diff --git a/content/operate/rs/references/rest-api/objects/cluster/_index.md b/content/operate/rs/references/rest-api/objects/cluster/_index.md index aa45c5700a..fa1c77279e 100644 --- a/content/operate/rs/references/rest-api/objects/cluster/_index.md +++ b/content/operate/rs/references/rest-api/objects/cluster/_index.md @@ -38,6 +38,10 @@ An API object that represents the cluster. | default_non_sharded_proxy_policy | string (default: single) | Default proxy_policy for newly created non-sharded databases' endpoints (read-only) | | default_sharded_proxy_policy | string (default: all-master-shards) | Default proxy_policy for newly created sharded databases' endpoints (read-only) | | disconnect_clients_on_password_removal | "enabled"
"disabled"
**"auto"** | This flag controls whether client connections using removed, revoked, or rotated passwords are actively disconnected | +| dmc_external_authentication | boolean (default: false) | Enable DMC to call the authentication_service for basic authentication | +| dmc_external_cba_authentication | boolean (default: false) | Enable DMC to call the authentication_service for certificate-based authentication | +| dmc_external_entraid_authentication | boolean (default: false) | Enable DMC to call the authentication_service for entraid authentication | +| dmc_external_ldap_authentication | boolean (default: false) | Enable DMC to call the authentication_service for LDAP-based authentication | | email_alerts | boolean (default: false) | Send node/cluster email alerts (requires valid SMTP and email_from settings) | | email_from | string | Sender email for automated emails | | encrypt_pkeys | boolean (default: false) | Enable or turn off encryption of private keys | diff --git a/content/operate/rs/references/rest-api/objects/ldap.md b/content/operate/rs/references/rest-api/objects/ldap.md index 6386dbc908..ef506ab137 100644 --- a/content/operate/rs/references/rest-api/objects/ldap.md +++ b/content/operate/rs/references/rest-api/objects/ldap.md @@ -18,6 +18,9 @@ An API object that represents the cluster's [LDAP]({{< relref "/operate/rs/secur | bind_pass | string | Password used when binding with the LDAP server to run queries | | ca_cert | string | PEM-encoded CA certificate(s) used to validate TLS connections to the LDAP server | | cache_ttl | integer (default: 300) | Maximum TTL (in seconds) of cached entries | +| cba | boolean (default: false) | Whether to allow LDAP as an identity source for certificate-based authentication | +| cba_identity_oid | string | The certificate subject OID to use when `cba_identity_source` is set to `subject_oid` | +| cba_identity_source | "subject_cn"
"subject_oid" | The certificate subject identity source to use for LDAP lookup | | control_plane | boolean (default: false) | Use LDAP for user authentication/authorization in the control plane | | data_plane | boolean (default: false) | Use LDAP for user authentication/authorization in the data plane | | directory_timeout_s | integer (range: 5-60) (default: 5) | The connection timeout to the LDAP server when authenticating a user, in seconds | diff --git a/content/operate/rs/security/access-control/ldap/certificate-based-authentication.md b/content/operate/rs/security/access-control/ldap/certificate-based-authentication.md new file mode 100644 index 0000000000..7f5e488193 --- /dev/null +++ b/content/operate/rs/security/access-control/ldap/certificate-based-authentication.md 
@@ -0,0 +1,90 @@ +--- +title: Certificate-based authentication for LDAP +linkTitle: Certificate-based authentication for LDAP +description: Learn how to set up certificate-based authentication for LDAP in Redis Software. +weight: 40 +--- + +You can configure Redis Software to use certificate-based authentication in combination with LDAP to authenticate and authorize users. + +Here's how it works: + +1. Users authenticate to the database using client certificates. + +1. Redis Software extracts the user identity from the certificate. + +1. Redis Software looks up the user in LDAP. + +1. LDAP group mappings and database ACLs determine authorization. + +## Prerequisites + +Before enabling certificate-based authentication for LDAP, you must complete the following prerequisites: + +1. [Enable mutual TLS]({{}}) for the relevant databases to set up certificate-based authentication. + +1. [Set up LDAP for the cluster]({{< relref "/operate/rs/security/access-control/ldap/enable-role-based-ldap#set-up-ldap-connection" >}}). + +1. [Map LDAP users to appropriate cluster roles]({{< relref "/operate/rs/security/access-control/ldap/map-ldap-groups-to-roles" >}}). + +1. [Configure database ACLs]({{< relref "/operate/rs/security/access-control/ldap/update-database-acls" >}}) to authorize LDAP users. + +## Set up certificate-based authentication for LDAP + +To set up certificate-based authentication for LDAP: + +1. Enable certificate-based authentication in the cluster LDAP configuration using an [update LDAP configuration]({{}}) REST API request. + + To perform LDAP lookup for certificate-authenticated users: + + - Redis Software must extract an identity from the client certificate's subject line, using either the subject CN or a custom OID. Extracting user identity from SAN is not currently supported. + + - The certificate subject must follow [RFC 4514](https://datatracker.ietf.org/doc/html/rfc4514) formatting. 
+ + {{}} + +To enable certificate-based authentication and use the certificate subject CN as the LDAP identifier: + +```sh +PUT https://:/v1/cluster/ldap +{ + "cba": true, + "cba_identity_source": "subject_cn", + "control_plane": true, + "data_plane": true +} +``` + +-tab-sep- + +To enable certificate-based authentication and use a custom subject OID as the LDAP identifier: + +```sh +PUT https://:/v1/cluster/ldap +{ + "cba": true, + "cba_identity_source": "subject_oid", + "cba_identity_oid": "1.2.3.4", + "control_plane": true, + "data_plane": true +} +``` + +The certificate subject must include the OID. + + {{}} + +1. Enable external certificate-based authentication in cluster settings using an [update cluster settings]({{}}) REST API request: + + ```sh + PUT https://:/v1/cluster + { + "dmc_external_cba_authentication": true + } + ``` + +## Verify your setup + +After configuration is complete, try to [connect to the database with certificate-based authentication]({{}}) and verify your setup.
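Review bot: in the `cluster/_index.md` hunk the four new `dmc_external_*_authentication` rows name the method inconsistently: `dmc_external_entraid_authentication` reads "for entraid authentication" while its siblings read "LDAP-based" and "certificate-based"; spell out the product name ("for Microsoft Entra ID authentication") so the row matches the others. All four also say "call the authentication_service" without saying what that service is; either define it inline or link to the page that introduces it, since readers reach this object reference directly. None of the rows mentions that the flag only has an effect together with the matching source configuration (for example `dmc_external_cba_authentication` with the LDAP object's `cba`), which the new page in this same patch depends on; a short cross-reference per row would make that discoverable from the object table.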
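Review bot: in the `ldap.md` hunk `cba_identity_source` is the only new row without a default, while the neighbouring rows state one (`cache_ttl | integer (default: 300)`); state which value applies when `cba` is true and the field is unset, because the new page's first example sets `"cba_identity_source": "subject_cn"` explicitly and a reader cannot tell whether that was required. `cba_identity_oid` should say that it is ignored unless `cba_identity_source` is `subject_oid` (and required when it is), and the `cba` row should note that the flag takes effect only with the cluster-level `dmc_external_cba_authentication` setting added in the first hunk, since the two live on separate object pages and the dependency is otherwise visible only in the tutorial.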
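Review bot: in the new `certificate-based-authentication.md` page the request lines `PUT https://:/v1/cluster/ldap` and `PUT https://:/v1/cluster` have nothing between `https://` and `:/`, so the host and port placeholders are missing; restore them (for example `https://[host]:[port]/v1/cluster/ldap`) or the examples cannot be copied. Several link shortcodes also arrive as bare `{{}}` (the mutual TLS prerequisite, the "update LDAP configuration" and "update cluster settings" links in the procedure, and the "connect to the database" link under "Verify your setup"), whereas the prerequisite links written as `{{< relref "/operate/rs/..." >}}` kept their targets; confirm these render with a target, since they are the only pointers to the request reference for the calls being shown. On content, step 2 enables only `dmc_external_cba_authentication`, but the first hunk adds `dmc_external_ldap_authentication` beside it; say explicitly whether that flag must also be enabled for the LDAP lookup in this flow. Lastly, `"cba_identity_oid": "1.2.3.4"` should be marked as a placeholder and the sentence "The certificate subject must include the OID" should name the subject attribute whose value becomes the LDAP identifier, given that the page already restricts extraction to the subject and rules out SAN.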