Authelia + LLDAP + Traefik ForwardAuth Setup guide
This quick guide should take you through the steps necessary to setup Authelia as your forwardAuth for Traefik. We’ll be using LLDAP as the backend for Authelia since it’s lightweight and simple enough for most users.
Setup LLDAP
-
Follow the easy steps included in the Installation Notes for LLDAP. Change
dc=example,dc=comto your domain, i.e.dc=MYDOMAIN,dc=netand then change your password. -
Once in
LLDAP, create a user inside thelldap_password_managergroup and change your defaultadminpassword. Thatlldap_password_manageruser will be used to bind toAuthelia. Here I’ve created a user calledmanager, but you can use anything -
Create an
admingroup and addUserto it. We will allow users of this group to access the site with Authelia later in the guide.
Setup Authelia
- The setup for Authelia is very specific and the logs won’t tell you where you’ve messed up, but there’s precise steps used to integrate
LLDAPintoAuthelia.
# your domaindomain: example.com# autehlia ingress urldefault_redirection_url: https://auth.example.comauthentication_backend: # lldap setup ldap: enabled: true implementation: custom # if name is not lldap update as needed url: ldap://lldap-ldap.lldap.svc.cluster.local:3890 # replace with your domain base_dn: DC=example,DC=com username_attribute: uid additional_users_dn: ou=people users_filter: (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person)) additional_groups_dn: ou=groups groups_filter: (member={dn}) group_name_attribute: cn mail_attribute: mail display_name_attribute: displayName # user with lldap_password_manager group user: uid=manager,ou=people,dc=example,dc=com # above user password in plain text plain_password: somepassword file: enabled: falsenotifier: # smtp setup (example is gmail) smtp: enabled: true host: smtp.gmail.com port: 587 # gmail email address (username) # use a google app password if using gmail plain_password: somepassword # email address to show as sender filesystem: enabled: falseaccess_control: rules: # basic rule for one factor (username/password) login for users in the lldap_admin group - domain: - "*.example.com" - example.com policy: one_factor subject: "group:lldap_admin"Please see Authelia Rules for more advanced rules.
Setup Authelia Ingress
- Make sure you’re using the same domain as the
Default Redirection URLabove, so for me that’sauth.mydomain.com
ingress: main: enabled: true integrations: traefik: enabled: true certManager: enabled: true certificateIssuer: domain-0-le-prod hosts: - host: auth.example.comTraefik ForwardAuth Setup
-
This part is straight forward as long as you have a working
Traefikinstall. -
The following is added to
Traefikvalues.yaml,
middlewares: forwardAuth: - name: auth address: http://authelia.authelia.svc.cluster.local:9091/api/verify?rd=https://auth.example.com/ authResponseHeaders: - Remote-User - Remote-Group - Remote-Name - Remote-Email trustForwardHeader: trueAdding the forwardauth to your Apps
The last step is adding the forwardauth along with the standard ingress settings for your app, for more info on setting ingress see the ClusterIssuer Guide.
- In this example we use the same name as above, or
auth.
ingress: main: enabled: true integrations: traefik: enabled: true middlewares: - name: auth namespace: traefik certManager: enabled: true certificateIssuer: domain-0-le-prod hosts: - host: radarr.example.comReferences
The origin material for this guide is available on the LLDAP Github. While further information on Authelia can be found on their Github and website.
Support
If you have any issues with following this guide, we can be reached using Discord for real-time feedback and support.