providers/ldap: Remove search group (#10639)

* remove search_group Signed-off-by: Jens Langhammer <jens@goauthentik.io> * make api operations cleaerer Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix migration Signed-off-by: Jens Langhammer <jens@goauthentik.io> * actually use get Signed-off-by: Jens Langhammer <jens@goauthentik.io> * use correct api client for ldap Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix tests Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix migration Signed-off-by: Jens Langhammer <jens@goauthentik.io> * unrelated: fix migration warning Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add docs Signed-off-by: Jens Langhammer <jens@goauthentik.io> * update docs Signed-off-by: Jens Langhammer <jens@goauthentik.io> * unrelated: fix styling issue in dark mode Signed-off-by: Jens Langhammer <jens@goauthentik.io> * unrelated-ish fix button order in wizard Signed-off-by: Jens Langhammer <jens@goauthentik.io> * unrelated: fix missing css import Signed-off-by: Jens Langhammer <jens@goauthentik.io> * Optimised images with calibre/image-actions * Update index.md Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: Jens L. <jens@beryju.org> * Update index.md Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: Jens L. <jens@beryju.org> * Apply suggestions from code review Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: Jens L. <jens@beryju.org> * update release notes based on new template Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Signed-off-by: Jens L. <jens@beryju.org> Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com> Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
2024-08-14 16:31:11 +02:00
parent 3815803264
commit 8f53d0b9f3
33 changed files with 238 additions and 204 deletions
--- a/website/docs/providers/ldap/general_setup14.png
+++ b/website/docs/providers/ldap/general_setup14.png
--- a/website/docs/providers/ldap/general_setup15.png
+++ b/website/docs/providers/ldap/general_setup15.png
--- a/website/docs/providers/ldap/general_setup16.png
+++ b/website/docs/providers/ldap/general_setup16.png
--- a/website/docs/providers/ldap/general_setup17.png
+++ b/website/docs/providers/ldap/general_setup17.png
--- a/website/docs/providers/ldap/generic_setup.md
+++ b/website/docs/providers/ldap/generic_setup.md
@ -1,17 +1,15 @@
 ---
-title: Generic Setup
+title: Create an LDAP provider
 ---

-### Create User/Group
+### Create Service account

 1. Create a new user account to bind with under _Directory_ -> _Users_ -> _Create_, in this example called `ldapservice`.

    Note the DN of this user will be `cn=ldapservice,ou=users,dc=ldap,dc=goauthentik,dc=io`

-2. Create a new group for LDAP searches. In this example `ldapsearch`. Add the `ldapservice` user to this new group.
-
 :::info
-Note: The `default-authentication-flow` validates MFA by default, and currently everything but SMS-based devices are supported by LDAP. If you plan to use only dedicated service accounts to bind to LDAP, or don't use SMS-based authenticators, then you can use the default flow and skip the extra steps below and continue at [Create LDAP Provider](#create-ldap-provider)
+Note: The `default-authentication-flow` validates MFA by default, and currently everything but SMS-based devices and WebAuthn devices are supported by LDAP. If you plan to use only dedicated service accounts to bind to LDAP, or don't use SMS-based authenticators, then you can use the default flow and skip the extra steps below and continue at [Create LDAP Application & Provider](#create-ldap-application--provider)
 :::

 ### LDAP Flow
@ -20,20 +18,20 @@ Note: The `default-authentication-flow` validates MFA by default, and currently

 1. Create a new identification stage. _Flows & Stage_ -> _Stages_ -> _Create_
   ![](./general_setup1.png)
-2. Name it something meaningful like `ldap-identification-stage`. Select User fields Username and Email (and UPN if it is relevant to your setup).
+2. Name it `ldap-identification-stage`. Select User fields Username and Email (and UPN if it is relevant to your setup).
   ![](./general_setup2.png)
 3. Create a new password stage. _Flows & Stage_ -> _Stages_ -> _Create_
   ![](./general_setup3.png)
-4. Name it something meaningful like `ldap-authentication-password`. Leave the defaults for Backends.
+4. Name it `ldap-authentication-password`. Leave the defaults for Backends.
   ![](./general_setup4.png)
 5. Create a new user login stage. _Flows & Stage_ -> _Stages_ -> _Create_
   ![](./general_setup5.png)
-6. Name it something meaningful like `ldap-authentication-login`.
+6. Name it `ldap-authentication-login`.
   ![](./general_setup6.png)

 #### Create Custom Flow

-1. Create a new authentication flow under _Flows & Stage_ -> _Flows_ -> _Create_, and name it something meaningful like `ldap-authentication-flow`
+1. Create a new authentication flow under _Flows & Stage_ -> _Flows_ -> _Create_, and name it `ldap-authentication-flow`
   ![](./general_setup7.png)
 2. Click the newly created flow and choose _Stage Bindings_.
   ![](./general_setup8.png)
@ -46,22 +44,23 @@ Note: The `default-authentication-flow` validates MFA by default, and currently
 6. Change the Password stage to `ldap-authentication-password`.
   ![](./general_setup13.png)

-### Create LDAP Provider
+### Create LDAP Application & Provider

-1. Create the LDAP Provider under _Applications_ -> _Providers_ -> _Create_.
+1. Create the LDAP Application under _Applications_ -> _Applications_ -> _Create With Wizard_ and name it `LDAP`.
   ![](./general_setup14.png)
-2. Name is something meaningful like `LDAP`, bind the custom flow created previously (or the default flow, depending on setup) and specify the search group created earlier.
   ![](./general_setup15.png)

-### Create LDAP Application
+### Assign LDAP permissions

-1. Create the LDAP Application under _Applications_ -> _Applications_ -> _Create_ and name it something meaningful like `LDAP`. Choose the provider created in the previous step.
-   ![](./general_setup16.png)
+1. Navigate to the LDAP Provider under _Applications_ -> _Providers_ -> `Provider for LDAP`.
+2. Switch to the _Permissions_ tab.
+3. Click the _Assign to new user_ button to select a user to assign the full directory search permission to.
+4. Select the `ldapservice` user in the modal by typing in its username. Select the _Search full LDAP directory_ permission and click _Assign_

 ### Create LDAP Outpost

 1. Create (or update) the LDAP Outpost under _Applications_ -> _Outposts_ -> _Create_. Set the Type to `LDAP` and choose the `LDAP` application created in the previous step.
-   ![](./general_setup17.png)
+   ![](./general_setup16.png)

 :::info
 The LDAP Outpost selects different providers based on their Base DN. Adding multiple providers with the same Base DN will result in inconsistent access
--- a/website/docs/providers/ldap/index.md
+++ b/website/docs/providers/ldap/index.md
@ -10,7 +10,7 @@ Note: This provider requires the deployment of the [LDAP Outpost](../../outposts

 All users and groups in authentik's database are searchable. Currently, there is limited support for filters (you can only search for objectClass), but this will be expanded in further releases.

-Binding against the LDAP Server uses a flow in the background. This allows you to use the same policies and flows as you do for web-based logins. For more info, see [Bind modes](#bind-modes).
+Binding against the LDAP Server uses a flow in the background. This allows you to use the same policies and flows as you do for web-based logins. For more info, see [Bind modes](#binding--bind-modes).

 You can configure under which base DN the information should be available. For this documentation we'll use the default of `DC=ldap,DC=goauthentik,DC=io`.

@ -72,7 +72,7 @@ This enables you to bind on port 636 using LDAPS.

 See the integration guide for [sssd](../../../integrations/services/sssd/) for an example guide.

-## Bind Modes
+## Binding & Bind Modes

 All bind modes rely on flows.

@ -102,7 +102,15 @@ In this mode, the outpost will always execute the configured flow when a new bin

 This mode uses the same logic as direct bind, however the result is cached for the entered credentials, and saved in memory for the standard session duration. Sessions are saved independently, meaning that revoking sessions does _not_ remove them from the outpost, and neither will changing a users credentials.

-## Search Modes
+## Searching & Search Modes
+
+Any user that is authorized to access the LDAP provider's application can execute search the LDAP directory. Without explicit permissions to do broader searches, a user's search request will return information about themselves, including user info, group info, and group membership.
+
+[Users](../../user-group-role/user/index.mdx) and [roles](../../user-group-role/roles/index.mdx) can be assigned the permission "Search full LDAP directory" to allow them to search the full LDAP directory and retrieve information about all users in the authentik instance.
+
+:::info
+Up to authentik version 2024.8 this was managed using the "Search group" attribute in the LDAP Provider, where users could be added to a group to grant them this permission. With authentik 2024.8 this is automatically migrated to the "Search full LDAP directory" permission, which can be assigned more flexibly.
+:::

 #### Direct search