feat: use authentik ldap outpost for ldap instead of 389ds+keycloak

Signed-off-by: Bert-Jan Fikse <bert-jan@whatwedo.ch>
2026-04-10 15:18:53 +02:00 · 2026-04-10 15:18:53 +02:00 · 0e1c07625a
commit 0e1c07625a
parent 1641956dd2
5 changed files with 111 additions and 40 deletions
--- a/inventories/vagrant/host_vars/backend/authentik.yml
+++ b/inventories/vagrant/host_vars/backend/authentik.yml
@ -25,11 +25,24 @@ authentik_proxy_outposts:
      authentik_host_browser: "https://authentik.local.test/"
      log_level: "info"

+authentik_ldap_apps:
+- slug: ldap
+  name: LDAP
+  base_dn: "dc=local,dc=test"
+  search_group: admins
+
+authentik_ldap_outpost:
+  name: "ldap-outpost"
+  token: "vagrant-ldap-outpost-token-change-in-production"
+  config:
+    authentik_host: "https://authentik.local.test/"
+    log_level: "info"
+
 authentik_oidc_apps:
  - slug: nextcloud
    name: Nextcloud
-    client_id_env: NEXTCLOUD_OIDC_CLIENT_ID
-    client_secret_env: NEXTCLOUD_OIDC_CLIENT_SECRET
+    client_id: test1234
+    client_secret: test1234
    redirect_uris:
      - url: "https://nextcloud.local.test/apps/user_oidc/code"
        matching_mode: strict
@ -38,14 +51,24 @@ authentik_oidc_apps:
      authorization_slug: default-provider-authorization-implicit-consent
      invalidation_slug: default-provider-invalidation-flow
    scopes: [openid, email, profile, offline_access]
+  - slug: opencloud
+    name: OpenCloud
+    client_type: public
+    client_id: opencloud
+    redirect_uris:
+      - url: "https://opencloud.local.test/oidc-callback.html"
+        matching_mode: strict
+      - url: "https://opencloud.local.test/"
+        matching_mode: strict
+    scopes: [openid, email, profile, offline_access]

 authentik_entra_sources:
  - slug: entra-id
    name: "Login with Entra"
    tenant_mode: multi  # Use 'single' with real tenant ID in production
-    # tenant_id_env: ENTRA_TENANT_ID  # Not needed for multi-tenant mode
-    client_id_env: ENTRA_CLIENT_ID
-    client_secret_env: ENTRA_CLIENT_SECRET
+    # tenant_id: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"  # Not needed for multi-tenant mode
+    client_id: "placeholder-change-in-production"
+    client_secret: "placeholder-change-in-production"
    scopes:
      - openid
      - profile
@ -54,16 +77,15 @@ authentik_entra_sources:
 authentik_login_sources:
  - slug: entra-id

+authentik_groups:
+  - name: admins
+
 authentik_local_users:
  - username: akadmin
    name: "Authentik Admin"
    email: "admin@local.test"
-    password_env: AKADMIN_PASSWORD
+    password: "admin"
    is_active: true
    groups:
      - authentik Admins
-
-authentik_blueprint_env:
-  AKADMIN_PASSWORD: "admin"
-  NEXTCLOUD_OIDC_CLIENT_ID: test1234
-  NEXTCLOUD_OIDC_CLIENT_SECRET: test1234
+      - admins
--- a/inventories/vagrant/host_vars/backend/nextcloud.yml
+++ b/inventories/vagrant/host_vars/backend/nextcloud.yml
@ -30,34 +30,38 @@ nextcloud_s3_ssl: false
 nextcloud_s3_usepath_style: true

 # Extra hosts for container DNS resolution (Vagrant only)
+nextcloud_extra_networks:
+  - ldap
+
 nextcloud_extra_hosts:
  - "storage.local.test:192.168.56.11"
  - "keycloak.local.test:192.168.56.11"
  - "authentik.local.test:192.168.56.11"
-  - "389ds:192.168.56.11"
+  # - "389ds:192.168.56.11"  # only needed when using 389ds LDAP directly

-# LDAP backend (pre-create users synced from Keycloak via 389ds)
+# LDAP backend (Authentik LDAP outpost)
 nextcloud_ldap_enabled: true
 nextcloud_ldap_config:
-  ldapHost: "ldaps://389ds"
-  ldapPort: "3636"
-  ldapAgentName: "cn=Directory Manager"
+  ldapHost: "ldap://authentik-outpost-ldap-ldap-1"
+  ldapPort: "3389"
+  ldapAgentName: "cn=akadmin,ou=users,dc=local,dc=test"
  ldapAgentPassword: "admin"
  ldapBase: "dc=local,dc=test"
  ldapBaseUsers: "ou=users,dc=local,dc=test"
  ldapTLS: "0"
  turnOffCertCheck: "1"
-  ldapUserFilter: "(&(objectclass=inetOrgPerson)(uid=*))"
-  ldapUserFilterObjectclass: "inetOrgPerson"
-  ldapLoginFilter: "(&(objectclass=inetOrgPerson)(uid=%uid))"
+  ldapUserFilter: "(&(objectClass=user)(cn=*))"
+  ldapUserFilterObjectclass: "user"
+  ldapLoginFilter: "(&(objectClass=user)(cn=%uid))"
  ldapLoginFilterUsername: "1"
-  ldapUserDisplayName: "displayName"
+  ldapUserDisplayName: "cn"
  ldapEmailAttribute: "mail"
-  ldapExpertUsernameAttr: "uid"
-  ldapExpertUUIDUserAttr: "nsuniqueid"
+  ldapExpertUsernameAttr: "cn"
+  ldapExpertUUIDUserAttr: "uid"
+  ldapExpertUUIDGroupAttr: "uid"
  ldapBaseGroups: "ou=groups,dc=local,dc=test"
-  ldapGroupFilter: "(&(objectClass=groupOfNames))"
-  ldapGroupFilterObjectclass: "groupOfNames"
+  ldapGroupFilter: "(&(objectClass=group))"
+  ldapGroupFilterObjectclass: "group"
  ldapGroupDisplayName: "cn"
  ldapGroupMemberAssocAttr: "member"
  ldapAdminGroup: "admins"
@ -65,6 +69,34 @@ nextcloud_ldap_config:
  ldapPagingSize: "500"
  ldapExperiencedAdmin: "1"
  ldapConfigurationActive: "1"
+# LDAP backend (389ds via Keycloak federation)
+# nextcloud_ldap_config:
+#   ldapHost: "ldaps://389ds"
+#   ldapPort: "3636"
+#   ldapAgentName: "cn=Directory Manager"
+#   ldapAgentPassword: "admin"
+#   ldapBase: "dc=local,dc=test"
+#   ldapBaseUsers: "ou=users,dc=local,dc=test"
+#   ldapTLS: "0"
+#   turnOffCertCheck: "1"
+#   ldapUserFilter: "(&(objectclass=inetOrgPerson)(uid=*))"
+#   ldapUserFilterObjectclass: "inetOrgPerson"
+#   ldapLoginFilter: "(&(objectclass=inetOrgPerson)(uid=%uid))"
+#   ldapLoginFilterUsername: "1"
+#   ldapUserDisplayName: "displayName"
+#   ldapEmailAttribute: "mail"
+#   ldapExpertUsernameAttr: "uid"
+#   ldapExpertUUIDUserAttr: "nsuniqueid"
+#   ldapBaseGroups: "ou=groups,dc=local,dc=test"
+#   ldapGroupFilter: "(&(objectClass=groupOfNames))"
+#   ldapGroupFilterObjectclass: "groupOfNames"
+#   ldapGroupDisplayName: "cn"
+#   ldapGroupMemberAssocAttr: "member"
+#   ldapAdminGroup: "admins"
+#   ldapCacheTTL: "600"
+#   ldapPagingSize: "500"
+#   ldapExperiencedAdmin: "1"
+#   ldapConfigurationActive: "1"

 # OIDC providers for login
 nextcloud_oidc_providers:
--- a/inventories/vagrant/host_vars/backend/opencloud.yml
+++ b/inventories/vagrant/host_vars/backend/opencloud.yml
@ -1,19 +1,20 @@
 opencloud_domain: "opencloud.local.test"
 opencloud_admin_password: "admin"
+opencloud_extra_networks:
+  - ldap
 opencloud_extra_hosts:
  - "opencloud.local.test:host-gateway"
-  - "keycloak.local.test:host-gateway"
+  - "authentik.local.test:192.168.56.11"
  - "storage.local.test:192.168.56.11"
  - "office.local.test:host-gateway"
  - "drawio.local.test:host-gateway"
-  - "389ds:192.168.56.11"

-# OIDC configuration (Keycloak)
-opencloud_oidc_issuer: "https://keycloak.local.test/realms/vagrant"
+# OIDC configuration (Authentik)
+opencloud_oidc_issuer: "https://authentik.local.test/application/o/opencloud/"
 opencloud_oidc_client_id: "opencloud"
 opencloud_oidc_client_secret: "opencloud-secret-change-in-production"
-opencloud_oidc_account_edit_url: "https://keycloak.local.test/realms/vagrant/account"
-opencloud_oidc_autoprovision_accounts: false
+opencloud_oidc_account_edit_url: "https://authentik.local.test/if/user/#/settings"
+opencloud_oidc_autoprovision_accounts: true

 # S3 storage configuration using Garage
 opencloud_use_s3_storage: true
@ -26,12 +27,18 @@ opencloud_s3_bucket: "opencloud"
 opencloud_collabora_domain: "office.local.test"
 opencloud_wopi_domain: "wopi.opencloud.local.test"

-# LDAP backend (users synced from Keycloak via 389ds)
-opencloud_ldap_uri: "ldaps://389ds:3636"
-opencloud_ldap_bind_dn: "cn=Directory Manager"
+# LDAP backend (Authentik LDAP outpost)
+opencloud_ldap_uri: "ldap://authentik-outpost-ldap-ldap-1:3389"
+opencloud_ldap_bind_dn: "cn=akadmin,ou=users,dc=local,dc=test"
 opencloud_ldap_bind_password: "admin"
 opencloud_ldap_user_base_dn: "ou=users,dc=local,dc=test"
 opencloud_ldap_group_base_dn: "ou=groups,dc=local,dc=test"
+opencloud_ldap_user_schema_id: "uid"
+opencloud_ldap_user_schema_id_is_octet_string: false
+opencloud_ldap_user_schema_username: "cn"
+opencloud_ldap_user_schema_display_name: "cn"
+opencloud_ldap_group_schema_id: "uid"
+opencloud_ldap_group_schema_id_is_octet_string: false

 # Draw.io integration
 opencloud_drawio_url: "https://drawio.local.test"
@ -48,6 +55,6 @@ opencloud_role_mapping:

 # CSP configuration
 opencloud_csp_extra_connect_src:
-  - "https://keycloak.local.test/"
+  - "https://authentik.local.test/"
 opencloud_csp_extra_frame_src:
  - "https://drawio.local.test/"
--- a/inventories/vagrant/hosts.yml
+++ b/inventories/vagrant/hosts.yml
@ -57,6 +57,10 @@ all:
      hosts:
        backend:

+    authentik_outpost_ldap_servers:
+      hosts:
+        backend:
+
    garage_servers:
      hosts:
        backend:
--- a/playbooks/site.yml
+++ b/playbooks/site.yml
@ -41,18 +41,24 @@
  roles:
    - digitalboard.core.collabora

- name: Deploy nextcloud service
-  hosts: nextcloud_servers
-  become: yes
-  roles:
-    - digitalboard.core.nextcloud
-
 - name: Deploy authentik service
  hosts: authentik_servers
  become: yes
  roles:
    - digitalboard.core.authentik

+- name: Deploy authentik LDAP outpost
+  hosts: authentik_outpost_ldap_servers
+  become: yes
+  roles:
+    - digitalboard.core.authentik_outpost_ldap
+
+- name: Deploy nextcloud service
+  hosts: nextcloud_servers
+  become: yes
+  roles:
+    - digitalboard.core.nextcloud
+
 - name: Deploy drawio service
  hosts: drawio_servers
  become: yes