GET /manage/v2/external-security/{id|name}/properties

Summary

This resource address returns the properties of the specified external-security configuration.

For more information on external security, see External Security in the Security Guide.

Response

Upon success, MarkLogic Server returns status code 200 (OK), and the response body contains the requested data. A status code of 401 (Unauthorized) is returned if the user does not have the necessary privileges. A status code of 404 (no such user) is returned if the user does not exist.

Required Privileges

• the manage-admin and security role
• the following privileges:

  http://marklogic.com/xdmp/privileges/manage

  http://marklogic.com/xdmp/privileges/manage-admin

  http://marklogic.com/xdmp/privileges/external-security-get-authentication

Usage Notes

The structure of the output returned from this REST API is as follows:

external-security-id

An external security id (unique key).

external-security-name

External security name (unique)

description

An object's description.

authentication

Authentication

cache-timeout

The login cache timeout, in seconds.

authorization

An authorization scheme.

ldap-server-uri

URI of the ldap server. Required if authentication or authorization is ldap.

ldap-base

starting point for search. Required if authentication or authorization is ldap.

ldap-attribute

ldap attribute for user lookup. Required if authentication or authorization is ldap.

ldap-default-user

ldap user used by MarkLogic server. Required if authentication is kerberos and authorization is ldap or bind method is simple.

ldap-password

password of the default ldap user. Required if authentication is kerberos and authorization is ldap or bind method is simple.

ldap-bind-method

ldap bind method.

ldap-memberof-attribute

ldap attribute for group lookup. This is optional. If it is not specified, "memberOf" will be used for search for the groups of a user.

ldap-member-attribute

ldap attribute for group lookup. This is optional. If it is not specified, "member" will be used for search for the group of a group.

ldap-start-tls

Whether or not to use start TLS request to the ldap server.

ldap-certificate

The PEM encoded X509 certificate for MarkLogic server to connect the LDAP server. It can be used for mutual authentication if bind method is MD5 or simple. Or it can be used for external binding.

ldap-private-key

The PEM encoded private key corresponding to the certificate.

ldap-nested-lookup

Whether or not to perform nested group lookup.

ldap-remove-domain

Whether or not to remove domain before matching with ldap-attribute.

ldap-server

An LDAP server configuration.

This is a complex structure with the following children:

ldap-server-uri

URI of the ldap server. Required if authentication or authorization is ldap.

ldap-base

starting point for search. Required if authentication or authorization is ldap.

ldap-attribute

ldap attribute for user lookup. Required if authentication or authorization is ldap.

ldap-default-user

ldap user used by MarkLogic server. Required if authentication is kerberos and authorization is ldap or bind method is simple.

ldap-password

password of the default ldap user. Required if authentication is kerberos and authorization is ldap or bind method is simple.

ldap-bind-method

ldap bind method.

ldap-memberof-attribute

ldap attribute for group lookup. This is optional. If it is not specified, "memberOf" will be used for search for the groups of a user.

ldap-member-attribute

ldap attribute for group lookup. This is optional. If it is not specified, "member" will be used for search for the group of a group.

ldap-start-tls

Whether or not to use start TLS request to the ldap server.

ldap-certificate

The PEM encoded X509 certificate for MarkLogic server to connect the LDAP server. It can be used for mutual authentication if bind method is MD5 or simple. Or it can be used for external binding.

ldap-private-key

The PEM encoded private key corresponding to the certificate.

ldap-nested-lookup

Whether or not to perform nested group lookup.

ldap-remove-domain

Whether or not to remove domain before matching with ldap-attribute.

saml-server

An SAML server configuration.

This is a complex structure with the following children:

saml-entity-id

SAML entity id. Required if authorization is SAML.

saml-destination

SAML destination.

saml-issuer

SAML issuer.

saml-assertion-host

SAML assertion host.

saml-idp-certificate-authority

The PEM encoded X509 certificate authority for SAML IDP.

saml-sp-certificate

The PEM encoded X509 certificate for SAML SP.

saml-sp-private-key

The PEM encoded private key for SAML SP.

saml-attribute-names

A list of SAML attribute names.

This is a complex structure with the following children:

saml-attribute-name

SAML attribute name.

saml-privilege-attribute-name

SAML privilege attribute name.

http-options

The HTTP options to use when connecting to the replication application server.

This is a complex structure with the following children:

timeout

The timeout

data

headers

The headers.

method

The method to use.

username

password

credential-id

The credential id.

client-cert

client-key

pass-phrase

verify-cert

Whether the server's certificate should be verified.

proxy

The network location of the proxy server.

kerberos-ticket-forwarding

The option for kerberos ticket forwarding. If it is "disabled", the user ticket is not used. This is the default. If it is "required", the user ticket is forwarded. If the user ticket is not forwardable, XDMP-NOFORWARDTICKET is thrown. If it is "optional", the user ticket is forwarded if it is forwardable. But no error if it is not forwardable.

ssl-client-certificate-authorities

This is a complex structure with the following children:

ssl-client-certificate-authority

An SSL certificate authority

ssl-require-client-certificate

Example

http://localhost:8002/manage/v2/external-security/MyExternalName/properties

==> Returns the properties of the external-security configuration, "MyExternalName," 
    from the Security database.