{
  "id": "certificate-based-authentication",
  "title": "Certificate-based authentication for LDAP",
  "url": "https://redis.io/docs/latest/operate/rs/security/access-control/ldap/certificate-based-authentication/",
  "summary": "Learn how to set up certificate-based authentication for LDAP in Redis Software.",
  "tags": [],
  "last_updated": "2026-05-14T08:58:05-05:00",
  "page_type": "content",
  "content_hash": "bb3f23d0cca4790b6d70aeb322a986ad5399866188af552636c9739f0b0ffb55",
  "sections": [
    {
      "id": "overview",
      "title": "Overview",
      "role": "overview",
      "text": "You can configure Redis Software to use certificate-based authentication in combination with LDAP to authenticate and authorize users.\n\nHere's how it works:\n\n1. Users authenticate to the database using client certificates.\n\n1. Redis Software extracts the user identity from the certificate.\n\n1. Redis Software looks up the user in LDAP.\n\n1. LDAP group mappings and database ACLs determine authorization."
    },
    {
      "id": "prerequisites",
      "title": "Prerequisites",
      "role": "content",
      "text": "Before enabling certificate-based authentication for LDAP, you must complete the following prerequisites:\n\n1. [Enable mutual TLS](https://redis.io/docs/latest/operate/rs/security/encryption/tls/enable-tls) for the relevant databases to set up certificate-based authentication.\n\n1. [Set up LDAP for the cluster](https://redis.io/docs/latest/operate/rs/security/access-control/ldap/enable-role-based-ldap#set-up-ldap-connection).\n\n1. [Map LDAP users to appropriate cluster roles](https://redis.io/docs/latest/operate/rs/security/access-control/ldap/map-ldap-groups-to-roles).\n\n1. [Configure database ACLs](https://redis.io/docs/latest/operate/rs/security/access-control/ldap/update-database-acls) to authorize LDAP users."
    },
    {
      "id": "set-up-certificate-based-authentication-for-ldap",
      "title": "Set up certificate-based authentication for LDAP",
      "role": "content",
      "text": "To set up certificate-based authentication for LDAP:\n\n1. Enable certificate-based authentication in the cluster LDAP configuration using an [update LDAP configuration](https://redis.io/docs/latest/operate/rs/references/rest-api/api-reference/#tag/Cluster/operation/cluster_update_ldap_config) REST API request.\n\n    To perform LDAP lookup for certificate-authenticated users:\n    \n    - Redis Software must extract an identity from the client certificate's subject line, using either the subject CN or a custom OID. Extracting user identity from SAN is not currently supported.\n    \n    - The certificate subject must follow [RFC 4514](https://datatracker.ietf.org/doc/html/rfc4514) formatting.\n\n    - Do not create local user accounts for LDAP users.\n\n    **Subject CN:**\n\nTo enable certificate-based authentication and use the certificate subject CN as the LDAP identifier:\n\n[code example]\n\n**Subject OID:**\n\nTo enable certificate-based authentication and use a custom subject OID as the LDAP identifier:\n\n[code example]\n\nThe certificate subject must include the OID.\n\n\n\n1. Enable external certificate-based authentication in cluster settings using an [update cluster settings](https://redis.io/docs/latest/operate/rs/references/rest-api/requests/cluster#put-cluster) REST API request:\n\n    [code example]"
    },
    {
      "id": "verify-your-setup",
      "title": "Verify your setup",
      "role": "content",
      "text": "After configuration is complete, try to [connect to the database with certificate-based authentication](https://redis.io/docs/latest/operate/rs/security/certificates/certificate-based-authentication#authenticate-database-connections) and verify your setup."
    }
  ],
  "examples": [
    {
      "id": "set-up-certificate-based-authentication-for-ldap-ex0",
      "language": "sh",
      "code": "PUT https://<host>:<port>/v1/cluster/ldap\n{\n  \"cba\": true,\n  \"cba_identity_source\": \"subject_cn\",\n  \"control_plane\": true,\n  \"data_plane\": true\n}",
      "section_id": "set-up-certificate-based-authentication-for-ldap"
    },
    {
      "id": "set-up-certificate-based-authentication-for-ldap-ex1",
      "language": "sh",
      "code": "PUT https://<host>:<port>/v1/cluster/ldap\n{\n  \"cba\": true,\n  \"cba_identity_source\": \"subject_oid\",\n  \"cba_identity_oid\": \"1.2.3.4\",\n  \"control_plane\": true,\n  \"data_plane\": true\n}",
      "section_id": "set-up-certificate-based-authentication-for-ldap"
    },
    {
      "id": "set-up-certificate-based-authentication-for-ldap-ex2",
      "language": "sh",
      "code": "PUT https://<host>:<port>/v1/cluster\n    {\n      \"dmc_external_cba_authentication\": true\n    }",
      "section_id": "set-up-certificate-based-authentication-for-ldap"
    }
  ]
}