habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c6fe0c1d85ed4b582e74f8ef901b1765e38f607f
authentik/website/integrations/services/opnsense/index.md
Teffen Ellis a714c781a6 website: Use Docusaurus Frontmatter for badges (#12893) 
website/docs: Reduce redundant usage of badges. Move badge logic to components.

- Fix JSX class name warning.
- Remove duplicate titles.
- Flesh out `support_level` frontmatter.
2025-02-19 18:03:05 +00:00

108 lines
3.2 KiB
Markdown
Raw Blame History

---
title: Integrate with OPNsense
sidebar_label: OPNsense
support_level: community
---
## What is OPNsense
> OPNsense is a free and Open-Source FreeBSD-based firewall and routing software. It is licensed under an Open Source Initiative approved license.
>
> -- https://opnsense.org/
:::note
This is based on authentik 2024.2.2 and OPNsense 24.1.3_1-amd64 installed using https://docs.opnsense.org/manual/install.html. Instructions may differ between versions.
:::
## Preparation
The following placeholders are used in this guide:
- `authentik.company` is the FQDN of authentik.
- `opnsense` is the name of the authentik Service account we'll create.
- `DC=ldap,DC=goauthentik,DC=io` is the Base DN of the LDAP Provider (default)
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
### Step 1
In authentik, go and 'Create Service account' (under _Directory/Users_) for OPNsense to use as the LDAP Binder, leaving 'Create group' ticked as we'll need that group for the provider.
In this example, we'll use `opnsense-user` as the Service account's username
:::note
Take note of the password for this user as you'll need to give it to OPNsense in _Step 4_.
:::
### Step 2
In authentik, create an _LDAP Provider_ (under _Applications/Providers_) with these settings:
:::note
Only settings that have been modified from default have been listed.
:::
**Protocol Settings**
- Name: LDAP
- Search group: opnsense
- Certificate: authentik Self-signed certificate
### Step 3
In authentik, create an application (under _Applications/Applications_) which uses this provider. Optionally apply access restrictions to the application using policy bindings.
:::note
Only settings that have been modified from default have been listed.
:::
- Name: LDAP
- Slug: ldap
- Provider: LDAP
### Step 4
In authentik, create an outpost (under _Applications/Outposts_) of type `LDAP` that uses the LDAP Application you created in _Step 2_.
:::note
Only settings that have been modified from default have been listed.
:::
- Name: LDAP
- Type: LDAP
### Step 5
Add your authentik LDAP server to OPNsense by going to your OPNsense Web UI and clicking the `+` under _System/Access/Servers_.
Change the following fields
- Descriptive name: authentik
- Hostname or IP address: authentik.company
- Transport: SSL - Encrypted
- Bind credentials
- User DN: CN=opnsense-user,OU=users,DC=ldap,DC=goauthentik,DC=io
- Password: whatever-you-set
- Base DN: DC=ldap,DC=goauthentik,DC=io
- Authentication containers: OU=users,DC=ldap,DC=goauthentik,DC=io;OU=groups,DC=ldap,DC=goauthentik,DC=io
- Extended Query: &(objectClass=user)
![](./opnsense1.png)
### Step 6
In OPNsense, go to _System/Settings/Administration_ and under _Authentication_ at the bottom of that page, add `authentik` to the Server list
![](./opnsense2.png)
### Step 7
You can now either import users, or synchronize from Authentik LDAP. See https://docs.opnsense.org/manual/how-tos/user-ldap.html for more.
## Notes
:::note
Secure LDAP more by creating a group for your `DN Bind` users and restricting the `Search group` of the LDAP Provider to them.
:::
Reference in New Issue View Git Blame Copy Permalink