habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
57dc595cfbd944653bb419b3a4cdc8b66e194270
authentik/website/docs/add-secure-apps/providers/ldap/generic_setup.md
Tana M Berry 6d5172d18a website: latest PR for new Docs structure (#11639) 
* first pass

* dependency shenanigans

* move blueprints

* few broken links

* change config the throw errors

* internal file edits

* fighting links

* remove sidebarDev

* fix subdomain

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix relative URL

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix mismatched package versions

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix api reference build

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* test tweak

* links hell

* more links hell

* links hell2

* yep last of the links

* last broken link fixed

* re-add cves

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add devdocs redirects

* add dir

* tweak netlify.toml

* move latest 2 CVES into dir

* fix links to moved cves

* typoed title fix

* fix link

* remove banner

* remove committed api docs

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* integrations: remove version dropdown

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* Update Makefile

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* change doc links in web as well

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* fix some more docs paths

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* fix more docs paths

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* ci: require ci-web.build for merging

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* Revert "ci: require ci-web.build for merging"

This reverts commit b99a4842a9.

* remove sluf for Application

* put slug back in

* minor fix to trigger deploy

* Spelled out Documentation in menu bar

* remove image redirects...

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* remove explicit index.md

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* remove mdx first

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* then remove .md

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add missing prefix

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Co-authored-by: Tana M Berry <tana@goauthentik.com>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
2024-10-09 09:33:40 -05:00

3.8 KiB
Raw Blame History

title
title
Create an LDAP provider

Create Service account

  1. Create a new user account to bind with under Directory -> Users -> Create, in this example called ldapservice.

    Note the DN of this user will be cn=ldapservice,ou=users,dc=ldap,dc=goauthentik,dc=io

:::info Note: The default-authentication-flow validates MFA by default, and currently everything but SMS-based devices and WebAuthn devices are supported by LDAP. If you plan to use only dedicated service accounts to bind to LDAP, or don't use SMS-based authenticators, then you can use the default flow and skip the extra steps below and continue at Create LDAP Application & Provider :::

LDAP Flow

Create Custom Stages

  1. Create a new identification stage. Flows & Stage -> Stages -> Create
  2. Name it ldap-identification-stage. Select User fields Username and Email (and UPN if it is relevant to your setup).
  3. Create a new password stage. Flows & Stage -> Stages -> Create
  4. Name it ldap-authentication-password. Leave the defaults for Backends.
  5. Create a new user login stage. Flows & Stage -> Stages -> Create
  6. Name it ldap-authentication-login.

Create Custom Flow

  1. Create a new authentication flow under Flows & Stage -> Flows -> Create, and name it ldap-authentication-flow
  2. Click the newly created flow and choose Stage Bindings.
  3. Click Bind Stage choose ldap-identification-stage and set the order to 10.
  4. Click Bind Stage choose ldap-authentication-login and set the order to 30.
  5. Edit the ldap-identification-stage.
  6. Change the Password stage to ldap-authentication-password.

Create LDAP Application & Provider

  1. Create the LDAP Application under Applications -> Applications -> Create With Wizard and name it LDAP.

Assign LDAP permissions

  1. Navigate to the LDAP Provider under Applications -> Providers -> Provider for LDAP.
  2. Switch to the Permissions tab.
  3. Click the Assign to new user button to select a user to assign the full directory search permission to.
  4. Select the ldapservice user in the modal by typing in its username. Select the Search full LDAP directory permission and click Assign

Create LDAP Outpost

  1. Create (or update) the LDAP Outpost under Applications -> Outposts -> Create. Set the Type to LDAP and choose the LDAP application created in the previous step.

:::info The LDAP Outpost selects different providers based on their Base DN. Adding multiple providers with the same Base DN will result in inconsistent access :::

ldapsearch Test

Test connectivity by using ldapsearch.

:::info ldapsearch can be installed on Linux system with these commands

sudo apt-get install ldap-utils -y # Debian-based systems
sudo yum install openldap-clients -y # CentOS-based systems

:::

ldapsearch \
  -x \
  -H ldap://<LDAP Outpost IP address>:<Port number 389> \ # In production it is recommended to use SSL, which also requires `ldaps://` as the protocol and the SSL port
  -D 'cn=ldapservice,ou=users,DC=ldap,DC=goauthentik,DC=io' \
  -w '<ldapuserpassword>' \
  -b 'DC=ldap,DC=goauthentik,DC=io' \
  '(objectClass=user)'

:::info This query will log the first successful attempt in an event in the Events -> Logs area, further successful logins from the same user are not logged as they are cached in the outpost. :::