Authentik LDAP integration and MFA setup#339
Pull request overview
Adds a declarative authentik deployment (blueprints + documentation) to provide SSO, LDAP, and enforced MFA for the MIE Opensource platform, and extends the base container/SSSD configuration to support LDAP-based access filtering and SSH public keys sourced from LDAP.
Changes:
- Introduces a set of authentik blueprints to define login/enrollment flows, a shared MFA validation stage, an LDAP provider/application, and a service account + group model for LDAP access control.
- Updates the base image SSSD configuration and docs to support LDAP access filtering and SSH public key retrieval via SSSD/sshd integration.
- Adds operational glue: a seeder to backfill new SSSD env vars and a script to create missing authentik users from the create-a-container API.
Reviewed changes
Copilot reviewed 15 out of 18 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| mie-opensource-landing/docs/admins/ldap-servers.md | Documents new SSSD access provider/filter and additional LDAP/SSSD env vars. |
| images/base/sssd.conf.template | Adds LDAP access filtering and sshPublicKey mapping for SSSD, plus homedir/shell defaults. |
| images/base/Dockerfile | Installs sssd-tools and adds sshd drop-in for SSSD authorized keys. |
| images/base/50-sss-ssh-authorizedkeys.conf | Configures sshd to fetch authorized keys via sss_ssh_authorizedkeys. |
| create-a-container/seeders/20260604000003-seed-sssd-access-filter-and-user-attrs.js | Backfills new SSSD_* settings keys into default_container_env_vars. |
| create-a-container/bin/sync-users-to-authentik.sh | Create-only sync of users from create-a-container into authentik via API. |
| authentik/README.md | End-to-end documentation of blueprint import order, flows, MFA behavior, and LDAP binding model. |
| authentik/blueprints/40-opensource-ldap.yaml | Defines LDAP provider/application and restricts bind access to ldapusers; grants proxyuser directory search permission. |
| authentik/blueprints/30-opensource-brand.yaml | Configures default brand and assigns default flows. |
| authentik/blueprints/30-flow-invitation-enrollment.yaml | Adds invitation-based onboarding flow that assigns ldapusers and enforces MFA setup. |
| authentik/blueprints/20-opensource-user-settings-flow.yaml | Adds user settings flow with read-only username and SSH key attribute editing. |
| authentik/blueprints/20-opensource-authentication-flow.yaml | Refactors to reuse shared MFA stage and adds proxyuser 2FA exception behavior. |
| authentik/blueprints/12-flows-enrollment-email-verification.yaml | Enforces MFA setup after email verification during self-service registration. |
| authentik/blueprints/11-opensource-mfa-validation-stage.yaml | Introduces shared authenticator validation stage used across flows. |
| authentik/blueprints/10-opensource-ldap-identity.yaml | Creates ldapusers group and ldap-proxyuser service account. |
| authentik/blueprints/10-opensource-authenticator-duo-setup.yaml | Adds push-notification authenticator stage + setup flow. |
- Wrap LDAP access-filter examples in parentheses so they are valid filter syntax when copied into SSSD_LDAP_ACCESS_FILTER (seeder + ldap-servers docs).
- Correct the authentik README description of the MFA stage binding: with policy_engine_mode: all the stage runs only when all policies pass; the negated proxyuser binding fails, skipping 2FA for that account.
- Fix the proxyuser note in 10-opensource-ldap-identity.yaml, which wrongly claimed the proxyuser is not granted search_full_directory (it is, read-only, per 40-opensource-ldap.yaml).
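The commit above fixes documentation examples that were not valid LDAP filter syntax. The following is an added example, not the PR's sssd.conf.template or seeder: it renders the SSSD domain section and the sshd authorized-keys drop-in from SSSD_* settings, wrapping a bare access filter in parentheses (and rejecting an unbalanced or concatenated one) before it reaches ldap_access_filter. Only SSSD_LDAP_ACCESS_FILTER is named on the page; the other SSSD_* keys, the domain name, the sample DNs and host, and the /usr/bin/sss_ssh_authorizedkeys path are assumptions.

```python
"""Render the SSSD domain section and sshd drop-in from SSSD_* settings.

Added example, not the project's own template. Only SSSD_LDAP_ACCESS_FILTER
appears in the PR; every other key, path and sample value here is assumed.
"""


def normalize_ldap_filter(value: str) -> str:
    """Return `value` as a single RFC 4515 filter wrapped in parentheses.

    SSSD rejects a bare `memberOf=...` in ldap_access_filter, which is the
    documentation mistake the commit fixes. A bare filter is wrapped; a
    filter with unbalanced parentheses, or two filters concatenated
    without an enclosing operator, raises ValueError.
    """
    value = value.strip()
    if not value:
        raise ValueError("empty LDAP access filter")
    depth = 0
    for pos, ch in enumerate(value):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError(f"unbalanced ')' in filter: {value}")
            # An outer group that closes before the end means two filters
            # were concatenated, e.g. "(a=1)(b=2)", which SSSD will not parse.
            if depth == 0 and value[0] == "(" and pos != len(value) - 1:
                raise ValueError(f"more than one top-level filter: {value}")
    if depth != 0:
        raise ValueError(f"unclosed '(' in filter: {value}")
    return value if value.startswith("(") else f"({value})"


def render_sssd_domain(env: dict, domain: str = "default") -> str:
    """Build the [domain/...] section with LDAP access control and SSH keys."""
    access_filter = normalize_ldap_filter(env["SSSD_LDAP_ACCESS_FILTER"])
    lines = [
        f"[domain/{domain}]",
        "id_provider = ldap",
        "auth_provider = ldap",
        # access_provider = ldap makes ldap_access_filter decide who may log
        # in; without it every user the directory returns is allowed.
        "access_provider = ldap",
        f"ldap_uri = {env['SSSD_LDAP_URI']}",
        f"ldap_search_base = {env['SSSD_LDAP_SEARCH_BASE']}",
        f"ldap_access_filter = {access_filter}",
        # Attribute holding the user's public key, read by sss_ssh_authorizedkeys.
        "ldap_user_ssh_public_key = sshPublicKey",
        f"fallback_homedir = {env.get('SSSD_FALLBACK_HOMEDIR', '/home/%u')}",
        f"default_shell = {env.get('SSSD_DEFAULT_SHELL', '/bin/bash')}",
    ]
    return "\n".join(lines) + "\n"


def render_sshd_dropin() -> str:
    """sshd_config.d drop-in that asks SSSD for a user's authorized keys.

    The helper path is the usual one on Debian/Fedora; it is an assumption.
    """
    return (
        "AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n"
        "AuthorizedKeysCommandUser nobody\n"
    )


# Constructed sample settings: the host and DNs are placeholders, and the
# filter is deliberately the bare form that the docs used to show.
SAMPLE_ENV = {
    "SSSD_LDAP_URI": "ldaps://authentik-ldap.example.org",
    "SSSD_LDAP_SEARCH_BASE": "dc=example,dc=org",
    "SSSD_LDAP_ACCESS_FILTER": "memberOf=cn=ldapusers,ou=groups,dc=example,dc=org",
}

if __name__ == "__main__":
    print(render_sssd_domain(SAMPLE_ENV, "opensource"))
    print(render_sshd_dropin())
```

Running the block prints a domain section whose `ldap_access_filter` line carries the wrapped filter; feeding it `(a=1)(b=2)` or an unclosed filter fails before SSSD is ever restarted with a config it would refuse.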
Cutover Plan
sync-users-to-authentik.sh script
Copilot Summary
This pull request introduces a comprehensive, declarative configuration for deploying authentik as the identity provider for the MIE Opensource platform. It establishes SSO, LDAP, and enforced push-based 2FA for all interactive users, using a set of blueprints that define all flows, stages, and required identities. The changes modularize the configuration, enforce strict import order, and document the deployment and flow logic in detail.
The most important changes are:
Documentation and Structure:
README.md in the authentik directory, explaining the deployment architecture, flow logic, environment variables, and blueprint import order for reproducible identity provider setup.
Blueprints for Authentication and Enrollment:
10-opensource-authenticator-duo-setup.yaml), LDAP identity group and service account (10-opensource-ldap-identity.yaml), and a shared MFA validation stage (11-opensource-mfa-validation-stage.yaml). These blueprints ensure all interactive flows require push-based 2FA and that only authorized users/groups can bind to LDAP. [1] [2] [3]
Flow and Stage Refactoring:
Blueprint Organization and Import Order:
50-opensource-authentication-flow.yaml to 20-opensource-authentication-flow.yaml, 10-flows-enrollment-email-verification.yaml to 12-flows-enrollment-email-verification.yaml). This prevents import errors and makes dependencies explicit. [1] [2] [3] [4]
Configuration Improvements:
These changes provide a robust, reproducible, and well-documented authentik deployment for the platform, with strong security and clear operational guidance.
TODO
ldapusers to bind to it