Skip to content


Whenever a client connects to Nebula Graph, a session is created. The session stores various contextual information about the connection. Each session is always associated with a single user.

Authentication is the process of mapping this session to a specific user. Once the session is mapped to a user, a set of permissions can be associated with it, using authorization.

Nebula Graph supports two authentication methods, explained in detail below - local and LDAP.

Local authentication

The local database stores usernames, encrypted passwords, local user settings and remote LDAP user settings. When a user tries to access the database, they will be met with a security challenge.

To enable the local authentication, follow these steps:

  1. Set the --enable_authorize property in the nebula-graphd.conf configuration file (the directory is /usr/local/nebula/etc/ by default) to true.
  2. Save your modification in step one and close the nebula-graphd.conf configuration file.
  3. Restart the Nebula Graph services.

LDAP authentication

Lightweight Directory Access Protocol (LDAP) is a lightweight client-server protocol for accessing directory services. Users stored inside LDAP take precedence over the local database users. For example, if both providers have a user called “Amber”, the settings and roles for this user will be sourced from LDAP.

Unlike local authentication, besides enabling the --enable_authorize parameter, LDAP needs to be configured in the nebula-graphd.conf file (the directory is /usr/local/nebula/etc/ by default). Refer to the Integrating LDAP Document for details.

LDAP parameters

Parameter Type Default Value Description
ldap_server string "" A list of ldap server addresses. Multiple addresses are separated with commas.
ldap_port INT32 Ldap server port. If no port is specified, the default port will be used.
ldap_scheme string "ldap" Only supports ldap.
ldap_tls bool false Enable/disable the TLS encryption between graphd and the LDAP server.
ldap_suffix string "" Specifies the root suffix (naming context) to use for all LDAP operations.
ldap_basedn string "" The LDAP distinguished name (DN) of the search base.
ldap_binddn string "" The LDAP user who is allowed to search the base DN.
ldap_bindpasswd string "" The password of the user who is mentioned in the bind DN.
ldap_searchattribute string "" An array of the required attributes.
ldap_searchfilter string "" Specifies a search filter by defining what to search for. It is more flexible than the searchattribut.


Error information: Authentication fails, Invalid data length

Authentication fails because you had not enable the authentication. Follow the preceding steps to enable the authentication.

Last update: April 8, 2021