Introduction

This page provides an overview of authentication and authorization in Neo4j. Authorization is managed using role-based access control (RBAC). Permissions that define access control are assigned to roles, which are in turn assigned to users.

Neo4j has the following auth providers, that can perform user authentication and authorization:

Native auth provider

Neo4j provides a native auth provider that stores user and role information in the system database. The following parameters control this provider:

  • dbms.security.auth_enabled (Default: true) — Enable auth requirement to access Neo4j.

    If you need to disable authentication, for example, to recover an admin user password or assign a user to the admin role, make sure you block all network connections during the recovery phase so users can connect to Neo4j only via localhost. For more information, see Password and user recovery.

  • dbms.security.auth_lock_time (Default: 5s) — The amount of time a user account is locked after a configured number of unsuccessful authentication attempts.

  • dbms.security.auth_max_failed_attempts (Default: 3) — The maximum number of unsuccessful authentication attempts before imposing a user lock for a configured amount of time.
    When triggered, Neo4j logs an error containing a timestamp and the message failed to log in: too many failed attempts in the security.log.

The Cypher commands to manage users, roles, and permissions are described in detail in Cypher Manual → Access control. Various scenarios that illustrate the use of the native auth provider are available in Fine-grained access control.

LDAP auth provider

Another way of controlling authentication and authorization is through external security software such as Active Directory or OpenLDAP, which is accessed via the built-in LDAP connector. A description of the LDAP plugin using Active Directory is available in Integration with LDAP directory services.

Single Sign-On provider

Some clients wish to centrally manage authentication and authorization for their systems in an identity provider which provides single sign-on for their other systems. Neo4j supports the popular OpenID Connect mechanism for integrating with identity providers and configuration for that is described in Integration with Single Sign-On Services.

Custom-built plugin auth providers

For clients with specific requirements not satisfied with either native or LDAP, Neo4j provides a plugin option for building custom integrations. It is recommended that this option is used as part of a custom delivery as negotiated with Neo4j Professional Services. The plugin is described in Java Reference → Authentication and authorization plugins.

Kerberos authentication and single sign-on

In addition to LDAP, Native and custom providers, Neo4j supports Kerberos for authentication and single sign-on. Kerberos support is provided via the Neo4j Kerberos Add-On.

Mixed-mode authentication

Neo4j also supports mixed-mode authentication that allows you to use multiple authentication providers in your database setup. For more information and examples, see Set Neo4j to use LDAP and Configure Neo4j to use OpenID Connect.