Enable LDAP authentication

Enable LDAP authentication for Redis Enterprise for Kubernetes.

LDAP support in Redis Enterprise Software

Redis Enterprise Software supports LDAP authentication and authorization through role-based access control (RBAC). You can map LDAP groups to Redis Enterprise roles to control access to databases and the Cluster Manager UI. For more details on how LDAP works with Redis Enterprise, see LDAP authentication.

Redis Enterprise for Kubernetes supports LDAP through the RedisEnterpriseCluster (REC) custom resource. Currently, the Redis Enterprise cluster (REC) supports only the configuration that relates to the LDAP server, such as the server address, connection details, credentials, and query configuration.

To map LDAP groups to Redis Enterprise access control roles, you need to use the Redis Enterprise API or the Admin Console.

Enable LDAP

To enable LDAP for your REC, use the .spec.ldap field of the RedisEnterpriseCluster custom resource.

The following RedisEnterpriseCluster example resource enables a basic LDAP configuration:

    apiVersion: app.redislabs.com/v1
    kind: RedisEnterpriseCluster
    metadata:
      name: rec
    spec:
      nodes: 3
      ldap:
        protocol: LDAP
        servers:
        - host: openldap.openldap.svc
          port: 389
        bindCredentialsSecretName: ldap-bind-credentials
        cacheTTLSeconds: 600
        enabledForControlPlane: true
        enabledForDataPlane: true
        authenticationQuery:
          template: cn=%u,ou=default,dc=example,dc=org
        authorizationQuery:
          attribute: memberOf

Refer to the RedisEnterpriseCluster API reference for full details on the available fields.

Bind credentials

For LDAP servers that require authentication for client queries, store the bind credentials in a secret and reference them in the RedisEnterpriseCluster custom resource.

  1. Create a secret to store the bind credentials.

    kubectl -n <rec-namespace> create secret generic <bind-secret-name> \
        --from-literal=dn='<distinguished-name>' \
        --from-literal=password=<password>
    

    The secret must:

    • Reside within the same namespace as the RedisEnterpriseCluster custom resource.
    • Include a dn key with the distinguished name for the user performing the query (such as cn=admin,dc=example,dc=org).
    • Include a password key with the bind password.

    Replace the <placeholders> in the command above with your own values.

  2. Reference the secret name in the .spec.ldap.bindCredentialsSecretName field of the RedisEnterpriseCluster custom resource.

    spec:
      ldap:
        bindCredentialsSecretName: <bind-secret-name>
    

LDAPS or STARTTLS protocols

In addition to the plain LDAP protocol, Redis Enterprise Software also supports the LDAPS and STARTTLS protocols for secure communication with the LDAP server.

To enable one of these protocols, edit the spec.ldap.protocol field in the RedisEnterpriseCluster custom resource:

Enable LDAPS

    spec:
      ldap:
        protocol: LDAPS

Default port: 636

Enable STARTTLS

    spec:
      ldap:
        protocol: STARTTLS

Default port: 389

CA certificate

To use a custom CA certificate for validating the LDAP server certificate, store the CA certificate in a secret and reference the secret in the RedisEnterpriseCluster custom resource.

  1. Create a secret to hold the CA certificate.

    kubectl -n <rec-namespace> create secret generic <ca-secret-name> \
        --from-file=cert=<ca-cert>.pem
    

    The secret must:

    • Reside within the same namespace as the RedisEnterpriseCluster custom resource.
    • Include a cert key with a PEM-encoded CA certificate (such as cacert.pem).

    Replace the <placeholders> in the command above with your own values.

  2. Reference the secret name in the spec.ldap.caCertificateSecretName field of the RedisEnterpriseCluster custom resource.

    spec:
      ldap:
        caCertificateSecretName: <ca-secret-name>
    

Client certificates

To use an LDAP client certificate, store the certificate in a secret and reference the secret in the RedisEnterpriseCluster custom resource.

  1. Create a secret to hold the client certificate.

    kubectl -n <rec-namespace> create secret generic <client-secret-name> \
      --from-literal=name=ldap_client \
      --from-file=certificate=<client-cert-file> \
      --from-file=key=<private-key-file>
    

    The secret must:

    • Reside within the same namespace as the RedisEnterpriseCluster custom resource.
    • Include a name key explicitly set to ldap_client.
    • Include a certificate key for the public key (such as cert.pem).
    • Include a key key for the private key (such as key.pem).

    Replace the <placeholders> in the command above with your own values.

  2. Reference the secret name in the .spec.certificates.ldapClientCertificateSecretName field of the RedisEnterpriseCluster custom resource, substituting your own values for <placeholders>.

    spec:
      certificates:
        ldapClientCertificateSecretName: <client-secret-name>
    

Known limitations

Redis Enterprise Software can't resolve DNS names with a .local suffix. If your LDAP server is in the same Kubernetes cluster and exposed via a Service object, avoid addresses such as openldap.openldap.svc.cluster.local. Instead, use short-form addresses such as openldap.openldap.svc.
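The constraints set out above (a protocol of LDAP, LDAPS or STARTTLS; each referenced secret present in the REC's namespace with the required keys; the client-certificate secret's name key set to ldap_client; no server host with a .local suffix) can be checked before the manifest is applied. The following Python example is added here and is not part of the Redis documentation or the operator; it assumes the REC and Secret objects have already been parsed into dicts (for example from kubectl get ... -o json) and runs on a constructed sample that contains two deliberate mistakes.

```python
import base64

def _secret_data(secrets, namespace, name):
    """Return the data map of Secret namespace/name, or None if it is absent there."""
    for s in secrets:
        meta = s["metadata"]
        if meta["name"] == name and meta.get("namespace", "default") == namespace:
            return s.get("data", {})
    return None
def check_rec_ldap(rec, secrets):
    """Return a list of findings; an empty list means the LDAP settings pass the checks."""
    findings = []
    ns = rec["metadata"].get("namespace", "default")
    spec = rec.get("spec", {})
    ldap = spec.get("ldap", {})
    proto = ldap.get("protocol", "LDAP")
    if proto not in ("LDAP", "LDAPS", "STARTTLS"):
        findings.append(f"spec.ldap.protocol {proto!r} is not LDAP, LDAPS or STARTTLS")
    for srv in ldap.get("servers", []):
        host = srv.get("host", "")
        if host.endswith(".local"):  # known limitation: .local names do not resolve
            findings.append(f"server host {host} has a .local suffix; use the short form")
    # Every referenced secret must live in the REC's namespace and carry these keys.
    refs = [
        ("spec.ldap.bindCredentialsSecretName", ldap.get("bindCredentialsSecretName"), {"dn", "password"}),
        ("spec.ldap.caCertificateSecretName", ldap.get("caCertificateSecretName"), {"cert"}),
        ("spec.certificates.ldapClientCertificateSecretName",
         spec.get("certificates", {}).get("ldapClientCertificateSecretName"), {"name", "certificate", "key"}),
    ]
    for field, name, required in refs:
        if not name:
            continue
        data = _secret_data(secrets, ns, name)
        if data is None:
            findings.append(f"{field}: secret {name} not found in namespace {ns}")
            continue
        missing = sorted(required - data.keys())
        if missing:
            findings.append(f"{field}: secret {name} is missing keys {missing}")
        if "name" in required and "name" in data:  # client cert secret: name must be ldap_client
            value = base64.b64decode(data["name"]).decode()
            if value != "ldap_client":
                findings.append(f"{field}: secret {name} key 'name' is {value!r}, expected 'ldap_client'")
    return findings
# Constructed sample: the page's example REC in namespace "redis", with the long-form .local
# host and a bind secret that lacks its dn key, so both checks fire.
SAMPLE_REC = {"metadata": {"name": "rec", "namespace": "redis"}, "spec": {"ldap": {"protocol": "LDAP",
    "servers": [{"host": "openldap.openldap.svc.cluster.local", "port": 389}], "bindCredentialsSecretName": "ldap-bind-credentials"}}}
SAMPLE_SECRETS = [{"metadata": {"name": "ldap-bind-credentials", "namespace": "redis"},
                   "data": {"password": base64.b64encode(b"changeme").decode()}}]
```

Run `check_rec_ldap(SAMPLE_REC, SAMPLE_SECRETS)` to get the two findings for the sample; an empty list means the manifest satisfies every rule on this page.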

Next steps

To map LDAP groups to Redis Enterprise access control roles, you'll need to use the Redis Enterprise API or admin console.

For more details on how LDAP works with Redis Enterprise, see LDAP authentication.
