habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
34367a7481764c8628363e028bed53a236b5b104
authentik/website/docs/providers/ldap/generic_setup.md
Jens Langhammer 3a59b75f4a website/docs: update ldap provider docs 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-01-20 11:46:57 +01:00

3.8 KiB
Raw Blame History

title
title
Generic Setup

Create User/Group

  1. Create a new user account to bind with under Directory -> Users -> Create, in this example called ldapservice.

    Note the DN of this user will be cn=ldapservice,ou=users,dc=ldap,dc=goauthentik,dc=io

  2. Create a new group for LDAP searches. In this example ldapsearch. Add the ldapservice user to this new group.

:::info Note: The default-authentication-flow validates MFA by default, and currently everything but SMS-based devices are supported by LDAP. If you plan to use only dedicated service accounts to bind to LDAP, or don't use SMS-based authenticators, then you can use the default flow and skip the extra steps below and continue at Create LDAP Provider :::

LDAP Flow

Create Custom Stages

  1. Create a new identification stage. Flows & Stage -> Stages -> Create
  2. Name it something meaningful like ldap-identification-stage. Select User fields Username and Email (and UPN if it is relevant to your setup).
  3. Create a new password stage. Flows & Stage -> Stages -> Create
  4. Name it something meaningful like ldap-authentication-password. Leave the defaults for Backends.
  5. Create a new user login stage. Flows & Stage -> Stages -> Create
  6. Name it something meaningful like ldap-authentication-login.

Create Custom Flow

  1. Create a new authentication flow under Flows & Stage -> Flows -> Create, and name it something meaningful like ldap-authentication-flow
  2. Click the newly created flow and choose Stage Bindings.
  3. Click Bind Stage choose ldap-identification-stage and set the order to 10.
  4. Click Bind Stage choose ldap-authentication-login and set the order to 30.
  5. Edit the ldap-identification-stage.
  6. Change the Password stage to ldap-authentication-password.

Create LDAP Provider

  1. Create the LDAP Provider under Applications -> Providers -> Create.
  2. Name is something meaningful like LDAP, bind the custom flow created previously (or the default flow, depending on setup) and specify the search group created earlier.

Create LDAP Application

  1. Create the LDAP Application under Applications -> Applications -> Create and name it something meaningful like LDAP. Choose the provider created in the previous step.

Create LDAP Outpost

  1. Create (or update) the LDAP Outpost under Applications -> Outposts -> Create. Set the Type to LDAP and choose the LDAP application created in the previous step.

:::info The LDAP Outpost selects different providers based on their Base DN. Adding multiple providers with the same Base DN will result in inconsistent access :::

ldapsearch Test

Test connectivity by using ldapsearch.

:::info ldapsearch can be installed on Linux system with these commands

sudo apt-get install ldap-utils -y # Debian-based systems
sudo yum install openldap-clients -y # CentOS-based systems

:::

ldapsearch \
  -x \
  -h <LDAP Outpost IP address> \
  -p 389 \ # Production should use SSL 636
  -D 'cn=ldapservice,ou=users,DC=ldap,DC=goauthentik,DC=io' \
  -w '<ldapuserpassword>' \
  -b 'DC=ldap,DC=goauthentik,DC=io' \
  '(objectClass=user)'

:::info This query will log the first successful attempt in an event in the Events -> Logs area, further successful logins from the same user are not logged as they are cached in the outpost. :::