LDAP authentication for Couchbase administrators involves setting up LDAP administrators on the LDAP server, mapping their user IDs using the Couchbase Web Console and configuring the saslauthd agent.
LDAP Use in Couchbase Server
Couchbase Server uses LDAP authentication for external identity management, which provides the following:
- Centralized identity management:
  - Defines multiple read-only administrators and full administrators.
  - Allows centralized security policy management of the administrative accounts, including stronger passwords, password rotation, and automatic lockouts.
- Individual accountability and simplified compliance:
  - Defines UIDs in LDAP and maps each UID to the read-only or full administrator role in Couchbase.
  - Allows comprehensive audit trails, because the LDAP UID is recorded in the audit records.
There are two types of LDAP administrators: full administrators and read-only administrators. Both types of LDAP administrators can be enabled or disabled in the UI at any time. LDAP administrators are configured only when the option to enable LDAP is selected.
To configure LDAP administrators using the Couchbase Web Console, see External Roles.
LDAP Download and Installation
- LDAP server software: the LDAP server software is downloaded and installed separately on the LDAP server. This document explains only how it is configured to work with Couchbase Server.
Perform these tasks on the LDAP server:
- Create users.
- Set up user passwords.
These tasks are performed using the Couchbase Web Console:
- Mapping users in LDAP to full administrators or read-only administrators in Couchbase.
- Validating LDAP credentials.
To configure LDAP using the Couchbase Web Console, see External Roles.
The saslauthd process handles authentication requests on behalf of Couchbase Server.
To use LDAP authentication, configure saslauthd as explained in Setting up saslauthd.
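The following saslauthd.conf is an added example of the LDAP settings saslauthd needs for the flow described above; it is not taken from this page or from Couchbase's own documentation, and the host name, DNs, CA path and service account are placeholders you must replace.

```ini
# /etc/saslauthd.conf (added example; host names, DNs and the service
# account below are placeholders, not values from the Couchbase docs)

# Directory server(s) saslauthd binds to. Use ldaps:// (or start_tls)
# so administrator passwords never cross the network in clear text.
ldap_servers: ldaps://ldap.example.com
ldap_start_tls: no
ldap_tls_cacert_file: /etc/pki/tls/certs/ldap-ca.pem

# Low-privilege service account used only to look up the user entry.
# Keep this file owned by root with mode 0600: it holds a password.
ldap_bind_dn: cn=couchbase-auth,ou=services,dc=example,dc=com
ldap_bind_pw: CHANGE_ME_PLACEHOLDER

# Where the administrator accounts live and how the user ID typed into
# the Couchbase Web Console is matched; %u is replaced with that ID.
ldap_search_base: ou=admins,dc=example,dc=com
ldap_filter: (uid=%u)

# "bind": after the lookup, saslauthd re-binds as the found entry with
# the supplied password, so the directory's own lockout and password
# policy is what decides whether the administrator gets in.
ldap_auth_method: bind
```

The daemon must also be started with the ldap mechanism (for example MECHANISMS="ldap" in /etc/sysconfig/saslauthd on RHEL-family systems), and a credential can be checked locally with `testsaslauthd -u <uid> -p <password>` before LDAP is enabled in the Web Console.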
Configuring LDAP on the Server
Couchbase Server works with the OpenLDAP software, which can be downloaded from the openldap.org website.
The Lightweight Directory Access Protocol (LDAP) is a public standard that facilitates distributed directories (such as network user privilege information) over the Internet Protocol (IP).
Couchbase connects to LDAP through the saslauthd library. Refer to the next section on how to configure the saslauthd library for LDAP.