# authentik_outpost_ldap

Deploys an [authentik](https://goauthentik.io) LDAP outpost via Docker
Compose. The outpost exposes an LDAP interface backed by authentik, so
applications that cannot speak OIDC (e.g. Nextcloud or OpenCloud LDAP
backends) can still authenticate against the central IdP.

The outpost connects back to an authentik server using an outpost token
issued in the authentik admin interface. The image version must match
the authentik server version.

## Requirements

- Docker and Docker Compose on the target host (e.g. via
  `digitalboard.core.base`)
- Ansible collection: `community.docker`

## Role variables

| Variable | Default | Description |
| --- | --- | --- |
| `authentik_outpost_ldap_image` | `ghcr.io/goauthentik/ldap:2026.2.2` | Outpost image (match the server version). |
| `authentik_outpost_ldap_host` | `https://authentik.local.test` | URL of the authentik server. |
| `authentik_outpost_ldap_token` | `changeme` | Outpost token — **override this**. |
| `authentik_outpost_ldap_insecure` | `"true"` | Skip TLS verification toward the authentik server. |
| `authentik_outpost_ldap_network` | `ldap` | Docker network LDAP clients connect over (created by the role). |
| `authentik_outpost_ldap_authentik_network` | _unset_ | Optional extra external network to the authentik server. |
| `authentik_outpost_ldap_extra_hosts` | `[]` | Extra `host:ip` entries for in-container DNS. |

## Example

```yaml
- hosts: directory
  become: true
  roles:
    - role: digitalboard.core.authentik_outpost_ldap
      vars:
        authentik_outpost_ldap_host: "https://auth.example.com"
        authentik_outpost_ldap_token: "{{ vault_authentik_ldap_outpost_token }}"
```

## License

MIT-0