

Docker: Authentik

authentik is a middleware that extends the basic authentication features of FreeIPA with many additional, modern ways of authentication that current software uses. It makes SSO possible (Single Sign-On: logging into your PC once is enough to open all apps): the Kerberos credentials log you in to authentik, and authentik then authenticates you to the third-party app, such as Nextcloud, without asking for a user or password.

TODO

Usually I link the env file to some central file. This time, as passwords are included, I set up a separate file. File .env:

#Common Docker-Parameters
COMPOSE_PROJECT_NAME=servername
COMPOSE_HTTP_TIMEOUT=180

#Authentik: https://goauthentik.io/docs/installation/docker-compose
#"latest" follows every release automatically; pin a version (e.g. 2025.2.1) if upgrades
#should only happen when you run them. Server and worker must always run the same tag.
AUTHENTIK_TAG=latest
#Generate with: openssl rand -base64 60 | tr -d '\n'
#Used for cookie/session signing: changing it invalidates all active sessions.
AUTHENTIK_SECRET_KEY=SEEDOCS
#Sends error reports (stack traces) to the authentik developers; set to false if unwanted.
AUTHENTIK_ERROR_REPORTING__ENABLED=true
#
#Postgres-DB Authentik
#The postgres container initialises the database from POSTGRES_*, authentik connects
#with AUTHENTIK_POSTGRESQL__*. Both sets are read from this file, so keep them identical.
POSTGRES_USER=authentik
POSTGRES_DB=authentik
POSTGRES_PASSWORD=YOURPGPASS
AUTHENTIK_POSTGRESQL__HOST=servername-authentik_pgsql-1
AUTHENTIK_POSTGRESQL__USER=authentik
AUTHENTIK_POSTGRESQL__NAME=authentik
AUTHENTIK_POSTGRESQL__PASSWORD=YOURPGPASS
#
#Redis - we are using the Redis of Nextcloud AIO here
AUTHENTIK_REDIS__HOST=nextcloud-aio-redis
AUTHENTIK_REDIS__PASSWORD=SeeInNextcloudSettings_nextcloud_data_config/config.php
#Sharing the instance means sharing the key space with Nextcloud; a separate database
#number keeps the two apart (check the configuration docs for your authentik version)
#AUTHENTIK_REDIS__DB=1
#
## SMTP host emails are sent to
#AUTHENTIK_EMAIL__HOST=mailserver.smtp.de
#AUTHENTIK_EMAIL__PORT=465
## Optionally authenticate (don't add quotation marks to your password)
#AUTHENTIK_EMAIL__USERNAME=mailuser@host.de
#AUTHENTIK_EMAIL__PASSWORD=MAILPWD
## Use StartTLS (port 587 style)
#AUTHENTIK_EMAIL__USE_TLS=false
## Use implicit TLS/SSL (port 465 style); set only one of USE_TLS / USE_SSL
#AUTHENTIK_EMAIL__USE_SSL=true
#AUTHENTIK_EMAIL__TIMEOUT=10
## Email address authentik will send from, should have a correct @domain
#AUTHENTIK_EMAIL__FROM=mailuser@host.de
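docker compose reads this one .env twice: for variable interpolation in the compose file and, through env_file, as the container environment. A forgotten POSTGRES_* line, a placeholder left in, or a password that differs between the POSTGRES_* and AUTHENTIK_POSTGRESQL__* sets only shows up later as a postgres container that refuses to start or an authentik that cannot connect. The POSIX sh helpers below are an added example, not part of this page or of authentik: gen_secret produces a secret in the form the comment above suggests, and check_env reads a .env and reports every mistake of that kind, plus a file that is readable by others. The variable names and the placeholders SEEDOCS and YOURPGPASS are the ones used above; the file name .env is the page's.

```sh
# Added example, not from the page or from authentik. Assumes POSIX sh;
# gen_secret additionally needs openssl in PATH.

# gen_secret: one random secret on a single line, as the .env comment suggests
gen_secret() {
    openssl rand -base64 60 | tr -d '\n'
}

# env_get FILE KEY: value of KEY in FILE; comment lines are ignored, last definition wins
env_get() {
    grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 | cut -d= -f2-
}

# check_env FILE: exit 0 if FILE is usable for the compose setup, 1 otherwise.
# Every problem found is printed, so all of them can be fixed in one pass.
check_env() {
    f=$1
    rc=0
    # 1. everything the postgres container (POSTGRES_*) and authentik (AUTHENTIK_*) need
    for k in AUTHENTIK_SECRET_KEY \
             AUTHENTIK_POSTGRESQL__HOST AUTHENTIK_POSTGRESQL__USER \
             AUTHENTIK_POSTGRESQL__NAME AUTHENTIK_POSTGRESQL__PASSWORD \
             POSTGRES_USER POSTGRES_DB POSTGRES_PASSWORD; do
        if [ -z "$(env_get "$f" "$k")" ]; then
            echo "missing or empty: $k"
            rc=1
        fi
    done
    # 2. placeholders copied from the template (SEEDOCS and YOURPGPASS are the page's own)
    for k in AUTHENTIK_SECRET_KEY AUTHENTIK_POSTGRESQL__PASSWORD POSTGRES_PASSWORD; do
        case "$(env_get "$f" "$k")" in
            SEEDOCS|YOURPGPASS|changeme|CHANGEME)
                echo "placeholder still set: $k"
                rc=1 ;;
        esac
    done
    # 3. the secret key signs sessions; the suggested generator yields 80 characters
    sk=$(env_get "$f" AUTHENTIK_SECRET_KEY)
    if [ "${#sk}" -lt 50 ]; then
        echo "AUTHENTIK_SECRET_KEY is shorter than 50 characters"
        rc=1
    fi
    # 4. postgres initialises the database from POSTGRES_*, authentik connects with
    #    AUTHENTIK_POSTGRESQL__*; if a pair differs, authentik cannot log in
    for pair in POSTGRES_USER:AUTHENTIK_POSTGRESQL__USER \
                POSTGRES_DB:AUTHENTIK_POSTGRESQL__NAME \
                POSTGRES_PASSWORD:AUTHENTIK_POSTGRESQL__PASSWORD; do
        a=${pair%%:*}
        b=${pair#*:}
        if [ "$(env_get "$f" "$a")" != "$(env_get "$f" "$b")" ]; then
            echo "mismatch: $a != $b"
            rc=1
        fi
    done
    # 5. the file holds secrets; nobody but the owner should be able to read it
    if [ -n "$(find "$f" -perm -004)" ]; then
        echo "$f is readable by others (chmod 600 $f)"
        rc=1
    fi
    return $rc
}
```

Run check_env .env before every docker compose up -d; it exits non-zero on the first run with the template above because the placeholders are still in place, which is the intended reminder. gen_secret prints a value suitable for AUTHENTIK_SECRET_KEY and for POSTGRES_PASSWORD / AUTHENTIK_POSTGRESQL__PASSWORD.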

The file docker-compose.yml contains:

# Source: https://docs.goauthentik.io/docs/releases/2024.10
# wget -O docker-compose.yml https://goauthentik.io/version/2024.10/docker-compose.yml
# Adapted: database credentials come from .env, Redis is shared with Nextcloud AIO,
# no ports are published because Caddy reaches the container on the docker network.
# Default tag raised to 2025.2.1 for both services (AUTHENTIK_TAG in .env overrides it).

services:
  authentik_pgsql:
    image: docker.io/library/postgres:16-alpine
    restart: always
    healthcheck:
      # POSTGRES_DB and POSTGRES_USER are read from .env inside the container
      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    volumes:
      - authentik_pgsql_data:/var/lib/postgresql/data
# POSTGRES_PASSWORD, POSTGRES_USER and POSTGRES_DB are defined in .env
#    environment:
#      POSTGRES_PASSWORD: ${PG_PASS:?database password required}
#      POSTGRES_USER: ${PG_USER:-authentik}
#      POSTGRES_DB: ${PG_DB:-authentik}
    env_file:
      - .env

# Using nextcloud-aio-redis instead (AUTHENTIK_REDIS__HOST in .env)
#  redis:
#    image: docker.io/library/redis:alpine
#    command: --save 60 1 --loglevel warning
#    restart: unless-stopped
#    healthcheck:
#      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
#      start_period: 20s
#      interval: 30s
#      retries: 5
#      timeout: 3s
#    volumes:
#      - redis:/data

# Authentik Server
  authentik_server:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.2.1}
    restart: always
    command: server
# When upgrading: check for new parameters and add them to .env, not here
# Possible parameters: https://docs.goauthentik.io/docs/install-config/configuration/
    environment:
#      AUTHENTIK_REDIS__HOST: nextcloud-aio-redis # see .env for password
#      AUTHENTIK_POSTGRESQL__HOST: nextcloud-aio-database
#      AUTHENTIK_POSTGRESQL__USER: ${AUTHENTIK_PG_USER:-authentik}
#      AUTHENTIK_POSTGRESQL__NAME: ${AUTHENTIK_PG_DB:-authentik}
#      AUTHENTIK_POSTGRESQL__PASSWORD: ${AUTHENTIK_PG_PASS}
      # Kerberos library trace on stderr (visible in docker logs). Useful while setting
      # up SPNEGO; remove it once SSO works so ticket details are not logged permanently.
      KRB5_TRACE: /dev/stderr
    volumes:
      - authentik_media:/media
      - authentik_custom_templates:/templates
    env_file:
      - .env
# Not published: Caddy proxies to servername-authentik_server-1:9000 directly
#    ports:
#      - "${COMPOSE_PORT_HTTP:-9000}:9000"
#      - "${COMPOSE_PORT_HTTPS:-9443}:9443"
    networks:
      - nextcloud-aio
      - default

# Authentik Worker
  authentik_worker:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.2.1}
    restart: always
    command: worker
# See above: connection settings come from .env
#    environment:
#      AUTHENTIK_REDIS__HOST: nextcloud-aio-redis
#      AUTHENTIK_POSTGRESQL__HOST: nextcloud-aio-database
#      AUTHENTIK_POSTGRESQL__USER: ${AUTHENTIK_PG_USER:-authentik}
#      AUTHENTIK_POSTGRESQL__NAME: ${AUTHENTIK_PG_DB:-authentik}
#      AUTHENTIK_POSTGRESQL__PASSWORD: ${AUTHENTIK_PG_PASS}
    # `user: root` and the docker socket volume are optional.
    # See more for the docker socket integration here:
    # https://goauthentik.io/docs/outposts/integrations/docker
    # Removing `user: root` also prevents the worker from fixing the permissions
    # on the mounted folders, so when removing this make sure the folders have the correct UID/GID
    # (1000:1000 by default)
    # The docker socket is not mounted here, so root is only kept for that permission fix;
    # once the volumes are owned by 1000:1000 the line can be dropped.
    user: root
    volumes:
# No docker integration / LDAP outpost not needed (FreeIPA provides LDAP)
#      - /var/run/docker.sock:/var/run/docker.sock
      - authentik_media:/media
      - authentik_certs:/certs
      - authentik_custom_templates:/templates
    depends_on:
      - authentik_server
    env_file:
      - .env
    networks:
      - nextcloud-aio
      - default

volumes:
  authentik_pgsql_data:
  authentik_media:
  authentik_custom_templates:
  authentik_certs:
# redis:

networks:
  nextcloud-aio:
    external: true

Check every line carefully and adapt it to your setup.

In the Caddy docker service, add the following lines:

# Authentik
https://authentik.domain.tld:443 {
       header Strict-Transport-Security max-age=31536000;
       reverse_proxy servername-authentik_server-1:9000
}

After docker compose up -d and a restart of Caddy you should be able to navigate to

https://authentik.domain.tld/if/flow/initial-setup/

and set the password for the admin user akadmin. Do this right away: until the initial setup has been completed, this flow can be opened by anyone who can reach the site.

Don't forget to extend your backup/docker_backup_all.sh by adding authentik to the service list if you have not done so yet.

Now that authentik is working, we glue all services together.

Don't use the Kerberos sync: the kadmin interface of FreeIPA is blocked so that nobody can mess with Kerberos without FreeIPA knowing about it. Use the LDAP sync for the users instead.

To sync FreeIPA with authentik, follow this guide: https://docs.goauthentik.io/docs/users-sources/sources/directory-sync/freeipa/

After the service user (SVC user) has been created, use the following commands, as written in that guide, to let it set passwords: the service account's DN is added to passSyncManagersDNs of the ipa_pwd_extop plugin, so passwords set through authentik are not marked as expired.

ldapmodify -x -D "cn=Directory Manager" -H ldaps://ipa.domain.tld:636 -W
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
changetype: modify
add: passSyncManagersDNs
passSyncManagersDNs: uid=svc_authentik,cn=users,cn=accounts,dc=domain,dc=tld

On the empty line after the last attribute, press CTRL+D; ldapmodify then applies the modification. Check it with:

ldapsearch -xv -Z -W -H ldap://ipa.domain.tld -b "cn=ipa_pwd_extop,cn=plugins,cn=config" -D "cn=Directory Manager"

which should show the entry with a passSyncManagersDNs line containing the service account's DN.
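ldapsearch prints LDIF, which folds values longer than 76 columns onto continuation lines that start with a space, and LDAP compares attribute names and DNs case-insensitively, so a plain grep for the DN can miss a correct entry or match a wrong one. The POSIX sh functions below are an added example, not from this page, from authentik or from FreeIPA: they unfold the LDIF output and check it for the service account's DN, and they print the modify LDIF so it can be piped into ldapmodify instead of being typed in and closed with CTRL+D. The DN uid=svc_authentik,cn=users,cn=accounts,dc=domain,dc=tld and the host ipa.domain.tld are the page's placeholders; the LDIF used in the check is constructed.

```sh
# Added example, not from the page, authentik or FreeIPA. Assumes POSIX sh, awk, sed, grep.

# ldif_unfold: reads LDIF on stdin and joins continuation lines. ldapsearch wraps long
# values; a line starting with a single space continues the previous line.
ldif_unfold() {
    awk '
        /^ /  { buf = buf substr($0, 2); next }
              { if (started) print buf; buf = $0; started = 1 }
        END   { if (started) print buf }
    '
}

# ldif_norm: lower-case everything (attribute names and DNs are case-insensitive in
# LDAP) and drop blanks after the commas of a DN, so "cn=users, cn=accounts" compares equal
ldif_norm() {
    tr '[:upper:]' '[:lower:]' | sed 's/, */,/g'
}

# ldif_has_value ATTR VALUE: reads LDIF on stdin, exit 0 if ATTR carries VALUE
# (plain values only; base64 "attr::" lines are not decoded)
ldif_has_value() {
    want=$(printf '%s: %s' "$1" "$2" | ldif_norm)
    ldif_unfold | ldif_norm | grep -qxF -- "$want"
}

# passsync_ldif DN: prints the modify LDIF that adds DN to passSyncManagersDNs.
# Pipe it into: ldapmodify -x -D "cn=Directory Manager" -H ldaps://ipa.domain.tld:636 -W
passsync_ldif() {
    printf 'dn: cn=ipa_pwd_extop,cn=plugins,cn=config\n'
    printf 'changetype: modify\n'
    printf 'add: passSyncManagersDNs\n'
    printf 'passSyncManagersDNs: %s\n' "$1"
}

# check_passsync DN: queries the live server and reports whether DN is listed.
# Prompts for the Directory Manager password (-W); needs ldapsearch and network access.
check_passsync() {
    ldapsearch -x -Z -W -LLL -H ldap://ipa.domain.tld \
        -D "cn=Directory Manager" \
        -b "cn=ipa_pwd_extop,cn=plugins,cn=config" passSyncManagersDNs \
        | ldif_has_value passSyncManagersDNs "$1" \
        && echo "$1 is a password sync manager" \
        || { echo "$1 is NOT listed in passSyncManagersDNs"; return 1; }
}
```

Typical use: passsync_ldif uid=svc_authentik,cn=users,cn=accounts,dc=domain,dc=tld | ldapmodify -x -D "cn=Directory Manager" -H ldaps://ipa.domain.tld:636 -W, then check_passsync with the same DN. Only the two offline helpers are exercised by the test; check_passsync talks to the real server.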

With SPNEGO you get SSO in authentik: the browser presents the user's Kerberos ticket, so no password is asked for.

Here is the link to the docs: https://docs.goauthentik.io/docs/users-sources/sources/protocols/kerberos/

You need to log on to FreeIPA as admin and do the following:

  • Go to Hosts, add the host authentik.domain.tld
  • Go to Services, add a new HTTP service for that host

After that, open a console in the running FreeIPA container and run the following commands there:

# Log on as admin
kinit admin
# Create a new key for the service and write it to a keytab.
# ipa-getkeytab generates a fresh key: any older keytab for this principal stops working.
ipa-getkeytab -s ipa.domain.tld -p HTTP/authentik.domain.tld -k /tmp/authentik.keytab
# Print it base64 encoded on one line for pasting into authentik
# (-w0 is GNU coreutils; without it the output is wrapped at 76 columns and must be joined)
base64 -w0 /tmp/authentik.keytab; echo
# The keytab is a long-lived credential: remove the plain file again
rm /tmp/authentik.keytab

This is the keytab that you will use for SPNEGO: paste the base64 string into the Kerberos source in authentik.

Use the service principal HTTP/authentik.domain.tld as the server name!

Important: Use „User matching mode“ = „Link to User with identical Username. …“ - otherwise Kerberos may fail!

Then enable the Kerberos source under Flows and Stages > Stages > default-authentication-identification > Source settings.

Browsers only send a Kerberos ticket to sites they trust for Negotiate authentication, so authentik.domain.tld also has to be allowed on the clients (Firefox: network.negotiate-auth.trusted-uris; Chrome/Chromium: the AuthServerAllowlist policy).
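The base64 string from the keytab step is long and gets pasted into a web form; a character lost or added on the way only shows up later as a failed SPNEGO login with little to go on. The POSIX sh function below is an added example, not from this page, from authentik or from FreeIPA: it takes a pasted blob on stdin, removes the line breaks that base64 inserts when wrapping, decodes it and checks that the result starts with the keytab file format header (0x05 0x02 for format version 2, 0x05 0x01 for the old version 1) and carries more than just that header. It does not look at the principal inside; klist -kt on the decoded file does that. The sample blob in the test is constructed, not a real keytab.

```sh
# Added example, not from the page, authentik or FreeIPA. Assumes POSIX sh plus
# base64 -d and od (GNU coreutils or BSD equivalents).

# keytab_b64_ok: reads a base64 keytab on stdin; exit 0 if it decodes cleanly and
# looks like a keytab, 1 otherwise. Nothing is printed, so it can sit in a pipeline.
keytab_b64_ok() {
    tmp=$(mktemp) || return 1
    # 1. the blob must be valid base64 once whitespace and line wrapping are removed
    if ! tr -d ' \n\r\t' | base64 -d >"$tmp" 2>/dev/null; then
        rm -f "$tmp"
        return 1
    fi
    # 2. keytab files start with the format version: 0x05 0x02 (v2) or 0x05 0x01 (v1)
    hdr=$(od -An -tx1 -N2 "$tmp" | tr -d ' \n')
    size=$(wc -c <"$tmp" | tr -d ' ')
    rm -f "$tmp"
    [ "$hdr" = "0502" ] || [ "$hdr" = "0501" ] || return 1
    # 3. a usable keytab holds at least one entry after the 2-byte header
    [ "$size" -gt 2 ]
}

# check_keytab_paste: convenience wrapper for a blob stored in a file (e.g. copied from the
# FreeIPA console into keytab.b64 before pasting it into authentik)
check_keytab_paste() {
    if keytab_b64_ok <"$1"; then
        echo "$1: decodes to a keytab, safe to paste"
    else
        echo "$1: not a valid base64 keytab, copy it again"
        return 1
    fi
}
```

Usage: save the output of the base64 command into a file and run check_keytab_paste keytab.b64 before pasting; the wrapping of a non -w0 base64 run is tolerated because whitespace is stripped first.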

  • content/serverbasics/docker-authentik.1743719571.txt.gz
  • Last modified: 2025/04/03 22:32
  • by Daniel