Certificate-based authentication for LDAP
Learn how to set up certificate-based authentication for LDAP in Redis Software.
You can configure Redis Software to use certificate-based authentication in combination with LDAP to authenticate and authorize users.
Here's how it works:
- Users authenticate to the database using client certificates.
- Redis Software extracts the user identity from the certificate.
- Redis Software looks up the user in LDAP.
- LDAP group mappings and database ACLs determine authorization.
Prerequisites
Before enabling certificate-based authentication for LDAP, you must complete the following prerequisites:
- Enable mutual TLS for the relevant databases to set up certificate-based authentication.
- Configure database ACLs to authorize LDAP users.
Set up certificate-based authentication for LDAP
To set up certificate-based authentication for LDAP:
1. Enable certificate-based authentication in the cluster LDAP configuration using an update LDAP configuration REST API request.
   For Redis Software to perform the LDAP lookup for certificate-authenticated users:
   - Redis Software must be able to extract an identity from the client certificate's subject, using either the subject CN or a custom OID. Extracting the user identity from the SAN extension is not currently supported.
   - The certificate subject must follow RFC 4514 formatting.
   - Do not create local user accounts for LDAP users.
   To enable certificate-based authentication and use the certificate subject CN as the LDAP identifier:
   PUT https://<host>:<port>/v1/cluster/ldap
   {
     "cba": true,
     "cba_identity_source": "subject_cn",
     "control_plane": true,
     "data_plane": true
   }
2. Enable external certificate-based authentication in cluster settings using an update cluster settings REST API request:
   PUT https://<host>:<port>/v1/cluster
   {
     "dmc_external_cba_authentication": true
   }
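Because Redis Software takes the LDAP identity from the RFC 4514 subject, it is worth checking what a given client certificate's subject will yield before enabling `cba`. The following is an added example, not Redis Software's own code: a dependency-free Python parser for a subject DN as printed by `openssl x509 -noout -subject -nameopt RFC2253`, returning the CN or a custom attribute type; the OID `1.2.3.4` and the user names are constructed for illustration.

```python
# Added example (not Redis Software code): parse an RFC 4514 subject DN and
# return the value Redis Software would use as the LDAP identity (CN or a custom OID).
HEX = "0123456789abcdefABCDEF"

def _split_unescaped(s, sep):
    """Split s on sep, ignoring occurrences escaped with a backslash."""
    parts, buf, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):      # keep the escape pair intact
            buf.append(s[i:i + 2]); i += 2; continue
        if s[i] == sep:
            parts.append("".join(buf)); buf = []
        else:
            buf.append(s[i])
        i += 1
    parts.append("".join(buf))
    return parts

def _unescape(value):
    """Undo RFC 4514 escaping: \\X for special characters, \\XX for raw octets."""
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            if i + 2 < len(value) and value[i + 1] in HEX and value[i + 2] in HEX:
                out += bytes.fromhex(value[i + 1:i + 3]); i += 3   # \2C -> ","
            else:
                out += value[i + 1].encode(); i += 2             # \, -> ","
        else:
            out += value[i].encode(); i += 1
    return out.decode("utf-8")            # multi-byte escapes decode as UTF-8

def _atv(atv):
    """Parse one attributeType=value pair; type is normalised to upper case."""
    if "=" not in atv:
        raise ValueError(f"malformed RDN, no '=': {atv!r}")
    typ, val = atv.split("=", 1)
    return typ.strip().upper(), _unescape(val)

def parse_dn(dn):
    """Return the DN as a list of RDNs, each a list of (type, value) pairs."""
    return [[_atv(a) for a in _split_unescaped(rdn, "+")]   # '+' = multi-valued RDN
            for rdn in _split_unescaped(dn, ",")]

def ldap_identity(dn, source="CN"):
    """First value of the chosen attribute type (CN, or an OID such as 1.2.3.4)."""
    for rdn in parse_dn(dn):
        for typ, val in rdn:
            if typ == source.upper():
                return val
    raise ValueError(f"no {source} attribute in subject {dn!r}")
```

A subject with no CN (or no value for the configured OID) raises, which is the case that would fail the LDAP lookup at connect time.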
Verify your setup
After configuration is complete, try to connect to the database with certificate-based authentication and verify your setup.