https://github.com/dfpc-coe/auth-infra
Cloud Infrastructure for Hosting & Managing TAK Authentication Infrastructure (LDAP)
- Host: GitHub
- URL: https://github.com/dfpc-coe/auth-infra
- Owner: dfpc-coe
- License: mit
- Created: 2023-06-05T21:53:22.000Z (about 3 years ago)
- Default Branch: main
- Last Pushed: 2026-05-22T14:14:24.000Z (about 1 month ago)
- Last Synced: 2026-05-22T19:44:31.838Z (about 1 month ago)
- Language: JavaScript
- Homepage:
- Size: 424 KB
- Stars: 0
- Watchers: 1
- Forks: 1
- Open Issues: 0
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- License: LICENSE
README
# TAK Auth Infra
Infrastructure to support LDAP-based auth in TAK via Authentik
## AWS Deployment
### 1. Pre-Reqs
> [!IMPORTANT]
> The Auth-Infra service assumes some pre-requisite dependencies are deployed before
> initial deployment.
The following are dependencies which need to be created:
| Name | Notes |
| --------------------- | ----- |
| `tak-vpc-` | VPC & networking to place tasks in - [repo](https://github.com/dfpc-coe/vpc) |
An AWS ACM certificate must also be generated that covers the subdomain that the Auth-Infra is deployed to.
### 2. Installing Dependencies
From the root directory, install the deploy dependencies:
```sh
npm install
```
### 3. Authentik Server Deployment
Deployment to AWS is handled via AWS Cloudformation. The template can be found in the `./cloudformation`
directory. The deployment itself is performed by [Deploy](https://github.com/openaddresses/deploy) which
was installed in the previous step.
> [!NOTE]
> The deploy tool can be run via the following
>
> ```sh
> npx deploy
> ```
>
> To install it globally - view the deploy [README](https://github.com/openaddresses/deploy)
>
> Deploy uses your existing AWS credentials. Ensure that your `~/.aws/credentials` has an entry like:
>
> ```
> [coe]
> aws_access_key_id =
> aws_secret_access_key =
> ```
Deployment can then be performed via the following:
```
npx deploy create
npx deploy update
npx deploy info --outputs
npx deploy info --parameters
```
Stacks can be created, deleted, cancelled, etc. all via the deploy tool. For further
information about `deploy` functionality run the following for help.
```sh
npx deploy
```
#### Sub-Stack Deployment
The CloudFormation is split into two stacks to ensure consistent deploy results.
The first portion deploys the Authentik Server itself. The second portion deploys the Authentik LDAP Outpost.
Step 1: Create the Authentik Server Portion
```
npx deploy create
```
The custom Authentik server image in this repository bakes in
[docker/authentik-server/user_settings.py](docker/authentik-server/user_settings.py), which is copied to
`/data/user_settings.py` inside the container. Authentik loads that file automatically on startup for both the
server and worker processes. It is currently used to enable Django BCrypt password hashers for imported legacy
passwords.
The Authentik server ECS service now always uses target-tracking autoscaling. CPU utilization is hardcoded to a
60% target and memory utilization is hardcoded to a 75% target. The CloudFormation parameters
`ServerAutoScalingMinCapacity` and `ServerAutoScalingMaxCapacity` can be used to bound cost.
Step 2: Configure the Authentik LDAP Provider
Follow the instructions in the Authentik documentation to [create an LDAP provider](https://docs.goauthentik.io/docs/add-secure-apps/providers/ldap/generic_setup).
* **LDAP Service Account:** The username and password have been created by the above CloudFormation template as a Secrets Manager secret in `coe-auth->/svc`.
* **LDAP Outpost AUTHENTIK_TOKEN:** The Authentik server will create an AUTHENTIK_TOKEN for the LDAP Outpost, which needs to be saved in Secrets Manager as the secret for `coe-auth->/authentik-ldap-token`
Step 3: Create the Authentik LDAP Outpost
```
npx deploy create --template ./cloudformation/ldap.template.js
```
Step 4: Verify the LDAP DNS record
The LDAP stack now creates an `ldap.` Route53 alias automatically and points it at the internal NLB. For example, if the hosted zone is `epatak.org`, the stack will create `ldap.epatak.org`.
The LDAP outpost is exposed as LDAPS only on port `636`. The LDAP CloudFormation template automatically associates the VPC ACM certificate with the secure listener.
TLS terminates on the NLB at port `636` and the decrypted LDAP traffic is forwarded internally to the outpost on port `3389`.
```
ldapsearch -x -H ldaps://ldap.:636 -D "cn=akadmin,ou=users,dc=ldap,dc=goauthentik,dc=io" -W -b "ou=users,dc=ldap,dc=goauthentik,dc=io" -s sub "(objectClass=person)" dn cn uid mail
```
Bind Example:
```
ldapsearch -x -H ldaps://ldap.:636 -D "cn=,ou=users,dc=ldap,dc=goauthentik,dc=io" -W -b "ou=users,dc=ldap,dc=goauthentik,dc=io" -s sub "(objectClass=person)" dn cn uid mail
```
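As an added example (not code from the auth-infra repository), the following stdlib-only script does the same LDAPS bind check as the `ldapsearch` commands above without relying on an LDAP client being installed: it builds an LDAPv3 simple BindRequest in BER, sends it over a TLS socket that verifies the NLB's ACM certificate against the `ldap.<zone>` hostname, and decodes the BindResponse result code (0 = success, 49 = invalidCredentials). The hostname, bind DN and password in the `__main__`-style call are placeholders you supply.

```python
# Added example, not from the auth-infra repo. Hostname, DN and password are placeholders.
import socket
import ssl


def ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form (0x80 | byte count) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(value: int) -> bytes:
    # INTEGER uses minimal two's complement, so 128 must encode as 00 80, not 80.
    return ber(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))


def bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    bind = ber(0x60, ber_int(3) + ber(0x04, dn.encode()) + ber(0x80, password.encode()))
    return ber(0x30, ber_int(message_id) + bind)


def bind_result(msg: bytes) -> tuple[int, str]:
    """Return (resultCode, diagnosticMessage) from a BindResponse [APPLICATION 1].
    Assumes short-form lengths, which holds for bind responses of normal size."""
    assert msg[0] == 0x30 and msg[2] == 0x02, "not an LDAPMessage"
    pos = 4 + msg[3]                          # skip messageID TLV
    assert msg[pos] == 0x61, "not a BindResponse"
    pos += 2                                  # tag + short length
    assert msg[pos] == 0x0A, "missing resultCode ENUMERATED"
    code = int.from_bytes(msg[pos + 2 : pos + 2 + msg[pos + 1]], "big")
    pos += 2 + msg[pos + 1]                   # past resultCode
    pos += 2 + msg[pos + 1]                   # past matchedDN OCTET STRING
    diag = msg[pos + 2 : pos + 2 + msg[pos + 1]].decode(errors="replace")
    return code, diag


def ldaps_bind(host: str, dn: str, password: str, port: int = 636) -> tuple[int, str]:
    """Bind over LDAPS; the default context rejects an untrusted or mismatched certificate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(bind_request(1, dn, password))
            return bind_result(tls.recv(4096))  # a bind response fits in one read
```

Run it as `ldaps_bind("ldap.<zone>", "cn=<user>,ou=users,dc=ldap,dc=goauthentik,dc=io", "<password>")`; a certificate that does not match the `ldap.<zone>` alias raises `ssl.SSLCertVerificationError` before any credentials are sent.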