Enable LDAP authentication
Enable LDAP authentication for Redis Enterprise for Kubernetes.
LDAP support for Redis Enterprise Software
Redis Enterprise Software supports LDAP authentication and authorization through role-based access controls (RBAC). You can map LDAP groups to Redis Enterprise roles to control access to your database and the Cluster Manager UI. For more details on how LDAP works with Redis Enterprise, see LDAP authentication.
Redis Enterprise for Kubernetes supports enabling and configuring LDAP authentication using the RedisEnterpriseCluster (REC) custom resource. Currently, the Redis Enterprise cluster (REC) only supports configuration related to the LDAP server, such as server addresses, connection details, credentials, and query configuration.
To map LDAP groups to Redis Enterprise access control roles, you'll need to use the Redis Enterprise API or admin console.
Enable LDAP
To enable LDAP for your REC, use the .spec.ldap field in the RedisEnterpriseCluster custom resource.
The following RedisEnterpriseCluster example resource enables a basic LDAP configuration:
apiVersion: app.redislabs.com/v1
kind: RedisEnterpriseCluster
metadata:
  name: rec
spec:
  nodes: 3
  ldap:
    protocol: LDAP
    servers:
    - host: openldap.openldap.svc
      port: 389
    bindCredentialsSecretName: ldap-bind-credentials
    cacheTTLSeconds: 600
    enabledForControlPlane: true
    enabledForDataPlane: true
    authenticationQuery:
      template: cn=%u,ou=default,dc=example,dc=org
    authorizationQuery:
      attribute: memberOf
Refer to the RedisEnterpriseCluster API reference for full details on the available fields.
Bind credentials
For LDAP servers that require authentication for client queries, store the bind credentials in a secret and reference them in the RedisEnterpriseCluster custom resource.
- Create a secret to store the bind credentials.

  kubectl -n <rec-namespace> create secret generic <bind-secret-name> \
    --from-literal=dn='<distinguished-name>' \
    --from-literal=password=<password>

  The secret must:
  - Reside within the same namespace as the RedisEnterpriseCluster custom resource.
  - Include a dn key with the distinguished name for the user performing the query (such as cn=admin,dc=example,dc=org).
  - Include a password key with the bind password.

  Replace the <placeholders> in the command above with your own values.

- Reference the secret name in the .spec.ldap.bindCredentialsSecretName field of the RedisEnterpriseCluster custom resource.

  spec:
    ldap:
      bindCredentialsSecretName: <bind-secret-name>
LDAPS or STARTTLS protocols
In addition to plain LDAP protocol, Redis Enterprise Software also supports LDAPS and STARTTLS protocols for secure communication with the LDAP server.
To enable one of these protocols, edit the spec.ldap.protocol field in the RedisEnterpriseCluster custom resource:
Enable LDAPS:

  spec:
    ldap:
      protocol: LDAPS

Default port: 636

Enable STARTTLS:

  spec:
    ldap:
      protocol: STARTTLS

Default port: 389
CA certificate
To use a custom CA certificate for validating the LDAP server certificate, store the CA certificate in a secret and reference the secret in the RedisEnterpriseCluster custom resource.
- Create a secret to hold the CA certificate.

  kubectl -n <rec-namespace> create secret generic <ca-secret-name> \
    --from-file=cert=<ca-cert>.pem

  The secret must:
  - Reside within the same namespace as the RedisEnterpriseCluster custom resource.
  - Include a cert key with a PEM-encoded CA certificate (such as cacert.pem).

  Replace the <placeholders> in the command above with your own values.

- Reference the secret name in the spec.ldap.caCertificateSecretName field of the RedisEnterpriseCluster custom resource.

  spec:
    ldap:
      caCertificateSecretName: <ca-secret-name>
Client certificates
To use an LDAP client certificate, store the certificate in a secret and reference the secret in the RedisEnterpriseCluster custom resource.
- Create a secret to hold the client certificate.

  kubectl -n <rec-namespace> create secret generic <client-secret-name> \
    --from-literal=name=ldap_client \
    --from-file=certificate=<client-cert-file> \
    --from-file=key=<private-key-file>

  The secret must:
  - Reside within the same namespace as the RedisEnterpriseCluster custom resource.
  - Include a name key explicitly set to ldap_client.
  - Include a certificate key for the public key (such as cert.pem).
  - Include a key key for the private key (such as key.pem).

  Replace the <placeholders> in the command above with your own values.

- Reference the secret name in the .spec.certificates.ldapClientCertificateSecretName field of the RedisEnterpriseCluster custom resource, substituting your own values for <placeholders>.

  spec:
    certificates:
      ldapClientCertificateSecretName: <client-secret-name>
Known limitations
Redis Enterprise Software can't resolve DNS names with a .local suffix.
If your LDAP server is in the same Kubernetes cluster and exposed via a Service object, avoid addresses such as openldap.openldap.svc.cluster.local. Instead, use short-form addresses such as openldap.openldap.svc.
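The following script is an added example, not part of the Redis Enterprise documentation or operator. It pulls together the checks this page implies for the REC LDAP block, the secrets it references, and the .local limitation above: it takes the JSON that `kubectl get rec <name> -o json` and `kubectl get secrets -o json` return and reports a plain-LDAP protocol, a missing CA secret with LDAPS or STARTTLS, a .local server address, a port that does not match the protocol's default, a referenced secret missing from the REC namespace or lacking the required keys, and a client-certificate secret whose name key is not ldap_client. The `load_sample()` objects, the `redis` namespace, and every secret value in them are constructed placeholders.

```python
"""Hardening checks for a RedisEnterpriseCluster (REC) LDAP configuration.

Added example, not Redis Enterprise's own tooling. Run it as
  python rec_ldap_check.py rec.json secrets.json
with files produced by `kubectl get rec <name> -o json` and
`kubectl get secrets -n <rec-namespace> -o json`; with no arguments it runs
against the constructed sample below.
"""
import base64
import json
import sys

# Secret fields referenced from .spec.ldap and the keys the page requires in them.
LDAP_SECRET_KEYS = {
    "bindCredentialsSecretName": {"dn", "password"},
    "caCertificateSecretName": {"cert"},
}
CLIENT_CERT_KEYS = {"name", "certificate", "key"}


def b64enc(text):
    """Encode a string the way Kubernetes stores secret data."""
    return base64.b64encode(text.encode()).decode()


def load_sample():
    """Constructed sample: the page's REC example, but with a .local server
    address, plus a bind secret in the REC namespace. All values are placeholders."""
    rec = {
        "apiVersion": "app.redislabs.com/v1",
        "kind": "RedisEnterpriseCluster",
        "metadata": {"name": "rec", "namespace": "redis"},
        "spec": {
            "nodes": 3,
            "ldap": {
                "protocol": "LDAP",
                "servers": [{"host": "openldap.openldap.svc.cluster.local", "port": 389}],
                "bindCredentialsSecretName": "ldap-bind-credentials",
                "cacheTTLSeconds": 600,
                "enabledForControlPlane": True,
                "enabledForDataPlane": True,
                "authenticationQuery": {"template": "cn=%u,ou=default,dc=example,dc=org"},
                "authorizationQuery": {"attribute": "memberOf"},
            },
        },
    }
    secrets = {"items": [{
        "metadata": {"name": "ldap-bind-credentials", "namespace": "redis"},
        "data": {"dn": b64enc("cn=admin,dc=example,dc=org"), "password": b64enc("placeholder")},
    }]}
    return rec, secrets


def check_secret(by_name, ns, field, name, required, findings):
    """Verify a referenced secret exists in the REC namespace with the required keys."""
    secret = by_name.get((ns, name))
    if secret is None:
        findings.append(f"{field}: secret {name} not found in namespace {ns}")
        return None
    missing = required - set(secret.get("data", {}))
    if missing:
        findings.append(f"{field}: secret {name} lacks keys {sorted(missing)}")
    return secret


def check_rec(rec, secrets):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    ns = rec["metadata"]["namespace"]
    ldap = rec["spec"].get("ldap")
    if ldap is None:
        return ["no .spec.ldap block: LDAP authentication is not enabled"]
    proto = ldap.get("protocol", "LDAP")
    if proto == "LDAP":
        findings.append("protocol LDAP: bind and user credentials cross the network in cleartext; use LDAPS or STARTTLS")
    elif "caCertificateSecretName" not in ldap:
        findings.append(f"protocol {proto} without caCertificateSecretName: server certificate is checked against the default trust store only")
    expected_port = 636 if proto == "LDAPS" else 389  # defaults stated on the page
    for server in ldap.get("servers", []):
        host, port = server.get("host", ""), server.get("port")
        if host.endswith(".local"):
            findings.append(f"server {host}: Redis Enterprise cannot resolve .local names; use the short form such as openldap.openldap.svc")
        if port is not None and port != expected_port:
            findings.append(f"server {host}: port {port} is not the {proto} default ({expected_port}); confirm it is intended")
    by_name = {(s["metadata"]["namespace"], s["metadata"]["name"]): s for s in secrets.get("items", [])}
    for field, required in LDAP_SECRET_KEYS.items():
        if ldap.get(field):
            check_secret(by_name, ns, field, ldap[field], required, findings)
    client = rec["spec"].get("certificates", {}).get("ldapClientCertificateSecretName")
    if client:
        secret = check_secret(by_name, ns, "ldapClientCertificateSecretName", client, CLIENT_CERT_KEYS, findings)
        if secret and "name" in secret.get("data", {}):
            if base64.b64decode(secret["data"]["name"]).decode() != "ldap_client":
                findings.append("ldapClientCertificateSecretName: the name key must be exactly ldap_client")
    return findings


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            rec = json.load(f)
        with open(sys.argv[2]) as f:
            secrets = json.load(f)
    else:
        rec, secrets = load_sample()
    for line in check_rec(rec, secrets) or ["no findings"]:
        print(line)
```

Against the sample it reports the cleartext protocol and the .local address; switching the sample to LDAPS on port 636 with a short-form host and a CA secret present in the same namespace leaves no findings. The port check is only a consistency hint, since the page gives defaults rather than a requirement.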
Next steps
To map LDAP groups to Redis Enterprise access control roles, you'll need to use the Redis Enterprise API or admin console.
For more details on how LDAP works with Redis Enterprise, see LDAP authentication.