Authentik-SSO App for Nethserver 8

It even comes with Typos in the Docs…

Identity Provider becomes Identify Provider…

Still under heavy development indeed!

:slight_smile:

My 2 cents
Andy

What is under heavy development, sir?

In the link provided by @LayLow:

Authentik (https://goauthentik.io) is a very capable open source Identity Provider (idP software like Authelia, Okta, Keycloak etc.) which probably has the most features of any open source identify provider available. It’s also still under heavy development with stable releases being made every few weeks.

But it seems strange that you haven’t read it!

My 2 cents
Andy

yea, and in the recent update they even added remote desktop access and brothers.

Not yet, I was on mobile before, so limited concentration to read the entire long post; I only skimmed through it.

Just to clarify, it doesn’t seem to be an official post but a personal blog site. Post dated 2022. The quote could have been taken from the official page at that time.

1 Like

I did actually read it! :slight_smile:

1 Like

@LayLow could you kindly help test backup and restore as well as clone of the app, to see how well those work?

I need to postpone that for I need the resources for other purposes atm. Since there are so many Proxmox users here, I am sure they can spare a VM and try…

1 Like

I can not tell (yet) for I lack the experience with the required parameters. Good to know something might be possible, but for now I have no need atm. Maybe @danb35 does, but that is for him to decide.

Thanks!

Does Authentik even support this? Because I don’t see anywhere in its docs that it does. It appears to support acting as an LDAP provider so that other applications can authenticate against it, but I don’t see anything in the Authentik docs about any kind of external user database.

@danb35 would this help?

I tried to use the Identity provider on a 1 node NS8 cluster, but fail at how to connect to the ldap service (URI)

1 Like

It would, thanks. Why on earth do they hide that information there, rather than under “Docs”?

So, with that path to the setup page, here are the settings I used:

  • Name and Slug: at your discretion
  • Server URI: ldap://10.5.4.1:20010 - The IP and port are found on the domain configuration page; I don’t know how likely they are to be different for your installation
  • Disable StartTLS
  • Bind CN: set to “Bind DN” from the domain config page
  • Bind password: from the domain config page
  • Base DN: from the domain config page

This doesn’t give me any errors, but I’m not certain it’s working as expected. Here’s what I see on the status page:

Clicking “Run sync again” turns that button green for a moment, then it goes back to blue.

It’s not. I did the same with the internal VPN address, FQDN, 127.0.0.1, LDAP and LDAPS, Node LDAP port etc. but no luck. You can tell by going to the objects tab in your screenshot above: you will only find the Authentik admin and no users. The app log of Authentik, the cluster log and the node log did not give me any clues.

I guess the big question is how an LDAP instance can be used as an LDAP resource for external apps…

I’ve updated my post; the settings for Bind CN and Base DN have changed. But I can’t see that they’ve made a change in what’s happening.

It doesn’t help that LDAP itself is a black art that’s almost completely undocumented. But ldapsearch seems to be able to connect to the OpenLDAP server (using the same credentials I entered in Authentik) and list the users:

[root@ns8 ~]# ldapsearch -v -H ldap://10.5.4.1:20010 -D "cn=ldapservice,dc=db5,dc=us" -b "dc=db5,dc=us" -W
ldap_initialize( ldap://10.5.4.1:20010/??base )
Enter LDAP Password:
filter: (objectclass=*)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <dc=db5,dc=us> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# db5.us
dn: dc=db5,dc=us
objectClass: top
objectClass: dcObject
objectClass: organization
dc: db5
o: db5.us

# People, db5.us
dn: ou=People,dc=db5,dc=us
objectClass: top
objectClass: organizationalUnit
ou: People

# Groups, db5.us
dn: ou=Groups,dc=db5,dc=us
objectClass: top
objectClass: organizationalUnit
ou: Groups

# PPolicy, db5.us
dn: ou=PPolicy,dc=db5,dc=us
objectClass: top
objectClass: organizationalUnit
ou: PPolicy

# default, PPolicy, db5.us
dn: cn=default,ou=PPolicy,dc=db5,dc=us
objectClass: namedPolicy
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
cn: default
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdMinAge: 0
pwdMaxAge: 15552000
pwdMinLength: 8
pwdInHistory: 12
pwdLockout: TRUE
pwdUseCheckModule: TRUE
pwdCheckModuleArg: default
pwdExpireWarning: 0

# ldapservice, db5.us
dn: cn=ldapservice,dc=db5,dc=us
objectClass: device
objectClass: simpleSecurityObject
cn: ldapservice
userPassword:: M015eXEydkI1V1BsV0BCZEAzbHdIMHpkaVV0dHpKYzc=

# locals, db5.us
dn: cn=locals,dc=db5,dc=us
gidNumber: 1001
cn: locals
description: Default users primary group
objectClass: posixGroup

# domain admins, Groups, db5.us
dn: cn=domain admins,ou=Groups,dc=db5,dc=us
gidNumber: 1002
objectClass: posixGroup
cn: domain admins
description: Domain Administrators
memberUid: administrator

# administrator, People, db5.us
dn: uid=administrator,ou=People,dc=db5,dc=us
uidNumber: 1001
gidNumber: 1001
uid: administrator
displayName: Builtin administrator user
cn: administrator
sn: administrator
objectClass: posixAccount
objectClass: inetOrgPerson
homeDirectory: /home/administrator

# dan, People, db5.us
dn: uid=dan,ou=People,dc=db5,dc=us
objectClass: posixAccount
objectClass: inetOrgPerson
uid: dan
uidNumber: 1002
gidNumber: 1001
homeDirectory: /home/dan
cn:: RGFuCg==
sn:: IEJyb3duCg==
displayName: Dan Brown

# everyone, Groups, db5.us
dn: cn=everyone,ou=Groups,dc=db5,dc=us
objectClass: posixGroup
cn: everyone
gidNumber: 1003
description: All Users
memberUid: fred

# fred, People, db5.us
dn: uid=fred,ou=People,dc=db5,dc=us
objectClass: posixAccount
objectClass: inetOrgPerson
uid: fred
uidNumber: 1003
gidNumber: 1001
homeDirectory: /home/fred
cn:: RnJlZAo=
sn:: IEZsaW50c3RvbmUK
displayName: Fred Flintstone

# search result
search: 2
result: 0 Success

# numResponses: 13
# numEntries: 12

This page gives a couple of commands to test connectivity:

…but it looks like they’re using docker or kubectl commands, neither of which are available on NS8. @stephdl, any idea how we’d go about running these commands inside the Authentik container?
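As an added example (not code from the thread or from Authentik), here is a small Python parser for the ldapsearch LDIF output above: it decodes the base64 (`::`) attributes and lists the user entries under ou=People, i.e. what an LDAP user sync should find. The sample LDIF is constructed from a subset of the entries shown, and the base DN dc=db5,dc=us is taken from that output.

```python
import base64

# Constructed sample: a subset of the ldapsearch output above, with cn/sn base64-encoded ("::") as in the real output.
SAMPLE_LDIF = """\
# dan, People, db5.us
dn: uid=dan,ou=People,dc=db5,dc=us
objectClass: posixAccount
objectClass: inetOrgPerson
uid: dan
cn:: RGFuCg==
sn:: IEJyb3duCg==

dn: cn=everyone,ou=Groups,dc=db5,dc=us
objectClass: posixGroup
cn: everyone

# search result
search: 2
result: 0 Success
"""

def parse_ldif(text):
    """Parse ldapsearch LDIF into a list of {attr: [values]} dicts; '::' marks a base64 value."""
    lines = []
    for raw in text.splitlines():            # LDIF folds long lines with a leading space
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:                # the trailing "" flushes the last entry
        if line.startswith("#"):             # ldapsearch comment line
            continue
        if not line.strip():
            if "dn" in current:              # drop the dn-less "search result" block
                entries.append(current)
            current = {}
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):             # base64: value starts with a space or holds a newline
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current.setdefault(attr, []).append(value)
    return entries

def people(entries, base="ou=People,dc=db5,dc=us"):
    """Return the posixAccount entries under the People OU, i.e. what a user sync should pick up."""
    return [e for e in entries if e["dn"][0].lower().endswith("," + base.lower())
            and "posixAccount" in e.get("objectClass", [])]
```

Decoding also shows why ldapsearch base64-encoded cn and sn for dan and fred: the stored values carry a leading space and a trailing newline, which LDIF cannot print literally.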

Never mind, found it: ssh goauthentik1@localhost, then podman exec to run commands. But then we hit the problem that neither ldap_sync nor ldap_check_connection can be found in either the authentik-app or the authentik-app-worker containers.

I tried that too (mine is obviously another ip:port) but that did not work in the Authentik LDAP config. ‘Nothing happened’, no sync, but also no error.

@stephdl any idea if I need to do something in the APP in relation to LDAP, to have LDAP accessible or visible and recognizable by the App?

At the moment, I am not aware of any pre-config files or env that I can make use of to implement NS LDAP into Authentik, so I saw no need to invoke LDAP parameters.

Is your app rootless?

Yes, it is rootless, should it not be?

Should it be rootful?

I did something similar to allow an app to connect to the ldapproxy