Differences

This shows you the differences between two versions of the page.

content:serverbasics:docker-authentik [2025/04/09 15:17] – [Attaching SPNEGO] Daniel | content:serverbasics:docker-authentik [2025/04/10 10:10] (current) – [Secure LDAP- Users with TOTP] Daniel
Line 2: Line 2:
  
 Authentik is a middleware expanding the basic authentication- features of FreeIPA by many additional, modern ways of authentication which is used by modern Software. It will make SSO possible (Single-Sign-On: only logging into your pc will be enough to open all apps) by using the Kerberos-Credentials to login to authentik and than to authenticate the third-aprty app like Nextcloud without any additional User or Password- Dialog. Authentik is a middleware expanding the basic authentication- features of FreeIPA by many additional, modern ways of authentication which is used by modern Software. It will make SSO possible (Single-Sign-On: only logging into your pc will be enough to open all apps) by using the Kerberos-Credentials to login to authentik and than to authenticate the third-aprty app like Nextcloud without any additional User or Password- Dialog.
- 
  
 ===== Dockerfile ===== ===== Dockerfile =====
Line 171: Line 170:
  
 </file> </file>
 +
 ===== First start ===== ===== First start =====
  
Line 190: Line 190:
  
 To Sync FreeIPA with Authentik, follow this Guide: [[https://docs.goauthentik.io/docs/users-sources/sources/directory-sync/freeipa/|https://docs.goauthentik.io/docs/users-sources/sources/directory-sync/freeipa/]] To Sync FreeIPA with Authentik, follow this Guide: [[https://docs.goauthentik.io/docs/users-sources/sources/directory-sync/freeipa/|https://docs.goauthentik.io/docs/users-sources/sources/directory-sync/freeipa/]]
 +
 +When the Sync has been configured, all FreeIPA- Users should show up in Authentik.
  
 After SVC- user is created, use the following commands to modify password reset as written in the doc: After SVC- user is created, use the following commands to modify password reset as written in the doc:
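Review bot: "all FreeIPA- Users should show up in Authentik" gives the reader no way to confirm it; say where in the Authentik admin panel the synced users are listed, or how to trigger the first sync run, so a failed or not-yet-run sync is noticed here rather than at the first login attempt.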
Line 210: Line 212:
  
 which should show the entry for ''passsyncmanagersdns'' . which should show the entry for ''passsyncmanagersdns'' .
 +=== Secure LDAP- Users with TOTP ===
 +
 +Now any User can login with its FreeIPA- Password, also if SPNEGO/ kerberos as beneath is not setup yet.
 +
 +This is quite insecure, so you shoul add a second factor for that type of Login (for SPNEGO the second factor is your integrated Machine, which has the key stored already).
 +
 +To do so, in the Autentik Admin- Panel go to Stages and edit the Stage "default-authentication-mfa-validation"\\
 +Change "Not configured action" → Force…\\
 +At "Configuration stages" → default.authenticator-totp-setup
 +
 +The Next time you are logging in with User and Password in Authentik, it will ask to setup a TOTP- Device. You can for example use [[https://f-droid.org/de/packages/org.liberty.android.freeotpplus/|https://f-droid.org/de/packages/org.liberty.android.freeotpplus/]]
 +
 +Hint: There is also an default Flow for this to import in Authentik here https://docs.goauthentik.io/docs/add-secure-apps/flows-stages/flow/examples/flows#two-factor-login
  
  
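Review bot: the value after "Not configured action" → Force… is cut off; write the option text out in full as it appears in the stage editor, so the reader can match it against the admin panel. The same block needs the spelling fixes "shoul" → "should", "Autentik" → "Authentik" and "an default Flow" → "a default Flow", and "as beneath" should name the section it refers to (Attaching SPNEGO) so the forward reference still reads correctly when the page is reordered.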
 • content/serverbasics/docker-authentik.txt
 • Last modified: 2025/04/10 10:10
 • by Daniel