habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6d5172d18ad1f28f66ea88d7090a5795912cdef5
authentik/website/docs/users-sources/sources/directory-sync/active-directory/index.md
Tana M Berry 6d5172d18a website: latest PR for new Docs structure (#11639) 
* first pass

* dependency shenanigans

* move blueprints

* few broken links

* change config the throw errors

* internal file edits

* fighting links

* remove sidebarDev

* fix subdomain

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix relative URL

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix mismatched package versions

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix api reference build

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* test tweak

* links hell

* more links hell

* links hell2

* yep last of the links

* last broken link fixed

* re-add cves

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add devdocs redirects

* add dir

* tweak netlify.toml

* move latest 2 CVES into dir

* fix links to moved cves

* typoed title fix

* fix link

* remove banner

* remove committed api docs

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* integrations: remove version dropdown

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* Update Makefile

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* change doc links in web as well

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* fix some more docs paths

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* fix more docs paths

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* ci: require ci-web.build for merging

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* Revert "ci: require ci-web.build for merging"

This reverts commit b99a4842a9.

* remove sluf for Application

* put slug back in

* minor fix to trigger deploy

* Spelled out Documentation in menu bar

* remove image redirects...

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* remove explicit index.md

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* remove mdx first

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* then remove .md

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add missing prefix

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Co-authored-by: Tana M Berry <tana@goauthentik.com>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
2024-10-09 09:33:40 -05:00

3.0 KiB
Raw Blame History

title
title
Active Directory

Support level: Community

Preparation

The following placeholders will be used:

  • ad.company is the Name of the Active Directory domain.
  • authentik.company is the FQDN of the authentik install.

Active Directory setup

  1. Open Active Directory Users and Computers

  2. Create a user in Active Directory, matching your naming scheme

  3. Give the User a password, generated using for example pwgen 64 1 or openssl rand 36 | base64 -w 0.

  4. Open the Delegation of Control Wizard by right-clicking the domain and selecting "All Tasks".

  5. Select the authentik service user you've just created.

  6. Ensure the "Reset user password and force password change at next logon" Option is checked.

  7. Grant these additional permissions (only required when Sync users' password is enabled, and dependent on your AD Domain)

Additional info: https://support.microfocus.com/kb/doc.php?id=7023371

authentik Setup

In authentik, create a new LDAP Source in Directory -> Federation & Social login.

Use these settings:

  • Server URI: ldap://ad.company

    For authentik to be able to write passwords back to Active Directory, make sure to use ldaps://. You can test to verify LDAPS is working using ldp.exe.

    You can specify multiple servers by separating URIs with a comma, like ldap://dc1.ad.company,ldap://dc2.ad.company.

    When using a DNS entry with multiple Records, authentik will select a random entry when first connecting.

  • Bind CN: <name of your service user>@ad.company

  • Bind Password: The password you've given the user above

  • Base DN: The base DN which you want authentik to sync

  • Property mappings: Control/Command-select all Mappings which start with "authentik default LDAP" and "authentik default Active Directory"

  • Group property mappings: Select "authentik default LDAP Mapping: Name"

Additional settings that might need to be adjusted based on the setup of your domain:

  • Group: If enabled, all synchronized groups will be given this group as a parent.
  • Addition User/Group DN: Additional DN which is prepended to your Base DN configured above to limit the scope of synchronization for Users and Groups
  • User object filter: Which objects should be considered users. For Active Directory set it to (&(objectClass=user)(!(objectClass=computer))) to exclude Computer accounts.
  • Group object filter: Which objects should be considered groups.
  • Group membership field: Which user field saves the group membership
  • Object uniqueness field: A user field which contains a unique Identifier

After you save the source, a synchronization will start in the background. When its done, you can see the summary under Dashboards -> System Tasks.

To finalise the Active Directory setup, you need to enable the backend "authentik LDAP" in the Password Stage.