Redis Documentation > Redis Enterprise Software > Security > Access control > LDAP authentication > Enable role-based LDAP

Enable role-based LDAP

Redis Enterprise Software uses a role-based mechanism to enable LDAP authentication and authorization.

When a user attempts to access Redis Enterprise resources using LDAP credentials, the credentials are passed to the LDAP server in a bind request. If the request succeeds, the user’s groups are searched for a group that authorizes access to the original resource.

Role-based LDAP lets you authorize admin console admins (previously known as external users) as well as database users. As with any access control role, you can define the level of access authorized by the role.

Set up LDAP connection

To enable and configure LDAP, sign into the Redis Enterprise admin console and then select Settings > LDAP.

The LDAP configuration screen in the Redis Software admin console

Warning -

If LDAP is already enabled, you may already be using the cluster-based LDAP integration. If so, follow the migration process to enable role-based LDAP. You have to delete external users from the admin console before you enable role-based LDAP.

When LDAP is enabled, use the info you gathered to populate the following settings.

LDAP server settings

The LDAP Server settings define the communication settings used for LDAP authentication and authorization. These include:

Setting	Description
Protocol	Underlying communication protocol; must be LDAP, LDAPS, or STARTTLS
Host	URL of the LDAP server
Port	LDAP server port number
Trusted CA certificate	(LDAPS or STARTTLS protocols only) Certificate for the trusted certificate authority (CA)

When defining multiple LDAP hosts, the organization tree structure must be identical for all hosts.

Bind credentials

These settings define the credentials for the bind query:

Setting	Description
Distinguished Name	Example: `cd=admin,dc=example,dc=org`
Password	Example: `admin1`
Client certificate authentication	(LDAPS or STARTTLS protocols only) Place checkmark to enable
Client public key	(LDAPS or STARTTLS protocols only) The client public key for authentication
Client private key	(LDAPS or STARTTLS protocols only) The client private key for authentication

Authentication query

These settings define the authentication query:

Setting	Description
Search user by	Either Template or Query
Template	(template search) Example: `cn=%u,ou=dev,dc=example,dc=com`
Base	(query search) Example: `ou=dev,dc=example,dc=com`
Filter	(query search) Example: `(cn=%u)`
Scope	(query search) Must be baseObject, singleLevel, or wholeSubtree

In this example, %u is replaced by the username attempting to access the Redis Enterprise resource.

Authorization query

These settings define the group authorization query:

Setting	Description
Search groups by	Either Attribute or Query
Attribute	(attribute search) Example: `memberOf` (case-sensitive)
Base	(query search) Example: `ou=groups,dc=example,dc=com`
Filter	(query search) Example: `(members=%D)`
Scope	(query search) Must be baseObject, singleLevel, or wholeSubtree

In this example, %D is replaced by the Distinguished Name of the user attempting to access the Redis Enterprise resource.

Save settings

When finished, select the Save button to save your changes.

More info

Map LDAP groups to access control roles
Update database ACLs to authorize LDAP access
Learn more about Redis Software security and practices

Edit on GitHub

Updated: June 21, 2022

Download PDF

Top