Enable role-based LDAP
Redis Enterprise Software uses a role-based mechanism to enable LDAP authentication and authorization.
When a user attempts to access Redis Software resources using LDAP credentials, the credentials are passed to the LDAP server in a bind request. If the request succeeds, the user’s groups are searched for one authorizing access to the original resource.
Role-based LDAP lets you authorize admin console admins (previously known as external users) as well as database users. As with any access control role, you can define the level of access authorized by the role.
Enable and set up LDAP connection
To enable and configure LDAP, sign into the Redis Software admin console and then select Settings | LDAP.
When LDAP is enabled, use the info you gathered to populate the following settings:
LDAP Server settings
The LDAP Server settings define the communiction settings used for LDAP authentication and authorization. These include:
| Setting | Description |
|---|---|
| Protocol | Underlying communication protocol; must be LDAP, LDAPS, or STARTTLS |
| Host | URL of the LDAP server |
| Port | LDAP server port number |
| Trusted CA certificate | (LDAPS or STARTTLS protocols only) Certificate for the trusted certificate authority (CA) |
When defining multiple LDAP hosts, the organization tree structure must be identical for all hosts.
Bind credentials
These settings define the credentials for the bind query:
| Setting | Description |
|---|---|
| Distinguished Name | Example: cd=admin,dc=example,dc=org |
| Password | Example: admin1 |
| Client certificate authentication | (LDAPS or STARTTLS protocols only) Place checkmark to enable |
| Client public key | (LDAPS or STARTTLS protocols only) The client public key for authentication |
| Client private key | (LDAPS or STARTTLS protocols only) The client private key for authentication |
Authentication Query
These settings define the authentication query:
| Setting | Description |
|---|---|
| Search user by | Either Template or Query |
| Template | (template search) Example: cn=%u,ou=dev,dc=example,dc=com |
| Base | (query search) Example: ou=dev,dc=example,dc=com |
| Filter | (query search) Example: (cn=%u) |
| Scope | (query search) Must be baseObject, singleLevel, or wholeSubtree |
In this example, %u is replaced by the username attempting to access the Redis Software resource.
Authorization Query
These settings define the group authorization query:
| Setting | Description |
|---|---|
| Search groups by | Either Attribute or Query |
| Attribute | (attribute search) Example: memberOf (case-sensitive) |
| Base | (query search) Example: ou=groups,dc=example,dc=com |
| Filter | (query search) Example: (members=%D) |
| Scope | (query search) Must be baseObject, singleLevel, or wholeSubtree |
In this example, %D is replaced by the Distinguished Name of the user attempting to access the Redis Software resource.
Saving results
When finished, use the Save button to save your changes.
Related info
- Map LDAP groups to access control roles
- Update database ACLs to authorize LDAP access
- Learn more about Redis Software security & practices