website: latest migration to new structure (#11522)

* first pass

* dependency shenanigans

* move blueprints

* few broken links

* change config the throw errors

* internal file edits

* fighting links

* remove sidebarDev

* fix subdomain

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix relative URL

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix mismatched package versions

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix api reference build

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* test tweak

* links hell

* more links hell

* links hell2

* yep last of the links

* last broken link fixed

* re-add cves

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add devdocs redirects

* add dir

* tweak netlify.toml

* move latest 2 CVES into dir

* fix links to moved cves

* typoed title fix

* fix link

* remove banner

* remove committed api docs

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* integrations: remove version dropdown

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* Update Makefile

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* change doc links in web as well

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* fix some more docs paths

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* fix more docs paths

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* ci: require ci-web.build for merging

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* Revert "ci: require ci-web.build for merging"

This reverts commit b99a4842a9.

* remove sluf for Application

* put slug back in

* minor fix to trigger deploy

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Co-authored-by: Tana M Berry <tana@goauthentik.com>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

website/docs/users-sources/sources/directory-sync/active-directory/index.md

@@ -0,0 +1,73 @@
+---
+title: Active Directory
+---
+
+<span class="badge badge--secondary">Support level: Community</span>
+
+## Preparation
+
+The following placeholders will be used:
+
+-   `ad.company` is the Name of the Active Directory domain.
+-   `authentik.company` is the FQDN of the authentik install.
+
+## Active Directory setup
+
+1. Open Active Directory Users and Computers
+
+2. Create a user in Active Directory, matching your naming scheme
+
+    ![](./01_user_create.png)
+
+3. Give the User a password, generated using for example `pwgen 64 1` or `openssl rand 36 | base64 -w 0`.
+
+4. Open the Delegation of Control Wizard by right-clicking the domain and selecting "All Tasks".
+
+5. Select the authentik service user you've just created.
+
+6. Ensure the "Reset user password and force password change at next logon" Option is checked.
+
+    ![](./02_delegate.png)
+
+7. Grant these additional permissions (only required when _Sync users' password_ is enabled, and dependent on your AD Domain)
+
+    ![](./03_additional_perms.png)
+
+Additional info: https://support.microfocus.com/kb/doc.php?id=7023371
+
+## authentik Setup
+
+In authentik, create a new LDAP Source in Directory -> Federation & Social login.
+
+Use these settings:
+
+-   Server URI: `ldap://ad.company`
+
+    For authentik to be able to write passwords back to Active Directory, make sure to use `ldaps://`. You can test to verify LDAPS is working using `ldp.exe`.
+
+    You can specify multiple servers by separating URIs with a comma, like `ldap://dc1.ad.company,ldap://dc2.ad.company`.
+
+    When using a DNS entry with multiple Records, authentik will select a random entry when first connecting.
+
+-   Bind CN: `<name of your service user>@ad.company`
+-   Bind Password: The password you've given the user above
+-   Base DN: The base DN which you want authentik to sync
+-   Property mappings: Control/Command-select all Mappings which start with "authentik default LDAP" and "authentik default Active Directory"
+-   Group property mappings: Select "authentik default LDAP Mapping: Name"
+
+Additional settings that might need to be adjusted based on the setup of your domain:
+
+-   Group: If enabled, all synchronized groups will be given this group as a parent.
+-   Addition User/Group DN: Additional DN which is _prepended_ to your Base DN configured above to limit the scope of synchronization for Users and Groups
+-   User object filter: Which objects should be considered users. For Active Directory set it to `(&(objectClass=user)(!(objectClass=computer)))` to exclude Computer accounts.
+-   Group object filter: Which objects should be considered groups.
+-   Group membership field: Which user field saves the group membership
+-   Object uniqueness field: A user field which contains a unique Identifier
+
+After you save the source, a synchronization will start in the background. When its done, you can see the summary under Dashboards -> System Tasks.
+
+![](./03_additional_perms.png)
+
+To finalise the Active Directory setup, you need to enable the backend "authentik LDAP" in the Password Stage.
+
+![](./11_ak_stage.png)

website/docs/users-sources/sources/directory-sync/freeipa/index.md

@@ -0,0 +1,81 @@
+---
+title: FreeIPA
+---
+
+<span class="badge badge--secondary">Support level: Community</span>
+
+## Preparation
+
+The following placeholders will be used:
+
+-   `svc_authentik` is the name of the bind account.
+-   `freeipa.company` is the Name of the domain.
+-   `ipa1.freeipa.company` is the Name of the FreeIPA server.
+
+## FreeIPA Setup
+
+1. Log into FreeIPA.
+
+2. Create a user in FreeIPA, matching your naming scheme. Provide a strong password, example generation methods: `pwgen 64 1` or `openssl rand 36 | base64 -w 0`. After you are done click **Add and Edit**.
+
+    ![](./01_user_create.pn)
+
+3. In the user management screen, select the Roles tab.
+
+    ![](./02_user_roles.png)
+
+4. Add a role that has privileges to change user passwords, the default `User Administrators` role is sufficient. This is needed to support password resets from within authentik.
+
+    ![](./03_add_user_role.png)
+
+5. By default, if an administrator account resets a user's password in FreeIPA the user's password expires after the first use and must be reset again. This is a security feature to ensure password complexity and history policies are enforced. To bypass this feature for a more seamless experience, you can make the following modification on each of your FreeIPA servers:
+
+    ```
+    $ ldapmodify -x -D "cn=Directory Manager" -W -h ipa1.freeipa.company -p 389
+
+    dn: cn=ipa_pwd_extop,cn=plugins,cn=config
+    changetype: modify
+    add: passSyncManagersDNs
+    passSyncManagersDNs: uid=svc_authentik,cn=users,cn=accounts,dc=freeipa,dc=company
+    ```
+
+Additional info: [22.1.2. Enabling Password Reset Without Prompting for a Password Change at the Next Login](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/user-authentication#user-passwords-no-expiry)
+
+## authentik Setup
+
+In authentik, create a new LDAP Source in Resources -> Sources.
+
+Use these settings:
+
+-   Server URI: `ldaps://ipa1.freeipa.company`
+
+    You can specify multiple servers by separating URIs with a comma, like `ldap://ipa1.freeipa.company,ldap://ipa2.freeipa.company`.
+
+    When using a DNS entry with multiple Records, authentik will select a random entry when first connecting.
+
+-   Bind CN: `uid=svc_authentik,cn=users,cn=accounts,dc=freeipa,dc=company`
+-   Bind Password: The password you've given the user above
+-   Base DN: `dc=freeipa,dc=company`
+-   Property mappings: Control/Command-select all Mappings which start with "authentik default LDAP" and "authentik default OpenLDAP"
+-   Group property mappings: Select "authentik default OpenLDAP Mapping: cn"
+
+Additional settings:
+
+-   Group: If selected, all synchronized groups will be given this group as a parent.
+-   Addition User/Group DN: `cn=users,cn=accounts`
+-   Addition Group DN: `cn=groups,cn=accounts`
+-   User object filter: `(objectClass=person)`
+-   Group object filter: `(objectClass=groupofnames)`
+-   Group membership field: `member`
+-   Object uniqueness field: `ipaUniqueID`
+
+    ![](./04_source_settings_1.png)
+    ![](./05_source_settings_2.png)
+
+After you save the source, you can kick off a synchronization by navigating to the source, clicking on the "Sync" tab, and clicking the "Run sync again" button.
+
+![](./06_sync_source.png)
+
+Lastly, verify that the "User database + LDAP password" backend is selected in the "Password Stage" under Flows -> Stages.
+
+![](./07_password_stage.png)