goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

Using LDAPv3 to authenticate against MacOS #10123

Open krim404 opened 2 weeks ago

krim404 commented 2 weeks ago

I am attempting to connect MacOS directly to Authentik using the LDAP interface, but I have been unable to get it working so far. I have already successfully set up an SSSD connection, confirming that the Authentik LDAP service itself is functional. However, I have not been able to find any documentation or resources on using the Authentik LDAP interface specifically with MacOS.

This leads me to my main question - is it even possible to authenticate MacOS systems against the Authentik LDAP outpost? In my research, I came across a few reports suggesting that the Authentik LDAP interface may not be feature complete compared to a full LDAP server.

Before investing more time troubleshooting, I wanted to confirm whether direct MacOS authentication is an intended/supported use case. Any insights or experiences from the community would be greatly appreciated.

Has anyone successfully connected MacOS to Authentik via the LDAP interface? Or alternatively, can anyone definitively confirm that this is not currently possible due to limitations of the Authentik LDAP implementation?

Thank you in advance for your help!

gregistech commented 1 week ago

Can't say anything about the MacOS part, but on Linux SSSD works perfectly for me.

This is my config:

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[sssd]
debug_level = 999
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
domains = xxxx
#services = nss, pam, ssh

[pam]
reconnection_retries = 3

[domain/xxxx]
#cache_credentials = true
use_fully_qualified_names = false
ldap_id_mapping = false
override_homedir = /mnt/data/homes/%u
default_shell = /bin/bash

id_provider = ldap
chpass_provider = ldap
auth_provider = ldap
access_provider = permit
ldap_uri = ldap://ldap.xxxx

ldap_id_use_start_tls = true

ldap_schema = rfc2307bis
ldap_search_base = DC=ldap,DC=goauthentik,DC=io
ldap_user_search_base = ou=users,DC=ldap,DC=goauthentik,DC=io
ldap_group_search_base = ou=groups,DC=ldap,DC=goauthentik,DC=io

ldap_user_object_class = user
ldap_user_name = cn
ldap_group_object_class = group
ldap_group_name = cn

#ldap_access_order = filter
#ldap_access_filter = memberOf=cn=smb,ou=groups,DC=ldap,DC=goauthentik,DC=io

ldap_default_bind_dn = cn=ldapservice,ou=users,DC=ldap,DC=goauthentik,DC=io
ldap_default_authtok = your_password_to_ldapservice
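
As an added example (not part of this thread or of authentik's own code), a small Python lint over an sssd.conf shaped like the one above, flagging the settings a reviewer would want checked before rolling it out; the sample config text is constructed from the post, and the finding wording is mine:

```python
import configparser

# Constructed sample based on the sssd.conf posted above; the bind password
# is the placeholder the post used, not a real credential.
SAMPLE_SSSD_CONF = """
[sssd]
debug_level = 999
config_file_version = 2
domains = xxxx

[domain/xxxx]
id_provider = ldap
auth_provider = ldap
access_provider = permit
ldap_uri = ldap://ldap.xxxx
ldap_id_use_start_tls = true
ldap_search_base = DC=ldap,DC=goauthentik,DC=io
ldap_default_bind_dn = cn=ldapservice,ou=users,DC=ldap,DC=goauthentik,DC=io
ldap_default_authtok = your_password_to_ldapservice
"""


def lint_sssd_conf(text: str) -> list[str]:
    """Return human-readable findings for the LDAP-backed domains in an sssd.conf."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    # int(x, 0) accepts both the legacy 0-9 levels and hex bitmask values.
    level = int(cp.get("sssd", "debug_level", fallback="0"), 0)
    if level > 3:
        findings.append(f"[sssd] debug_level={level}: verbose logs may record user names "
                        "and LDAP traffic details; lower it outside troubleshooting")
    for section in cp.sections():
        if not section.startswith("domain/") or cp[section].get("id_provider") != "ldap":
            continue
        dom = cp[section]
        uri = dom.get("ldap_uri", "")
        if uri.startswith("ldap://") and not dom.getboolean("ldap_id_use_start_tls", False):
            findings.append(f"[{section}] ldap_uri={uri} without ldap_id_use_start_tls: "
                            "bind credentials cross the network in clear text")
        if dom.get("access_provider") == "permit":
            findings.append(f"[{section}] access_provider=permit: every account that can bind "
                            "may log in; restrict with access_provider=ldap + ldap_access_filter")
        if "ldap_default_authtok" in dom:
            findings.append(f"[{section}] bind password is inline; keep sssd.conf root-owned "
                            "with mode 0600 and use a least-privilege service account")
    return findings
```
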

krim404 commented 1 week ago

Yes, SSSD works for me as well, as I said, but I can't get MacOS to use the LDAP.

gregistech commented 1 week ago

> Yes, SSSD works for me as well, as I said, but I can't get MacOS to use the LDAP.

Ah, I thought MacOS could use SSSD. Sadly I can't help with MacOS.