MarkLogic Server 11.0 Product Documentation
POST /manage/v2/external-security
Summary
This resource address creates a new external-security configuration in the
security database.
For more information on external security, see
External Security in the Security Guide.
URL Parameters
format
The format of the posted data. Can be either html, json, or xml (default). This value overrides the Accept header if both are present.
Request Headers
Accept
The expected MIME type of the response body. If the format parameter is present, it takes precedence over the Accept header.
Content-type
The MIME type of the data in the request body. Depending upon the value of the format parameter or Accept header, one of application/xml, application/json, or text/html.
Response Headers
Content-type
The MIME type of the data in the response body. Depending upon the value of the format parameter or Accept header, one of application/xml, application/json, or text/html.
Location
If the request causes a restart, a Location header is included in the response. The header contains a path with which to construct a URL usable to test when the restart has completed.
Response
Upon success, MarkLogic Server returns status code 201 (Created). If the
external-security configuration already exists or if the payload is malformed, a status code
of 400 (Bad Request) is returned. A status code of 401 (Unauthorized) is returned if the user
does not have the necessary privileges.
Required Privileges
This operation requires one of the following:
- the manage-admin and security roles
- the following privileges:
  http://marklogic.com/xdmp/privileges/manage
  http://marklogic.com/xdmp/privileges/manage-admin
  http://marklogic.com/xdmp/privileges/external-security-get-authentication
Usage Notes
The structure of the data in the request body is as follows. The external-security-name, authentication, and authorization properties are required. If either authentication or authorization is ldap, then the ldap-* properties marked below as required for LDAP (ldap-server-uri, ldap-base, ldap-attribute, and, depending on the bind method, ldap-default-user and ldap-password) are also required; the remaining ldap-* properties are optional.
external-security-id
An external security id (unique key).
external-security-name
External security name (unique)
description
An object's description.
authentication
Authentication
cache-timeout
The login cache timeout, in seconds.
authorization
An authorization scheme.
ldap-server-uri
URI of the LDAP server. Required if authentication or authorization is LDAP.
ldap-base
starting point for search. Required if authentication or authorization is LDAP.
ldap-attribute
LDAP attribute for user lookup. Required if authentication or authorization is LDAP.
ldap-default-user
LDAP user used by MarkLogic Server to bind to the directory.
Required if the bind method is simple, or if authentication is kerberos and authorization is LDAP.
ldap-password
Password of the default LDAP user.
Required if the bind method is simple, or if authentication is kerberos and authorization is LDAP.
ldap-bind-method
LDAP bind method.
ldap-memberof-attribute
LDAP attribute for group lookup. This is optional. If it is not specified,
"memberOf" will be used to search for the groups of a user.
ldap-member-attribute
LDAP attribute for group lookup. This is optional. If it is not specified,
"member" will be used to search for the groups a group belongs to (nested group lookup).
ldap-start-tls
Whether or not to use start TLS request to the LDAP server.
ldap-certificate
The PEM encoded X.509 certificate MarkLogic Server presents when connecting to the LDAP server.
It can be used for TLS mutual authentication if the bind method is MD5 or simple,
or for external binding.
ldap-private-key
The PEM encoded private key corresponding to the certificate.
ldap-nested-lookup
Whether or not to perform nested group lookup.
ldap-remove-domain
Whether or not to remove domain before matching with ldap-attribute.
ldap-negative-cache-timeout
The LDAP negative cache timeout, in seconds.
ldap-server
An LDAP server configuration.
This is a complex structure with the following children:
ldap-server-uri
URI of the LDAP server. Required if authentication or authorization is LDAP.
ldap-base
starting point for search. Required if authentication or authorization is LDAP.
ldap-attribute
LDAP attribute for user lookup. Required if authentication or authorization is LDAP.
ldap-default-user
LDAP user used by MarkLogic Server to bind to the directory.
Required if the bind method is simple, or if authentication is kerberos and authorization is LDAP.
ldap-password
Password of the default LDAP user.
Required if the bind method is simple, or if authentication is kerberos and authorization is LDAP.
ldap-bind-method
LDAP bind method.
ldap-memberof-attribute
LDAP attribute for group lookup. This is optional. If it is not specified,
"memberOf" will be used to search for the groups of a user.
ldap-member-attribute
LDAP attribute for group lookup. This is optional. If it is not specified,
"member" will be used to search for the groups a group belongs to (nested group lookup).
ldap-start-tls
Whether or not to use start TLS request to the LDAP server.
ldap-certificate
The PEM encoded X.509 certificate MarkLogic Server presents when connecting to the LDAP server.
It can be used for TLS mutual authentication if the bind method is MD5 or simple,
or for external binding.
ldap-private-key
The PEM encoded private key corresponding to the certificate.
ldap-nested-lookup
Whether or not to perform nested group lookup.
ldap-remove-domain
Whether or not to remove domain before matching with ldap-attribute.
ldap-negative-cache-timeout
The LDAP negative cache timeout, in seconds.
saml-server
A SAML server configuration.
This is a complex structure with the following children:
saml-entity-id
SAML entity id. Required if authorization is SAML.
saml-destination
SAML destination.
saml-issuer
SAML issuer.
saml-assertion-host
SAML assertion host.
saml-idp-certificate-authority
The PEM encoded X509 certificate authority for SAML IDP.
saml-sp-certificate
The PEM encoded X509 certificate for SAML SP.
saml-sp-private-key
The PEM encoded private key for SAML SP.
saml-authn-signature
saml-attribute-names
A list of SAML attribute names.
This is a complex structure with the following children:
saml-attribute-name
SAML attribute name.
saml-privilege-attribute-name
SAML privilege attribute name.
http-options
The HTTP options to use when connecting to the
replication application server.
This is a complex structure with the following children:
timeout
The timeout
data
headers
The headers.
method
The method to use.
username
password
credential-id
The credential id.
client-cert
client-key
pass-phrase
verify-cert
Whether the server's certificate should be verified.
proxy
The network location of the proxy server.
kerberos-ticket-forwarding
The option for Kerberos ticket forwarding.
If it is "disabled", the user ticket is not used. This is the default.
If it is "required", the user ticket is forwarded. If the user ticket is not
forwardable, XDMP-NOFORWARDTICKET is thrown.
If it is "optional", the user ticket is forwarded if it is forwardable,
and no error is raised if it is not forwardable.
ssl-client-certificate-authorities
This is a complex structure with the following children:
ssl-client-certificate-authority
An SSL certificate authority
ssl-require-client-certificate
oauth-server
OAuth server configuration.
This is a complex structure with the following children:
oauth-flow-type
OAuth 2.0 flow type.
oauth-vendor
Third-party OAuth 2.0 vendor.
oauth-server-uri
OAuth 2.0 server URI. TLS (HTTPS) required. Optional.
oauth-authorization-server-uri
OAuth 2.0 authorization endpoint. Required when "OAuth Flow Type" is "Authorization code". TLS (HTTPS) required.
oauth-token-server-uri
OAuth 2.0 token service endpoint. Required if "OAuth Flow Type" is not "Resource server". TLS (HTTPS) required.
oauth-introspection-server-uri
OAuth Introspection endpoint. Required if "OAuth Token Type" is "Internally managed reference tokens". TLS (HTTPS) required.
oauth-scope
OAuth 2.0 scopes. Optional.
oauth-client-authentication-method
OAuth 2.0 vendor client authentication method. Required if "OAuth Token Type" is "Internally managed reference tokens".
oauth-client-id
Required. OAuth 2.0 Client ID.
oauth-client-secret
OAuth 2.0 client secret. Required when OAuth Client Authentication Method is "Client secret".
oauth-redirect-uri
OAuth 2.0 redirect URI. Optional. Must use TLS (HTTPS) or be a loopback URI.
oauth-jwt-issuer-uri
OAuth 2.0 JWT Issuer URI. Required if "OAuth Vendor" is "Microsoft Entra" or "Amazon Cognito".
oauth-token-type
OAuth 2.0 access token format.
oauth-username-attribute
Required. The JSON claim name containing username information.
oauth-role-attribute
Required. The JSON claim name containing role information.
oauth-privilege-attribute
The JSON claim name containing privilege information. Optional.
oauth-jwt-alg
Signature algorithm for JWT access tokens. Required if "OAuth Token Type" is "JSON Web Tokens".
oauth-jwt-secrets
A list of OAuth JWT secrets. Secrets information will be updated after pressing the OK button. Required if "OAuth Token Type" is "JSON Web Tokens".
This is a complex structure with the following children:
oauth-jwt-secret
OAuth JWT secret for signing JWTs.
This is a complex structure with the following children:
oauth-jwt-key-id
OAuth JWT key-id used to find JWT keys used for signing.
oauth-jwt-internal-id
OAuth JWT internal-id used to find the JWT secret from the SoftHSM.
oauth-jwt-secret-value
OAuth JWT secret used to sign JWTs. Only used as a placeholder for REST and built-ins to work.
oauth-jwks-uri
JSON Web Key Sets endpoint. TLS (HTTPS) required. Optional.
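The required-property and TLS rules above are easy to get wrong by hand, and the server answers only with a 400 when they are. The following is an added example (not MarkLogic's own code) that checks a payload against the rules stated in these Usage Notes before POSTing it, and adds one caveat the page does not spell out: a simple bind hands the default user's password to the directory, so an ldap:// URI without ldap-start-tls (or an ldaps:// URI) sends it in clear text. The host names, DNs, the "oauth" authentication/authorization values and the exact OAuth option strings in the sample configurations are assumptions; the server-side field names and requirement rules are the page's.

```python
"""Check an external-security payload against the Usage Notes rules, then POST it.

Added example, not MarkLogic's own code.  Assumptions (not from the page): the
sample host names/DNs, the "oauth" authentication value, the OAuth option
strings, and that --anyauth against the Manage API negotiates HTTP digest.
"""
import json
import urllib.request
from urllib.parse import urlparse

# Properties the page marks as required whenever authentication or authorization is ldap.
LDAP_REQUIRED = ("ldap-server-uri", "ldap-base", "ldap-attribute")
# OAuth endpoints the page marks "TLS (HTTPS) required".
OAUTH_HTTPS_ONLY = ("oauth-server-uri", "oauth-authorization-server-uri",
                    "oauth-token-server-uri", "oauth-introspection-server-uri",
                    "oauth-jwks-uri")


def _is_true(value):
    # Accept a JSON boolean or a "true"/"false" string (assumption about the API).
    return str(value).lower() == "true"


def validate(cfg):
    """Return a list of problems; an empty list means the payload satisfies the
    documented requirements.  Purely local: never contacts the server."""
    problems = []
    for key in ("external-security-name", "authentication", "authorization"):
        if not cfg.get(key):
            problems.append(f"{key} is required")
    authn, authz = cfg.get("authentication"), cfg.get("authorization")

    if "ldap" in (authn, authz):
        for key in LDAP_REQUIRED:
            if not cfg.get(key):
                problems.append(f"{key} is required when authentication or authorization is ldap")
        bind = cfg.get("ldap-bind-method")
        if bind == "simple" or (authn == "kerberos" and authz == "ldap"):
            for key in ("ldap-default-user", "ldap-password"):
                if not cfg.get(key):
                    problems.append(f"{key} is required for a simple bind or kerberos+ldap")
        # Caveat not stated on the page: a simple bind transmits ldap-password.
        scheme = urlparse(cfg.get("ldap-server-uri", "")).scheme.lower()
        if bind == "simple" and scheme == "ldap" and not _is_true(cfg.get("ldap-start-tls", False)):
            problems.append("simple bind over ldap:// without ldap-start-tls sends the bind password in clear text")

    oauth = cfg.get("oauth-server") or {}
    if oauth:
        for key in ("oauth-client-id", "oauth-username-attribute", "oauth-role-attribute"):
            if not oauth.get(key):
                problems.append(f"{key} is required")
        for key in OAUTH_HTTPS_ONLY:
            if oauth.get(key) and urlparse(oauth[key]).scheme != "https":
                problems.append(f"{key} must use https")
        redirect = oauth.get("oauth-redirect-uri")
        if redirect:
            p = urlparse(redirect)
            if p.scheme != "https" and p.hostname not in ("localhost", "127.0.0.1", "::1"):
                problems.append("oauth-redirect-uri must use https or be a loopback URI")

    ktf = cfg.get("kerberos-ticket-forwarding")
    if ktf is not None and ktf not in ("disabled", "required", "optional"):
        problems.append("kerberos-ticket-forwarding must be disabled, required or optional")
    return problems


def example_ldap_config():
    """Constructed sample mirroring the page's example; URI and DNs are made up."""
    return {
        "external-security-name": "LDAP-security",
        "description": "Some description",
        "authentication": "ldap",
        "cache-timeout": "300",
        "authorization": "ldap",
        "ldap-server-uri": "ldaps://ldap.example.com:636",
        "ldap-base": "ou=people,dc=example,dc=com",
        "ldap-attribute": "uid",
        "ldap-default-user": "cn=marklogic-bind,ou=svc,dc=example,dc=com",
        "ldap-password": "password",
        "ldap-bind-method": "simple",
    }


def example_oauth_config():
    """Constructed sample resource-server configuration (made-up IdP host)."""
    return {
        "external-security-name": "OAuth-security",
        "authentication": "oauth",
        "authorization": "oauth",
        "oauth-server": {
            "oauth-flow-type": "Resource server",
            "oauth-client-id": "marklogic-api",
            "oauth-token-type": "JSON Web Tokens",
            "oauth-jwt-alg": "RS256",
            "oauth-username-attribute": "preferred_username",
            "oauth-role-attribute": "roles",
            "oauth-jwks-uri": "https://idp.example.com/.well-known/jwks.json",
        },
    }


def post_config(cfg, base_url="http://localhost:8002", user="admin", password="admin"):
    """POST the payload with HTTP digest auth.  Returns (status, Location header);
    a Location header means the server is restarting (see Response Headers)."""
    problems = validate(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    mgr.add_password(None, base_url, user, password)
    opener = urllib.request.build_opener(urllib.request.HTTPDigestAuthHandler(mgr))
    req = urllib.request.Request(base_url + "/manage/v2/external-security",
                                 data=json.dumps(cfg).encode(),
                                 headers={"Content-Type": "application/json"},
                                 method="POST")
    with opener.open(req) as resp:
        return resp.status, resp.headers.get("Location")


if __name__ == "__main__":
    for cfg in (example_ldap_config(), example_oauth_config()):
        print(cfg["external-security-name"], validate(cfg) or "ok")
```

Run the module to see both constructed payloads pass; change the LDAP URI to ldap:// without ldap-start-tls, or an OAuth endpoint to http://, and validate() reports it before anything is sent. post_config() raises rather than submitting a payload that fails these checks, and surfaces the Location header so a caller can poll for the restart the page describes.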
Example
cat ExternalConfig.json
==>
{
"external-security-name": "LDAP-security",
"description": "Some description",
"authentication": "ldap",
"cache-timeout": "300",
"authorization": "ldap",
"ldap-server-uri": "LDAP uri",
"ldap-base": "LDAP base for user lookup",
"ldap-attribute": "LDAP attribute for user lookup",
"ldap-default-user": "default",
"ldap-password": "password",
"ldap-bind-method": "simple"
}
curl -X POST --anyauth -u admin:admin -H "Content-Type:application/json" \
-d @ExternalConfig.json http://localhost:8002/manage/v2/external-security
==> Creates an LDAP external security configuration, named "LDAP-security",
in the Security database. The request body carries ldap-password in clear text, so
against anything other than a loopback test instance send it to a Manage App Server
configured for HTTPS rather than to http://.