Securing MarkLogic Server

Example External Authorization Configurations

This section provides an example of how Kerberos and LDAP users and groups might be mapped to MarkLogic Server users and roles.

On Active Directory, there is a Kerberos user and an LDAP user assigned to an LDAP group:

  • Kerberos Principal: jsmith@MLTEST1.LOCAL

  • LDAP DN: CN=John Smith,CN=Users,DC=MLTEST1,DC=LOCAL

  • LDAP memberOf: CN=TestGroup Admin,CN=Users,DC=MLTEST1,DC=LOCAL

On MarkLogic Server, the two users and the ldaprole1 role are assigned external names that map them to the above users and LDAP group.

Kerberos User:

  • User name: krbuser1

  • External names: jsmith@MLTEST1.LOCAL

LDAP User:

  • User name: ldapuser1

  • External names: CN=John Smith,CN=Users,DC=MLTEST1,DC=LOCAL

Role:

  • Role name: ldaprole1

  • External names: CN=TestGroup Admin,CN=Users,DC=MLTEST1,DC=LOCAL

After authentication, xdmp:get-current-user() returns a different user name depending on the external authorization configuration. The possible combinations of configurations and the names returned are shown in this table:

| Authentication Protocol | Authorization Scheme | Name Returned |
|---|---|---|
| kerberos | internal | krbuser1 |
| kerberos | ldap | jsmith@MLTEST1.LOCAL (TEMP user with role ldaprole1) |
| ldap | internal | ldapuser1 |
| ldap | ldap | jsmith (TEMP user with role ldaprole1) |
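The following is an added Python model of the mapping described above; it is not MarkLogic Server code. The in-memory directory stand-in and its "account" attribute are assumptions (the page does not state how the short name "jsmith" is derived under the ldap/ldap combination), while the user, role and external-name values come from the example configuration.

```python
from dataclasses import dataclass

# Constructed configuration, copied from the page's example mapping.
ML_USERS = {
    "krbuser1": ["jsmith@MLTEST1.LOCAL"],
    "ldapuser1": ["CN=John Smith,CN=Users,DC=MLTEST1,DC=LOCAL"],
}
ML_ROLES = {"ldaprole1": ["CN=TestGroup Admin,CN=Users,DC=MLTEST1,DC=LOCAL"]}
# Constructed stand-in for the directory lookup done under the "ldap"
# authorization scheme; the "account" attribute is an assumption.
DIRECTORY = {
    "jsmith@MLTEST1.LOCAL": {
        "dn": "CN=John Smith,CN=Users,DC=MLTEST1,DC=LOCAL",
        "account": "jsmith",
        "memberOf": ["CN=TestGroup Admin,CN=Users,DC=MLTEST1,DC=LOCAL"],
    },
}

@dataclass(frozen=True)
class Identity:
    user: str      # what xdmp:get-current-user() would return
    temp: bool     # True when a temporary user is used instead of a configured one
    roles: tuple   # roles granted by matching LDAP groups against role external names

def lookup_directory(protocol: str, external_name: str) -> dict:
    """Find the directory entry for a Kerberos principal or an LDAP DN."""
    for principal, entry in DIRECTORY.items():
        if external_name == (principal if protocol == "kerberos" else entry["dn"]):
            return entry
    raise PermissionError(f"{external_name!r} not found in directory")

def resolve_identity(protocol: str, scheme: str, external_name: str) -> Identity:
    """protocol: 'kerberos' (external_name is the principal) or 'ldap' (a DN);
    scheme: 'internal' (match configured users) or 'ldap' (temp user + group roles)."""
    if scheme == "internal":
        # Only a user whose external names include the presented identity may log in.
        for user, ext_names in ML_USERS.items():
            if external_name in ext_names:
                return Identity(user, False, ())
        raise PermissionError(f"no MarkLogic user has external name {external_name!r}")
    if scheme == "ldap":
        entry = lookup_directory(protocol, external_name)
        roles = tuple(role for role, ext_names in ML_ROLES.items()
                      if any(group in ext_names for group in entry["memberOf"]))
        # Kerberos keeps the full principal as the temp user name; LDAP uses the short name.
        name = external_name if protocol == "kerberos" else entry["account"]
        return Identity(name, True, roles)
    raise ValueError(f"unknown authorization scheme {scheme!r}")
```

A principal that matches no configured external name is rejected under the internal scheme, which is the check that keeps unmapped directory accounts from logging in.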