LDAP-Based Authentication

LDAP-Based Authentication

Couchbase administrators can be set up to authenticate by means of LDAP. This requires that each administrator be added as a user on an LDAP server, and their LDAP credentials mapped to Couchbase Server. Additionally, it requires that the saslauthd library, which handles authentication-requests on behalf of Couchbase Server, be configured to handle LDAP authentication.

Restrictions

LDAP authentication is currently available only for the Enterprise Edition of Couchbase Server, and only on the Linux platform.

Note also that mixed-version clusters do not support LDAP authentication: therefore, to use LDAP authentication with a given cluster, upgrade all cluster-nodes to the latest version of Enterprise Edition Couchbase Server.

Couchbase Server is designed to interoperate with OpenLDAP software, which can be downloaded from the openldap.org website.

Benefits

Authenticating Couchbase Server-administrators with LDAP provides the benefits of:

  • Centralized identity management. Multiple administrators can be defined, each with either read-only or full, read-write permissions.

  • Centralized security policy-management. All administrative accounts can be consistently protected: for example, through the enforcement of password strength-levels, password-rotation, and auto-lockout.

  • Simplified compliance. The activities of each administrator can be identified, tracked, and comprehensively audited.

Architecture

The LDAP authentication-architecture used by Couchbase Server is as follows:

As the illustration shows, the administrator enters a username and password at the login prompt provided by Couchbase Web Console. This is checked against a local admin password file. If the saslauthd library has been configured for LDAP, the credentials are then checked against an LDAP directory service: if the credentials are validated, authentication succeeds.

For details on configuring the saslauthd library, see Setting up saslauthd.