arangodb/Documentation/Books/Manual/Administration/Configuration/Ldap.mdpp

LDAP
====

__This feature is available in the Enterprise Edition.__

The basic options are `--ldap.enabled`, `--ldap.tls`, `--ldap.port`, `--ldap.server` and `--ldap.permissions-attribute-name`.

`--ldap.server` and `--ldap.port` can be replace by `--ldap.url`.

`--ldap.permissions-attribute-name` has the format *databse-name=(*|rw|none)[,database-name=(*|rw|none)]*.

There are two modes of operation: *simple auth* and *bind+search*.

### simple auth

Example:

    --ldap.enabled true --ldap.server 192.168.2.119 --ldap.permissions-attribute-name description \
    --ldap.prefix uid= --ldap.suffix ,dc=example,dc=com

`--ldap.prefix` and `--ldap.suffix` build the distinguished name (DN). ArangoDB trys to authenticate
with *prefix* + *ArangoDB username* + *suffix* against the ldap server and search for the database permissions.

### bind+search








--ldap.enabled true --ldap.server 192.168.2.119 --ldap.basedn dc=example,dc=com  --ldap.searchfilter "objectClass=simpleSecurityObject"
--ldap.searchattribute "uid" --ldap.binddn cn=admin,dc=example,dc=com --ldap.bindpasswd hallo --ldap.permissionsattributename description





    --ldap.permissionsattributename <string>              ldap attributename where the permissions for the database are located. Format: database=(*|rw|none)[,database=(*|rw|none)] (default: "")



    // simple mode
    --ldap.prefix <string>                                ldap prefix, eg. uid= xor dn= xor cn= (default: "")
    --ldap.suffix <string>                                ldap suffix, eg. ,dc=example,dc=com (default: "")



    // search + bind

    --ldap.basedn <string>                                ldap basedn, eg. dc=example,dc=com (default: "")

    --ldap.binddn <string>                                ldap binddn, eg. cn=admin,dc=example,dc=com (default: "")
    --ldap.bindpasswd <string>                            ldap bindpassword, eg. admin (default: "")

    --ldap.searchattribute <string>                       ldap searchattribute, eg. uid (default: "uid")
    --ldap.searchfilter <string>                          ldap searchfilter, eg. (objectClass=simpleSecurityObject) (default: "objectClass=*")

    --ldap.url <string>                                   ldap url, eg. TBD (default: "")