[httpd_global_handlers]
    _session = {ldap_auth, handle_session_req}

[httpd]
    authentication_handlers = {ldap_auth, handle_admin_role}

[ldap_auth]
    ; NOTE: for all of the following configurations, if the key is suffixed in "DN", ldap_auth
    ; will expect you to provide a real LDAP Distinguished Name.

    ; If you use handle_admin_role to assign your system admins, specify the authentication handlers it should
    ; query here. See SystemAdminRoleName for more details.
    AuthenticationHandlers = {couch_httpd_auth, cookie_authentication_handler}, {ldap_auth, handle_basic_auth_req}

    ; Enable SSL to the LDAP server.
    UseSsl = false

    ; The LDAP servers to use for searches and authentication, separated by commas. These will be tried in-order.
    LdapServers = first.ldap.example.com, second.ldap.example.com, third.ldap.example.com

    ; The DN to narrow the scope of searches for users and groups.
    BaseDN = DC=example,DC=com

    ; ldap_auth will use this user DN and password to search for users trying to authenticate.
    ; if you have anonymous LDAP queries enabled (not recommended) you may simply provide the
    ; `anon` CN and a blank password.
    SearchUserDN = CN=ldapsearch,CN=Users,DC=example,DC=com
    SearchUserPassword = ldapsearch_password_here

    ; On ActiveDirectory, you might choose from:
    ; - sAMAccountName, e.g. jsmith
    ; - userPrincipalName, e.g. jsmith@example.com
    ;   NOTE: if you use userPrincipalName, be sure to URL-encode the username when using basic auth.
    ;   e.g. http://jsmith%40example.com:password@example.com:5984
    UserDNMapAttr = sAMAccountName

    ; The LDAP attribute of the group to use as the role name.
    GroupDNMapAttr = name

    ; The role to grant system administrative privileges to.
    ; If you include {ldap_auth, handle_admin_role} in your authentication_handlers, it will
    ; grant the system admin role to anyone who has this role assigned. BE CAREFUL.
    SystemAdminRoleName = admin