{
  "id": "ldap",
  "title": "Enable LDAP authentication",
  "url": "https://redis.io/docs/latest/operate/kubernetes/7.8.4/security/ldap/",
  "summary": "Enable LDAP authentication for Redis Enterprise for Kubernetes.",
  "content": "\n## LDAP support for Redis Enterprise Software\n\nRedis Enterprise Software supports LDAP authentication and authorization through [role-based access controls]() (RBAC). You can map LDAP groups to [Redis Enterprise roles]() to control access to your database and the Cluster Manager UI. For more details on how LDAP works with Redis Enterprise, see [LDAP authentication]().\n\nRedis Enterprise for Kubernetes supports enabling and configuring LDAP authentication using the `RedisEnterpriseCluster` (REC) custom resource. Currently, the Redis Enterprise cluster (REC) only supports configuration related to the LDAP server, such as server addresses, connection details, credentials, and query configuration.\n\nTo [map LDAP groups to Redis Enterprise access control roles](), you'll need to use the Redis Enterprise [API]() or [admin console]().\n\n## Enable LDAP \n\nTo enable LDAP for your REC, use the `.spec.ldap` field in the `RedisEnterpriseCluster` custom resource.\n\nThe following `RedisEnterpriseCluster` example resource enables a basic LDAP configuration:\n\n```yaml\napiVersion: app.redislabs.com/v1\nkind: RedisEnterpriseCluster\nmetadata:\n  name: rec\nspec:\n  nodes: 3\n  ldap:\n    protocol: LDAP\n    servers:\n    - host: openldap.openldap.svc\n      port: 389\n    bindCredentialsSecretName: ldap-bind-credentials\n    cacheTTLSeconds: 600\n    enabledForControlPlane: true\n    enabledForDataPlane: true\n    authenticationQuery:\n      template: cn=%u,ou=default,dc=example,dc=org\n    authorizationQuery:\n      attribute: memberOf\n```\n\nRefer to the `RedisEnterpriseCluster` [API reference](https://github.com/RedisLabs/redis-enterprise-k8s-docs/blob/master/redis_enterprise_cluster_api.md#ldapspec) for full details on the available fields.\n\n### Bind credentials\n\nFor LDAP servers that require authentication for client queries, store the bind credentials in a secret and reference them in the `RedisEnterpriseCluster` custom resource.\n\n1. 
Create a secret to store the bind credentials.\n    \n    ```sh\n    kubectl -n \u003crec-namespace\u003e create secret generic \u003cbind-secret-name\u003e \\\n        --from-literal=dn='\u003cdistinguished-name\u003e' \\\n        --from-literal=password=\u003cpassword\u003e\n    ```\n    The secret must:\n    - Reside within the same namespace as the `RedisEnterpriseCluster` custom resource.\n    - Include a `dn` key with the distinguished name for the user performing the query (such as `cn=admin,dc=example,dc=org`).\n    - Include a `password` key with the bind password.\n\n    Replace the `\u003cplaceholders\u003e` in the command above with your own values.\n\n1. Reference the secret name in the `.spec.ldap.bindCredentialsSecretName` field of the `RedisEnterpriseCluster` custom resource.\n\n    ```yaml\n    spec:\n      ldap:\n        bindCredentialsSecretName: \u003cbind-secret-name\u003e\n    ```\n\n### LDAPS or STARTTLS protocols\n\nIn addition to the plain LDAP protocol, Redis Enterprise Software also supports the LDAPS and STARTTLS protocols for secure communication with the LDAP server.\n\nTo enable one of these protocols, edit the `spec.ldap.protocol` field in the `RedisEnterpriseCluster` custom resource:\n\n#### Enable `LDAPS`\n\n```yaml\nspec:\n  ldap:\n    protocol: LDAPS\n```\n\nDefault port: 636\n\n#### Enable `STARTTLS`\n\n```yaml\nspec:\n  ldap:\n    protocol: STARTTLS\n```\n\nDefault port: 389\n\n### CA certificate\n\nTo use a custom CA certificate for validating the LDAP server certificate, store the CA certificate in a secret and reference the secret in the `RedisEnterpriseCluster` custom resource.\n\n1. 
Create a secret to hold the CA certificate.\n\n    ```sh\n    kubectl -n \u003crec-namespace\u003e create secret generic \u003cca-secret-name\u003e \\\n        --from-file=cert=\u003cca-cert\u003e.pem\n    ```\n\n    The secret must:\n    - Reside within the same namespace as the `RedisEnterpriseCluster` custom resource.\n    - Include a `cert` key with a PEM-encoded CA certificate (such as `cacert.pem`).\n\n    Replace the `\u003cplaceholders\u003e` in the command above with your own values.\n\n1. Reference the secret name in the `spec.ldap.caCertificateSecretName` field of the `RedisEnterpriseCluster` custom resource.\n\n    ```yaml\n    spec:\n      ldap:\n        caCertificateSecretName: \u003cca-secret-name\u003e\n    ```\n\n### Client certificates\n\nTo use an LDAP client certificate, store the certificate in a secret and reference the secret in the `RedisEnterpriseCluster` custom resource.\n\n1. Create a secret to hold the client certificate.\n\n    ```sh\n    kubectl -n \u003crec-namespace\u003e create secret generic \u003cclient-secret-name\u003e \\\n      --from-literal=name=ldap_client \\\n      --from-file=certificate=\u003cclient-cert-file\u003e \\\n      --from-file=key=\u003cprivate-key-file\u003e\n    ```\n\n    The secret must:\n    - Reside within the same namespace as the `RedisEnterpriseCluster` custom resource.\n    - Include a `name` key explicitly set to `ldap_client`.\n    - Include a `certificate` key for the public key (such as `cert.pem`).\n    - Include a `key` key for the private key (such as `key.pem`).\n    \n\n    Replace the `\u003cplaceholders\u003e` in the command above with your own values.\n\n1. 
Reference the secret name in the `.spec.certificates.ldapClientCertificateSecretName` field of the `RedisEnterpriseCluster` custom resource, substituting your own values for `\u003cplaceholders\u003e`.\n\n    ```yaml\n    spec:\n      certificates:\n        ldapClientCertificateSecretName: \u003cclient-secret-name\u003e\n    ```\n\n## Known limitations\n\nRedis Enterprise Software can't resolve DNS names with a `.local` suffix.\n  If your LDAP server is in the same Kubernetes cluster and exposed via a Service object, *avoid* addresses such as `openldap.openldap.svc.cluster.local`. Instead, *use short-form addresses* such as `openldap.openldap.svc`.\n\n## Next steps\n\nTo [map LDAP groups to Redis Enterprise access control roles](), you'll need to use the Redis Enterprise [API]() or [admin console]().\n\nFor more details on how LDAP works with Redis Enterprise, see [LDAP authentication]().\n",
  "tags": ["docs","operate","kubernetes"],
  "last_updated": "2026-04-08T12:21:52-07:00"
}

