website/docs: add LDAP Outpost docs

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
Jens Langhammer 2021-05-05 11:48:07 +02:00
parent ee48b8c225
commit 2cad9a3d07
4 changed files with 56 additions and 1 deletions

@ -51,7 +51,7 @@ export class OutpostForm extends Form<Outpost> {
name="type">
<select class="pf-c-form-control">
<option value=${OutpostTypeEnum.Proxy} ?selected=${this.outpost?.type === OutpostTypeEnum.Proxy}>${t`Proxy`}</option>
<option value=${OutpostTypeEnum.Ldap} ?selected=${this.outpost?.type === OutpostTypeEnum.Ldap}>${t`LDAP`}</option>
<option value=${OutpostTypeEnum.Ldap} ?selected=${this.outpost?.type === OutpostTypeEnum.Ldap}>${t`LDAP (Technical preview)`}</option>
</select>
</ak-form-element-horizontal>
<ak-form-element-horizontal

@ -0,0 +1,42 @@
---
title: LDAP Outpost
---
:::info
This feature is still in technical preview, so please report any Bugs you run into on [GitHub](https://github.com/goauthentik/authentik/issues)
:::
You can configure an LDAP Provider for applications that don't support any newer protocols or require LDAP.
All users and groups in authentik's database are searchable. Currently, there is a limited support for filters (you can only search for objectClass), but this will be expanded in further releases.
Binding against the LDAP Server uses a flow in the background. This allows you to use the same policies and flows as you do for web-based logins. The only limitation is that currently only identification and password stages are supported, due to how LDAP works.
You can configure under which base DN the information should be available. For this documentation we'll use the default of `DC=ldap,DC=goauthentik,DC=io`.
Users are available under `cn=users,<base DN>` and groups under `cn=groups,<base DN>`.
The following fields are currently sent for users:
- cn: User's username
- uid: Unique user identifier
- name: User's name
- displayName: User's name
- mail: User's email address
- objectClass: A list of these strings:
- "user"
- "organizationalPerson"
- "goauthentik.io/ldap/user"
- accountStatus: "active" if the account is active, otherwise "inactive"
- superuser: "active" if the account is part of a group with superuser permissions, otherwise "inactive"
- memberOf: A list of all DNs that the user is a member of
The following fields are current set for groups:
- cn: The group's name
- uid: Unique group identifier
- objectClass: A list of these strings:
- "user"
- "goauthentik.io/ldap/group"
**Additionally**, for both users and groups, any attributes you set are also present as LDAP Attributes.
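Review bot: The bind paragraph ("currently only identification and password stages are supported") does not say what happens when the flow used for binding contains any other stage, for example a second-factor stage; please state whether such stages are skipped or make the bind fail, because if they are skipped an LDAP bind is weaker than the web login that shares the same flow and policies. The page also says all users and groups are searchable without saying which bind identity is allowed to search, while `superuser`, `accountStatus` and `memberOf` are returned for every user, so it should document who can read these attributes. Smaller points: the group `objectClass` list repeats "user", which looks copied from the user list; `superuser` is described with the values "active"/"inactive", the same wording as `accountStatus`; and "current set" should read "currently set".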

@ -4,6 +4,18 @@ title: Next
## Headline Changes
- LDAP Provider
:::info
This feature is still in technical preview, so please report any Bugs you run into on [GitHub](https://github.com/goauthentik/authentik/issues)
:::
You can now configure an LDAP Provider for applications that don't support any newer protocols or require LDAP.
All users and groups in authentik's database are searchable. Currently, there is a limited support for filters (you can only search for objectClass), but this will be expanded in further releases.
Binding against the LDAP Server uses a flow in the background. This allows you to use the same policies and flows as you do for web-based logins. The only limitation is that currently only identification and password stages are supported, due to how LDAP works.
- Compatibility with forwardAuth/auth_request
The authentik proxy is now compatible with forwardAuth (traefik) / auth_request (nginx). All that is required is the latest version of the outpost,
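Review bot: The three paragraphs added under "LDAP Provider", together with the technical-preview admonition, repeat the opening of the new LDAP Outpost page almost word for word, so the two copies will drift once filter support or the set of supported stages changes. Keep a one-sentence summary in the release notes and link to the page registered as `outposts/ldap` in the sidebar, so the limitations on filters and bind stages are maintained in one place.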

@ -35,6 +35,7 @@ module.exports = {
items: [
"outposts/outposts",
"outposts/proxy",
"outposts/ldap",
"outposts/upgrading",
"outposts/manual-deploy-docker-compose",
"outposts/manual-deploy-kubernetes",