[goauthentik1@ns8 ~]$ podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
2fb2b699ec50 localhost/podman-pause:4.6.1-1702418000 9 hours ago Up 9 hours 127.0.0.1:20015->9000/tcp a27e84f1412e-infra
c97057160485 docker.io/library/postgres:12-alpine postgres 9 hours ago Up 9 hours 127.0.0.1:20015->9000/tcp goauthentik-pgsql
0a067ad47798 docker.io/library/redis:alpine --appendonly yes 9 hours ago Up 9 hours 127.0.0.1:20015->9000/tcp goauthentik-redis
c352d7f256f5 docker.io/beryju/authentik:2024.2.2 server 9 hours ago Up 9 hours 127.0.0.1:20015->9000/tcp goauthentik-app
201e1ff98ade docker.io/beryju/authentik:2024.2.2 worker 9 hours ago Up 9 hours 127.0.0.1:20015->9000/tcp goauthentik-app-worker
The Authentik images, server and worker, are docker.io/beryju/authentik. But the docker-compose file they recommend seems to use ghcr.io/goauthentik/server. I don’t know if this is a significant difference, or even a difference at all, but it looks like one.
Again, my concern was that ldap_sync and ldap_check_connection aren’t present in those containers, and those tools are what the Authentik docs say to use to start troubleshooting LDAP issues. But I just spun up Authentik in a separate VM using their docker-compose file, and neither of those utilities is present there either–but the docker compose run --rm worker ldap_sync command works in that environment.
So I guess the question has become, what’s the equivalent of that command with podman?
Ah, you’re right–I’d corrected that in the text of my post, but not in the screen shot. The more recent screen shot (posted this morning) is how it’s set now.
I’ll change the image tonight and also work out if there are things missing.
I’m curious: I saw a docker ldap app for testing ldap connections. I’ll try to build it as an app for Nethserver, then we test the connections. If that works, then I’d say it’s a problem with our config; if it doesn’t, I’ll try to implement the full ldap check config. If it still does not work, then we need help from Beth dev.
With all the apps available (both NS7/8) a central authentication and IAM method is almost mandatory. Managing a userbase on a per app basis is undoable.
Ok, I think I got ldap sync (partially) working (once carefully reading)
In Authentik:
One needs to use the IP number and port of the provider detail, in my case: ldap://10.5.4.1:20088
Correct bind and base DN
De-select the sync groups option (for now)
Under advanced ldap setting: Object uniqueness field: uid
I can now sync and get the NS8 users in Authentik. Hopefully it is a good start to explore further like correct mappings, groups and other functionality.
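A bind-level connectivity check that can be run from the NS8 host before entering those values into Authentik, added here as an example (it is not from this thread and is not Authentik's own ldap_check_connection): it speaks a minimal LDAPv3 simple bind over a plain socket, so it needs nothing beyond the Python standard library. The ldap://10.5.4.1:20088 URL is the one from the post above; the bind DN and password are placeholders, and the check does plain LDAP only (no StartTLS).

```python
import socket
from urllib.parse import urlparse

def ber_len(n):
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(payload)) + payload

def build_bind_request(bind_dn, password, msg_id=1):
    """LDAPv3 simple BindRequest (RFC 4511): [APPLICATION 0] SEQUENCE.
    msg_id must be below 128 so the one-byte INTEGER stays positive."""
    bind = tlv(0x60, tlv(0x02, b"\x03")              # version 3
                     + tlv(0x04, bind_dn.encode())   # name (LDAPDN)
                     + tlv(0x80, password.encode())) # simple [0] password
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + bind)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the element at buf[pos]."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                    # long-form length
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + ln

def parse_bind_response(data):
    """Return (resultCode, diagnosticMessage) from a BindResponse."""
    tag, pos, _ = read_tlv(data, 0)                  # LDAPMessage SEQUENCE
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = read_tlv(data, pos)                  # skip messageID
    tag, pos, _ = read_tlv(data, pos)                # protocolOp
    if tag != 0x61:
        raise ValueError("not a BindResponse (tag 0x%02x)" % tag)
    _, val, pos = read_tlv(data, pos)                # resultCode ENUMERATED
    code = data[val]
    _, _, pos = read_tlv(data, pos)                  # skip matchedDN
    _, val, end = read_tlv(data, pos)                # diagnosticMessage
    return code, data[val:end].decode(errors="replace")

def check_ldap_bind(url, bind_dn, password, timeout=5):
    """Connect to an ldap:// URL, send a simple bind, return (code, message).
    resultCode 0 means the bind DN and password are accepted; 49 is invalidCredentials."""
    u = urlparse(url)
    with socket.create_connection((u.hostname, u.port or 389), timeout=timeout) as s:
        s.sendall(build_bind_request(bind_dn, password))
        return parse_bind_response(s.recv(4096))

if __name__ == "__main__":
    # Placeholder credentials; the URL is the NS8 LDAP provider from the post.
    print(check_ldap_bind("ldap://10.5.4.1:20088", "cn=PLACEHOLDER,dc=example,dc=org", "PLACEHOLDER"))
```

A refused connection or timeout points at the provider address/port; a resultCode other than 0 points at the bind DN or password, which narrows the search before touching the Authentik source settings.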
@LayLow thank you for the tip. Could you kindly dumb down the instructions a bit, if you don’t mind.
Assume the user is new to Authentik. Which menu options do they need to access,
what parameters are they setting? If possible, with masked screenshots.
Let me get home and work on it tonight.
Am feeling SSO tonight, so will make lots of efforts SSO and ldap related for Nethserver.
So as for the auth/workflow of users, who is in the lead when using Authentik.
Creating a domain on NS8, one can choose an external account provider, which can be Authentik, but does that mean that NS8 syncs back from Authentik to NS8? And how about email or other attributes?
Normally an IAM solution is in the lead and all other components are being fed/updated from the central solution. I believe NS8 and modules see NS8 as the central point provider?