feat: use authentik ldap outpost for ldap instead of 389ds+keycloak

Signed-off-by: Bert-Jan Fikse <bert-jan@whatwedo.ch>
2026-04-10 15:18:53 +02:00 · 2026-04-10 15:18:53 +02:00 · 0e1c07625a
commit 0e1c07625a
parent 1641956dd2
5 changed files with 111 additions and 40 deletions
--- a/inventories/vagrant/host_vars/backend/authentik.yml
+++ b/inventories/vagrant/host_vars/backend/authentik.yml
@ -25,11 +25,24 @@ authentik_proxy_outposts:
      authentik_host_browser: "https://authentik.local.test/"
      log_level: "info"

+authentik_ldap_apps:
+- slug: ldap
+  name: LDAP
+  base_dn: "dc=local,dc=test"
+  search_group: admins
+
+authentik_ldap_outpost:
+  name: "ldap-outpost"
+  token: "vagrant-ldap-outpost-token-change-in-production"
+  config:
+    authentik_host: "https://authentik.local.test/"
+    log_level: "info"
+
 authentik_oidc_apps:
  - slug: nextcloud
    name: Nextcloud
-    client_id_env: NEXTCLOUD_OIDC_CLIENT_ID
-    client_secret_env: NEXTCLOUD_OIDC_CLIENT_SECRET
+    client_id: test1234
+    client_secret: test1234
    redirect_uris:
      - url: "https://nextcloud.local.test/apps/user_oidc/code"
        matching_mode: strict
@ -38,14 +51,24 @@ authentik_oidc_apps:
      authorization_slug: default-provider-authorization-implicit-consent
      invalidation_slug: default-provider-invalidation-flow
    scopes: [openid, email, profile, offline_access]
+  - slug: opencloud
+    name: OpenCloud
+    client_type: public
+    client_id: opencloud
+    redirect_uris:
+      - url: "https://opencloud.local.test/oidc-callback.html"
+        matching_mode: strict
+      - url: "https://opencloud.local.test/"
+        matching_mode: strict
+    scopes: [openid, email, profile, offline_access]

 authentik_entra_sources:
  - slug: entra-id
    name: "Login with Entra"
    tenant_mode: multi  # Use 'single' with real tenant ID in production
-    # tenant_id_env: ENTRA_TENANT_ID  # Not needed for multi-tenant mode
-    client_id_env: ENTRA_CLIENT_ID
-    client_secret_env: ENTRA_CLIENT_SECRET
+    # tenant_id: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"  # Not needed for multi-tenant mode
+    client_id: "placeholder-change-in-production"
+    client_secret: "placeholder-change-in-production"
    scopes:
      - openid
      - profile
@ -54,16 +77,15 @@ authentik_entra_sources:
 authentik_login_sources:
  - slug: entra-id

+authentik_groups:
+  - name: admins
+
 authentik_local_users:
  - username: akadmin
    name: "Authentik Admin"
    email: "admin@local.test"
-    password_env: AKADMIN_PASSWORD
+    password: "admin"
    is_active: true
    groups:
      - authentik Admins
-
-authentik_blueprint_env:
-  AKADMIN_PASSWORD: "admin"
-  NEXTCLOUD_OIDC_CLIENT_ID: test1234
-  NEXTCLOUD_OIDC_CLIENT_SECRET: test1234
+      - admins