 6d5172d18a
* first pass
* dependency shenanigans
* move blueprints
* few broken links
* change config to throw errors
* internal file edits
* fighting links
* remove sidebarDev
* fix subdomain
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* fix relative URL
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* fix mismatched package versions
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* fix api reference build
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* test tweak
* links hell
* more links hell
* links hell2
* yep last of the links
* last broken link fixed
* re-add cves
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* add devdocs redirects
* add dir
* tweak netlify.toml
* move latest 2 CVES into dir
* fix links to moved cves
* typoed title fix
* fix link
* remove banner
* remove committed api docs
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* integrations: remove version dropdown
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* Update Makefile
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* change doc links in web as well
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* fix some more docs paths
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* fix more docs paths
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* ci: require ci-web.build for merging
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* Revert "ci: require ci-web.build for merging"
This reverts commit b99a4842a9.
* remove slug for Application
* put slug back in
* minor fix to trigger deploy
* Spelled out Documentation in menu bar
* remove image redirects...
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* remove explicit index.md
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* remove mdx first
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* then remove .md
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* add missing prefix
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Co-authored-by: Tana M Berry <tana@goauthentik.com>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
---
title: Create an LDAP provider
---

### Create Service account

1. Create a new user account to bind with under _Directory_ -> _Users_ -> _Create_, in this example called `ldapservice`.

    Note: the DN of this user will be `cn=ldapservice,ou=users,dc=ldap,dc=goauthentik,dc=io`.

:::info
Note: The `default-authentication-flow` validates MFA by default, and currently everything except SMS-based devices and WebAuthn devices is supported by LDAP. If you plan to use only dedicated service accounts to bind to LDAP, or don't use SMS-based authenticators, then you can use the default flow, skip the extra steps below and continue at [Create LDAP Application & Provider](#create-ldap-application--provider).
:::

### LDAP Flow

#### Create Custom Stages

1. Create a new identification stage under _Flows & Stage_ -> _Stages_ -> _Create_.
2. Name it `ldap-identification-stage`. Select the User fields Username and Email (and UPN if it is relevant to your setup).
3. Create a new password stage under _Flows & Stage_ -> _Stages_ -> _Create_.
4. Name it `ldap-authentication-password`. Leave the defaults for Backends.
5. Create a new user login stage under _Flows & Stage_ -> _Stages_ -> _Create_.
6. Name it `ldap-authentication-login`.

#### Create Custom Flow

1. Create a new authentication flow under _Flows & Stage_ -> _Flows_ -> _Create_, and name it `ldap-authentication-flow`.
2. Click the newly created flow and choose _Stage Bindings_.
3. Click `Bind Stage`, choose `ldap-identification-stage` and set the order to `10`.
4. Click `Bind Stage`, choose `ldap-authentication-login` and set the order to `30`.
5. Edit the `ldap-identification-stage`.
6. Change the Password stage to `ldap-authentication-password`.

### Create LDAP Application & Provider

1. Create the LDAP Application under _Applications_ -> _Applications_ -> _Create With Wizard_ and name it `LDAP`.

### Assign LDAP permissions

1. Navigate to the LDAP Provider under _Applications_ -> _Providers_ -> `Provider for LDAP`.
2. Switch to the _Permissions_ tab.
3. Click the _Assign to new user_ button to select a user to assign the full directory search permission to.
4. Select the `ldapservice` user in the modal by typing in its username. Select the _Search full LDAP directory_ permission and click _Assign_.

### Create LDAP Outpost

1. Create (or update) the LDAP Outpost under _Applications_ -> _Outposts_ -> _Create_. Set the Type to `LDAP` and choose the `LDAP` application created in the previous step.

:::info
The LDAP Outpost selects different providers based on their Base DN. Adding multiple providers with the same Base DN will result in inconsistent access.
:::

### ldapsearch Test

Test connectivity by using ldapsearch.

:::info
ldapsearch can be installed on Linux systems with these commands:

```shell
sudo apt-get install ldap-utils -y # Debian-based systems
sudo yum install openldap-clients -y # CentOS-based systems
```

:::

```shell
# In production it is recommended to use SSL, which also requires `ldaps://`
# as the protocol and the SSL port instead of `ldap://` and port 389.
ldapsearch \
  -x \
  -H ldap://<LDAP Outpost IP address>:<Port number 389> \
  -D 'cn=ldapservice,ou=users,DC=ldap,DC=goauthentik,DC=io' \
  -w '<ldapuserpassword>' \
  -b 'DC=ldap,DC=goauthentik,DC=io' \
  '(objectClass=user)'
```

:::info
This query will log the first successful attempt as an event in the _Events_ -> _Logs_ area; further successful logins from the same user are not logged, as they are cached in the outpost.
:::
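A hardened variant of the connectivity test above, written as an added example (not code from the authentik docs or project): it builds the same query over `ldaps://` with the bind password read from a file instead of passed with `-w`, and parses the LDIF that ldapsearch prints to confirm the service account can actually see directory entries. The outpost host, port 636 and the password-file path are assumptions, and the sample LDIF is constructed.

```python
BASE_DN = "dc=ldap,dc=goauthentik,dc=io"  # base DN used on the page

# Constructed sample of ldapsearch output for the page's query (not real output).
SAMPLE_LDIF = """\
dn: cn=ldapservice,ou=users,dc=ldap,dc=goauthentik,dc=io
cn: ldapservice

dn: cn=alice,ou=users,dc=ldap,dc=goauthentik,dc=io
cn: alice

# search result
search: 2
result: 0 Success
"""

def user_dn(username, base_dn=BASE_DN):
    """authentik exposes each user as cn=<username>,ou=users,<base DN>."""
    return f"cn={username},ou=users,{base_dn}"

def build_ldapsearch(host, bind_user, passfile, port=636, base_dn=BASE_DN):
    """argv for the page's query over ldaps:// (host, port and password file are
    assumptions); -y reads the password from a file instead of the command line."""
    return ["ldapsearch", "-x", "-H", f"ldaps://{host}:{port}",
            "-D", user_dn(bind_user, base_dn), "-y", passfile,
            "-b", base_dn, "(objectClass=user)", "cn"]

def parse_ldif(text):
    """Minimal LDIF reader: '#' lines are comments, a blank line ends an entry,
    a leading space continues the previous value, only dn records are kept."""
    entries, current, last = [], {}, None
    for line in text.splitlines() + [""]:
        if line.startswith("#"):
            continue
        if not line.strip():
            if "dn" in current:
                entries.append(current)
            current, last = {}, None
        elif line.startswith(" ") and last:
            current[last][-1] += line[1:]
        else:
            attr, _, value = line.partition(":")
            current.setdefault(attr, []).append(value.lstrip())
            last = attr
    return entries

def visible_users(ldif):
    """cn of every user the bind account can see; with 'Search full LDAP
    directory' assigned, the service account itself must be among them."""
    return [e["cn"][0] for e in parse_ldif(ldif) if "cn" in e]
```

To run it against a live outpost, pass `build_ldapsearch(...)` to `subprocess.run` with `LDAPTLS_REQCERT=demand` in the environment so an untrusted certificate is rejected rather than silently accepted, and feed the captured stdout to `visible_users`.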