Authentication Resources

The following table provides a list of resources required for LDAP configuration.

Field Description
Network The name of the preconfigured network to use. The network can be peered or public.
Important: To assign your LDAP configuration to your service, the LDAP configuration and service must be in the same network. Make note of the network that hosts your service before creating your LDAP configuration.
Region Not configurable. The region where your preconfigured network is located.
Name Name for this LDAP configuration.
Security Admin DN The distinguished name (DN) for the Security Admin group in your external LDAP server. After you assign an LDAP configuration to a service, the Security Admin DN will be mapped to the data-hub-security-admin service role in the MarkLogic security database. For details about this service role, see Service Roles. Example: CN=AWS Security Administrators,OU=AWS Delegated Groups,DC=example,DC=com
Important: Only users in your external LDAP server assigned the data-hub-security-admin service role can execute the curl commands that map service roles to LDAP roles. If your service was created before 10/1/2020, the Service Security Admin service role maps the service roles to LDAP roles. For details, see Service Roles.
Tip: A Distinguished Name (DN) is a sequence of Relative Distinguished Names (RDNs), which are attributes with associated values expressed by the form attribute=value. Each RDN attribute is separated by a comma in a DN. For details on LDAP DNs, see
DNS Address The IP address of your external LDAP server. The DNS Address can be public or private, and include more than one IP address. Example:
Important: If using more than one IP address, separate each IP address with a comma. Example:,
Server URI The URI of your external LDAP server. Must include either the ldap:// or ldaps:// prefix. Example: ldaps://
Note: The URI must not contain a port number.
The port number is defined by the prefix.
URI Prefix Port Number
ldap:// 389
ldaps:// 636
Base The location in your external LDAP server's directory information tree where MarkLogic will begin searching for DNs. Example: DC=example,DC=com
Default User The DN for the user in your external LDAP server that MarkLogic uses to search your external LDAP server. MarkLogic uses the Default User to locate DNs that match the external names (ROLE_DN) you provided. If Bind is set to Simple, Default User must be entered as a DN. Example: CN=MarkLogicUser,OU=Users,OU=example,DC=example,DC=com
Important: Default User must be able to access the Base DN.
Password / Re-Enter Password The password for the Default User. Provide the password you defined for this user in your external LDAP server.
Bind Method The bind method to use. Default: Simple
LDAP Attribute The LDAP attribute for user lookup. The name of the attribute used to identify the user on the LDAP server. Default: sAMAccountName
Memberof Attribute The LDAP attribute for group lookup. Used to search for the groups of a user. Default: memberOf
Member Attribute The LDAP attribute for group lookup. Used to search for the group of a group. Default: member