
Securing MarkLogic Server

LDAP Authentication

If you use LDAP authentication, set the fields described in this section.

Screenshot of the LDAP server fields

Note

The MarkLogic SSL App Server can work with SAN or Wild Card certificates. However, the MarkLogic LDAP client will not accept or work with a SAN or Wildcard-based certificate.

Field

Description

ldap server uri

If authorization is set to ldap, then enter the URI for the LDAP server. Required if authentication or authorization is ldap.

ldap base

If authorization is set to ldap, then enter the base DN for user lookup. Required if authentication or authorization is ldap.

ldap attribute

If authorization is set to ldap, then enter the name of the attribute used to identify the user on the LDAP server. Required if authentication or authorization is ldap.

ldap default user

The LDAP default user. Required if authentication is kerberos and authorization is ldap, or if the bind method is simple.

If you specify an ldap-bind-method of simple, this must be a Distinguished Name (DN). If you specify an ldap-bind-method of MD5, this must be the name of a user registered with the LDAP

ldap password

confirm ldap password

The password and confirmation password for the LDAP default user. Required if authentication is kerberos and authorization is ldap, or if the bind method is simple.

ldap bind method

The LDAP bind method to use. This can be MD5, simple, or external. MD5 uses the DIGEST-MD5 authentication method. If the bind method is simple, the ldap default user must be a Distinguished Name (DN). If it is MD5, the ldap default user must be the name of a valid LDAP user.

When using a bind method of simple, the password is not encrypted, so it is recommended that you use secure ldaps (LDAP over SSL).

A bind method of external makes use of a certificate to authenticate with the LDAP server. If the bind method is external, ldap-start-tls should be set to true.

ldap memberof attribute

The optional LDAP attribute for group lookup. If not specified, memberOf is used to search for the groups of a user.

ldap member attribute

The optional LDAP attribute for group lookup. If not specified, member is used to search for the groups of a group.

ldap start tls

Whether to send a StartTLS request to the LDAP server. Set to true to use StartTLS. If set to true, the LDAP server URI should start with ldap:// instead of ldaps://, because StartTLS upgrades a plain connection rather than opening an SSL one.

ldap certificate

The PEM-encoded X.509 certificate that MarkLogic Server presents when connecting to the LDAP server with mutual authentication. Required if the bind method is external. Optional if the bind method is MD5 or simple.

ldap private key

The PEM-encoded private key corresponding to the certificate. Required if the bind method is external. Optional if the bind method is MD5 or simple.

ldap nested lookup

Whether or not to perform nested group lookup.

ldap remove domain

Whether or not to remove domain before matching with ldap-attribute.
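The field table above states a number of cross-field rules (which fields are required for which bind method, that a simple bind needs a DN and an encrypted transport, that StartTLS goes with ldap:// rather than ldaps://, that an external bind needs a certificate and key). The following is an added example, not MarkLogic code, that checks a configuration against those rules before it is applied. It assumes the configuration is held as a dictionary whose keys mirror the hyphenated field names used on this page (ldap-bind-method, ldap-start-tls, and so on); the two sample configurations are constructed for illustration.

```python
"""Consistency checks for the LDAP fields of a MarkLogic external-security
configuration, following the rules in the field table above.

Added example, not MarkLogic code. Property names are assumed to follow the
hyphenated form used on the page (ldap-bind-method, ldap-start-tls, ...), and
the sample configurations below are constructed for illustration.
"""
from urllib.parse import urlparse

BIND_METHODS = ("MD5", "simple", "external")


def looks_like_dn(value: str) -> bool:
    """Cheap DN heuristic: every comma-separated component is attr=value."""
    parts = [p for p in value.split(",") if p.strip()]
    return bool(parts) and all("=" in p for p in parts)


def check_ldap_config(cfg: dict) -> list:
    """Return 'error: ...' / 'warning: ...' findings; an empty list means consistent."""
    findings = []
    authn = cfg.get("authentication")
    authz = cfg.get("authorization")
    uses_ldap = "ldap" in (authn, authz)
    bind = cfg.get("ldap-bind-method")
    start_tls = bool(cfg.get("ldap-start-tls", False))
    uri = cfg.get("ldap-server-uri") or ""
    scheme = urlparse(uri).scheme.lower()
    default_user = cfg.get("ldap-default-user") or ""

    # ldap server uri / ldap base / ldap attribute: required whenever LDAP is used.
    if uses_ldap:
        for key in ("ldap-server-uri", "ldap-base", "ldap-attribute"):
            if not cfg.get(key):
                findings.append(f"error: {key} is required when authentication or authorization is ldap")
        if uri and scheme not in ("ldap", "ldaps"):
            findings.append("error: ldap-server-uri must use the ldap:// or ldaps:// scheme")

    if bind not in BIND_METHODS:
        findings.append(f"error: ldap-bind-method must be one of {', '.join(BIND_METHODS)}")
        return findings  # the remaining rules depend on the bind method

    # ldap default user / ldap password: required for a simple bind, or for kerberos + ldap.
    needs_default_user = bind == "simple" or (authn == "kerberos" and authz == "ldap")
    if needs_default_user:
        if not default_user:
            findings.append("error: ldap-default-user is required for this bind method / authorization combination")
        if not cfg.get("ldap-password"):
            findings.append("error: ldap-password is required for this bind method / authorization combination")

    if bind == "simple":
        if default_user and not looks_like_dn(default_user):
            findings.append("error: with bind method simple, ldap-default-user must be a Distinguished Name")
        # A simple bind sends the password in clear text unless the transport is encrypted.
        if scheme == "ldap" and not start_tls:
            findings.append("warning: simple bind over plain ldap:// sends the password unencrypted; "
                            "use ldaps:// or enable ldap-start-tls")
    elif bind == "MD5":
        if default_user and looks_like_dn(default_user):
            findings.append("warning: with bind method MD5, ldap-default-user should be a user name, not a DN")
    elif bind == "external":
        for key in ("ldap-certificate", "ldap-private-key"):
            if not cfg.get(key):
                findings.append(f"error: {key} is required when ldap-bind-method is external")
        if not start_tls:
            findings.append("warning: ldap-start-tls should be true when ldap-bind-method is external")

    # StartTLS upgrades a plain connection, so the URI must be ldap://, not ldaps://.
    if start_tls and scheme == "ldaps":
        findings.append("error: ldap-start-tls is true, so ldap-server-uri should start with ldap:// rather than ldaps://")

    return findings


# Constructed sample: a weak configuration that breaks several rules at once.
WEAK_CONFIG = {
    "authentication": "ldap",
    "authorization": "ldap",
    "ldap-server-uri": "ldap://ldap.example.com:389",
    "ldap-base": "dc=example,dc=com",
    "ldap-attribute": "sAMAccountName",
    "ldap-bind-method": "simple",
    "ldap-default-user": "svc-marklogic",  # bare user name, but a simple bind needs a DN
    "ldap-password": "",                   # missing
    "ldap-start-tls": False,
}

# Constructed sample: the same setup corrected to what the field table asks for.
HARDENED_CONFIG = {
    **WEAK_CONFIG,
    "ldap-server-uri": "ldaps://ldap.example.com:636",
    "ldap-default-user": "cn=svc-marklogic,ou=services,dc=example,dc=com",
    "ldap-password": "constructed-example-password",
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, check_ldap_config(cfg) or ["ok"])
```

Run as a pre-flight step before submitting the configuration: the weak sample produces three findings (missing password, default user that is not a DN, clear-text simple bind), while the hardened sample passes. Switching the hardened sample to ldap-start-tls true without changing the URI back to ldap:// is reported as an error, matching the ldap start tls rule above.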