website/docs: add freeipa docs (#1666)

* website/docs: add freeipa docs Signed-off-by: M. David Bennett <mdavidbennett@syntheticworks.com> * website/docs: fix freeipa settings screenshot Signed-off-by: M. David Bennett <mdavidbennett@syntheticworks.com>
2021-10-26 07:29:42 -05:00 · 2021-10-26 07:29:42 -05:00 · 6067406e96
parent 9ccd4d69fe
commit 6067406e96
10 changed files with 77 additions and 1 deletions
--- a/website/docs/integrations/sources/freeipa/01_user_create.png
+++ b/website/docs/integrations/sources/freeipa/01_user_create.png
--- a/website/docs/integrations/sources/freeipa/02_user_roles.png
+++ b/website/docs/integrations/sources/freeipa/02_user_roles.png
--- a/website/docs/integrations/sources/freeipa/03_add_user_role.png
+++ b/website/docs/integrations/sources/freeipa/03_add_user_role.png
--- a/website/docs/integrations/sources/freeipa/04_source_settings_1.png
+++ b/website/docs/integrations/sources/freeipa/04_source_settings_1.png
--- a/website/docs/integrations/sources/freeipa/05_source_settings_2.png
+++ b/website/docs/integrations/sources/freeipa/05_source_settings_2.png
--- a/website/docs/integrations/sources/freeipa/06_sync_source.png
+++ b/website/docs/integrations/sources/freeipa/06_sync_source.png
--- a/website/docs/integrations/sources/freeipa/07_password_stage.png
+++ b/website/docs/integrations/sources/freeipa/07_password_stage.png
--- a/website/docs/integrations/sources/freeipa/index.md
+++ b/website/docs/integrations/sources/freeipa/index.md
@ -0,0 +1,73 @@
+---
+title: FreeIPA
+---
+
+## Preparation
+
+The following placeholders will be used:
+
+- `svc_authentik` is the name of the bind account.
+- `freeipa.company` is the Name of the domain.
+- `ipa1.freeipa.company` is the Name of the FreeIPA server.
+
+## FreeIPA Setup
+
+1. Log into FreeIPA.
+
+2. Create a user in FreeIPA, matching your naming scheme. Provide a strong password, example generation methods: `pwgen 64 1` or `openssl rand -base64 36`. Once done click `Add and Edit`.
+
+    ![](./01_user_create.png)
+
+3. In the user management screen, select the Roles tab.
+
+    ![](./02_user_roles.png)
+
+4. Add a role that has privileges to change user passwords, the default `User Administrators` role is sufficient. This is needed to support password resets from within authentik.
+
+    ![](./03_add_user_role.png)
+
+5. By default, if an administrator account resets a user's password in FreeIPA the user's password expires after the first use and must be reset again. This is a security feature to ensure password complexity and history policies are enforced. To bypass this feature for a more seamless experience, you can make the following modification on each of your FreeIPA servers:
+
+    ```
+    $ ldapmodify -x -D "cn=Directory Manager" -W -h ipa1.freeipa.company -p 389
+    
+    dn: cn=ipa_pwd_extop,cn=plugins,cn=config
+    changetype: modify
+    add: passSyncManagersDNs
+    passSyncManagersDNs: uid=svc_authentik,cn=users,cn=accounts,dc=freeipa,dc=company
+    ```
+
+Additional info: [22.1.2. Enabling Password Reset Without Prompting for a Password Change at the Next Login](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/user-authentication#user-passwords-no-expiry)
+
+## authentik Setup
+In authentik, create a new LDAP Source in Resources -> Sources.
+
+Use these settings:
+
+- Server URI: `ldaps://ipa1.freeipa.company`
+- Bind CN: `uid=svc_authentik,cn=users,cn=accounts,dc=freeipa,dc=company`
+- Bind Password: The password you've given the user above
+- Base DN: `dc=freeipa,dc=company`
+- Property mappings: Control/Command-select all Mappings which start with "authentik default LDAP" and "authentik default OpenLDAP"
+- Group property mappings: Select "authentik default OpenLDAP Mapping: cn"
+
+Additional settings:
+
+- Group: If selected, all synchronized groups will be given this group as a parent.
+- Addition User/Group DN: `cn=users,cn=accounts`
+- Addition Group DN: `cn=groups,cn=accounts`
+- User object filter: `(objectClass=person)`
+- Group object filter: `(objectClass=groupofnames)`
+- Group membership field: `member`
+- Object uniqueness field: `ipaUniqueID`
+
+    ![](./04_source_settings_1.png)
+    ![](./05_source_settings_2.png)
+
+After you save the source, you can kick off a synchronization by navigating to the source, clicking on the "Sync" tab, and clicking the "Run sync again" button.
+
+![](./06_sync_source.png)
+
+Lastly, verify that the "User database + LDAP password" backend is selected in the "Password Stage" under Flows -> Stages.
+
+![](./07_password_stage.png)
--- a/website/docs/integrations/sources/ldap/index.md
+++ b/website/docs/integrations/sources/ldap/index.md
@ -9,7 +9,9 @@ Sources allow you to connect authentik to an existing user directory. They can a
 This source allows you to import users and groups from an LDAP Server.

 :::info
-For Active Directory, follow the [Active Directory Integration](https://goauthentik.io/docs/integrations/sources/active-directory/index)
+For Active Directory, follow the [Active Directory Integration](integrations/sources/active-directory/index.md)
+
+For FreeIPA, follow the [FreeIPA Integration](integrations/sources/freeipa/index.md)
 :::

 - Server URI: URI to your LDAP server/Domain Controller.
--- a/website/sidebars.js
+++ b/website/sidebars.js
@ -74,6 +74,7 @@ module.exports = {
                        "integrations/sources/apple/index",
                        "integrations/sources/active-directory/index",
                        "integrations/sources/discord/index",
+                        "integrations/sources/freeipa/index",
                        "integrations/sources/github/index",
                        "integrations/sources/google/index",
                        "integrations/sources/ldap/index",