ArangoDB v3.2 reached End of Life (EOL) and is no longer supported.

This documentation is outdated. Please see the most recent version here: Try latest

LDAP

This feature is available in the Enterprise Edition.

The basic options are --ldap.enabled, --ldap.tls, --ldap.port, --ldap.server and --ldap.permissions-attribute-name.

--ldap.server and --ldap.port can be replace by --ldap.url.

The default for --ldap.port is 389.

--ldap.permissions-attribute-name has the format *databse-name=(* rw none)[,database-name=(* rw none)]*.

There are two modes of operation: simple auth and bind+search.

simple auth

ArangoDB connects to the ldap server and authenticates with the username and password provided by the api authentication request and searches for the database permissions using the attribute name provided by --ldap.permissions-attribute-name.

Example:

--ldap.enabled true --ldap.server ldap.company.com \
--ldap.permissions-attribute-name arangodbPermissions \
--ldap.prefix uid= --ldap.suffix ,dc=company,dc=com

--ldap.prefix and --ldap.suffix build the distinguished name (DN). ArangoDB trys to authenticate with prefix + ArangoDB username + suffix against the ldap server and searches for the database permissions.

bind+search

Example with anonymous auth:

--ldap.enabled true --ldap.server ldap.company.com \
--ldap.basedn dc=company,dc=com \
--ldap.permissions-attribute-name arangodbPermissions

With this configuration ArangoDB binds anonymously to the ldap server and searches for the user. If the user is found a authentication is done with the users DN and password and then database permissions are fetched.

Example with DN and password:

--ldap.enabled true --ldap.server ldap.company.com \
--ldap.basedn dc=company,dc=com \
--ldap.permissions-attribute-name arangodbPermissions
--ldap.binddn cn=admin,dc=company,dc=com --ldap.bindpasswd admin

With this configuration ArangoDB binds with --ldap.bindn and --ldap.bindpasswd to the ldap server and searches for the user. If the user is found a authentication is done with the users DN and password and then database permissions are fetched.

additional options

--ldap.search-filter "objectClass=*"

Restrict the search to specific object classes. The default is objectClass=*.

--ldap.search-attribute "uid"

--ldap.search-attribute specifies which attribute to compare with the username. The default is uid.

--ldap.search-scope sub

`--ldap.search-scope specifies in which scope to search for a user. Valid are one of base, one or sub. The default is sub.

ldap url

--ldap.url ldap://ldap.server.com:1234/dc=example,dc=com?uid?sub

The ldap url consists of the ldap server and port, a basedn, a search attribute and a scope which can be one of base, one or sub.

TLS options

A encrypted connection can be established with --ldap.tls true under UNIX and GNU/Linux platforms.

All following options are not available under Windows.

--ldap.tls

The default is false. With true a tls connection is established.

--ldap.tls-version

The default is 1.2. Available versions are 1.0, 1.1 and 1.2.

--ldap.tls-cert-check-strategy

The default is hard. Available strategies are never, hard, demand, allow and try.

--ldap.tls-cacert-file

A file path to one or more (concatenated) certificate authority certificates in pem format. As default no file path is configured.

Following option has no effect / does not work under macOS.

--ldap.tls-cacert-dir

A directory path to certificate authority certificates in c_rehash format. As default no directory path is configured.