LDAP Provider
You can configure an LDAP Provider for applications that don't support any newer protocols or require LDAP.
Note: This provider requires the deployment of the LDAP Outpost.
All users and groups in authentik's database are searchable. Currently, there is limited support for filters (you can only search for objectClass), but this will be expanded in further releases.
Binding against the LDAP Server uses a flow in the background. This allows you to use the same policies and flows as you do for web-based logins. For more info, see Bind modes.
You can configure under which base DN the information should be available. For this documentation we'll use the default of DC=ldap,DC=goauthentik,DC=io.
Users are available under ou=users,<base DN> and groups under ou=groups,<base DN>. To aid compatibility, each user belongs to its own "virtual" group, as is standard on most Unix-like systems. This group does not exist in the authentik database, and is generated on the fly. These virtual groups are under the ou=virtual-groups,<base DN> DN.
Note: Every LDAP provider needs to have a unique base DN. You can achieve this by prepending an application-specific OU or DC. e.g. OU=appname,DC=ldap,DC=goauthentik,DC=io
The following fields are currently sent for users:
- cn: User's username
- uid: Unique user identifier
- uidNumber: A unique numeric identifier for the user
- name: User's name
- displayName: User's name
- mail: User's email address
- objectClass: A list of these strings:
  - "user"
  - "organizationalPerson"
  - "goauthentik.io/ldap/user"
- memberOf: A list of all DNs that the user is a member of
- homeDirectory: A default home directory path for the user, by default /home/$username. Can be overwritten by setting homeDirectory as an attribute on users or groups.
- ak-active: "true" if the account is active, otherwise "false"
- ak-superuser: "true" if the account is part of a group with superuser permissions, otherwise "false"
The following fields are currently set for groups:
- cn: The group's name
- uid: Unique group identifier
- gidNumber: A unique numeric identifier for the group
- member: A list of all DNs of the group's members
- objectClass: A list of these strings:
  - "group"
  - "goauthentik.io/ldap/group"
A virtual group is also created for each user; virtual groups have the same fields as groups but carry an additional objectClass: goauthentik.io/ldap/virtual-group. The virtual group's gidNumber is equal to the uidNumber of the user.
Additionally, for both users and (non-virtual) groups, any attributes you set are also present as LDAP Attributes.
Starting with 2021.9.1, custom attributes will override the inbuilt attributes.
Starting with 2023.3, periods and slashes in custom attributes will be sanitized.
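The attributes above are what an application sees when it reads a user entry from the provider. The following added example (not code from authentik or this page) interprets such entries over constructed sample data: it treats ak-active and ak-superuser as the literal strings "true"/"false" rather than as truthy values, strips the per-user virtual group out of memberOf by its ou=virtual-groups location, applies the homeDirectory default, and grants access only to active accounts in a required real group. The entry dictionaries, user names and group names are assumptions.

```python
BASE_DN = "DC=ldap,DC=goauthentik,DC=io"  # the default base DN used on this page

# Constructed sample entries shaped like the provider's user attributes
# (not captured from a real outpost). Values are lists, as LDAP attributes are multi-valued.
SAMPLE_USERS = {
    f"cn=alice,ou=users,{BASE_DN}": {
        "cn": ["alice"], "uidNumber": ["2001"],
        "objectClass": ["user", "organizationalPerson", "goauthentik.io/ldap/user"],
        "memberOf": [f"cn=admins,ou=groups,{BASE_DN}",
                     f"cn=alice,ou=virtual-groups,{BASE_DN}"],
        "ak-active": ["true"], "ak-superuser": ["false"],
    },
    f"cn=bob,ou=users,{BASE_DN}": {
        "cn": ["bob"], "uidNumber": ["2002"],
        "objectClass": ["user", "organizationalPerson", "goauthentik.io/ldap/user"],
        "memberOf": [f"cn=bob,ou=virtual-groups,{BASE_DN}"],
        "homeDirectory": ["/srv/home/bob"],  # custom attribute overriding the default
        "ak-active": ["false"], "ak-superuser": ["true"],  # superuser, but disabled
    },
}


def _dn_under(dn, container):
    """True if dn sits under container; compared case-insensitively, as DN attribute types are."""
    return dn.lower().endswith("," + container.lower())


def flag(entry, name):
    """ak-active / ak-superuser are the strings "true" or "false"; only "true" counts as set.
    Checking bool(value) instead would treat the string "false" as enabled."""
    return entry.get(name, [""])[0].lower() == "true"


def real_groups(entry, base_dn=BASE_DN):
    """memberOf without the generated per-user virtual group (ou=virtual-groups,<base DN>)."""
    return [dn for dn in entry.get("memberOf", [])
            if not _dn_under(dn, f"ou=virtual-groups,{base_dn}")]


def home_directory(entry):
    """Default /home/$username unless a homeDirectory attribute was set in authentik."""
    return entry.get("homeDirectory", [f"/home/{entry['cn'][0]}"])[0]


def authorize(entry, required_group_dn):
    """Grant only to active accounts that are members of the required (non-virtual) group."""
    if not flag(entry, "ak-active"):
        return False
    return required_group_dn.lower() in {g.lower() for g in real_groups(entry)}
```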
SSL / StartTLS
You can also configure SSL for your LDAP Providers by selecting a certificate and a server name in the provider settings.
Starting with authentik 2023.6, StartTLS is supported, and the provider will pick the correct certificate based on the configured TLS Server name field. The certificate is not picked based on the Bind DN, as the StartTLS operation should happen before the bind request to ensure bind credentials are transmitted over TLS.
This enables you to bind on port 636 using LDAPS.