trustchain-oc1-orchestral/authentik
Archived
10
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity
This repository has been archived on 2024-05-31. You can view files and clone it, but cannot push or open issues or pull requests.
authentik/website/docs/outposts/ldap/ldap.md
Lukas Söder 7f39399c32
providers/ldap: Added auto-generated uidNumber and guidNumber generated attributes for use with SSSD and similar software. (#1138) 
* Added auto-generated uidNumber and guidNumber generated attributes for
use with SSSD and similar software.

The starting number for uid/gid can be configured iva environtment
variables and is by default 2000 which should work fine for most instances unless there are more than
999 local accounts on the server/computer.

The uidNumber is just the users Pk + the starting number.
The guidNumber is calculated by the last couple of bytes in the uuid of
the group + the starting number, this should have a low enough chance
for collisions that it's going to be fine for most use cases.

I have not added any interface stuff for configuring the environment variables as I couldn't really find my way around all the places I'd have to edit to add it and the default values should in my opinion be fine for 99% use cases.

* Add a 'fake' primary group for each user

* First attempt att adding config to interface

* Updated API to support new fields

* Refactor code, update documentation and remove obsolete comment

Simplify `GetRIDForGroup`, was a bit overcomplicated before.

Add an additional class/struct `LDAPGroup` which is the new argument
for `pi.GroupEntry` and util functions to create `LDAPGroup` from api.Group and api.User

Add proper support in the interface for changing gidNumber and uidNumber starting points

* make lint-fix for the migration files
2021-07-14 09:17:01 +02:00

68 lines
2.8 KiB
Markdown
Raw Blame History

---
title: LDAP Outpost
---
:::info
This feature is still in technical preview, so please report any Bugs you run into on [GitHub](https://github.com/goauthentik/authentik/issues)
:::
You can configure an LDAP Provider for applications that don't support any newer protocols or require LDAP.
All users and groups in authentik's database are searchable. Currently, there is a limited support for filters (you can only search for objectClass), but this will be expanded in further releases.
Binding against the LDAP Server uses a flow in the background. This allows you to use the same policies and flows as you do for web-based logins. The only limitation is that currently only identification and password stages are supported, due to how LDAP works.
You can configure under which base DN the information should be available. For this documentation we'll use the default of `DC=ldap,DC=goauthentik,DC=io`.
Users are available under `ou=users,<base DN>` and groups under `ou=groups,<base DN>`.
You can bind using the DN `cn=<username>,ou=users,<base DN>`, or using the following ldapsearch command for example:
```
ldapsearch \
-x \ # Only simple binds are currently supported
-h *ip* \
-p 389 \
-D 'cn=*user*,ou=users,DC=ldap,DC=goauthentik,DC=io' \ # Bind user and password
-w '*password*' \
-b 'ou=users,DC=ldap,DC=goauthentik,DC=io' \ # The search base
'(objectClass=user)'
```
The following fields are currently sent for users:
- `cn`: User's username
- `uid`: Unique user identifier
- `uidNumber`: A unique numeric identifier for the user
- `name`: User's name
- `displayName`: User's name
- `mail`: User's email address
- `objectClass`: A list of these strings:
- "user"
- "organizationalPerson"
- "goauthentik.io/ldap/user"
- `memberOf`: A list of all DNs that the user is a member of
- `goauthentik.io/ldap/active`: "true" if the account is active, otherwise "false"
- `goauthentik.io/ldap/superuser`: "true" if the account is part of a group with superuser permissions, otherwise "false"
The following fields are current set for groups:
- `cn`: The group's name
- `uid`: Unique group identifier
- `gidNumber`: A unique numeric identifier for the group
- `member`: A list of all DNs of the groups members
- `objectClass`: A list of these strings:
- "group"
- "goauthentik.io/ldap/group"
A virtual group is also created for each user, they have the same fields as groups but have an additional objectClass: `goauthentik.io/ldap/group`.
The virtual groups gidNumber is equal to the uidNumber of the user.
**Additionally**, for both users and (non-virtual) groups, any attributes you set are also present as LDAP Attributes.
## SSL
You can also configure SSL for your LDAP Providers by selecting a certificate and a server name in the provider settings.
This enables you to bind on port 636 using LDAPS, StartTLS is not supported.
Reference in a new issue View git blame Copy permalink