Authentik - LDAP Generic Setup

  • Published 21 Nov 2024

COMMENTS • 78

  • @wydx120
    @wydx120 1 year ago +3

    Okay, for everyone who is struggling with `ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)` and is running Authentik through docker-compose/Portainer, here's what I did to fix it:
    - I mapped the 389 and 636 host ports to the 3389 and 6636 ports on the authentik *server* container (these are the default ports mapped to the ones Authentik actually listens to by default)
    - I explicitly opened the 389 and 636 ports on my machine through `iptables`. Depending on what you have on your machine, you may need to use a different tool, like `nftables`. It's somewhat easy to look up how to do this once you know what you actually have to do
    - You have to configure the worker with `user: root` and map `docker.sock` in the volumes list (I didn't do it because the official compose file mentioned in a comment that these were optional), and you have to choose Local Docker Integration
    I'm not sure if all of these are necessary, but it wasn't until after doing all these that my LDAP Outpost started working

    • @cooptonian
      @cooptonian  11 months ago +2

      this sounds like it could be very helpful to others; PINNED!

    • @KeesFluitman
      @KeesFluitman 9 months ago

      Well, you need to make sure you create a container for the outpost as well, with which it connects. At least for me. Once I realized that again, it worked fluently.

    • @fooryo-fourier
      @fooryo-fourier 8 months ago

      @KeesFluitman You magical m0therf****er. You are right. It worked. Now it gives me Invalid credentials (49), but there are people talking about it on GitHub.

    • @fuseteam
      @fuseteam 2 months ago

      From what I can see, the outpost is what requires the docker sock for the "local docker connection" integration, and the provider seems to indicate connecting to port 389, so I would presume that only port 389 may be needed.

    • @fuseteam
      @fuseteam 2 months ago

      OK, I was wrong: 389 is for LDAP and 636 is for LDAP SSL. Now I can connect to LDAP but I get access denied, but I cannot connect to LDAP SSL even though I have mapped it.

  • @gamezonline
    @gamezonline 1 year ago +12

    Thank you for all the videos you are doing on Authentik; the docs for Authentik are not beginner friendly and your videos help out a lot.

  • @BetterMobs
    @BetterMobs 1 month ago +1

    I had an issue with having the integration set up as Docker integration; removed it and for now everything looks good.

  • @Homme_Pur
    @Homme_Pur 2 months ago +2

    Are there modifications needed in 2024.8.1? I spent the night trying to get it to work but finally reverted back to 2024.6.4, as I wasn't able to get it to work with Jellyfin (I could "talk" to the outpost, but there were no users found no matter whether I enabled the full LDAP search policy on the LDAP user).

  • @schrödingers__dog_1
    @schrödingers__dog_1 1 year ago +1

    Great video! I have watched all your Authentik videos as a walkthrough for my own deployment of Authentik. Could you possibly do a tutorial on SSO? I am particularly curious about getting it to work with Jellyfin, but I have had some trouble.

    • @cooptonian
      @cooptonian  1 year ago +1

      ...I haven't looked into this yet, but it looks promising: github.com/9p4/jellyfin-plugin-sso
      It even lists authentik as a tested provider...

  • @semaphoreui
    @semaphoreui 5 months ago

    The best tutorial for Authentik LDAP. Thank you!

  • @ChristianFoellmann
    @ChristianFoellmann 1 year ago +1

    The RADIUS outpost is in the stable version.
    Can you post a video on how to correctly set that up?

  • @primeral
    @primeral 1 month ago

    Thank you for this vid, I'd have been so lost without it

    • @cooptonian
      @cooptonian  1 month ago

      Glad I could help

    • @primeral
      @primeral 1 month ago

      @cooptonian Hey brother, would you mind doing a video on LDAP integration with specific apps? I've been over Authentik's documentation for Jellyfin integration and it's been a fail for me.

  • @jackho8154
    @jackho8154 6 days ago

    There is no search group field in the New Provider form. How do I define the selected group that can do search queries in Authentik?

  • @Digitronus
    @Digitronus 1 year ago +1

    I really like your videos about Authentik. Could you make a video about how to log in with Azure AD and MFA?

    • @cooptonian
      @cooptonian  1 year ago

      ...unfortunately I don't use Azure AD

  • @Weesaal_Cummar
    @Weesaal_Cummar 1 year ago

    Hello Cooptonian, I tried the same steps for LDAP configuration. It is still not working for me. I am not sure how to get that done. Can you create a video or help with an article on how to configure LDAP with the OpenVPN application using Authentik?

  • @leboyoyo
    @leboyoyo 10 days ago

    Awesome, thanks bro!

  • @ChrisDePasqualeNJ
    @ChrisDePasqualeNJ 1 year ago +1

    You are the Man - SPX PCS to the moon! :-)

  • @KibbleWhite
    @KibbleWhite 2 months ago

    I reach 7:46, but after selecting the type as 'LDAP', the LDAP application does not appear in the available applications listing.

    • @teojudes6792
      @teojudes6792 2 months ago +1

      If you use 2024.8.0 there is a bug; update, in 2024.8.1 it should be fixed.

  • @T23gunny
    @T23gunny 2 months ago

    Where would you put the password expiry policy in this?

    • @cooptonian
      @cooptonian  2 months ago

      ...in your authentication flow, attached to your identification stage

  • @Josh-mo2ib
    @Josh-mo2ib 1 year ago

    Just curious, as I noticed a different approach from the documents. Is there an advantage to creating separate stages and flows specifically for LDAP as opposed to using the default login flow?

    • @cooptonian
      @cooptonian  1 year ago +1

      ...I am not sure about others' usage, however, if you have multiple flows for different things and you use the default stages...you can run into issues when you modify a particular default stage (it will change it for all other flows that share/rely on that stage). Anyways, I at least found that as an issue for myself. I would have a nice customized flow...then I would go off and experiment in making another flow...only to find my experimenting changed my nice customized flow (if that makes sense).

  • @michaell7511
    @michaell7511 1 year ago

    Great video as always! In the last command, you used 192.168.x.x. What if this is on a VPS that has only a public IP, do you use the IP instead? Wouldn't that make the LDAP publicly accessible by using the public IP? Thanks for feedback.

    • @cooptonian
      @cooptonian  1 year ago

      You'd use the IP of authentik's host...you'd have to configure an internal network. After that, it should be secured per authentik's own documentation: goauthentik.io/docs/providers/ldap/generic_setup, use SSL port 636 for production.

    • @EderMorales18
      @EderMorales18 1 year ago

      Would you be able to elaborate on this a bit? I run Authentik on Unraid; after following your video and the docs I continue to get the "can't contact the LDAP server". I'm using a Raspberry Pi to test with the ldapsearch tool. I've tried entering the IP of my Unraid server and nothing. @cooptonian

  • @Diddimos
    @Diddimos 1 year ago

    Hi, thanks for the detailed steps. Everything works except the LDAP outpost; I can't get it configured (and know too little to solve it). Could you assist me? I use the base docker-compose file, which uses the embedded outpost. Do I need to add the LDAP docker image to my stack? If so, how do I configure that with Traefik? The point is that when I now set up my LDAP outpost, it says "Not available" under "Health and Version".

    • @Diddimos
      @Diddimos 1 year ago

      Edit: setting up an LDAP outpost is sooo poorly documented. Figured it out by applying some educated guesses, but I'm curious how you achieved this.

    • @cooptonian
      @cooptonian  1 year ago

      Ha! Same, educated guesses and the documentation by Hooray4Rob...before that, documentation was even less...

    • @zyadon7964
      @zyadon7964 1 year ago +1

      @Diddimos What ended up being the problem and solution?

    • @Zippoman924
      @Zippoman924 1 year ago +1

      @zyadon7964 The solution for mine was to update the Outpost config so it had `authentik_host_insecure: true`.

  • @张伟平-m9q
    @张伟平-m9q 7 months ago

    Why did my ldapsearch return the `ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)` error? I am confused.

    • @cooptonian
      @cooptonian  7 months ago

      ...not sure if it will help, but did you see the pinned comment stating your error?

  • @emf9
    @emf9 5 months ago

    Should this be a service or regular user? The generic docs say regular, but some of the integrations like OPNsense say service.

    • @cooptonian
      @cooptonian  5 months ago +1

      ...for the video, I just followed the documentation and created as regular user... (for my purposes, this worked for Jellyfin)

    • @emf9
      @emf9 5 months ago

      @cooptonian Thanks. Been trying to make it work with OPNsense, but I can't seem to get it to bind/log in.

  • @pbvdven2
    @pbvdven2 1 year ago

    Thanks for your videos, really helpful. Did you try the Authentik LDAP with Linux for user authentication? I can't seem to get it set up. I managed to get apps working like Proxmox, calibre-web and Jellyfin with Authentik LDAP, but with Ubuntu I can't get it working. I read somewhere that Authentik is not a full LDAP server, so maybe it's not supposed to work; I have no idea. Maybe you could help point me in the right direction? Thanks.

    • @cooptonian
      @cooptonian  1 year ago

      Currently only using it for Jellyfin, so not sure about Ubuntu... have you asked in the Discord?

  • @d4rkz3nn3n
    @d4rkz3nn3n 2 months ago

    Does this also work for Unraid users?

  • @watsonanikwai
    @watsonanikwai 7 months ago +1

    No integration active, why?

    • @fuseteam
      @fuseteam 2 months ago

      possibly because you did not map the docker socket

  • @krys-p-bacon
    @krys-p-bacon 1 year ago

    Any tips on how to use LDAP over SSL (i.e., port 636, or ldaps://)? Followed your guide, no issues. I just can't figure out how to get SSL working; the Authentik documentation quickly mentions support and requiring adding a certificate/domain name, but I can't figure it out.

    • @cooptonian
      @cooptonian  1 year ago +1

      I haven't tried it, but you create a certificate under "System > Certificates" menu. Then edit your LDAP provider; under "Protocols" choose your created certificate and enter a TLS server name... If you tried that already, maybe ask in the discord. Only thing I can maybe see an issue with is the naming format for the TLS server name??

    • @krys-p-bacon
      @krys-p-bacon 1 year ago

      @cooptonian I'm also thinking it has to do with the TLS Server Name. Any "best guess" as to what it could be? Is it the FQDN, the docker IP of the LDAP, the IP of the host server? Feel like I've tried every variant lol

    • @cooptonian
      @cooptonian  1 year ago

      Wow, yeah, you tried a good number of combinations... best guess is it would be the hostname/name of the computer (i.e. DESKTOP-3820S8, or Linux-Vbox, etc.)
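The three failures this page keeps circling back to are separable with one small probe: the pinned comment's port mapping and the `Can't contact LDAP server (-1)` error, the `invalid credentials (49)` replies, and the LDAPS/TLS server name question in the thread just above. The following is an added example written for this page, not code from the video or from the Authentik project. It speaks just enough LDAPv3 (a simple BindRequest and its BindResponse, RFC 4511) over a plain socket, optionally inside TLS with a chosen SNI name, using only the Python standard library, so it runs anywhere `ldapsearch` may not be installed. The host `192.168.1.10`, the ports, the bind DN `cn=ldapservice,ou=users,dc=ldap,dc=goauthentik,dc=io`, the password and the TLS server name are assumptions that follow the shape of the generic setup docs; replace them with your own values.

```python
"""LDAP simple-bind probe built only on the Python standard library.
Added example for this comment thread; not code from the video or from
Authentik. Host, ports, bind DN, password and SNI name in __main__ are
assumptions, chosen to match the generic setup docs' naming."""
import socket
import ssl

def ber_len(n: int) -> bytes:
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber_tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload

def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, position after the element) for buf[pos:]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

# LDAP resultCode values from RFC 4511 that matter for a bind probe.
RESULT_NAMES = {0: "success", 8: "strongerAuthRequired",
                49: "invalidCredentials", 50: "insufficientAccessRights"}

def bind_request(msg_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple } }.
    msg_id must stay below 128 so the one-byte INTEGER is positive."""
    op = (ber_tlv(0x02, b"\x03")                       # INTEGER version 3
          + ber_tlv(0x04, bind_dn.encode())            # LDAPDN
          + ber_tlv(0x80, password.encode()))          # [0] simple password
    return ber_tlv(0x30, ber_tlv(0x02, bytes([msg_id])) + ber_tlv(0x60, op))

def parse_bind_response(data: bytes):
    """Return (resultCode, diagnosticMessage) from a BindResponse message."""
    tag, msg, _ = read_tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _msg_id, pos = read_tlv(msg)
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x61:                                    # [APPLICATION 1]
        raise ValueError("not a BindResponse")
    _, rc, pos = read_tlv(op)                          # ENUMERATED resultCode
    _, _matched_dn, pos = read_tlv(op, pos)            # matchedDN
    _, diag, _ = read_tlv(op, pos)                     # diagnosticMessage
    return int.from_bytes(rc, "big"), diag.decode(errors="replace")

def recv_message(sock) -> bytes:
    """Read exactly one BER element: the header first, then the body."""
    head = sock.recv(2)
    if len(head) < 2:
        raise ConnectionError("peer closed the connection before answering")
    length = head[1]
    if length & 0x80:
        extra = sock.recv(length & 0x7F)
        head, length = head + extra, int.from_bytes(extra, "big")
    body = b""
    while len(body) < length:
        chunk = sock.recv(length - len(body))
        if not chunk:
            raise ConnectionError("peer closed mid-message")
        body += chunk
    return head + body

def probe(host, port, bind_dn, password, use_tls=False, server_name=None,
          timeout=5.0) -> str:
    """One bind attempt against host:port; returns a verdict string."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        # Same condition ldapsearch reports as "Can't contact LDAP server (-1)":
        # nothing answers on host:port, so check port mapping/firewall first.
        return f"cannot contact {host}:{port}: {exc}"
    try:
        if use_tls:
            ctx = ssl.create_default_context()
            ctx.check_hostname = False        # diagnostic only: we only want to
            ctx.verify_mode = ssl.CERT_NONE   # see whether the handshake completes
            sock = ctx.wrap_socket(sock, server_hostname=server_name or host)
        sock.sendall(bind_request(1, bind_dn, password))
        rc, diag = parse_bind_response(recv_message(sock))
    except (OSError, ValueError) as exc:      # ssl.SSLError is an OSError
        return f"connected to {host}:{port} but no bind result: {exc}"
    finally:
        sock.close()
    return f"bind result {rc} ({RESULT_NAMES.get(rc, 'other')}) {diag}".rstrip()

if __name__ == "__main__":
    # Assumed values: outpost host, the ports from the generic setup docs,
    # the service account created in the video, and a made-up SNI name.
    DN = "cn=ldapservice,ou=users,dc=ldap,dc=goauthentik,dc=io"
    print(probe("192.168.1.10", 389, DN, "changeme"))
    print(probe("192.168.1.10", 636, DN, "changeme",
                use_tls=True, server_name="ldap.example.internal"))
```

A `cannot contact` verdict means nothing is listening on that host and port, the same condition `ldapsearch` reports as -1, so fix the published ports or the firewall before touching flows or credentials. The `server_name` argument is sent as the TLS SNI value, which is what the provider's TLS server name setting is matched against, so test with exactly the string you entered there; a handshake error on 636 with a reachable port points at the certificate or that name rather than at the network. Result code 49 means the outpost was reached and Authentik rejected the bind, so the bind DN, the password, or the user's access to the application is the remaining suspect. Certificate verification is disabled here for diagnosis only; nothing that authenticates real users should reuse that setting.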

  • @spik330
    @spik330 6 months ago

    The video didn't cover integrations (aka the networking part) and how to point Authentik to my LDAP server.

    • @cooptonian
      @cooptonian  5 months ago

      ...sorry, this video was just the generic LDAP provider setup. I got this working as an LDAP source for my Jellyfin setup (ldap plugin required)

    • @fuseteam
      @fuseteam 2 months ago

      Authentik __is__ the ldap server

  • @xsniper001
    @xsniper001 5 months ago

    @Cooptonian, could you do a Jellyfin LDAP guide? It would be great... I am struggling to get Authentik on Jellyfin...

    • @cameronhill2true
      @cameronhill2true 3 months ago

      What are the issues that you're having? I just set up the SSO Plugin over the weekend after weeks of tinkering and figuring out how to properly configure everything. I might be able to point you in the right direction.

    • @xsniper001
      @xsniper001 3 months ago

      @cameronhill2true I just didn't manage to make it work. If you can create a guide on how to do it I would greatly appreciate it, mate. Thank you.

    • @cameronhill2true
      @cameronhill2true 3 months ago

      @@xsniper001 I've never really done guides for this type of stuff, but it just so happens that I accidentally wiped my whole media services VM a few days ago. I'll have to reconfigure everything, so I'll have to run the process again...shame on me for not completing a proper backup.
      I was planning on setting it up again this weekend, so I'll try to put something together when I get to the authentication piece.

    • @cameronhill2true
      @cameronhill2true 2 months ago

      I tried to post a link, but I think it got removed. If you still want that guide, let me know.

  • @nick-leffler
    @nick-leffler 1 year ago

    By doing this though, if someone finds the URL to the LDAP flow, won't that remove the 2FA, which could lead to security issues?

    • @cooptonian
      @cooptonian  1 year ago

      No, they won't be authenticated...trying to directly access a flow URL will result in either denial or redirect to the login page.

    • @nick-leffler
      @nick-leffler 11 months ago

      @cooptonian How can I ensure that happens? With testing, that doesn't seem to be the case.

    • @cooptonian
      @cooptonian  11 months ago

      You've tested outside your network with the exact flow URL and bypassed 2FA? If so, I recommend bringing the issue up with the dev in discord or bug report on their github so that maybe it can be patched.

    • @nick-leffler
      @nick-leffler 11 months ago

      @cooptonian Yes, and OK, thanks.

  • @jhmc93
    @jhmc93 1 year ago

    When I do an ldapsearch and put the right credentials in I get `ldap_bind: invalid credentials (49)`; can you help? Regards

    • @cooptonian
      @cooptonian  1 year ago

      ...did you double check the password is correct? Just in case there was a typo...go into users and force change the password to something you definitely know. Then try to run the test commands again with the updated password...

    • @jhmc93
      @jhmc93 1 year ago +1

      @cooptonian Thank you for your reply!
      I myself made an error; it was a typo with the username!
      Thanks for the guide!

    • @cooptonian
      @cooptonian  1 year ago +1

      OK great...and no problem!

  • @jhmc93
    @jhmc93 1 year ago

    LDAP says it's an unhealthy container; can you help?

    • @cooptonian
      @cooptonian  1 year ago

      ...has it been unhealthy from the start? Also, have you simply tried restarting the container?

  • @Shaq2k
    @Shaq2k 10 months ago

    Thanks. Is it safe to assume this is valid for MS Active Directory too?

  • @kylejoel87
    @kylejoel87 1 year ago +1

    First of all, a massive thank you for your videos; they have been awesome. One thing, if you don't mind me asking for help: I am on Unraid and I am trying to get it to link up with Jellyfin. If you could help me, I would owe you a mega pint and I would really appreciate it.

    • @cooptonian
      @cooptonian  1 year ago

      Glad they helped... and what do you mean get linked up? I unfortunately do not use Unraid, so my experience in that is limited... Have you asked in the Discord?