goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

Cannot get LDAP Outpost to work #9135

Closed ledahosn closed 2 weeks ago

ledahosn commented 5 months ago

Describe your question: I'm trying to create an LDAP authentication procedure, but I'm stuck with the LDAP outpost restarting in a loop. I am using a docker-compose.yml like this:

If I change the token or URL, I'm getting the correct errors, so the connection is working fine.

Relevant info: debian, docker

ghcr.io/goauthentik/server                      2024.2.2         10d11d26be3b   4 weeks ago    714MB
ghcr.io/goauthentik/ldap                        latest           c1cfe7b36298   4 weeks ago    39.6MB


Logs: docker-compose.yml

version: "3.4"

services:
  postgresql:
    image: docker.io/library/postgres:12-alpine
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    volumes:
      - database:/var/lib/postgresql/data
    environment:
      POSTGRES_PASSWORD: ${PG_PASS:?database password required}
      POSTGRES_USER: ${PG_USER:-authentik}
      POSTGRES_DB: ${PG_DB:-authentik}
    env_file:
      - .env
  redis:
    image: docker.io/library/redis:alpine
    command: --save 60 1 --loglevel warning
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s
    volumes:
      - redis:/data
  server:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.2.2}
    restart: unless-stopped
    command: server
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
    volumes:
      - ./media:/media
      - ./custom-templates:/templates
    env_file:
      - .env
    ports:
      - "${COMPOSE_PORT_HTTP:-9000}:9000"
      - "${COMPOSE_PORT_HTTPS:-9443}:9443"
    depends_on:
      - postgresql
      - redis
  worker:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.2.2}
    restart: unless-stopped
    command: worker
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
    # `user: root` and the docker socket volume are optional.
    # See more for the docker socket integration here:
    # https://goauthentik.io/docs/outposts/integrations/docker
    # Removing `user: root` also prevents the worker from fixing the permissions
    # on the mounted folders, so when removing this make sure the folders have the correct UID/GID
    # (1000:1000 by default)
    user: root
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./media:/media
      - ./certs:/certs
      - ./custom-templates:/templates
    env_file:
      - .env
    depends_on:
      - postgresql
      - redis
  ldap:
    image: ghcr.io/goauthentik/ldap
    ports:
      - 389:3389
      - 636:6636
    environment:
      AUTHENTIK_DEBUG: "true"
      AUTHENTIK_HOST: http://AUTHENTIK_URL
      AUTHENTIK_INSECURE: "true"
      AUTHENTIK_TOKEN: "MY_TOKEN"
volumes:
  database:
    driver: local
  redis:
    driver: local

Output of docker-compose logs for the outpost:

ldap-1  | {"event":"Loaded config from environment","level":"debug","timestamp":"2024-04-04T13:45:56Z"}
ldap-1  | timestamp="2024-04-04T13:45:56Z" level=info event="Starting Debug server" listen="0.0.0.0:9900" logger=authentik.go_debugger
ldap-1  | timestamp="2024-04-04T13:45:57Z" level=info event="Successfully connected websocket" logger=authentik.outpost.ak-ws outpost=77c51912-bf25-47c4-9f2e-350ea429ca35
ldap-1  | timestamp="2024-04-04T13:45:57Z" level=panic event="Failed to run server" error="no ldap provider defined"
ldap-1  | timestamp="2024-04-04T13:45:57Z" level=info event="finished shutdown" logger=authentik.outpost.ak-api-controller
ldap-1  | panic: (*logrus.Entry) 0xc0001e60e0
ldap-1  |
ldap-1  | goroutine 1 [running]:
ldap-1  | github.com/sirupsen/logrus.(*Entry).log(0xc0001e6070, 0x0, {0xc00001e1e0, 0x14})
ldap-1  |       /go/pkg/mod/github.com/sirupsen/logrus@v1.9.3/entry.go:260 +0x491
ldap-1  | github.com/sirupsen/logrus.(*Entry).Log(0xc0001e6070, 0x0, {0xc0005abb88?, 0x109d960?, 0xc0006841a0?})
ldap-1  |       /go/pkg/mod/github.com/sirupsen/logrus@v1.9.3/entry.go:304 +0x48
ldap-1  | github.com/sirupsen/logrus.(*Entry).Panic(...)
ldap-1  |       /go/pkg/mod/github.com/sirupsen/logrus@v1.9.3/entry.go:342
ldap-1  | main.init.func2(0xc00033a600?, {0x123cf0f?, 0x4?, 0x123cf13?})
ldap-1  |       /go/src/goauthentik.io/cmd/ldap/main.go:79 +0x45d
ldap-1  | github.com/spf13/cobra.(*Command).execute(0x1bf00a0, {0xc00012e120, 0x0, 0x0})
ldap-1  |       /go/pkg/mod/github.com/spf13/cobra@v1.8.0/command.go:987 +0xab1
ldap-1  | github.com/spf13/cobra.(*Command).ExecuteC(0x1bf00a0)
ldap-1  |       /go/pkg/mod/github.com/spf13/cobra@v1.8.0/command.go:1115 +0x3ff
ldap-1  | github.com/spf13/cobra.(*Command).Execute(...)
ldap-1  |       /go/pkg/mod/github.com/spf13/cobra@v1.8.0/command.go:1039
ldap-1  | main.main()
ldap-1  |       /go/src/goauthentik.io/cmd/ldap/main.go:90 +0x48
PentaPaetzold commented 5 months ago

I don't know about the LDAP image, but you may not need the service ghcr.io/goauthentik/ldap in the compose file when you use the Docker integration and connect the outpost to the Docker integration. That works perfectly for me. Maybe you want to check that the outpost integration works and have it assigned in the LDAP outpost? For my case I am using a Unix socket specified with "unix://var/run/docker.sock" (mind that "unix:///var/run/docker.sock" is not working, at least for me!)

After that, you can find the docker service ak-outpost-ldap running and automatically managed by authentik.

BeryJu commented 2 weeks ago

The error is caused by no LDAP applications/providers being defined in the outpost, which shouldn't be possible in most cases, as authentik will prevent it.

Also, the LDAP outpost is required to be on the same version as your authentik instance; your docker-compose file is missing a version tag for the ldap container.
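The version-mismatch point above is easy to check mechanically before deploying. The script below is an added example, not code from the authentik project or from anyone in this thread: it scans a docker-compose.yml for `ghcr.io/goauthentik/*` outpost images and reports any whose tag is missing (which resolves to `:latest`) or differs from the tag the `server` service resolves to. The embedded compose text is a constructed, abridged copy of the file in the report; the line-based parser and the `${VAR:-default}` expansion are assumptions made here so the check runs without PyYAML.

```python
"""Added example (not from the authentik project): flag goauthentik outpost images
in a compose file whose tag is missing or differs from the server's tag."""
import re

# Constructed sample mirroring the issue's compose file (abridged to the lines
# the check needs); the ldap service carries no tag, exactly as reported.
SAMPLE_COMPOSE = """\
version: "3.4"
services:
  postgresql:
    image: docker.io/library/postgres:12-alpine
  server:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.2.2}
    command: server
  worker:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.2.2}
    command: worker
  ldap:
      image: ghcr.io/goauthentik/ldap
      environment:
          AUTHENTIK_HOST: http://AUTHENTIK_URL
volumes:
  database:
    driver: local
"""

_VAR = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)(?::-([^}]*))?\}")


def resolve_defaults(value, env=None):
    """Expand ${VAR} / ${VAR:-default} like compose: env value first, else default."""
    env = env or {}
    return _VAR.sub(lambda m: env.get(m.group(1), m.group(2) or ""), value)


def parse_images(text):
    """Map service name -> raw image string by tracking indentation under 'services:'."""
    images, in_services, svc_indent, current = {}, False, None, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:  # a new top-level key; only 'services:' interests us
            in_services, svc_indent, current = stripped == "services:", None, None
            continue
        if not in_services:
            continue
        if svc_indent is None:
            svc_indent = indent  # indentation level of service names
        if indent == svc_indent and stripped.endswith(":"):
            current = stripped[:-1]
            continue
        m = re.match(r"image:\s*(\S+)", stripped)
        if m and current:
            images[current] = m.group(1)
    return images


def split_tag(image):
    """'repo:tag' -> (repo, tag); a registry port (host:5000/x) is not a tag."""
    repo, sep, tag = image.rpartition(":")
    if not sep or "/" in tag:
        return image, None
    return repo, tag


def check_outpost_tags(compose_text, env=None):
    """Return (service, status, outpost_tag, server_tag) for each outpost image that
    is untagged or pinned to a version other than the server's."""
    images = {s: resolve_defaults(i, env) for s, i in parse_images(compose_text).items()}
    server_tag = None
    for image in images.values():
        repo, tag = split_tag(image)
        if repo == "ghcr.io/goauthentik/server":
            server_tag = tag
            break
    findings = []
    for svc, image in images.items():
        repo, tag = split_tag(image)
        if not repo.startswith("ghcr.io/goauthentik/") or repo.endswith("/server"):
            continue  # only outpost images (ldap, proxy, radius, ...) are checked
        if tag is None:
            findings.append((svc, "untagged", None, server_tag))
        elif tag != server_tag:
            findings.append((svc, "mismatch", tag, server_tag))
    return findings


if __name__ == "__main__":
    for svc, status, got, want in check_outpost_tags(SAMPLE_COMPOSE):
        print(f"{svc}: {status} (outpost tag={got}, server tag={want})")
```

Run it against the real file with `check_outpost_tags(open("docker-compose.yml").read(), env=dict(os.environ))` so that an `AUTHENTIK_TAG` set in the shell is honoured the same way compose honours it; an empty result means every outpost image is pinned to the server's version.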