As of version 6.0.20, Redis Enterprise Software integrates Lightweight Directory Access Protocol (LDAP) authentication and authorization into its role-based access controls (RBAC). You can now use LDAP to authorize access to the admin console and to authorize database access.
Furthermore, you can configure LDAP roles using the Redis Enterprise admin console or REST API.
Previously, you could enable LDAP authentication for admin console users by configuring a cluster either through the command line or the REST API.
The cluster-based LDAP mechanism is supported in v6.0.20; however, the mechanism is deprecated and will be removed in a future update.
Note that the cluster-based mechanism is not compatible with the new role-based approach. You can use either for now, but not both at the same time.
If you are using the earlier LDAP mechanism, you will need to migrate to role-based LDAP at some point in the near future. For help, see Migrate to role-based LDAP.
How it works
Here’s how role-based LDAP integration works:
1. A user signs in with their LDAP credentials.
2. Based on the LDAP configuration details, the username is mapped to an LDAP Distinguished Name.
3. A simple LDAP bind request is attempted using the Distinguished Name and the password. The sign-in fails if the bind fails.
4. Using the configured LDAP details, obtain a list of the user’s LDAP group memberships.
5. Compare the user’s LDAP group memberships to those mapped to local roles.
6. Determine if one of the user’s groups is authorized to access the target resource. If so, the user is granted the level of access authorized to the role.
To access the admin console, the user needs to belong to an LDAP group mapped to an administrative role.
For database access, the user needs to belong to an LDAP group mapped to a role listed in the database’s access control list (ACL). The rights granted to the group determine the user’s level of access.
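The flow above, worked through end to end as an added example (not Redis Enterprise code and not part of the original page): an in-memory stand-in for the directory replaces a real LDAP server, and the authentication template, group-to-role mapping, management role name, database names and ACL rules are all constructed assumptions. The `%u` placeholder in the template is assumed syntax for "substitute the username here". The example shows the two failure modes the text calls out: a failed bind ends the sign-in, and a user whose groups map to no role authenticates but receives no access.

```python
"""Simulation of the role-based LDAP decision flow.

Constructed example: the directory, the authentication template, the
group-to-role mapping and the database ACLs are all in-memory stand-ins.
"""
import hmac
from dataclasses import dataclass, field

# Constructed stand-in for an LDAP directory: user DN -> password and
# the DNs of the groups the user belongs to (the memberOf attribute).
FAKE_DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "password": "alice-pw",
        "memberOf": ["cn=redis-admins,ou=groups,dc=example,dc=com"],
    },
    "uid=bob,ou=people,dc=example,dc=com": {
        "password": "bob-pw",
        "memberOf": ["cn=cache-readers,ou=groups,dc=example,dc=com"],
    },
    "uid=carol,ou=people,dc=example,dc=com": {
        "password": "carol-pw",
        "memberOf": ["cn=unrelated,ou=groups,dc=example,dc=com"],
    },
}

# Authentication template (assumed syntax: %u is replaced by the username).
AUTH_TEMPLATE = "uid=%u,ou=people,dc=example,dc=com"

# LDAP group DN -> local role name (what the group-to-role mapping holds).
GROUP_TO_ROLE = {
    "cn=redis-admins,ou=groups,dc=example,dc=com": "Admin",
    "cn=cache-readers,ou=groups,dc=example,dc=com": "cache-ro",
}

# Roles that grant admin console access (constructed role name).
MANAGEMENT_ROLES = {"Admin"}

# Database ACLs: database name -> {role: ACL rule} (constructed values).
DATABASE_ACLS = {
    "cache": {"cache-ro": "+@read ~*", "Admin": "+@all ~*"},
}


def map_username_to_dn(username: str) -> str:
    """Step 2: build the bind DN from the configured template.

    Conservatively reject DN metacharacters so a username cannot alter
    the structure of the DN the template produces.
    """
    if any(ch in username for ch in ',=+<>#;\\"'):
        raise ValueError("username contains characters not allowed in a DN template")
    return AUTH_TEMPLATE.replace("%u", username)


def simple_bind(dn: str, password: str) -> bool:
    """Step 3: simulate a simple bind; True only if DN exists and password matches."""
    entry = FAKE_DIRECTORY.get(dn)
    return entry is not None and hmac.compare_digest(entry["password"], password)


def group_memberships(dn: str) -> list:
    """Step 4: attribute-style authorization query (read memberOf)."""
    return list(FAKE_DIRECTORY[dn]["memberOf"])


def roles_for_groups(groups) -> set:
    """Step 5: intersect the user's groups with the group-to-role mapping."""
    return {GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE}


@dataclass
class Decision:
    authenticated: bool
    roles: set = field(default_factory=set)
    admin_console: bool = False
    database_access: dict = field(default_factory=dict)  # db -> {role: rule}


def authorize(username: str, password: str) -> Decision:
    """Steps 1-6: sign in, resolve roles, and decide what the user may access."""
    dn = map_username_to_dn(username)
    if not simple_bind(dn, password):
        return Decision(authenticated=False)  # bind failed: sign-in fails
    roles = roles_for_groups(group_memberships(dn))
    db_access = {}
    for db, acl in DATABASE_ACLS.items():
        granted = {r: acl[r] for r in roles if r in acl}
        if granted:
            db_access[db] = granted
    return Decision(True, roles, bool(roles & MANAGEMENT_ROLES), db_access)


if __name__ == "__main__":
    for user, pw in [("alice", "alice-pw"), ("bob", "bob-pw"),
                     ("carol", "carol-pw"), ("alice", "wrong")]:
        print(user, authorize(user, pw))
```

Carol's case is the one worth noticing when debugging a deployment: her bind succeeds, so the LDAP server is reachable and her credentials are right, yet she gets neither console nor database access because none of her groups appears in the group-to-role mapping.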
Before you enable LDAP in Redis Enterprise, you need:
- The LDAP groups that correspond to the levels of access you wish to authorize. Each LDAP group will be mapped to a Redis Enterprise access control role.
- A Redis Enterprise access control role for each LDAP group. Before you enable LDAP, you need to set up role-based access controls (RBAC).
- The following LDAP details:
  - Server URI, including host, port, and protocol details.
  - Certificate details for secure protocols.
  - Bind credentials, including Distinguished Name, password, and (optionally) client public and private keys for certificate authentication.
  - Authentication query details, whether template or query.
  - Authorization query details, whether attribute or query.
  - The Distinguished Names of LDAP groups you’ll use to authorize access to Redis Enterprise resources.
To enable LDAP:
1. From Settings > LDAP in the admin console, enable LDAP access.
2. Map LDAP groups to access control roles.
3. Update database access control lists (ACLs) to authorize role access.
If you already have appropriate roles, you can update them to include LDAP groups.