habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
665de8ef2211524f3cc13dce9344bd59c61c3a5c
authentik/website/docs/users-sources/sources/directory-sync/freeipa/index.md
Tana M Berry 6d5172d18a website: latest PR for new Docs structure (#11639) 
* first pass

* dependency shenanigans

* move blueprints

* few broken links

* change config the throw errors

* internal file edits

* fighting links

* remove sidebarDev

* fix subdomain

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix relative URL

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix mismatched package versions

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix api reference build

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* test tweak

* links hell

* more links hell

* links hell2

* yep last of the links

* last broken link fixed

* re-add cves

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add devdocs redirects

* add dir

* tweak netlify.toml

* move latest 2 CVES into dir

* fix links to moved cves

* typoed title fix

* fix link

* remove banner

* remove committed api docs

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* integrations: remove version dropdown

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* Update Makefile

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* change doc links in web as well

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* fix some more docs paths

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* fix more docs paths

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* ci: require ci-web.build for merging

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* Revert "ci: require ci-web.build for merging"

This reverts commit b99a4842a9.

* remove sluf for Application

* put slug back in

* minor fix to trigger deploy

* Spelled out Documentation in menu bar

* remove image redirects...

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* remove explicit index.md

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* remove mdx first

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* then remove .md

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add missing prefix

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Co-authored-by: Tana M Berry <tana@goauthentik.com>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
2024-10-09 09:33:40 -05:00

3.3 KiB
Raw Blame History

title
title
FreeIPA

Support level: Community

Preparation

The following placeholders will be used:

  • svc_authentik is the name of the bind account.
  • freeipa.company is the Name of the domain.
  • ipa1.freeipa.company is the Name of the FreeIPA server.

FreeIPA Setup

  1. Log into FreeIPA.

  2. Create a user in FreeIPA, matching your naming scheme. Provide a strong password, example generation methods: pwgen 64 1 or openssl rand 36 | base64 -w 0. After you are done click Add and Edit.

  3. In the user management screen, select the Roles tab.

  4. Add a role that has privileges to change user passwords, the default User Administrators role is sufficient. This is needed to support password resets from within authentik.

  5. By default, if an administrator account resets a user's password in FreeIPA the user's password expires after the first use and must be reset again. This is a security feature to ensure password complexity and history policies are enforced. To bypass this feature for a more seamless experience, you can make the following modification on each of your FreeIPA servers:

    $ ldapmodify -x -D "cn=Directory Manager" -W -h ipa1.freeipa.company -p 389

dn: cn=ipa_pwd_extop,cn=plugins,cn=config
changetype: modify
add: passSyncManagersDNs
passSyncManagersDNs: uid=svc_authentik,cn=users,cn=accounts,dc=freeipa,dc=company

Additional info: 22.1.2. Enabling Password Reset Without Prompting for a Password Change at the Next Login

authentik Setup

In authentik, create a new LDAP Source in Resources -> Sources.

Use these settings:

  • Server URI: ldaps://ipa1.freeipa.company

    You can specify multiple servers by separating URIs with a comma, like ldap://ipa1.freeipa.company,ldap://ipa2.freeipa.company.

    When using a DNS entry with multiple Records, authentik will select a random entry when first connecting.

  • Bind CN: uid=svc_authentik,cn=users,cn=accounts,dc=freeipa,dc=company

  • Bind Password: The password you've given the user above

  • Base DN: dc=freeipa,dc=company

  • Property mappings: Control/Command-select all Mappings which start with "authentik default LDAP" and "authentik default OpenLDAP"

  • Group property mappings: Select "authentik default OpenLDAP Mapping: cn"

Additional settings:

  • Group: If selected, all synchronized groups will be given this group as a parent.

  • Addition User/Group DN: cn=users,cn=accounts

  • Addition Group DN: cn=groups,cn=accounts

  • User object filter: (objectClass=person)

  • Group object filter: (objectClass=groupofnames)

  • Group membership field: member

  • Object uniqueness field: ipaUniqueID

After you save the source, you can kick off a synchronization by navigating to the source, clicking on the "Sync" tab, and clicking the "Run sync again" button.

Lastly, verify that the "User database + LDAP password" backend is selected in the "Password Stage" under Flows -> Stages.