feat: use authentik ldap outpost for ldap instead of 389ds+keycloak

Signed-off-by: Bert-Jan Fikse <bert-jan@whatwedo.ch>
2026-04-10 15:18:53 +02:00 · 2026-04-10 15:18:53 +02:00 · 0e1c07625a
commit 0e1c07625a
parent 1641956dd2
5 changed files with 111 additions and 40 deletions
--- a/inventories/vagrant/host_vars/backend/nextcloud.yml
+++ b/inventories/vagrant/host_vars/backend/nextcloud.yml
@ -30,34 +30,38 @@ nextcloud_s3_ssl: false
 nextcloud_s3_usepath_style: true

 # Extra hosts for container DNS resolution (Vagrant only)
+nextcloud_extra_networks:
+  - ldap
+
 nextcloud_extra_hosts:
  - "storage.local.test:192.168.56.11"
  - "keycloak.local.test:192.168.56.11"
  - "authentik.local.test:192.168.56.11"
-  - "389ds:192.168.56.11"
+  # - "389ds:192.168.56.11"  # only needed when using 389ds LDAP directly

-# LDAP backend (pre-create users synced from Keycloak via 389ds)
+# LDAP backend (Authentik LDAP outpost)
 nextcloud_ldap_enabled: true
 nextcloud_ldap_config:
-  ldapHost: "ldaps://389ds"
-  ldapPort: "3636"
-  ldapAgentName: "cn=Directory Manager"
+  ldapHost: "ldap://authentik-outpost-ldap-ldap-1"
+  ldapPort: "3389"
+  ldapAgentName: "cn=akadmin,ou=users,dc=local,dc=test"
  ldapAgentPassword: "admin"
  ldapBase: "dc=local,dc=test"
  ldapBaseUsers: "ou=users,dc=local,dc=test"
  ldapTLS: "0"
  turnOffCertCheck: "1"
-  ldapUserFilter: "(&(objectclass=inetOrgPerson)(uid=*))"
-  ldapUserFilterObjectclass: "inetOrgPerson"
-  ldapLoginFilter: "(&(objectclass=inetOrgPerson)(uid=%uid))"
+  ldapUserFilter: "(&(objectClass=user)(cn=*))"
+  ldapUserFilterObjectclass: "user"
+  ldapLoginFilter: "(&(objectClass=user)(cn=%uid))"
  ldapLoginFilterUsername: "1"
-  ldapUserDisplayName: "displayName"
+  ldapUserDisplayName: "cn"
  ldapEmailAttribute: "mail"
-  ldapExpertUsernameAttr: "uid"
-  ldapExpertUUIDUserAttr: "nsuniqueid"
+  ldapExpertUsernameAttr: "cn"
+  ldapExpertUUIDUserAttr: "uid"
+  ldapExpertUUIDGroupAttr: "uid"
  ldapBaseGroups: "ou=groups,dc=local,dc=test"
-  ldapGroupFilter: "(&(objectClass=groupOfNames))"
-  ldapGroupFilterObjectclass: "groupOfNames"
+  ldapGroupFilter: "(&(objectClass=group))"
+  ldapGroupFilterObjectclass: "group"
  ldapGroupDisplayName: "cn"
  ldapGroupMemberAssocAttr: "member"
  ldapAdminGroup: "admins"
@ -65,6 +69,34 @@ nextcloud_ldap_config:
  ldapPagingSize: "500"
  ldapExperiencedAdmin: "1"
  ldapConfigurationActive: "1"
+# LDAP backend (389ds via Keycloak federation)
+# nextcloud_ldap_config:
+#   ldapHost: "ldaps://389ds"
+#   ldapPort: "3636"
+#   ldapAgentName: "cn=Directory Manager"
+#   ldapAgentPassword: "admin"
+#   ldapBase: "dc=local,dc=test"
+#   ldapBaseUsers: "ou=users,dc=local,dc=test"
+#   ldapTLS: "0"
+#   turnOffCertCheck: "1"
+#   ldapUserFilter: "(&(objectclass=inetOrgPerson)(uid=*))"
+#   ldapUserFilterObjectclass: "inetOrgPerson"
+#   ldapLoginFilter: "(&(objectclass=inetOrgPerson)(uid=%uid))"
+#   ldapLoginFilterUsername: "1"
+#   ldapUserDisplayName: "displayName"
+#   ldapEmailAttribute: "mail"
+#   ldapExpertUsernameAttr: "uid"
+#   ldapExpertUUIDUserAttr: "nsuniqueid"
+#   ldapBaseGroups: "ou=groups,dc=local,dc=test"
+#   ldapGroupFilter: "(&(objectClass=groupOfNames))"
+#   ldapGroupFilterObjectclass: "groupOfNames"
+#   ldapGroupDisplayName: "cn"
+#   ldapGroupMemberAssocAttr: "member"
+#   ldapAdminGroup: "admins"
+#   ldapCacheTTL: "600"
+#   ldapPagingSize: "500"
+#   ldapExperiencedAdmin: "1"
+#   ldapConfigurationActive: "1"

 # OIDC providers for login
 nextcloud_oidc_providers: