goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

LDAP Outpost will refuse to start until an Application is created that uses it #9512

Open davidfrickert opened 2 months ago

davidfrickert commented 2 months ago

Describe the bug
LDAP Outpost will refuse to start until an Application is created that uses it. This is a bit strange; is it intended? The logs do not imply that an application is required, so it is kind of confusing to understand what is happening, but it does start working once an Application is created.

To Reproduce
Steps to reproduce the behavior:

  1. Deploy Authentik via Helm
  2. Use terraform to provision LDAP outpost without configuring application
  3. LDAP outpost is in a reboot loop
  4. Configure application
  5. LDAP outpost works fine

Expected behavior
LDAP outpost starts without an application configured in Authentik to use it.

Screenshots
Not necessary.

Logs

Before creating application - LDAP outpost container refuses to start:

{"event":"Loaded config","level":"debug","path":"inbuilt-default","timestamp":"2024-04-29T13:16:09Z"}
{"event":"Loaded config from environment","level":"debug","timestamp":"2024-04-29T13:16:09Z"}
{"event":"not enabling debug server, set `AUTHENTIK_DEBUG` to `true` to enable it.","level":"info","logger":"authentik.go_debugger","timestamp":"2024-04-29T13:16:09Z"}
{"event":"Successfully connected websocket","level":"info","logger":"authentik.outpost.ak-ws","outpost":"27d5c728-b0c9-43a5-847d-f9a748144813","timestamp":"2024-04-29T13:16:09Z"}
{"error":"no ldap provider defined","event":"Failed to run server","level":"panic","timestamp":"2024-04-29T13:16:10Z"}
{"event":"finished shutdown","level":"info","logger":"authentik.outpost.ak-api-controller","timestamp":"2024-04-29T13:16:10Z"}
panic: (*logrus.Entry) 0xc00015e930

goroutine 1 [running]:
github.com/sirupsen/logrus.(*Entry).log(0xc00015e8c0, 0x0, {0xc000130840, 0x14})
        /go/pkg/mod/github.com/sirupsen/logrus@v1.9.3/entry.go:260 +0x491
github.com/sirupsen/logrus.(*Entry).Log(0xc00015e8c0, 0x0, {0xc00060fb88?, 0x10dfaa0?, 0xc000136950?})
        /go/pkg/mod/github.com/sirupsen/logrus@v1.9.3/entry.go:304 +0x48
github.com/sirupsen/logrus.(*Entry).Panic(...)
        /go/pkg/mod/github.com/sirupsen/logrus@v1.9.3/entry.go:342
main.init.func2(0xc0000ac600?, {0x128d597?, 0x4?, 0x128d59b?})
        /go/src/goauthentik.io/cmd/ldap/main.go:79 +0x45d
github.com/spf13/cobra.(*Command).execute(0x1c92760, {0xc00019c040, 0x0, 0x0})
        /go/pkg/mod/github.com/spf13/cobra@v1.8.0/command.go:987 +0xab1
github.com/spf13/cobra.(*Command).ExecuteC(0x1c92760)
        /go/pkg/mod/github.com/spf13/cobra@v1.8.0/command.go:1115 +0x3ff
github.com/spf13/cobra.(*Command).Execute(...)
        /go/pkg/mod/github.com/spf13/cobra@v1.8.0/command.go:1039
main.main()
        /go/src/goauthentik.io/cmd/ldap/main.go:90 +0x48

After application created - starts OK:

{"event":"Loaded config","level":"debug","path":"inbuilt-default","timestamp":"2024-04-29T13:17:43Z"}
{"event":"Loaded config from environment","level":"debug","timestamp":"2024-04-29T13:17:43Z"}
{"event":"not enabling debug server, set `AUTHENTIK_DEBUG` to `true` to enable it.","level":"info","logger":"authentik.go_debugger","timestamp":"2024-04-29T13:17:43Z"}
{"event":"Successfully connected websocket","level":"info","logger":"authentik.outpost.ak-ws","outpost":"27d5c728-b0c9-43a5-847d-f9a748144813","timestamp":"2024-04-29T13:17:43Z"}
{"event":"initialised direct binder","level":"info","logger":"authentik.outpost.ldap.binder.direct","timestamp":"2024-04-29T13:17:44Z"}
{"event":"Update providers","level":"info","logger":"authentik.outpost.ldap","timestamp":"2024-04-29T13:17:44Z"}
{"event":"Starting LDAP server","level":"info","listen":"0.0.0.0:3389","logger":"authentik.outpost.ldap","timestamp":"2024-04-29T13:17:44Z"}
{"event":"Starting Metrics server","level":"info","listen":"0.0.0.0:9300","logger":"authentik.outpost.metrics","timestamp":"2024-04-29T13:17:44Z"}
{"event":"Starting LDAP SSL server","level":"info","listen":"0.0.0.0:6636","logger":"authentik.outpost.ldap","timestamp":"2024-04-29T13:17:44Z"}
{"event":"Starting authentik outpost","hash":"tagged","level":"info","logger":"authentik.outpost","timestamp":"2024-04-29T13:17:44Z","version":"2024.4.1"}
{"event":"initialised direct binder","level":"info","logger":"authentik.outpost.ldap.binder.direct","timestamp":"2024-04-29T13:17:44Z"}
{"event":"Update providers","level":"info","logger":"authentik.outpost.ldap","timestamp":"2024-04-29T13:17:44Z"}

Version and Deployment (please complete the following information):

Additional context
N/A
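A small log-triage helper, added here as an illustration and not part of the report or of authentik itself: it parses the outpost's JSON log lines (skipping the Go stack trace), and classifies a start-up attempt as crashed, started, or incomplete, surfacing the `no ldap provider defined` error and the listeners that came up. The sample input is constructed from the two excerpts above.

```python
import json

# Constructed sample input, trimmed from the two log excerpts in the report.
CRASH_LOG = """\
{"event":"Loaded config","level":"debug","path":"inbuilt-default","timestamp":"2024-04-29T13:16:09Z"}
{"event":"Successfully connected websocket","level":"info","logger":"authentik.outpost.ak-ws","outpost":"27d5c728-b0c9-43a5-847d-f9a748144813","timestamp":"2024-04-29T13:16:09Z"}
{"error":"no ldap provider defined","event":"Failed to run server","level":"panic","timestamp":"2024-04-29T13:16:10Z"}
panic: (*logrus.Entry) 0xc00015e930
goroutine 1 [running]:
main.main()
"""
OK_LOG = """\
{"event":"Successfully connected websocket","level":"info","logger":"authentik.outpost.ak-ws","outpost":"27d5c728-b0c9-43a5-847d-f9a748144813","timestamp":"2024-04-29T13:17:43Z"}
{"event":"Starting LDAP server","level":"info","listen":"0.0.0.0:3389","logger":"authentik.outpost.ldap","timestamp":"2024-04-29T13:17:44Z"}
{"event":"Starting Metrics server","level":"info","listen":"0.0.0.0:9300","logger":"authentik.outpost.metrics","timestamp":"2024-04-29T13:17:44Z"}
{"event":"Starting LDAP SSL server","level":"info","listen":"0.0.0.0:6636","logger":"authentik.outpost.ldap","timestamp":"2024-04-29T13:17:44Z"}
"""

# Known crash causes and the remedy the report above describes; extend as needed.
HINTS = {
    "no ldap provider defined": "outpost reached the API but received no provider; "
    "check that the LDAP provider is assigned to an application",
}

def parse_events(text):
    """Yield one dict per JSON log line; Go panic and stack-trace lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated line, e.g. a cut-off container log

def triage(text):
    """Classify an outpost start-up log as 'started', 'crashed' or 'incomplete'."""
    result = {"status": "incomplete", "outpost": None, "listeners": [], "error": None, "hint": None}
    for ev in parse_events(text):
        if ev.get("event") == "Successfully connected websocket":
            result["outpost"] = ev.get("outpost")
        elif ev.get("level") == "panic":
            result.update(status="crashed", error=ev.get("error"))
            result["hint"] = HINTS.get(result["error"], "unknown cause, see stack trace")
            break  # the process is gone; nothing after this line is useful
        elif ev.get("event", "").startswith("Starting LDAP") and ev.get("listen"):
            result["listeners"].append(ev["listen"])  # LDAP listeners only, not metrics
    if result["status"] == "incomplete" and result["listeners"]:
        result["status"] = "started"
    return result

if __name__ == "__main__":
    for name, log in (("before", CRASH_LOG), ("after", OK_LOG)):
        print(name, triage(log))
```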

davidfrickert commented 2 months ago

Sample terraform file for testing (token needs to be replaced). Deploy as is to test that the LDAP outpost does not become healthy; uncomment the last lines to add a dummy application and check that the outpost becomes healthy.

terraform {
  required_providers {
    authentik = {
      source  = "goauthentik/authentik"
      version = "2024.4.0"
    }
  }
}

# API connection; the token is a placeholder and must be replaced before use.
provider "authentik" {
  url      = "https://authentik.127.0.0.1.sslip.io"
  token    = "REPLACEME"
  insecure = true
}

# Built-in authentication flow used for LDAP binds.
data "authentik_flow" "default-authentication-flow" {
  slug = "default-authentication-flow"
}

# Deploy the outpost into the same cluster authentik itself runs in.
resource "authentik_service_connection_kubernetes" "local" {
  name  = "local"
  local = true
}

# LDAP provider; at this point no application references it.
resource "authentik_provider_ldap" "default" {
  name      = "authentik-ldap-provider"
  base_dn   = "dc=example,dc=com"
  bind_flow = data.authentik_flow.default-authentication-flow.id
}

resource "authentik_outpost" "outpost-ldap" {
  name               = "ldap"
  type               = "ldap"
  service_connection = authentik_service_connection_kubernetes.local.id
  config = jsonencode({
    "log_level" : "info",
    "authentik_host" : "http://authentik-server.keycloak-iam.svc.cluster.local",
    "docker_map_ports" : true,
    "kubernetes_replicas" : 1,
    "kubernetes_namespace" : "keycloak-iam",
    "authentik_host_browser" : "",
    "object_naming_template" : "ak-outpost-%(name)s",
    "authentik_host_insecure" : false,
    "kubernetes_service_type" : "ClusterIP",
    "kubernetes_image_pull_secrets" : [],
    "kubernetes_disabled_components" : [],
    "kubernetes_ingress_annotations" : {},
    "kubernetes_ingress_secret_name" : "authentik-outpost-tls"
  })
  protocol_providers = [
    authentik_provider_ldap.default.id
  ]
}

# for some reason the LDAP outpost won't start without an app configured to use it...?
# resource "authentik_application" "dummy-ldap" {
#  name              = "dummy-ldap"
#  slug              = "dummy-ldap"
#  protocol_provider = authentik_provider_ldap.default.id
# }

authentik-automation[bot] commented 6 hours ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.