Authentik - LDAP Generic Setup 

Cooptonian

This video follows the documentation to set up Authentik's LDAP flow, application, provider, and outpost.
The command I copied and pasted that worked for me:
# enter your own host IP address in place of <hostIPaddress>
ldapsearch \
  -x \
  -H ldap://<hostIPaddress> \
  -D "cn=ldapservice,ou=users,DC=ldap,DC=goauthentik,DC=io" \
  -b 'DC=ldap,DC=goauthentik,DC=io' \
  '(objectClass=user)' \
  -W
Authentik LDAP Generic Setup Instructions:
goauthentik.io/docs/providers...
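
Added example, not from the video or the authentik documentation: a shell wrapper around the ldapsearch test above that separates the two failures reported in the comments, `Can't contact LDAP server (-1)` and `Invalid credentials (49)`. It assumes bash, coreutils `timeout` and OpenLDAP's `ldapsearch` on the client; the function names are hypothetical, and 255 and 49 are the exit statuses with which ldapsearch reports LDAP results -1 and 49.

```bash
#!/bin/sh
# Added example (not the author's or authentik's code). Function names are hypothetical.
# DNs are the ones from the video description; adjust them to your own provider.
BIND_DN='cn=ldapservice,ou=users,DC=ldap,DC=goauthentik,DC=io'
BASE_DN='DC=ldap,DC=goauthentik,DC=io'

# Succeeds if a TCP connection to host $1, port $2 opens within 3 seconds.
# Assumes bash is installed (its /dev/tcp feature is used in a child process).
port_open() {
  timeout 3 bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$1" "$2" 2>/dev/null
}

# Translate an ldapsearch exit status into the cause named in the comments.
explain_status() {
  case "$1" in
    0)   echo "ok: bind and search succeeded" ;;
    49)  echo "invalid credentials (49): check the bind DN/username for typos, then the password" ;;
    255) echo "can't contact LDAP server (-1): check the outpost container, the 389/636 port mapping and the host firewall" ;;
    *)   echo "LDAP error $1: not one of the two cases above" ;;
  esac
}

# Probe both listener ports, then try the bind from the description (-W prompts).
triage() {
  host=$1
  for port in 389 636; do
    if port_open "$host" "$port"; then echo "port $port: open"
    else echo "port $port: closed or filtered"; fi
  done
  # No listener on 389 means ldapsearch can only fail with -1; skip the prompt.
  if ! port_open "$host" 389; then explain_status 255; return 255; fi
  rc=0
  ldapsearch -x -H "ldap://$host" -D "$BIND_DN" -b "$BASE_DN" -W \
    '(objectClass=user)' >/dev/null || rc=$?
  explain_status "$rc"
  return "$rc"
}

# Usage: sh ldap-triage.sh <hostIPaddress>
[ "$#" -eq 0 ] || triage "$1"
```

A closed port 389 points at the container or firewall items in the pinned comment, while status 49 with the port open means the server was reached and only the bind DN or password is wrong.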

Published: 31 Jul 2024

Comments: 58
@wydx120 8 months ago
Okay, for everyone who is struggling with `ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)`, and is running Authentik through docker-compose/portainer, here's what I did to fix it:
- I mapped the 389 and 636 host ports to the 3389 and 6636 ports on the authentik *server* container (these are the default ports mapped to the ones Authentik actually listens to by default)
- I explicitly opened the 389 and 636 ports on my machine through `iptables`. Depending on what you have on your machine, you may need to use a different tool, like `nftables`. It's somewhat easy to look up how to do this once you know what you actually have to do
- You have to configure the worker with `user: root` and mapping `docker.sock` in the volumes list (I didn't do it because the official compose file mentioned in a comment that these were optional) and you have to choose Local Docker Integration
I'm not sure if all of these are necessary, but it wasn't until after doing all these that my LDAP Outpost started working
@cooptonian 8 months ago
this sounds like it could be very helpful to others; PINNED!
@KeesFluitman 5 months ago
Well, you need to make sure you create a container for the outpost as well. With which it connects. At least for me. Once I realized that again, it worked fluently.
@fooryo-fourier 4 months ago
@KeesFluitman You magical m0therf****er. You are right. It worked. Now it gives me Invalid credentials (49) but there are people talking about it on github
@gamezonline 1 year ago
Thank you for all the videos you are doing on Authentik, the docs for Authentik are not beginner friendly and your videos help out a lot
@cooptonian 1 year ago
You're very welcome!
@examen1996 1 year ago
Thank you for these authentik videos, they helped me a lot in setting up my kubernetes cluster, already configured authentication for proxmox and now it's synology (oidc) and jellyfin (ldap)'s turn. Subbed :)
@cooptonian 1 year ago
Thank you and I'm glad the videos helped!
@semaphoreui 2 months ago
The best tutorial for Authentik LDAP. Thank you!
@cooptonian 1 month ago
Glad you think so!
@ChrisDePasqualeNJ 1 year ago
You are the Man - SPX PCS to the moon! :-)
@ChristianFoellmann 1 year ago
The radius outpost is in the stable version. Can you post a video how to correctly set that up?
@Shaq2k 7 months ago
Thanks. Is it safe to assume this is valid for MS Active Directory too?
@Weesaal_Cummar 9 months ago
Hello Cooptonian, I tried the same steps for LDAP configuration. It is still not working for me. I am not sure how to get that done. Can you create one video or help with some article how to configure LDAP with openvpn application using Authentik.
@filipaldebrink954 1 year ago
Great video! I have watched all your Authentik videos as a walkthrough for my own deployment of Authentik. Could you possibly do a tutorial on SSO? I am particularly curious about getting it to work with Jellyfin, but I have had some trouble.
@cooptonian 1 year ago
...I haven't looked into this yet, but it looks promising: github.com/9p4/jellyfin-plugin-sso It even lists authentik as a tested provider...
@Josh-mo2ib 1 year ago
Just curious, as I noticed a different approach from the documents. Is there an advantage to creating separate stages and flows specifically for LDAP as opposed to using the default login flow?
@cooptonian 1 year ago
...I am not sure about others' usage, however, if you have multiple flows for different things and you use the default stages...you can run into issues when you modify a particular default stage (it will change it for all other flows that share/rely on that stage). Anyways, I at least found that as an issue for myself. I would have a nice customized flow...then I would go off and experiment in making another flow...only to find my experimenting changed my nice customized flow (if that makes sense).
@xsniper001 1 month ago
@Cooptonian, could you do a JellyFin LDAP guide? It would be great... I am struggling to get authentik on jellyfin...
@Digitronus 1 year ago
I really like your videos about Authentik. Could you make a video about how to login with Azure AD and MFA?
@cooptonian 1 year ago
...unfortunately I don't use Azure AD
@Diddimos 1 year ago
Hi, thanks for the detailed steps. Everything works instead of the LDAP outpost, I can't get it configured (and know too little to solve it). Could you assist me? I use the base docker-compose file which uses the embedded outpost. Do I need to add the LDAP docker image to my stack? If so, how do I configure that with traefik? The point is that when I now setup my LDAP outpost, It says "Not available" under "Health and Version".
@Diddimos 1 year ago
Edit: setting up an LDAP outpost is sooo poorly documented. Figured it out by applying some educated guesses but I'm curious how you achieved this
@cooptonian 1 year ago
Ha! Same, educated guesses and the documentation by Hooray4Rob...before that, documentation was even less...
@zyadon7964 1 year ago
@Diddimos What ended up being the problem and solution?
@Zippoman924 11 months ago
@zyadon7964 The solution for mine was to update the Outpost config so it had "authentik_host_insecure: true".
@krys-p-bacon 10 months ago
Any tips on how to use the ldap over SSL (i.e., port 636, or ldaps://)? Followed your guide, no issues. I just can't figure out how to get SSL working, the authentik documentation quickly mentions support and requiring to add a certificate/domain name, but I can't figure it out
@cooptonian 10 months ago
I haven't tried it, but you create a certificate under "System > Certificates" menu. Then edit your LDAP provider; under "Protocols" choose your created certificate and enter a TLS server name... If you tried that already, maybe ask in the discord. Only thing I can maybe see an issue with is the naming format for the TLS server name??
@krys-p-bacon 10 months ago
@cooptonian I'm also thinking it has to do with the TLS Server Name. Any "best guess" as to what it could be? Is it the FQDN, the docker IP of the LDAP, the IP of the host server? Feel like I've tried every variant lol
@cooptonian 10 months ago
wow, yah you tried a good number of combinations...best guess is it would be the hostname/name of the computer (ie: DESKTOP-3820S8, or Linux-Vbox...etc.)
@user-vh1xi1yf1z 3 months ago
Why did my ldapsearch return ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) error, I get confused.
@cooptonian 3 months ago
...not sure if it will help, but did you see the pinned comment stating your error?
@jhmc93 1 year ago
When I do ldap search and put the right credentials in I get ldap_bind: invalid credentials (49), can you help? Regards
@cooptonian 1 year ago
...did you double check the password is correct? Just in case there was a typo...go into users and force change the password to something you definitely know. Then try to run the test commands again with the updated password...
@jhmc93 1 year ago
@cooptonian thank you for your reply! I myself made an error, it was a typo with the username! Thanks for the guide!
@cooptonian 1 year ago
OK great...and no problem!
@pbvdven2 1 year ago
Thanks for your videos, really helpful. Did you try the authentik ldap with linux for user authentication? I can't seem to get it set up. I managed to get apps working like proxmox, calibre-web, jellyfin with authentik ldap but with Ubuntu I can't get it working. I read somewhere authentik is not a full ldap server so maybe it's not supposed to work, I have no idea. Maybe you could help point me in the right direction? Thanks.
@cooptonian 1 year ago
currently only using it for Jellyfin so not sure about Ubuntu...have you asked in the discord?
@spik330 2 months ago
The video didn't cover integrations (aka the networking part) and how to point Authentik to my ldap server
@cooptonian 2 months ago
...sorry, this video was just the generic LDAP provider setup. I got this working as an LDAP source for my Jellyfin setup (ldap plugin required)
@watsonanikwai 3 months ago
No integration active, why?
@nick-leffler 9 months ago
By doing this tho, if someone finds the URL to the LDAP flow, won't that remove the 2fa which could lead to security issues?
@cooptonian 9 months ago
No, they won't be authenticated...trying to directly access a flow URL will result in either denial or redirect to the login page.
@nick-leffler 8 months ago
@cooptonian How can I ensure that happens? With testing that doesn't seem to be the case.
@cooptonian 8 months ago
You've tested outside your network with the exact flow URL and bypassed 2FA? If so, I recommend bringing the issue up with the dev in discord or bug report on their github so that maybe it can be patched.
@nick-leffler 8 months ago
@cooptonian yes and ok thanks
@emf9 2 months ago
Should this be a service or regular user? The generic docs say regular but some of the integrations like opnsense say service.
@cooptonian 2 months ago
...for the video, I just followed the documentation and created as regular user... (for my purposes, this worked for Jellyfin)
@emf9 2 months ago
@cooptonian thanks. Been trying to make it work with OPNSense. But I can't seem to get it to bind/login.
@jhmc93 1 year ago
ldap says it's an unhealthy container, can u help?
@cooptonian 1 year ago
...has it been unhealthy from the start? Also, have you simply tried restarting the container?
@michaell7511 9 months ago
Great video as always! In the last command, you used 192.168.x.x. What if this is on a VPS that has only a public IP, do you use the IP instead? Wouldn't that make the LDAP publicly accessible by using the public IP? Thanks for feedback.
@cooptonian 9 months ago
You'd use the IP of authentik's host...you'd have to configure an internal network. After that, it should be secured per authentik's own documentation: goauthentik.io/docs/providers/ldap/generic_setup, use SSL port 636 for production.
@EderMorales18 8 months ago
@cooptonian Would you be able to elaborate on this a bit? I run authentik on unraid, after following your video and the docs I continue to get the "can't contact the LDAP server". I'm using a raspberrypi to test with the ldapsearch tool. I've tried entering the IP of my unraid server and nothing
@kylejoel87 1 year ago
First of all a massive thank you for your videos, they have been awesome. One thing, if you don't mind me asking for help. I am on Unraid and I am trying to get it to link up with Jellyfin. If you could help me, I would owe you a mega pint and I would really appreciate it.
@cooptonian 1 year ago
Glad they helped...and what do you mean get linked up? I unfortunately do not use unraid so my experience in that is limited... Have you asked in the discord?
@infoiswealthdotcom 6 months ago
Thanks for the video, if LDAP server is a remote machine, and by adding LDAP source and syncing users is enough for user's SSO type login?
@cooptonian 6 months ago
...should be, LDAP would work with authentik through the integration