Digitalboard/digitalboard.core
6
2
Fork 0
Code Pull requests 1 Releases Packages Activity Actions

feat: add blueprints for authentik ldap outpost and render values directly instead of using env vars

Browse source 
Signed-off-by: Bert-Jan Fikse <bert-jan@whatwedo.ch>
This commit is contained in:
Bert-Jan Fikse 2026-04-10 13:50:32 +02:00
parent d25f1c5304
commit e819770415
Signed by: bert-jan
GPG key ID: C1E0AB516AC16D1A
11 changed files with 312 additions and 53 deletions
Download patch file Download diff file Expand all files Collapse all files

124
roles/authentik/templates/blueprints/blueprint-ldap-app.yaml.j2 Normal file
View file

@ -0,0 +1,124 @@
# yaml-language-server: $schema=https://goauthentik.io/blueprints/schema.json
version: 1
metadata:
name: "ldap-{{ item.slug }}"
labels:
blueprints.goauthentik.io/instantiate: "true"
blueprints.goauthentik.io/description: "LDAP provider + application for {{ item.slug }}"
entries:
# Simple password-only flow for LDAP bind (no browser policies)
- model: authentik_stages_password.passwordstage
id: ldap-password-stage
identifiers:
name: ldap-bind-password
attrs:
name: ldap-bind-password
backends:
- authentik.core.auth.InbuiltBackend
- authentik.core.auth.TokenBackend
- authentik.sources.ldap.auth.LDAPBackend
- model: authentik_stages_identification.identificationstage
id: ldap-identification-stage
identifiers:
name: ldap-bind-identification
attrs:
name: ldap-bind-identification
user_fields:
- username
- email
password_stage: !KeyOf ldap-password-stage
- model: authentik_stages_user_login.userloginstage
id: ldap-login-stage
identifiers:
name: ldap-bind-login
attrs:
name: ldap-bind-login
- model: authentik_flows.flow
id: ldap-bind-flow
identifiers:
slug: ldap-bind
attrs:
name: LDAP Bind
slug: ldap-bind
title: LDAP Bind
designation: authentication
authentication: none
- model: authentik_flows.flowstagebinding
identifiers:
target: !KeyOf ldap-bind-flow
stage: !KeyOf ldap-identification-stage
order: 0
attrs:
target: !KeyOf ldap-bind-flow
stage: !KeyOf ldap-identification-stage
order: 0
- model: authentik_flows.flowstagebinding
identifiers:
target: !KeyOf ldap-bind-flow
stage: !KeyOf ldap-login-stage
order: 10
attrs:
target: !KeyOf ldap-bind-flow
stage: !KeyOf ldap-login-stage
order: 10
{% if item.search_group is defined and item.search_group %}
- model: authentik_rbac.role
id: ldap-search-role-{{ item.slug }}
identifiers:
name: ldap-search-{{ item.slug }}
attrs:
name: ldap-search-{{ item.slug }}
{% endif %}
- model: authentik_providers_ldap.ldapprovider
id: ldap-provider-{{ item.slug }}
identifiers:
name: {{ item.name }}
attrs:
name: {{ item.name }}
base_dn: "{{ item.base_dn }}"
authorization_flow: !KeyOf ldap-bind-flow
invalidation_flow: !Find [authentik_flows.flow, [slug, {{ item.invalidation_flow_slug | default('default-provider-invalidation-flow') }}]]
authentication_flow: !KeyOf ldap-bind-flow
search_mode: {{ item.search_mode | default('cached') }}
bind_mode: {{ item.bind_mode | default('direct') }}
{% if item.certificate is defined and item.certificate %}
certificate: !Find [authentik_crypto.certificatekeypair, [name, {{ item.certificate }}]]
{% endif %}
{% if item.uid_start_number is defined %}
uid_start_number: {{ item.uid_start_number }}
{% endif %}
{% if item.gid_start_number is defined %}
gid_start_number: {{ item.gid_start_number }}
{% endif %}
{% if item.search_group is defined and item.search_group %}
permissions:
- permission: authentik_providers_ldap.search_full_directory
role: !KeyOf ldap-search-role-{{ item.slug }}
{% endif %}
{% if item.search_group is defined and item.search_group %}
# Assign the LDAP search role to the search group
- model: authentik_core.group
identifiers:
name: {{ item.search_group }}
attrs:
roles:
- !KeyOf ldap-search-role-{{ item.slug }}
{% endif %}
- model: authentik_core.application
id: app-{{ item.slug }}
identifiers:
slug: {{ item.slug }}
attrs:
name: "{{ item.name | default(item.slug) }}"
slug: {{ item.slug }}
provider: !KeyOf ldap-provider-{{ item.slug }}