3996bdac33
* website: Bump prettier from 3.3.3 to 3.4.1 in /website Bumps [prettier](https://github.com/prettier/prettier) from 3.3.3 to 3.4.1. - [Release notes](https://github.com/prettier/prettier/releases) - [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md) - [Commits](https://github.com/prettier/prettier/compare/3.3.3...3.4.1) --- updated-dependencies: - dependency-name: prettier dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * update formatting Signed-off-by: Jens Langhammer <jens@goauthentik.io> * sigh Signed-off-by: Jens Langhammer <jens@goauthentik.io> * disable flaky test Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Jens Langhammer <jens@goauthentik.io>
3.0 KiB
title
| title |
|---|
| Active Directory |
Support level: Community
Preparation
The following placeholders will be used:
ad.companyis the Name of the Active Directory domain.authentik.companyis the FQDN of the authentik install.
Active Directory setup
-
Open Active Directory Users and Computers
-
Create a user in Active Directory, matching your naming scheme
-
Give the User a password, generated using for example
pwgen 64 1oropenssl rand 36 | base64 -w 0. -
Open the Delegation of Control Wizard by right-clicking the domain and selecting "All Tasks".
-
Select the authentik service user you've just created.
-
Ensure the "Reset user password and force password change at next logon" Option is checked.
-
Grant these additional permissions (only required when Sync users' password is enabled, and dependent on your AD Domain)
Additional info: https://support.microfocus.com/kb/doc.php?id=7023371
authentik Setup
In authentik, create a new LDAP Source in Directory -> Federation & Social login.
Use these settings:
-
Server URI:
ldap://ad.companyFor authentik to be able to write passwords back to Active Directory, make sure to use
ldaps://. You can test to verify LDAPS is working usingldp.exe.You can specify multiple servers by separating URIs with a comma, like
ldap://dc1.ad.company,ldap://dc2.ad.company.When using a DNS entry with multiple Records, authentik will select a random entry when first connecting.
-
Bind CN:
<name of your service user>@ad.company -
Bind Password: The password you've given the user above
-
Base DN: The base DN which you want authentik to sync
-
Property mappings: Control/Command-select all Mappings which start with "authentik default LDAP" and "authentik default Active Directory"
-
Group property mappings: Select "authentik default LDAP Mapping: Name"
Additional settings that might need to be adjusted based on the setup of your domain:
- Group: If enabled, all synchronized groups will be given this group as a parent.
- Addition User/Group DN: Additional DN which is prepended to your Base DN configured above to limit the scope of synchronization for Users and Groups
- User object filter: Which objects should be considered users. For Active Directory set it to
(&(objectClass=user)(!(objectClass=computer)))to exclude Computer accounts. - Group object filter: Which objects should be considered groups.
- Group membership field: Which user field saves the group membership
- Object uniqueness field: A user field which contains a unique Identifier
After you save the source, a synchronization will start in the background. When its done, you can see the summary under Dashboards -> System Tasks.
To finalise the Active Directory setup, you need to enable the backend "authentik LDAP" in the Password Stage.
