlencode cacert@/path/to/cert \
    -d bindDN='cn=admin,dc=example,dc=com' \
    -d bindPass=password \
    -d authenticationEnabled=true \
    --data-urlencode userDNMapping='{"template":"uid=%u,ou=users,dc=example,dc=com"}' \
    -d authorizationEnabled=true \
    --data-urlencode groupsQuery='ou=groups,dc=example,dc=com??one?(member=%D)'
    Table 1. Controller parameters
    Parameter Description

    authenticationEnabled

    Enables using LDAP to authenticate users. true enables, false disables.

    authorizationEnabled

    Enables using of LDAP groups for authorization. true enables, false disables.

    hosts

    Comma-separated list of LDAP hosts.

    port

    LDAP port

    encryption

    Encryption method to communicate with LDAP servers. Can be StartTLSExtension, TLS, or false.

    maxParallelConnections

    Maximum number of parallel connections that can be established with LDAP servers.

    serverCertValidation

    Whether server certificate validation be enabled: true enables, false disables.

    cacert

    Certificate in PEM format to be used in LDAP server certificate validation, if serverCertValidation is true.

    maxCacheSize

    Maximum number of requests that can be cached: defaults to 10000.

    requestTimeout

    The timeout for LDAP requests, in milliseconds.

    userDNMapping

    User to distinguished name (DN) mapping. If none is specified, the username is used as the user’s distinguished name.

    bindDN

    DN to use for searching users and groups synchronization.

    bindPass

    Password for bindDN user.

    groupsQuery

    LDAP query, to get the users' groups by username in RFC4516 format. The %u and %D placeholders can be used, for username and user’s DN respectively. If attribute is present in the query, the list of attribute values in the search result is considered as list of user’s groups (single entry result is expected): for example: '%D?memberOf?base'.

    If the attribute is not present in the query, every returned entry is considered a group: for example, 'ou=groups,dc=example,dc=com??one?(member=%D)'

    nestedGroupsEnabled

    If enabled Couchbase server will try to recursively search for groups for every discovered ldap group. groupsQuery will be user for the search.

    nestedGroupsMaxDepth

    Maximum number of recursive groups requests the server is allowed to perform. This option is only valid when nested groups are enabled. Value must be an integer between 1 and 100: the default is 10.

    cacheValueLifetime

    Lifetime of values in cache in milliseconds. Default 300000 ms.

    clientTLSCert

    A certificate to be used by Couchbase Server as a client, in authentication with LDAP.

    clientTLSKey

    The private key that corresponds to Couchbase Server’s client certificate, for use in authentication with LDAP.