Authentication API

      Couchbase Server supports authentication via local and external domains.

      Authenticating Locally and Externally

      Couchbase users may be given an identity locally on a cluster. This allows their credentials to be maintained and updated on the local cluster. A password policy is enforced for the cluster: the defaults for this policy can be modified. A local user can change their own password.

      Enterprises frequently centralize directory services, allowing all user authentication to be handled by a single server or server group. LDAP is frequently used in support of such centralization. Authentication handled in this way is therefore external to Couchbase Server.

      Couchbase Server supports external authentication. Users are registered as external for authentication purposes. When such a user passes credentials to Couchbase Server, Couchbase Server recognizes the user as external and passes the credentials to the external authentication facility. If the authentication succeeds there, Couchbase Server is informed, and the user is given appropriate access, based on the roles and privileges they have been assigned on Couchbase Server.

      The default password policy is described in Password Strength. For further information on local and external domains, see Authentication Domains.

      LDAP Groups

      LDAP supports groups, of which multiple users can be members. Couchbase Server supports the association of LDAP groups with Couchbase Server groups: when a user is successfully authenticated on an LDAP server, their LDAP group information may be returned to Couchbase Server. If Couchbase Server has been configured with an association between one or more of the user's LDAP groups and corresponding groups defined on Couchbase Server, the user is assigned the roles and privileges of the corresponding Couchbase Server groups.

      Configuration Options

      Couchbase provides a recommended REST method for simple and expedited configuration of LDAP-based authentication. This is described in Configure LDAP.

      Alternatively, a legacy REST API for establishing SASL administrator credentials can be used. Note that this requires prior, manual set-up of saslauthd for the cluster: see Configure saslauthd.

      APIs in this section

      A complete list of APIs described in this section is provided in the table below.

      Authentication

      HTTP Method  URI                                                         Documented at
      -----------  ----------------------------------------------------------  -------------------------------------
      GET          /settings/ldap                                              Configure LDAP
      POST         /settings/ldap                                              Configure LDAP
      GET          /settings/saml                                              Configure SAML
      POST         /settings/saml                                              Configure SAML
      GET          /settings/saslauthdAuth                                     Configure saslauthd
      POST         /settings/saslauthdAuth                                     Configure saslauthd
      GET          /settings/passwordPolicy                                    Set Password Policy
      POST         /settings/passwordPolicy                                    Set Password Policy
      POST         /controller/changePassword                                  Change Password
      POST         /node/controller/loadTrustedCAs                             Load Root Certificates
      GET          /node/controller/loadTrustedCAs                             Get Root Certificates
      DELETE       /pools/default/trustedCAs/<id>                              Delete Root Certificates
      GET          /pools/default/certificates                                 Retrieve All Node Certificates
      POST         /node/controller/reloadCertificate                          Upload and Retrieve Node Certificates
      GET          /pools/default/certificate/node/<ip-address-or-domain-name>  Upload and Retrieve Node Certificates
      POST         /controller/regenerateCertificate                           Regenerate All Certificates