Deploying Authentik Part 1

A recent episode of the Risky Biz Podcast featured an interview with Fletcher Heisler from Authentik, who make an open-source SSO/IdP. I’ve been using Keycloak for a couple of years now and, while I have found it reliable, I have also found its feature set rather limited: I would like to move to using passkeys for logging into my systems and to bring RADIUS (easily) to my networking. So, after listening to the interview and hearing what Authentik can do, I’ve spun up an instance to see whether I can swap from Keycloak. The purpose of this blog post is to record some of the headaches I had getting my AD (Samba) back-end configured.

The basic installation is straightforward, and their documentation is mostly good. Spinning up a Docker instance was an easy task and should make managing the software in the future (for instance during a distro upgrade) much easier. I learned the hard way recently that when you do an Ubuntu in-place distribution upgrade and MariaDB is upgraded, you also need to upgrade MariaDB’s internal schema. But with Docker, and containers maintaining their own instances of, well, everything, the system becomes more resilient to my changes to the OS. Tick.

After following the bouncing ball through the initial setup, things started to fall apart when I added my AD back-end via LDAP. I found that users would sync with no issue once I correctly applied the filters to remove computer objects; however, groups and group memberships did not. The documentation did not make it clear exactly where the filters needed to go, and additional (superfluous) mappings were included by default, which caused the sync from Samba to fail.

I found that for my simple AD setup I only needed to sync ‘authentik default OpenLDAP Mapping:cn’ for the group properties. Under additional settings, I changed the User object filter to ‘(&(objectClass=user)(!(objectClass=computer)))’, the group membership field to ‘memberOf:1.2.840.113556.1.4.1941:’ and enabled the ‘Lookup using user attribute’ option. All of this was in the documentation but was left ambiguous, leaving me to try a couple of different combinations of settings until the groups appeared and were correctly populated. I then tested changing group membership in Samba AD, running a sync and checking that the changes propagated.
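As an added illustration (not code from this post or from authentik), the Python below models why those two filter settings matter, using a constructed five-entry miniature of a Samba AD: a small evaluator for RFC 4515 filters that understands the matching-rule-in-chain OID, showing that the computer exclusion keeps only people and that the transitive `memberOf` lookup resolves nested groups. The directory contents, DNs and the `parse`/`search` helpers are all assumptions for the example.

```python
IN_CHAIN = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN: match transitively
PERSON = {"top", "person", "organizationalPerson", "user"}
# Constructed miniature Samba AD (DN -> multi-valued attributes). The workstation
# carries objectClass=user as well as computer, which is why a bare
# (objectClass=user) filter drags machines into the user sync.
DIRECTORY = {
    "CN=alice,CN=Users,DC=example,DC=lan": {"objectClass": PERSON, "memberOf": {"CN=Admins,CN=Users,DC=example,DC=lan"}},
    "CN=bob,CN=Users,DC=example,DC=lan": {"objectClass": PERSON, "memberOf": {"CN=Staff,CN=Users,DC=example,DC=lan"}},
    "CN=WS01,CN=Computers,DC=example,DC=lan": {"objectClass": PERSON | {"computer"}, "memberOf": set()},
    "CN=Admins,CN=Users,DC=example,DC=lan": {"objectClass": {"top", "group"}, "memberOf": {"CN=Staff,CN=Users,DC=example,DC=lan"}},  # nested in Staff
    "CN=Staff,CN=Users,DC=example,DC=lan": {"objectClass": {"top", "group"}, "memberOf": set()},
}

def parse(s, i=0):
    """Parse one RFC 4515 filter at s[i] (and/or/not and equality only); return (node, next index)."""
    if s[i + 1] in "&|!":
        op, kids, i = s[i + 1], [], i + 2
        while s[i] == "(":
            node, i = parse(s, i)
            kids.append(node)
        return (op, kids), i + 1  # consume the closing ')'
    j = s.index(")", i)  # values containing ')' would need escaping; none are used here
    attr, val = s[i + 1:j].split("=", 1)
    return ("=", attr, val), j + 1

def transitive(attr, start):
    """Follow attr links from the DNs in start until the closure stops growing."""
    seen, todo = set(), list(start)
    while todo:
        dn = todo.pop()
        if dn not in seen:
            seen.add(dn)
            todo.extend(DIRECTORY.get(dn, {}).get(attr, ()))
    return seen

def matches(dn, node):
    """Evaluate a parsed filter against one entry (exact-case matching, for brevity)."""
    entry, kind = DIRECTORY[dn], node[0]
    if kind == "&": return all(matches(dn, k) for k in node[1])
    if kind == "|": return any(matches(dn, k) for k in node[1])
    if kind == "!": return not matches(dn, node[1][0])
    _, attr, val = node
    if attr.endswith(":" + IN_CHAIN + ":"):  # e.g. memberOf:1.2.840.113556.1.4.1941:=<group DN>
        base = attr[: -len(IN_CHAIN) - 2]
        return val in transitive(base, entry.get(base, ()))
    return val in entry.get(attr, ())

def search(flt):  # DNs matching the filter string, sorted for stable comparison
    return sorted(dn for dn in DIRECTORY if matches(dn, parse(flt)[0]))
```

Running `search("(&(objectClass=user)(!(objectClass=computer)))")` returns only alice and bob, while the in-chain form of `memberOf` against the Staff group also picks up alice through her nested Admins membership, which a plain `memberOf=` equality misses.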

With the basics up and running, I can now look forward to setting up the built-in RADIUS functionality, which I hope to integrate into my Ubiquiti UniFi Wi-Fi so I can enable identity-aware WPA3-Enterprise networking. I also began playing around with the default flows and logging in with my user account using a passkey, with some success. I suspect that Authentik will end up replacing Keycloak as my single sign-on provider once I’ve finished learning its nuances.