Securing MarkLogic Server

The LDAP Server Fields

[v11.2.0 and up] The LDAP Server fields appear when either Authentication or Authorization is ldap.

Field / Description

LDAP Server URI

The URI for the LDAP server. Required if either Authentication or Authorization is ldap.

LDAP Base

The base DN for user lookup. Required if either Authentication or Authorization is ldap.

LDAP Attribute

The name of the attribute (for example, sAMAccountName) used to identify the user on the LDAP server. Required if either Authentication or Authorization is ldap.

LDAP Default User

The LDAP default user. Required if either Authorization is ldap or LDAP Bind Method is simple.

LDAP Password

The password for the LDAP Default User. Required if either Authorization is ldap or LDAP Bind Method is simple.

Confirm LDAP Password

Field to confirm the LDAP Password.

LDAP Bind Method

  • MD5 (default):

    • Uses the DIGEST-MD5 authentication method with the LDAP server.

    • Set LDAP Default User to the name of a valid LDAP user.

  • simple

    • Uses simple bind authentication with the LDAP server.

    • Set LDAP Default User to a DN (Distinguished Name).

    • Set LDAP Password.

    • Use LDAPS (LDAP with SSL) because the password is not encrypted. (That is, make sure LDAP Server URI begins with ldaps:// instead of ldap://.)

  • external

    • Uses a certificate to authenticate with the LDAP server.

    • Set LDAP Start TLS to true.

    • Enter the certificate into LDAP Certificate.

LDAP Memberof Attribute

(Optional) The LDAP attribute for group lookup. If not specified, memberOf is used to search for the groups of a user.

LDAP Member Attribute

(Optional) The LDAP attribute for nested group lookup. If not specified, member is used to search for the groups of a group.

LDAP Start TLS

Whether or not to send a StartTLS request to the LDAP server. Set to true to use StartTLS. If set to true, the LDAP Server URI should start with ldap:// instead of ldaps://.

LDAP Certificate

The PEM-encoded X.509 certificate that MarkLogic Server presents when connecting to the LDAP server using mutual authentication. Required if LDAP Bind Method is external. Optional if LDAP Bind Method is either MD5 or simple.

LDAP Private Key

The PEM-encoded private key corresponding to the LDAP Certificate. Required if LDAP Bind Method is external. Optional if LDAP Bind Method is either MD5 or simple.

LDAP Nested Lookup

Whether or not to perform nested group lookup.

LDAP Remove Domain

Whether or not to remove the domain from the user name before matching it against the LDAP Attribute.

LDAP Negative Cache Timeout

The LDAP negative cache timeout in seconds.

MarkLogic Server caches negative lookups to avoid overloading the external LDAP server.

Note

Clear the cache by calling sec:external-security-clear-cache().
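The "Required if ..." rules and bind-method notes in the table above amount to a small consistency check that can be run before a configuration is saved. The following is an added example, not MarkLogic's own validation code: it reads a configuration from a plain dict whose keys are the table's field names in lower-case hyphenated form (the dict layout, the sample host names and DNs are all assumptions of this example) and reports the weak or inconsistent settings the table warns about, such as simple bind over plain ldap://, or external bind without StartTLS, certificate and private key.

```python
"""Consistency checks for an LDAP external-security configuration.

Added example; not MarkLogic's own validation code. The dict keys mirror the
field names in the table above (lower-case, hyphenated, as in ldap-attribute);
the rule set is read off the table's "Required if ..." and bind-method notes.
"""
from urllib.parse import urlparse

REQUIRED_WHEN_LDAP = ("ldap-server-uri", "ldap-base", "ldap-attribute")
BIND_METHODS = ("MD5", "simple", "external")


def validate_ldap_config(cfg: dict) -> list[str]:
    """Return a list of findings; an empty list means the configuration is consistent."""
    findings: list[str] = []
    if "ldap" not in (cfg.get("authentication"), cfg.get("authorization")):
        return findings  # the LDAP Server fields only apply when one of the two is ldap

    for key in REQUIRED_WHEN_LDAP:
        if not cfg.get(key):
            findings.append(f"{key} is required when authentication or authorization is ldap")

    scheme = urlparse(cfg.get("ldap-server-uri") or "").scheme.lower()
    if scheme not in ("ldap", "ldaps"):
        findings.append("ldap-server-uri must begin with ldap:// or ldaps://")

    start_tls = bool(cfg.get("ldap-start-tls", False))
    bind = cfg.get("ldap-bind-method", "MD5")  # MD5 is the documented default

    if start_tls and scheme == "ldaps":
        findings.append("ldap-start-tls is true but the URI uses ldaps://; StartTLS expects ldap://")

    # Default user and password are required for ldap authorization or simple bind.
    if bind == "simple" or cfg.get("authorization") == "ldap":
        for key in ("ldap-default-user", "ldap-password"):
            if not cfg.get(key):
                findings.append(f"{key} is required when authorization is ldap or bind method is simple")

    if bind == "simple":
        if "=" not in (cfg.get("ldap-default-user") or ""):
            findings.append("simple bind expects ldap-default-user to be a DN (cn=...,dc=...)")
        # Simple bind sends the password in the clear over ldap://; the table says to use
        # ldaps://. StartTLS also upgrades the connection to TLS, so it is accepted here.
        if scheme != "ldaps" and not start_tls:
            findings.append("simple bind over plain ldap:// sends the password unprotected; use ldaps://")
    elif bind == "external":
        if not start_tls:
            findings.append("external bind requires ldap-start-tls to be true")
        for key in ("ldap-certificate", "ldap-private-key"):
            if not cfg.get(key):
                findings.append(f"{key} is required when bind method is external")
    elif bind != "MD5":
        findings.append(f"unknown ldap-bind-method {bind!r}; expected one of {BIND_METHODS}")

    return findings


# Constructed sample configurations (host names, DNs and the password are invented).
WEAK_SIMPLE_BIND = {
    "authentication": "ldap",
    "authorization": "ldap",
    "ldap-server-uri": "ldap://ldap.example.test:389",  # plain LDAP with simple bind
    "ldap-base": "dc=example,dc=test",
    "ldap-attribute": "sAMAccountName",
    "ldap-default-user": "cn=svc-marklogic,ou=service,dc=example,dc=test",
    "ldap-password": "placeholder-password",
    "ldap-bind-method": "simple",
}
# Same settings with the URI switched to ldaps://, as the bind-method notes advise.
HARDENED_SIMPLE_BIND = {**WEAK_SIMPLE_BIND, "ldap-server-uri": "ldaps://ldap.example.test:636"}
# External bind with StartTLS off and no certificate material: three findings.
BROKEN_EXTERNAL_BIND = {
    "authentication": "ldap",
    "authorization": "internal",
    "ldap-server-uri": "ldap://ldap.example.test:389",
    "ldap-base": "dc=example,dc=test",
    "ldap-attribute": "uid",
    "ldap-bind-method": "external",
    "ldap-start-tls": False,
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SIMPLE_BIND), ("hardened", HARDENED_SIMPLE_BIND),
                      ("external", BROKEN_EXTERNAL_BIND)):
        print(name, validate_ldap_config(cfg) or "OK")
```

The check treats StartTLS as an acceptable alternative to ldaps:// for simple bind because both put the bind on a TLS-protected connection; the table itself only mentions ldaps://, so drop that clause if you want the stricter reading.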
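To make the Memberof/Member attributes, LDAP Remove Domain, nested group lookup and the negative cache concrete, here is an added example that models them over a constructed in-memory directory. It is not MarkLogic's implementation: the directory data, the Directory class and the NegativeCache class are invented for the example, and only the attribute names (sAMAccountName, memberOf, member) follow the defaults in the table above. Nested lookup starts from the user's memberOf values and then searches the member attribute of groups to find the groups that contain each group, with a visited set so a cyclic membership cannot loop; the negative cache records failed user lookups for a fixed timeout so repeated bad logins do not hit the directory every time.

```python
"""Nested group resolution, domain stripping and a negative cache.

Added example with constructed data; not MarkLogic's own lookup code.
"""
import time
from collections import deque

# Constructed stand-in for LDAP search results: DN -> attribute -> values.
U_ALICE = "cn=alice,ou=people,dc=example,dc=test"
G_DEV = "cn=dev,ou=groups,dc=example,dc=test"
G_ENG = "cn=engineering,ou=groups,dc=example,dc=test"
G_STAFF = "cn=staff,ou=groups,dc=example,dc=test"
DIRECTORY = {
    U_ALICE: {"sAMAccountName": ["alice"], "memberOf": [G_DEV]},
    G_DEV: {"member": [U_ALICE]},
    G_ENG: {"member": [G_DEV]},
    G_STAFF: {"member": [G_ENG, G_STAFF]},  # self-reference: a cycle nested lookup must survive
}


def remove_domain(name: str) -> str:
    """Strip DOMAIN\\user or user@domain so the bare name is matched against the LDAP attribute."""
    if "\\" in name:
        return name.rsplit("\\", 1)[1]
    if "@" in name:
        return name.split("@", 1)[0]
    return name


class Directory:
    """Minimal search interface over the dict above; counts searches to show cache effects."""

    def __init__(self, entries: dict):
        self.entries = entries
        self.searches = 0

    def find_user(self, attribute: str, value: str):
        self.searches += 1
        for dn, attrs in self.entries.items():
            if value in attrs.get(attribute, []):
                return dn, attrs
        return None

    def groups_containing(self, member_attr: str, dn: str) -> list[str]:
        """Groups whose member attribute lists dn (the 'group of a group' search)."""
        self.searches += 1
        return [g for g, attrs in self.entries.items() if dn in attrs.get(member_attr, [])]


def resolve_groups(directory: Directory, username: str, *, attribute="sAMAccountName",
                   memberof_attr="memberOf", member_attr="member",
                   nested=True, strip_domain=True):
    """Return the set of group DNs for username, or None if the user is not found."""
    if strip_domain:
        username = remove_domain(username)
    hit = directory.find_user(attribute, username)
    if hit is None:
        return None
    _dn, attrs = hit
    groups = set(attrs.get(memberof_attr, []))  # direct groups via memberOf
    if not nested:
        return groups
    queue = deque(groups)
    while queue:
        group = queue.popleft()
        for parent in directory.groups_containing(member_attr, group):
            if parent not in groups:  # visited check breaks membership cycles
                groups.add(parent)
                queue.append(parent)
    return groups


class NegativeCache:
    """Remembers failed lookups for timeout_seconds; clear() mirrors clearing the server cache."""

    def __init__(self, timeout_seconds: float, clock=time.monotonic):
        self.timeout = timeout_seconds
        self.clock = clock
        self._misses: dict[str, float] = {}

    def is_negative(self, key: str) -> bool:
        expires = self._misses.get(key)
        if expires is None:
            return False
        if self.clock() >= expires:
            del self._misses[key]  # entry expired; the next lookup goes to the directory
            return False
        return True

    def record_miss(self, key: str) -> None:
        self._misses[key] = self.clock() + self.timeout

    def clear(self) -> None:
        self._misses.clear()


def cached_resolve(directory: Directory, cache: NegativeCache, username: str, **kwargs):
    """resolve_groups with negative caching of unknown users."""
    key = remove_domain(username) if kwargs.get("strip_domain", True) else username
    if cache.is_negative(key):
        return None
    groups = resolve_groups(directory, username, **kwargs)
    if groups is None:
        cache.record_miss(key)
    return groups
```

Running resolve_groups(Directory(DIRECTORY), "EXAMPLE\\alice") yields dev, engineering and staff even though staff lists itself as a member; with nested=False only dev is returned. A fake clock passed to NegativeCache makes the timeout behaviour testable without sleeping.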