Migrate to role-based LDAP
As of v6.0.20, Redis Enterprise Software supports two LDAP authentication mechanisms: the cluster-based mechanism supported in earlier versions and a role-based mechanism.
If you currently rely on the cluster-based mechanism, you can continue to use it in the short term. However:
- You can only use one LDAP authorization mechanism at a time.
- Support for the cluster-based mechanism is deprecated and will be removed in a future version.
At some point, you’ll want to migrate to role-based LDAP.
Migration checklist
This checklist covers the basic process:
- Identify accounts per app on the customer end.
- Create or identify an LDAP user account on the server that is responsible for LDAP authentication and authorization.
- Create or identify an LDAP group that contains the app team members.
- Verify or configure the Redis Enterprise ACLs.
- Configure each database ACL.
- Remove the earlier “external” (LDAP) users from Redis Enterprise.
- Use Settings > LDAP to enable role-based LDAP.
- Map your LDAP groups to access control roles.
- Test application connectivity using the LDAP credentials of an app team member.
- (Recommended) Turn off default access for the database to avoid anonymous client connections.
Because deployments and requirements vary, you’ll likely need to adjust these guidelines.
Test LDAP access
To test your LDAP integration, you can:
- Connect with redis-cli and use the AUTH command to test LDAP username/password credentials.
- Sign in to the admin console using LDAP credentials authorized for admin access.
- Use RedisInsight to access a database using authorized LDAP credentials.
- Use the REST API to connect using authorized LDAP credentials.
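The redis-cli test above, together with the last two checklist items (LDAP credentials work, anonymous connections are refused), can be scripted. This is an added example, not part of the Redis documentation; the function names, the LDAP_PASS and REDIS_CLI variables, and the host, port and user arguments are assumptions to replace with your own values.

```shell
#!/bin/sh
# Added example. HOST, PORT and USER are placeholders for your database
# endpoint and an LDAP account. The password is read from LDAP_PASS and
# handed to redis-cli through REDISCLI_AUTH, which keeps it off the
# command line. REDIS_CLI may name a specific redis-cli binary.

# check_ldap_auth HOST PORT USER
# Prints: ok | rejected | no-permission | error
check_ldap_auth() {
  chk_reply=$(REDISCLI_AUTH="$LDAP_PASS" "${REDIS_CLI:-redis-cli}" \
      -h "$1" -p "$2" --user "$3" PING 2>&1) || true
  case "$chk_reply" in
    # Test for failure first: some redis-cli versions keep going after a
    # failed AUTH, so with default access still on, a PONG may follow the
    # error and would come from the anonymous user, not the LDAP account.
    *"AUTH failed"*|*WRONGPASS*) echo rejected; return 1 ;;
    # Authenticated, but the mapped role's ACL does not allow the command.
    *NOPERM*) echo no-permission; return 2 ;;
    PONG) echo ok ;;
    *) echo error; return 3 ;;
  esac
}

# check_anonymous_blocked HOST PORT
# Prints: blocked | open | error
check_anonymous_blocked() {
  # Drop any inherited REDISCLI_AUTH so the connection is truly anonymous.
  chk_reply=$(unset REDISCLI_AUTH
      "${REDIS_CLI:-redis-cli}" -h "$1" -p "$2" PING 2>&1) || true
  case "$chk_reply" in
    *NOAUTH*) echo blocked ;;
    PONG) echo open; return 1 ;;
    *) echo error; return 3 ;;
  esac
}
```

Source the file, export LDAP_PASS for an app team member, and call both functions against the database endpoint. After migration the expected results are ok from the first and blocked from the second.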
More info
- Enable and configure role-based LDAP
- Map LDAP groups to access control roles
- Update database ACLs to authorize LDAP access
- Learn more about Redis Enterprise Software security and practices