Authentik - LDAP Generic Setup

  • Published: 19 Jan 2025

Comments • 80

  • @wydx120
    @wydx120 1 year ago +5

    Okay, for everyone who is struggling with `ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)`, and is running Authentik through docker-compose/portainer, here's what I did to fix it:
    - I mapped the 389 and 636 host ports to the 3389 and 6636 ports on the authentik *server* container (these are the default ports mapped to the ones Authentik actually listens to by default)
    - I explicitly opened the 389 and 636 ports on my machine through `iptables`. Depending on what you have on your machine, you may need to use a different tool, like `nftables`. It's somewhat easy to look up how to do this once you know what you actually have to do
    - You have to configure the worker with `user: root` and mapping `docker.sock` in the volumes list (I didn't do it because the official compose file mentioned in a comment that these were optional) and you have to choose Local Docker Integration
    I'm not sure if all of these are necessary, but it wasn't until after doing all these that my LDAP Outpost started working

    • @cooptonian
      @cooptonian 1 year ago +2

      this sounds like it could be very helpful to others; PINNED!

    • @KeesFluitman
      @KeesFluitman 11 months ago

      well you need to make sure you create a container for the outpost as well. With which it connects. At least for me. Once i realized that again, it worked fluently.

    • @fooryo-fourier
      @fooryo-fourier 10 months ago

      @KeesFluitman You magical m0therf****er. You are right. It worked. Now it gives me Invalid credentials (49) but there are people talking about it on github

    • @fuseteam
      @fuseteam 4 months ago

      from what i can see the outpost is what requires the docker sock for the "local docker connection" integration and the provider seems to indicate to connect to port 389, so i would presume that only port 389 may be needed

    • @fuseteam
      @fuseteam 4 months ago

      ok i was wrong, 389 is for ldap and 636 is for ldap SSL. now i can connect to ldap but i get access denied, but i cannot connect to ldap SSL even though i have mapped it

  • @gamezonline
    @gamezonline 1 year ago +12

    Thank you for all the videos you are doing on Authentik, the docs for Authentik are not beginner friendly and your videos help out a lot

  • @Homme_Pur
    @Homme_Pur 4 months ago +4

    Are there modifications needed in 2024.8.1? I spent the night trying to get it to work but finally reverted back to 2024.6.4 as I wasn't able to get it to work with jellyfin (I could "talk" to the outpost but there were no users found no matter if I enabled the full ldap search policy on the ldap user)

  • @semaphoreui
    @semaphoreui 7 months ago +1

    The best tutorial for Authentik LDAP. Thank you!

    • @cooptonian
      @cooptonian 7 months ago

      Glad you think so!

  • @meco
    @meco 1 month ago +3

    too bad this is outdated, are you planning on making an updated version of this video?

  • @jackho8154
    @jackho8154 2 months ago +2

    There is no search group field in New Provider form. How to define selected group that can do search queries in Authentik?

    • @dmitrymoskowski5775
      @dmitrymoskowski5775 12 days ago

      From ldap provider docs:
      Up to authentik version 2024.8 this was managed using the "Search group" attribute in the LDAP Provider, where users could be added to a group to grant them this permission. With authentik 2024.8 this is automatically migrated to the "Search full LDAP directory" permission, which can be assigned more flexibly.

  • @ChristianFoellmann
    @ChristianFoellmann 1 year ago +2

    The radius outpost is in the stable version.
    Can you post a video how to correctly set that up?

  • @BetterMobs
    @BetterMobs 3 months ago +1

    I had issue with having integration set up to docker integration, removed it and for now everything looks good

  • @KibbleWhite
    @KibbleWhite 4 months ago +1

    I reach 7:46 but after selecting type as 'LDAP', the LDAP application does not appear in the available applications listing.

    • @teojudes6792
      @teojudes6792 4 months ago +1

      if u use the 2024.8.0 there is a bug, the update in 2024.8.1 should have fixed it

  • @primeral
    @primeral 3 months ago

    Thank you for this vid, I'd have been so lost without it

    • @cooptonian
      @cooptonian 3 months ago

      Glad I could help

    • @primeral
      @primeral 3 months ago +1

      @@cooptonian hey brother, would you mind doing a video on LDAP integration with specific apps? I've been over Authentik's documentation for Jellyfin integration and it's been a fail for me.

  • @schrödingers__dog_1
    @schrödingers__dog_1 1 year ago +1

    Great video! I have watched all your Authentik videos as a walkthrough for my own deployment of Authentik. Could you possibly do a tutorial on SSO? I am particularly curious about getting it to work with Jellyfin, but I have had some trouble.

    • @cooptonian
      @cooptonian 1 year ago +1

      ...I haven't looked into this yet, but it looks promising: github.com/9p4/jellyfin-plugin-sso
      It even lists authentik as a tested provider...

  • @Weesaal_Cummar
    @Weesaal_Cummar 1 year ago

    Hello Cooptonian, I tried the same steps for LDAP configuration. It is still not working for me. I am not sure how to get that done. Can you create one video or help with some article how to configure LDAP with openvpn application using Authentik.

  • @T23gunny
    @T23gunny 4 months ago +1

    Where would you put the password expire policy in this

    • @cooptonian
      @cooptonian 4 months ago

      ...in your authentication flow, attached to your identification stage

  • @ChrisDePasqualeNJ
    @ChrisDePasqualeNJ 1 year ago +1

    You are the Man - SPX PCS to the moon! :-)

  • @Diddimos
    @Diddimos 1 year ago

    Hi, thanks for the detailed steps. Everything works instead of the LDAP outpost, I can't get it configured (and know too little to solve it). Could you assist me? I use the base docker-compose file which uses the embedded outpost. Do I need to add the LDAP docker image to my stack? If so, how do I configure that with traefik? The point is that when I now set up my LDAP outpost, it says "Not available" under "Health and Version".

    • @Diddimos
      @Diddimos 1 year ago

      Edit: setting up an LDAP outpost is sooo poorly documented. Figured it out by applying some educated guesses but I'm curious how you achieved this

    • @cooptonian
      @cooptonian 1 year ago

      Ha! Same, educated guesses and the documentation by Hooray4Rob...before that, documentation was even less...

    • @zyadon7964
      @zyadon7964 1 year ago +1

      @@Diddimos What ended up being the problem and solution?

    • @Zippoman924
      @Zippoman924 1 year ago +1

      @@zyadon7964 The solution for mine was to update the Outpost config so it had "authentik_host_insecure: true".

  • @Digitronus
    @Digitronus 1 year ago +1

    I really like your videos about Authentik. Could you make a video about how to login with Azure AD and MFA ?

    • @cooptonian
      @cooptonian 1 year ago

      ...unfortunately I don't use Azure AD

  • @emf9
    @emf9 7 months ago

    Should this be a service or regular user? The generic docs say regular but some of the integrations like opnsense say service.

    • @cooptonian
      @cooptonian 7 months ago +1

      ...for the video, I just followed the documentation and created as regular user... (for my purposes, this worked for Jellyfin)

    • @emf9
      @emf9 7 months ago

      @@cooptonian thanks. Been trying to make it work with OPNSense. But I can't seem to get it to bind/login.

  • @Josh-mo2ib
    @Josh-mo2ib 1 year ago

    Just curious, as I noticed a different approach from the documents. Is there an advantage to creating separate stages and flows specifically for LDAP as opposed to using the default login flow?

    • @cooptonian
      @cooptonian 1 year ago +1

      ...I am not sure about others' usage, however, if you have multiple flows for different things and you use the default stages...you can run into issues when you modify a particular default stage (it will change it for all other flows that share/rely on that stage). Anyways, I at least found that as an issue for myself. I would have a nice customized flow...then I would go off and experiment in making another flow...only to find my experimenting changed my nice customized flow (if that makes sense).

  • @watsonanikwai
    @watsonanikwai 9 months ago +1

    No integration active, why?

    • @fuseteam
      @fuseteam 4 months ago

      possibly because you did not map the docker socket

  • @张伟平-m9q
    @张伟平-m9q 9 months ago

    Why did my ldapsearch return ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) error? I get confused.

    • @cooptonian
      @cooptonian 9 months ago

      ...not sure if it will help, but did you see the pinned comment stating your error?

  • @d4rkz3nn3n
    @d4rkz3nn3n 4 months ago

    does this also work for unraid users?

  • @krys-p-bacon
    @krys-p-bacon 1 year ago

    Any tips on how to use the ldap over SSL (i.e., port 636, or ldaps://)? Followed your guide, no issues. I just can't figure out how to get SSL working, the authentik documentation quickly mentions support and requiring to add a certificate/domain name, but I can't figure it out

    • @cooptonian
      @cooptonian 1 year ago +1

      I haven't tried it, but you create a certificate under "System > Certificates" menu. Then edit your LDAP provider; under "Protocols" choose your created certificate and enter a TLS server name... If you tried that already, maybe ask in the discord. Only thing I can maybe see an issue with is the naming format for the TLS server name??

    • @krys-p-bacon
      @krys-p-bacon 1 year ago

      @@cooptonian I'm also thinking it has to do with the TLS Server Name. any "best guess" as to what it could be? is it the FQDN, the docker IP of the LDAP, the IP of the host server? Feel like I've tried every variant lol

    • @cooptonian
      @cooptonian 1 year ago

      wow, yah you tried a good number of combinations...best guess is it would be the hostname/name of the computer (ie: DESKTOP-3820S8, or Linux-Vbox...etc.)
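    The two errors that keep coming up in this thread, `Can't contact LDAP server (-1)` from the pinned comment and the port-636/TLS-server-name question just above, are easier to reason about once you see what `ldapsearch` actually puts on the wire. The script below is an added example (not code from the video, the commenters or the authentik project): a minimal LDAP v3 simple-bind client that builds the RFC 4511 BindRequest by hand, reads the BindResponse, and reports -1 when TCP or TLS fails versus the server's own resultCode (49 = invalidCredentials) when the bind reaches the outpost. For port 636 it sends the configured name as SNI, which is what the outpost matches against the provider's "TLS Server name", and verifies the certificate against a CA file instead of disabling verification. The host, DN, password and TLS name in `__main__` are placeholders; the DN shape follows the generic-setup docs and is an assumption about your deployment.

```python
import socket
import ssl

# Added example: minimal LDAP v3 simple bind (RFC 4511), BER-encoded by hand,
# for checking an authentik LDAP outpost. Not authentik's or the video's code.
LDAP_BIND_REQUEST = 0x60      # [APPLICATION 0], constructed
LDAP_BIND_RESPONSE = 0x61     # [APPLICATION 1], constructed
RESULT_NAMES = {0: "success", 32: "noSuchObject", 48: "inappropriateAuthentication",
                49: "invalidCredentials"}


def ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(body)) + body


def ber_int(n: int) -> bytes:
    """Non-negative INTEGER; the extra leading byte keeps values >= 128 positive."""
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def read_tlv(buf: bytes, pos: int):
    """Decode the element starting at pos; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple [0] password } }."""
    op = ber_int(3) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, ber_int(msg_id) + tlv(LDAP_BIND_REQUEST, op))


def parse_bind_response(data: bytes):
    """Returns (messageID, resultCode, diagnosticMessage) from a BindResponse."""
    tag, msg, _ = read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(msg, 0)
    tag, op, _ = read_tlv(msg, pos)
    if tag != LDAP_BIND_RESPONSE:
        raise ValueError(f"unexpected protocolOp tag 0x{tag:02x}")
    _, code, pos = read_tlv(op, 0)          # ENUMERATED resultCode
    _, _matched, pos = read_tlv(op, pos)    # matchedDN (unused here)
    _, diag, _ = read_tlv(op, pos)          # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode(errors="replace")


def recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def recv_message(sock) -> bytes:
    """Read exactly one BER element (tag + length + value) from the socket."""
    head = recv_exact(sock, 2)
    length = head[1]
    if length & 0x80:
        extra = recv_exact(sock, length & 0x7F)
        head, length = head + extra, int.from_bytes(extra, "big")
    return head + recv_exact(sock, length)


def ldap_bind(host, port, dn, password, use_tls=False, tls_server_name=None,
              cafile=None, timeout=5.0):
    """Simple bind; code -1 mirrors ldapsearch's "Can't contact LDAP server",
    anything else is the server's resultCode (0 = success, 49 = bad credentials)."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
        if use_tls:
            # SNI must be the name configured as the provider's "TLS Server name";
            # cafile is the authentik-issued certificate (or its CA), so the chain
            # is verified rather than ignored.
            ctx = ssl.create_default_context(cafile=cafile)
            sock = ctx.wrap_socket(sock, server_hostname=tls_server_name or host)
        with sock:
            sock.sendall(bind_request(1, dn, password))
            _mid, code, diag = parse_bind_response(recv_message(sock))
    except (OSError, ValueError) as exc:          # ssl.SSLError is an OSError
        return {"ok": False, "code": -1, "detail": f"Can't contact LDAP server: {exc}"}
    name = RESULT_NAMES.get(code, f"resultCode {code}")
    return {"ok": code == 0, "code": code, "detail": name + (f": {diag}" if diag else "")}


if __name__ == "__main__":
    # Placeholders (assumptions): replace with the outpost's host, the service
    # account DN from your provider's base DN, its password and the TLS name.
    DN = "cn=ldapservice,ou=users,dc=ldap,dc=goauthentik,dc=io"
    for port, tls in ((389, False), (636, True)):
        print(port, ldap_bind("authentik.example.internal", port, DN, "PASSWORD",
                              use_tls=tls, tls_server_name="authentik.example.internal",
                              cafile="authentik-ldap.crt"))
```

    Reading the result: -1 on 389 means the packet never reached a listener (the host-port mapping, firewall rule or outpost container from the pinned comment), -1 on 636 with an SSL error in the detail means TCP worked but the certificate name or chain did not, and 49 means the outpost answered and the DN or password is what needs checking.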

  • @spik330
    @spik330 8 months ago

    the video didn't cover integrations (aka the networking part) and how to point Authentik to my ldap server

    • @cooptonian
      @cooptonian 7 months ago

      ...sorry, this video was just the generic LDAP provider setup. I got this working as an LDAP source for my Jellyfin setup (ldap plugin required)

    • @fuseteam
      @fuseteam 4 months ago

      Authentik __is__ the ldap server

  • @nick-leffler
    @nick-leffler 1 year ago

    By doing this though, if someone finds the URL to the LDAP flow, won't that remove the 2fa which could lead to security issues?

    • @cooptonian
      @cooptonian 1 year ago

      No, they won't be authenticated...trying to directly access a flow URL will result in either denial or redirect to the login page.

    • @nick-leffler
      @nick-leffler 1 year ago

      @@cooptonian How can I ensure that happens? With testing that doesn't seem to be the case.

    • @cooptonian
      @cooptonian 1 year ago

      You've tested outside your network with the exact flow URL and bypassed 2FA? If so, I recommend bringing the issue up with the dev in discord or bug report on their github so that maybe it can be patched.

    • @nick-leffler
      @nick-leffler 1 year ago

      @@cooptonian yes and ok thanks

  • @jhmc93
    @jhmc93 1 year ago

    when i do ldap search and put the right credentials in i get ldap_bind: invalid credentials (49), can you help? regards

    • @cooptonian
      @cooptonian 1 year ago

      ...did you double check the password is correct? Just in case there was a typo...go into users and force change the password to something you definitely know. Then try to run the test commands again with the updated password...

    • @jhmc93
      @jhmc93 1 year ago +1

      @@cooptonian thank you for your reply!
      I myself made an error it was a typo with the username!
      thanks for the guide!

    • @cooptonian
      @cooptonian 1 year ago +1

      OK great...and no problem!

  • @michaell7511
    @michaell7511 1 year ago

    Great video as always! In the last command, you used 192.168.x.x. What if this is on a VPS that has only a public IP, do you use the IP instead? Wouldn't that make the LDAP publicly accessible by using the public IP? Thanks for feedback.

    • @cooptonian
      @cooptonian 1 year ago

      You'd use the IP of authentik's host...you'd have to configure an internal network. After that, it should be secured per authentik's own documentation: goauthentik.io/docs/providers/ldap/generic_setup, use SSL port 636 for production.

    • @EderMorales18
      @EderMorales18 1 year ago

      Would you be able to elaborate on this a bit? I run authentik on unraid, after following your video and the docs I continue to get the "can't contact the LDAP server". I'm using a raspberrypi to test with the ldapsearch tool. I've tried entering the IP of my unraid server and nothing @cooptonian

  • @pbvdven2
    @pbvdven2 1 year ago

    Thanks for your videos, really helpful. did you try the authentik ldap with linux for user authentication? i can't seem to get it set up. i managed to get apps working like proxmox, calibre-web, jellyfin with authentik ldap but with Ubuntu i can't get it working. i read somewhere authentik is not a full ldap server so maybe it's not supposed to work, i have no idea, maybe you could help point me in the right direction? thanks.

    • @cooptonian
      @cooptonian 1 year ago

      currently only using it for Jellyfin so not sure about Ubuntu...have you asked in the discord?

  • @leboyoyo
    @leboyoyo 2 months ago

    Awesome thanks Bro!

  • @xsniper001
    @xsniper001 7 months ago

    @Cooptonian, could you do a JellyFin LDAP guide? It would be great... I am struggling to get authentik on jellyfin...

    • @cameronhill2true
      @cameronhill2true 5 months ago

      What are the issues that you're having? I just set up the SSO Plugin over the weekend after weeks of tinkering and figuring out how to properly configure everything. I might be able to point you in the right direction.

    • @xsniper001
      @xsniper001 5 months ago

      @@cameronhill2true I just didn't manage to make it work. If you can create a guide how to do it I would greatly appreciate it mate. Thank you.

    • @cameronhill2true
      @cameronhill2true 5 months ago

      @@xsniper001 I've never really done guides for this type of stuff, but it just so happens that I accidentally wiped my whole media services VM a few days ago. I'll have to reconfigure everything, so I'll have to run the process again...shame on me for not completing a proper backup.
      I was planning on setting it up again this weekend, so I'll try to put something together when I get to the authentication piece.

    • @cameronhill2true
      @cameronhill2true 4 months ago

      I tried to post a link, but I think it got removed. If you still want that guide, let me know.

  • @jhmc93
    @jhmc93 1 year ago

    ldap says it's an unhealthy container, can u help?

    • @cooptonian
      @cooptonian 1 year ago

      ...has it been unhealthy from the start? Also, have you simply tried restarting the container?

  • @Shaq2k
    @Shaq2k 1 year ago

    Thanks. Is it safe to assume this is valid for MS Active Directory too?

  • @kylejoel87
    @kylejoel87 1 year ago +1

    First of all a massive thank you for your videos, they have been awesome. One thing if you don't mind me asking for help. I am on Unraid and I am trying to get it to link up with Jellyfin. If you could help me, I would owe you a mega pint and I would really appreciate it.

    • @cooptonian
      @cooptonian 1 year ago

      Glad they helped...and what do you mean get linked up? I unfortunately do not use unraid so my experience in that is limited... Have you asked in the discord?