Authentik Outposts

[gdeeble]

Has anyone successfully installed authentik and gotten additional outposts to work? I've tried both LDAP and radius and neither seem to respond. From what I can tell with my minimal knowledge of docker, it looks like it spools up a new pod per outpost.

[Toastyyy3]

Yes, I got it to work. So basically what I did was I extracted the ldap binary and the openssl binary and all their config files from the docker container (Theoretically you could also build your own openssl binary with the FIPS flag enabled) and just insert all those files in their corresponding directory in a new LXC Container. Firstly you should follow the authentik tutorial to creating the LDAP outpost, application etc.
Step by step:

1. Spin up a new VM or LXC with Docker
2. Spin up an LDAP or Proxy Docker container by creating a compose.yaml, where you paste the corresponding stuff from the following link and then "docker compose up -d" (https://docs.goauthentik.io/docs/add-secure-apps/outposts/manual-deploy-docker-compose)
3. In the Docker Host:

• docker cp DOCKER_CONTAINER_NAME:/ldap ./ldap
• docker cp DOCKER_CONTAINER_NAME:/usr/local/lib64/ossl-modules/fips.so ./fips.so
• docker cp DOCKER_CONTAINER_NAME:/usr/local/bin/openssl ./openssl
• docker cp DOCKER_CONTAINER_NAME:/usr/local/ssl ./ssl (<-- this is a directory containing the configs of openssl)

4. Enable ssh access in the Docker Host so you can scp files from it
5. Create a new LXC (you could probably also do it on the authentik host)
6. You might want to delete the existing files in the container before so you can ensure only your files are left. Copy all those files from the Docker Host via scp to your newly created LXC to their respective path:

• fips.so --> /usr/local/lib64/ossl-modules/fips.so
• openssl --> /usr/local/bin/openssl
• ssl --> /usr/local/ssl
• ldap --> anywhere (maybe /opt/)
• Also create a symbolic link to enable access to openssl from anywhere: ln -s /usr/local/bin/openssl /usr/bin/openssl

7. Confirm openssl is working correctly by typing "openssl list -providers". The output should look as follows:

Providers:
default
name: OpenSSL Default Provider
version: 3.0.15
status: active
fips
name: OpenSSL FIPS Provider
version: 3.0.9
status: active

It's important that the fips provider is mentioned here. If fips is not mentioned here, even though you copied the files over, check which config openssl is using via "openssl version -d". If this doesn't correspond to the path of the ssl directory, you might want to add the following environment variables to your /etc/environment:
export OPENSSL_CONF=/usr/local/ssl/openssl.cnf
export OPENSSL_MODULES=/usr/local/lib64/ossl-modules

8. Create the following environment variables by either appending an "export VARIABLE_NAME=VALUE" to your .bashrc or by appending them to your /etc/environmet or to your service if you create one:

• AUTHENTIK_HOST=https://auth.yourdomain.com
• AUTHENTIK_TOKEN=TOKEN
• AUTHENTIK_INSECURE=VALUE
  You get all these values from your authentik admin interface --> Applications --> Outposts and right next to the LDAP Outpost, there is a "show installation info" button.

9. Run the ldap binary or the service

Now I'm thinking about how to automate this for the community so one doesn't always have to spin up the docker etc. once a new version is available. Any ideas?

Edit: Added Openssl environment variables

[nasirHo]

I suggest we add the build commands to the installation and upgrade scripts:

go build -o /go/ldap ./cmd/ldap
go build -o /go/rac ./cmd/rac

We should also include systemd service files.
Below is the one I use for LDAP:

[Unit]
Description=authentik LDAP outpost

[Service]
ExecStart=/go/ldap
Restart=always
RestartSec=5
Environment=GOFIPS=1
Environment=AUTHENTIK_LISTEN__LDAP=0.0.0.0:389
Environment=AUTHENTIK_LISTEN__LDAPS=0.0.0.0:636
Environment=AUTHENTIK_LISTEN__METRICS=0.0.0.0:9301 # Avoid binding to the same port
EnvironmentFile=/etc/authentik/ldap.env

[Install]
WantedBy=multi-user.target

User can place required environment variable in /etc/authentik/ldap.env

We could also add a switch to allow users to choose whether or not to build them.