Documentation - Redise Pack

A guide to Redise Pack installation, operation and administration


Integrating LDAP Authentication

Note: This page only pertains to Redis Enterprise Pack v5.0 Preview.

Redis Enterprise Pack (RP) lets you integrate an existing LDAP server to authenticate RP accounts. LDAP authentication for RP administrator accounts requires only a few manual steps to make the two systems interact: configure the saslauthd service for the cluster, set up the accounts on the LDAP server, then map those IDs in RP.

The steps include:

  1. Configuring the saslauthd service
  2. Setting up accounts on the LDAP server, if they do not already exist
  3. Mapping user IDs to the LDAP server using the RP web UI
  4. Using the REST API or rladmin to propagate the configuration to the cluster

Warning: Use secure, encrypted connections between RP nodes and between RP nodes and LDAP servers. The LDAP server uses SASL PLAIN, which sends and receives data (including credentials) in the clear. Use only a trusted network such as a VPN, a connection encrypted with TLS v1.2, or another trusted network path.

Configuring the saslauthd Service

saslauthd is a process that handles authentication requests on behalf of Redis Enterprise Pack, using the LDAP protocol to connect to the LDAP server.

Step #1: Configure LDAP options in config file

$ vi /tmp/saslauthd.conf

Note: If you use a different path for the conf file, be sure to use that path wherever the file is referenced (for example, in the rladmin command in Step #2).

You must specify the URIs of the LDAP servers you will authenticate against. You can specify multiple LDAP servers by listing them separated by a space. If you are using LDAP over SSL, replace ldap:// in the URI with ldaps://.

# Add the following, but with your LDAP Server FQDNs or IPs:
ldap_servers: ldap://ldap1.mydomain.com:389 ldap://ldap2.mydomain.com:389

# You must specify the LDAP distinguished name for the search to be relative to.
# It should include the base domain component (dc)
ldap_search_base: ou=coolUsers,dc=company,dc=com

# Specify a search filter. The value for the configuration option (%u)
# should correspond to parameters (uid) specific for your installation.
ldap_filter: (uid=%u)

# If your LDAP servers require a password to connect, add that to the conf file.
ldap_password: <your password here>

Example saslauthd.conf file:

ldap_servers: ldap://ldap1.mydomain.com ldap://ldap2.mydomain.com
ldap_search_base: ou=coolUsers,dc=company,dc=com
ldap_filter: (uid=%u)
ldap_password: secretSquirrel

Step #2: Distribute saslauthd.conf to all nodes in the cluster

$ sudo /opt/redislabs/bin/rladmin cluster config saslauthd_ldap_conf /tmp/saslauthd.conf
Cluster configured successfully

Note: On a new server installation, a cluster must already be set up for this command to work.

Step #3: Confirm saslauthd is configured

Now that saslauthd is configured, test it with a known LDAP user before finishing the configuration in RP.

$ testsaslauthd -u user -p password
0: OK "Success."

With that "Success" response, we know that saslauthd is configured and connecting to the LDAP server.
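As an added example (not part of the Redis Labs documentation), a POSIX shell check to run over a saslauthd.conf before distributing it with rladmin in Step #2. It flags plaintext ldap:// URIs (the subject of the warning above), a missing ldap_servers or ldap_search_base, a filter without %u, and a world-readable file that holds ldap_password. The conf it demonstrates on is constructed here to mirror the page's example; the function names are my own.

```shell
# Lint a saslauthd.conf before `rladmin cluster config saslauthd_ldap_conf`.
# Added example, not Redis Labs code. Exit status 0 = clean, 1 = findings.

# Print the value of "key: value" from the conf file; empty if the key is absent.
conf_get() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1
}

# Returns 0 when the conf passes every check, 1 otherwise; findings go to stdout.
check_saslauthd_conf() {
    conf="$1"
    rc=0
    servers=$(conf_get "$conf" ldap_servers)
    base=$(conf_get "$conf" ldap_search_base)
    filter=$(conf_get "$conf" ldap_filter)
    password=$(conf_get "$conf" ldap_password)

    [ -n "$servers" ] || { echo "FAIL: ldap_servers is not set"; rc=1; }
    [ -n "$base" ] || { echo "FAIL: ldap_search_base is not set"; rc=1; }
    case "$filter" in
        *%u*) ;;
        *) echo "FAIL: ldap_filter must contain %u (got '$filter')"; rc=1 ;;
    esac
    for uri in $servers; do          # word splitting on spaces is intended
        case "$uri" in
            ldaps://*) ;;
            ldap://*) echo "FAIL: $uri is plaintext LDAP (SASL PLAIN in the clear); use ldaps:// or a TLS/VPN path"; rc=1 ;;
            *) echo "FAIL: $uri is not an ldap:// or ldaps:// URI"; rc=1 ;;
        esac
    done
    if [ -n "$password" ]; then
        # The bind password sits in the file in the clear, so "other" must have no read bit.
        mode=$(stat -c %a "$conf" 2>/dev/null || stat -f %Lp "$conf")
        case "$mode" in
            *[4567]) echo "FAIL: $conf holds ldap_password but is world-readable (mode $mode)"; rc=1 ;;
        esac
    fi
    return $rc
}

# Demo on a constructed conf mirroring the page's example (plaintext ldap://, mode 644).
demo=$(mktemp)
printf '%s\n' 'ldap_servers: ldap://ldap1.mydomain.com ldap://ldap2.mydomain.com' \
    'ldap_search_base: ou=coolUsers,dc=company,dc=com' 'ldap_filter: (uid=%u)' \
    'ldap_password: secretSquirrel' > "$demo"
chmod 644 "$demo"
check_saslauthd_conf "$demo" || echo "fix the findings above before running rladmin cluster config"
rm -f "$demo"
```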

Note: If you are using Multi-Master Replication and wish to use LDAP for administrators, the LDAP setup process must be performed on each cluster.

For more general information about using saslauthd with OpenLDAP, consult the saslauthd and OpenLDAP documentation.

Step #4: Create an RP User to Authenticate with LDAP

To have a user authenticate with LDAP, create a new user with a REST API call like this:

$ curl -k -L -v -u "<your_admin_acct>:<your_pword>" --location-trusted \
-H "Content-Type: application/json" -X POST http://<your-rp-cluster>:8080/v1/users \
-d "{\"auth_method\": \"external\", \"name\": \"<internal user name>\", \"role\": \"<user-role>\"}"

For user-role, use one of the following roles:

  • admin
  • cluster_member
  • db_viewer
  • db_member
  • cluster_viewer

Note: At this time, there is no way to convert an existing account to use LDAP. You must delete the existing account and create a new one.

At this point you should be able to log into the Redis Enterprise Pack web UI with the user you just created.
