Redis Enterprise Software supports Lightweight Directory Access Protocol (LDAP) authentication and authorization through its role-based access controls (RBAC). You can use LDAP to authorize access to the admin console and to control database access.
You can configure LDAP roles using the Redis Enterprise admin console or REST API.
Previously, Redis Enterprise Software supported a cluster-based LDAP integration; however, support for this approach was removed in v6.2.12.
If you are using the earlier cluster-based LDAP mechanism, you need to migrate to role-based LDAP before upgrading to v6.2.12.
How it works
Here’s how role-based LDAP integration works:
1. A user signs in with their LDAP credentials.
2. Based on the LDAP configuration details, the username is mapped to an LDAP Distinguished Name.
3. A simple LDAP bind request is attempted using the Distinguished Name and the password. The sign-in fails if the bind fails.
4. Using the configured LDAP details, obtain a list of the user's LDAP group memberships.
5. Compare the user's LDAP group memberships to those mapped to local roles.
6. Determine whether one of the user's groups is authorized to access the target resource. If so, the user is granted the level of access authorized for that role.
To access the admin console, the user needs to belong to an LDAP group mapped to an administrative role.
For database access, the user needs to belong to an LDAP group mapped to a role listed in the database’s access control list (ACL). The rights granted to the group determine the user’s level of access.
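The flow above, as an added example that is not Redis Enterprise code: an in-memory stand-in for the LDAP server, a DN template, a group-to-role mapping and a database ACL are all constructed sample data, and the DN normalisation is a deliberate simplification of real LDAP matching rules. It also shows escaping the username before it is substituted into the DN template, so that a value containing `,` or `=` cannot change the structure of the bound DN.

```python
# Added example (not Redis Enterprise code): simplified model of role-based LDAP
# authentication and authorization. All directory data below is constructed.

AUTH_TEMPLATE = "uid=%u,ou=people,dc=example,dc=com"  # assumed template form

# Constructed stand-in for the LDAP server: DN -> (password, member-of group DNs)
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": ("alice-pw", ["cn=redis-admins,ou=groups,dc=example,dc=com"]),
    "uid=bob,ou=people,dc=example,dc=com": ("bob-pw", ["cn=app-readers,ou=groups,dc=example,dc=com"]),
    "uid=carol,ou=people,dc=example,dc=com": ("carol-pw", ["cn=unrelated,ou=groups,dc=example,dc=com"]),
}
# Group DN -> access control role (what the LDAP mapping in the admin console stores)
GROUP_ROLES = {
    "cn=redis-admins,ou=groups,dc=example,dc=com": "admin",
    "cn=app-readers,ou=groups,dc=example,dc=com": "db-reader",
}
ADMIN_ROLES = {"admin"}                                   # roles allowed into the admin console
DB_ACL = {"sales-db": {"db-reader": "read-only", "admin": "full"}}  # per-database role ACL
RIGHT_RANK = {"read-only": 1, "full": 2}                  # higher wins when several roles match

def escape_dn_value(value):
    """Escape RFC 4514 special characters so a username cannot alter the DN structure."""
    return "".join("\\" + c if c in ',+"\\<>;=' else c for c in value)

def normalize_dn(dn):
    """Crude DN normalisation (lower-case, trim around commas); real matching rules are richer."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def simple_bind(dn, password):
    entry = DIRECTORY.get(normalize_dn(dn))
    return entry is not None and entry[0] == password

def roles_for_user(username, password):
    """Steps 1-5: username -> DN, bind, fetch groups, map groups to roles. None means bind failed."""
    dn = AUTH_TEMPLATE.replace("%u", escape_dn_value(username))
    if not simple_bind(dn, password):
        return None
    mapped = {normalize_dn(g): role for g, role in GROUP_ROLES.items()}
    groups = [normalize_dn(g) for g in DIRECTORY[normalize_dn(dn)][1]]
    return {mapped[g] for g in groups if g in mapped}   # unmapped groups grant nothing

def can_access_admin_console(username, password):
    roles = roles_for_user(username, password)
    return bool(roles) and not roles.isdisjoint(ADMIN_ROLES)

def database_access(username, password, db):
    """Step 6 for a database: the ACL right reached through the user's roles, or None if denied."""
    roles = roles_for_user(username, password) or set()
    rights = [DB_ACL.get(db, {}).get(role) for role in roles]
    rights = [r for r in rights if r]
    return max(rights, key=RIGHT_RANK.get) if rights else None
```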
Before you enable LDAP in Redis Enterprise, you need:
- The LDAP groups that correspond to the levels of access you wish to authorize. Each LDAP group will be mapped to a Redis Enterprise access control role.
- A Redis Enterprise access control role for each LDAP group. Before you enable LDAP, you need to set up role-based access controls (RBAC).
- The following LDAP details:
  - Server URI, including host, port, and protocol details.
  - Certificate details for secure protocols.
  - Bind credentials, including Distinguished Name, password, and (optionally) client public and private keys for certificate authentication.
  - Authentication query details, whether template or query.
  - Authorization query details, whether attribute or query.
  - The Distinguished Names of the LDAP groups you'll use to authorize access to Redis Enterprise resources.
To enable LDAP:
1. From Settings > LDAP in the admin console, enable LDAP access.
2. Map LDAP groups to access control roles.
3. Update database access control lists (ACLs) to authorize role access.
If you already have appropriate roles, you can update them to include LDAP groups.