Authentik in Docker -LDAP Issues

[SnowyJaguar1034]

Hi all, I sem to be having some issues getting my Authentik setup to work for LDAP. I reached out via Reddit and Discord a couple of weeks ago but didn't get my issues resolved.

I followed the official LDAP setup doc and this youtube video which goes through the doc step by step to get LDAP up and running and all my settings look the same as the official LDAP setup doc; however when I do the below command

@vili:~/authentik$ ldapsearch \
  -x \
  -h 192.168.86.22 \
  -p 389 \
  -D 'cn=ldapservice,ou=users,DC=ldap,DC=goauthentik,DC=io' \
  -w 'lAv.8Ackp13c35.5U5.lu8B3rly.r488L3m3nt' \
  -b 'DC=ldap,DC=goauthentik,DC=io' \
  '(objectClass=user)'

then I get -bash: 192.168.86.22: No such file or directory which the video references and says might happen so the video supplies the below command as an alternative

@vili:~/authentik$ ldapsearch \
-x \
-H ldap://192.168.86.22 \
-D "cn=ldapservice,ou=users,DC=ldap,DC=goauthentik,DC=io" \
-b 'DC=ldap,DC=goauthentik,DC=io' \
'(objectClass=user)' \
-W
Enter LDAP Password:

however that gives me ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) which is annoying.

I figured out this might be caused by the Authenitk Server container not exposing ports 389 and 636 so I have updated the compose to specify those ports.
Someone on the Authentik Discord linked me to the Authentik Outpost Listener docs, which seem to suggest the LDAP outpost listens on ports 3389 and 6636 (unless the docs have a spelling mistake) so I added the AUTHENTIK_LISTEN__LDAP and AUTHENTIK_LISTEN__LDAPS to my environment variables and pointed them to 389 and 636 but I wasn't sure if I needed to specify them in the Compose file or not (so I have). I can see in my portainer instance that all of the ports are exposed now.

Then I tried connecting the LDAP outpost to the Local Docker connection and it appears to have made a ak-outpost-ldap container so maybe I need to expose the ports on that instead? This container keeps showing a status of unhealthy because it is trying to verify a TLS cert on the Authentik Server but I've disabled the certificate checks so I'm not sure why this is failing. ERR error=Get "https://192.168.86.22:9443/api/v3/outposts/instances/": tls: failed to verify certificate: x509: cannot validate certificate for 192.168.86.22 because it doesn't contain any IP SANs event=Failed to fetch outpost configuration, retrying in 3 seconds logger=authentik.outpost.ak-api-controller timestamp=2023-05-27T15:29:47Z

Things to note:

• Yes, I know my password is exposed, I've already changed it
• The IP 192.168.86.22 is the IP of my docker host system
• You can find my Compose file here
• You can find my .env file here
• I am running my Authentik compose through Portainer
• This is a Homelab so I don't want TLS enabled at the moment
• I am planning to setup a letsencrypt setup once I know if this system works

I'm hoping someone can help me fix these issues as Authentik seems like such a useful tool compared to running a separate Authelia, LDAP and OpenID server. Even if I have a critical issue with my setup and need to wipe it away to start fresh then I'm okay doing that because I haven't managed to make it work for my use case at all for over a month now so nothing relies on it.

[aur-dev-uk]

Hi. I've been working on this and have managed to get ldaps working in my environments. Here are the steps that worked for me:

1. Set up the provider as per the docs. I imported a custom ssl keypair and added it to the provider. Set to Direct binding and Direct querying. This is for when you change the flow if you need to remove totp from the ldap flow.
2. Disable your firewall on your authentik host. Enable it once you know everything is working.
3. Try the following command to use ldapsearch:

ldapsearch -x -b "dc=groups,dc=domain,dc=com" -H ldap://IP_OF_AUTHENTIK -D "cn=username,ou=users,dc=groups,dc=domain,dc=com" -W 

Make sure to replace the groups,domain etc to match your environment.
4. Enter your password. If you're using totp, you need to enter your password and totp at the same time like so password;123456
5. Edit your ldap.conf on your local machine/from where you're running ldapsearch from to include the following:

TLS_REQCERT never

6. If you want to test with your own custom ssl certificate, use the same command as before, but replace ldap://IP_OF_AUTHENTIK with ldaps://IP_OF_AUTHENTIK

Once you have it working, you may want to configure the firewall correctly and modify your local ldap.conf to accept your root ca so you can remove the TLS_REQCERT never option.

[SnowyJaguar1034]

Okay thanks for this. I was planning to look into my Authentik issues this weekend however, I don't think I'll have time so probably next weekend or during the week. I'll make sure to follow your advice when I do get around to doing it

[TheBrones]

Thank you for the steps! I also ended up setting the authentik_host parameter to http in the Authentik outpost due to certificate errors in the container.
authentik_host: http://authentik.local:8100/

[keesfluitman]

how is authentik running? It comes with one internal Outpost. But with docker, you'll need to setup new Outposts yourself. So for LDAP i did this:

version: "3.5"

services:
    authentik_ldap:
        image: ghcr.io/goauthentik/ldap
        networks:
            - nginx
        ports:
            - 389:3389
            - 636:6636
        environment:
            AUTHENTIK_HOST: http://authentik_container:9000
            AUTHENTIK_INSECURE: "true"
            AUTHENTIK_TOKEN: TOKEN
            
networks:
    nginx:
        external: true
        

  Here is the sample: https://goauthentik.io/docs/outposts/manual-deploy-docker-compose/
  version: "3.5"

services:
    authentik_ldap:
        image: ghcr.io/goauthentik/ldap
        # Optionally specify which networks the container should be
        # might be needed to reach the core authentik server
        # networks:
        #   - foo
        ports:
            - 389:3389
            - 636:6636
        environment:
            AUTHENTIK_HOST: https://your-authentik.tld
            AUTHENTIK_INSECURE: "false"
            AUTHENTIK_TOKEN: token-generated-by-authentik

[DanZirnhelt]

Are you doing this in the same docker compose or separate then all the other authentik containers? Is that what the network is for?

[Fuseteam]

should i be able to reuse to add an existing user to it, i seem to be getting "access denied" while i cannot connect to ldaps