habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

website/docs: add LDAP 'Lookup using user attribute' docs (#13966)

Browse Source 
* website/docs: add LDAP 'Lookup using user attribute' docs

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* Updated the doc to new template, removed incorrect screenshot, clarified instructions

* Change in group field explanation as per Marc's comment

* Added examples for filters and changed some language.

* Removed additional info link

* fixup

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* Minor formatting changes

* Update website/docs/users-sources/sources/protocols/ldap/index.md

Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>

* Update website/docs/users-sources/sources/directory-sync/active-directory/index.md

Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>

* Update website/docs/users-sources/sources/directory-sync/active-directory/index.md

Co-authored-by: Dominic R <dominic@sdko.org>
Signed-off-by: Dewi Roberts <dewi@goauthentik.io>

* Added more information to service account creation and LDAPS testing

* Added examples for fields based on issue #3801

---------

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>
Signed-off-by: Dewi Roberts <dewi@goauthentik.io>
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Co-authored-by: Dominic R <dominic@sdko.org>
This commit is contained in:
Marc 'risson' Schmitt
2025-04-29 20:32:59 +02:00
committed by Marcelo Elizeche Landó
parent 29884cbf81
commit 6c0e827677
2 changed files with 70 additions and 72 deletions
Download Patch File Download Diff File Expand all files Collapse all files

105
website/docs/users-sources/sources/directory-sync/active-directory/index.md
View File

@ -7,66 +7,79 @@ support_level: community
The following placeholders are used in this guide:
- `ad.company` is the Name of the Active Directory domain.
- `ad.company` is the name of the Active Directory domain.
- `authentik.company` is the FQDN of the authentik install.
## Active Directory setup
## Active Directory configuration
1. Open Active Directory Users and Computers
To support the integration of Active Directory with authentik, you need to create a service account in Active Directory.
2. Create a user in Active Directory, matching your naming scheme
1. Open **Active Directory Users and Computers** on a domain controller or computer with **Active Directory Remote Server Administration Tools** installed.
2. Navigate to an Organizational Unit, right click on it, and select **New** > **User**.
3. Create a service account, matching your naming scheme, for example:
![](./01_user_create.png)
3. Give the User a password, generated using for example `pwgen 64 1` or `openssl rand 36 | base64 -w 0`.
4. Set the password for the service account. Ensure that the **Reset user password and force password change at next logon** option is not checked.
4. Open the Delegation of Control Wizard by right-clicking the domain and selecting "All Tasks".
Either one of the following commands can be used to generate the password:
5. Select the authentik service user you've just created.
```sh
pwgen 64 1
```
6. Ensure the "Reset user password and force password change at next logon" Option is checked.
```sh
openssl rand 36 | base64 -w 0
```
5. Open the **Delegation of Control Wizard** by right-clicking the domain Active Directory Users and Computers, and selecting **All Tasks**.
6. Select the authentik service account that you've just created.
7. Grant these additional permissions (only required when _User password writeback_ is enabled on the LDAP source in authentik, and dependent on your AD Domain)
![](./02_delegate.png)
7. Grant these additional permissions (only required when _Sync users' password_ is enabled, and dependent on your AD Domain)
## authentik Setup
To support the integration of authentik with Active Directory, you will need to create a new LDAP Source in authentik.
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Directory** > **Federation & Social login**.
3. Click **Create** and select **LDAP Source** as the type.
4. Provide a name, slug, and the following required configurations:
Under **Connection Settings**:
- **Server URI**: `ldap://ad.company`
:::note
For authentik to be able to write passwords back to Active Directory, make sure to use `ldaps://` as a prefix. You can verify that LDAPS is working by opening the `ldp.exe` tool on a domain controller and attempting a connection to the server via port 636. If a connection can be established, LDAPS is functioning as expected. More information can be found in the [Microsoft LDAPS documentation](https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/ldap-over-ssl-connection-issues).
Multiple servers can be specified by separating URIs with a comma (e.g. `ldap://dc1.ad.company,ldap://dc2.ad.company`). If a DNS entry with multiple records is used, authentik will select a random entry when first connecting.
:::
- **Bind CN**: `<service account>@ad.company`
- **Bind Password**: the password of the service account created in the previous section.
- **Base DN**: the base DN which you want authentik to sync.
Under **LDAP Attribute Mapping**:
- **User Property Mappings**: select all Mappings which start with "authentik default LDAP" and "authentik default Active Directory"
- **Group Property Mappings**: select "authentik default LDAP Mapping: Name"
Under **Additional Settings** _(optional)_ configurations that may need to be adjusted based on the setup of your domain:
- **Group**: if enabled, all synchronized groups will be given this group as a parent.
- **Addition User/Group DN**: additional DN which is _prepended_ to your Base DN configured above, to limit the scope of synchronization for Users and Groups.
- **User object filter**: which objects should be considered users (e.g. `(objectClass=user)`). For Active Directory set it to `(&(objectClass=user)(!(objectClass=computer)))` to exclude Computer accounts.
- **Group object filter**: which objects should be considered groups (e.g `(objectClass=group)`).
- **Lookup using a user attribute**: acquire group membership from a User object attribute (`memberOf`) instead of a Group attribute (`member`). This works with directories and nested groups memberships (Active Directory, RedHat IDM/FreeIPA), using `memberOf:1.2.840.113556.1.4.1941:` as the group membership field.
- **Group membership field**: the user object attribute or the group object attribute that determines the group membership of a user (e.g. `member`). If **Lookup using a user attribute** is set, this should be a user object attribute, otherwise a group object attribute.
- **Object uniqueness field**: a user attribute that contains a unique identifier (e.g. `objectSid`).
5. Click **Finish** to save the LDAP Source. An LDAP synchronization will begin in the background. Once completed, you can view the summary by navigating to **Dashboards** > **System Tasks**:
![](./03_additional_perms.png)
Additional info: https://support.microfocus.com/kb/doc.php?id=7023371
6. To finalise the Active Directory setup, you need to enable the backend "authentik LDAP" in the Password Stage.
## authentik Setup
In authentik, create a new LDAP Source in Directory -> Federation & Social login.
Use these settings:
- Server URI: `ldap://ad.company`
For authentik to be able to write passwords back to Active Directory, make sure to use `ldaps://`. You can test to verify LDAPS is working using `ldp.exe`.
You can specify multiple servers by separating URIs with a comma, like `ldap://dc1.ad.company,ldap://dc2.ad.company`.
When using a DNS entry with multiple Records, authentik will select a random entry when first connecting.
- Bind CN: `<name of your service user>@ad.company`
- Bind Password: The password you've given the user above
- Base DN: The base DN which you want authentik to sync
- Property mappings: Control/Command-select all Mappings which start with "authentik default LDAP" and "authentik default Active Directory"
- Group property mappings: Select "authentik default LDAP Mapping: Name"
Additional settings that might need to be adjusted based on the setup of your domain:
- Group: If enabled, all synchronized groups will be given this group as a parent.
- Addition User/Group DN: Additional DN which is _prepended_ to your Base DN configured above to limit the scope of synchronization for Users and Groups
- User object filter: Which objects should be considered users. For Active Directory set it to `(&(objectClass=user)(!(objectClass=computer)))` to exclude Computer accounts.
- Group object filter: Which objects should be considered groups.
- Group membership field: Which user field saves the group membership
- Object uniqueness field: A user field which contains a unique Identifier
After you save the source, a synchronization will start in the background. When its done, you can see the summary under Dashboards -> System Tasks.
![](./03_additional_perms.png)
To finalise the Active Directory setup, you need to enable the backend "authentik LDAP" in the Password Stage.
![](./11_ak_stage.png)
![](./11_ak_stage.png)