Infrastructure to support LDAP based auth in TAK via Authentik
Important
The Auth-Infra service assumes the following prerequisite dependencies are deployed before its initial deployment:
| Name | Notes |
|---|---|
| tak-vpc-<name> | VPC & networking to place tasks in - repo |
An AWS ACM certificate must also be generated that covers the subdomain that the Auth-Infra is deployed to.
From the root directory, install the deploy dependencies:
npm install
Deployment to AWS is handled via AWS CloudFormation. The template can be found in the ./cloudformation
directory. The deployment itself is performed by Deploy, which was installed in the previous step.
Note
The deploy tool can be run via the following:
npx deploy
To install it globally, view the deploy README.
Deploy uses your existing AWS credentials. Ensure that your ~/.aws/credentials has an entry like:
[coe]
aws_access_key_id = <redacted>
aws_secret_access_key = <redacted>
Deployment can then be performed via the following:
npx deploy create <stack>
npx deploy update <stack>
npx deploy info <stack> --outputs
npx deploy info <stack> --parameters
Stacks can be created, deleted, cancelled, etc. all via the deploy tool. For further information
about deploy functionality, run the following for help:
npx deploy
The CloudFormation is split into two stacks to ensure consistent deploy results.
The first portion deploys the Authentik Server itself. The second portion deploys the Authentik LDAP Outpost.
Step 1: Create the Authentik Server Portion
npx deploy create <stack>
The custom Authentik server image in this repository bakes in
docker/authentik-server/user_settings.py, which is copied to
/data/user_settings.py inside the container. Authentik loads that file automatically on startup for both the
server and worker processes. It is currently used to enable Django BCrypt password hashers for imported legacy
passwords.
The Authentik server ECS service now always uses target-tracking autoscaling. CPU utilization is hardcoded to a
60% target and memory utilization is hardcoded to a 75% target. The CloudFormation parameters
ServerAutoScalingMinCapacity and ServerAutoScalingMaxCapacity can be used to bound cost.
Step 2: Configure the Authentik LDAP Provider
Follow the instructions in the Authentik documentation to create an LDAP provider.
- LDAP Service Account: the username and password were created by the above CloudFormation template as a Secrets Manager secret in coe-auth-<stack>/svc.
- LDAP Outpost AUTHENTIK_TOKEN: the Authentik server creates an AUTHENTIK_TOKEN for the LDAP Outpost, which needs to be saved in Secrets Manager as the value of the secret coe-auth-<stack>/authentik-ldap-token before the outpost stack is created in Step 3.
Step 3: Create the Authentik LDAP Outpost
npx deploy create <stack> --template ./cloudformation/ldap.template.js
Step 4: Verify the LDAP DNS record
The LDAP stack now creates an ldap.<hosted-zone-name> Route53 alias automatically and points it at the internal NLB. For example, if the hosted zone is epatak.org, the stack will create ldap.epatak.org.
The LDAP outpost is exposed as LDAPS only, on port 636. The LDAP CloudFormation template automatically associates the VPC ACM certificate with the secure listener. That certificate must cover ldap.<hosted-zone-name> (directly or via a wildcard); otherwise clients that validate the chain, including ldapsearch with OpenLDAP's default TLS_REQCERT demand, will refuse the connection before any bind is attempted.
TLS terminates on the NLB at port 636 and the decrypted LDAP traffic is forwarded internally to the outpost on port 3389. That NLB-to-outpost hop is plaintext inside the VPC, so confirm that the outpost's security group accepts 3389 only from the NLB's subnets and that 3389 is not reachable from outside the VPC.
Search Example (using the built-in akadmin account; -W prompts for the password rather than taking it on the command line):
ldapsearch -x -H ldaps://ldap.<domain>:636 -D "cn=akadmin,ou=users,dc=ldap,dc=goauthentik,dc=io" -W -b "ou=users,dc=ldap,dc=goauthentik,dc=io" -s sub "(objectClass=person)" dn cn uid mail
Bind Example (using any Authentik user):
ldapsearch -x -H ldaps://ldap.<domain>:636 -D "cn=<username>,ou=users,dc=ldap,dc=goauthentik,dc=io" -W -b "ou=users,dc=ldap,dc=goauthentik,dc=io" -s sub "(objectClass=person)" dn cn uid mail
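As an added example (not part of this repository, Authentik, or the deploy tool), the following pure-stdlib Python script performs the same LDAPS bind check as the ldapsearch commands above without needing an OpenLDAP client installed. It hand-encodes an RFC 4511 BindRequest, sends it over a TLS session that Python verifies against the system trust store (so an ACM certificate that does not cover ldap.<domain> fails in the handshake, before any credentials leave the client), and decodes the BindResponse resultCode. The host name ldap.<domain>, the LDAP_DN and LDAP_PASSWORD environment variables, and the file name ldaps_check.py are assumptions for this example; the BASE_DN matches the DN used in the commands above.

```python
"""Minimal LDAPS simple-bind check against the Authentik LDAP outpost (stdlib only).

Added example, not project code. It checks that the NLB on port 636 presents a
certificate that validates for the given host and that a simple bind with the
given DN succeeds. Host, LDAP_DN and LDAP_PASSWORD are supplied by the caller
(assumption); the password is read from the environment so it never lands in
shell history or `ps` output.
"""
import os
import socket
import ssl
import sys

BASE_DN = "ou=users,dc=ldap,dc=goauthentik,dc=io"  # Authentik's default LDAP base DN

# --- BER / LDAP encoding (RFC 4511 BindRequest and BindResponse) -------------

def _ber_len(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload

def _int(value: int) -> bytes:
    """INTEGER (tag 0x02), minimal two's-complement encoding."""
    return _tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))

def encode_bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    bind = _tlv(0x60, _int(3) + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode()))
    return _tlv(0x30, _int(msg_id) + bind)

def _read_tlv(buf: bytes, pos: int):
    """Read one tag/length/value at `pos`; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_bind_response(data: bytes):
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse [APPLICATION 1]."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(msg, 0)
    tag, body, _ = _read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError(f"expected BindResponse, got tag {tag:#x}")
    _, rc, pos = _read_tlv(body, 0)         # resultCode ENUMERATED (0 = success, 49 = invalidCredentials)
    _, _matched, pos = _read_tlv(body, pos)  # matchedDN, unused here
    _, diag, _ = _read_tlv(body, pos)        # diagnosticMessage
    return (int.from_bytes(mid, "big", signed=True),
            int.from_bytes(rc, "big", signed=True),
            diag.decode("utf-8", "replace"))

# --- transport ----------------------------------------------------------------

def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed connection mid-message")
        buf += chunk
    return buf

def _recv_message(sock) -> bytes:
    """Read exactly one BER-framed LDAPMessage (handles long-form lengths)."""
    head = _recv_exact(sock, 2)
    length = head[1]
    if length & 0x80:
        n = length & 0x7F
        head += _recv_exact(sock, n)
        length = int.from_bytes(head[2:], "big")
    return head + _recv_exact(sock, length)

def ldaps_bind(host: str, dn: str, password: str, port: int = 636, timeout: float = 5.0):
    """Open a verified TLS session to the NLB listener and perform a simple bind."""
    ctx = ssl.create_default_context()  # verifies the chain and that the cert matches `host`
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(encode_bind_request(1, dn, password))
            return parse_bind_response(_recv_message(tls))

if __name__ == "__main__":
    if len(sys.argv) != 2 or "LDAP_PASSWORD" not in os.environ:
        sys.exit("usage: LDAP_DN=cn=<username>,... LDAP_PASSWORD=... python ldaps_check.py ldap.<domain>")
    dn = os.environ.get("LDAP_DN", f"cn=akadmin,{BASE_DN}")
    msg_id, code, diag = ldaps_bind(sys.argv[1], dn, os.environ["LDAP_PASSWORD"])
    print(f"bind as {dn}: resultCode={code} ({'success' if code == 0 else 'failure'}) {diag}")
    sys.exit(0 if code == 0 else 1)
```

Reading the result: a TLS handshake error (certificate verify failed, hostname mismatch) points at the ACM certificate or the ldap.<domain> Route53 record; a resultCode of 49 proves the NLB, the outpost on 3389, and the Authentik server are all talking to each other and only the credentials are wrong; resultCode 0 is the end-to-end success that the Bind Example above also demonstrates.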