--- title: Active Directory support_level: community --- ## Preparation The following placeholders are used in this guide: - `ad.company` is the name of the Active Directory domain. - `authentik.company` is the FQDN of the authentik install. ## Active Directory configuration To support the integration of Active Directory with authentik, you need to create a service account in Active Directory. 1. Open **Active Directory Users and Computers** on a domain controller or computer with **Active Directory Remote Server Administration Tools** installed. 2. Navigate to an Organizational Unit, right-click it, and select **New** > **User**. 3. Create a service account, matching your naming scheme, for example: ![](./01_user_create.png) 4. Set the password for the service account. Ensure that the **Reset user password and force password change at next logon** option is not checked. Either one of the following commands can be used to generate the password: ```sh pwgen 64 1 ``` ```sh openssl rand 36 | base64 -w 0 ``` 5. Open the **Delegation of Control Wizard** by right-clicking the domain Active Directory Users and Computers, and selecting **All Tasks**. 6. Select the authentik service account that you've just created. 7. Grant these additional permissions (only required when _User password writeback_ is enabled on the LDAP source in authentik, and dependent on your AD Domain) ![](./02_delegate.png) :::note Limiting service account permissions Optionally, if you don't want authentik to be able to view and sync objects within certain Organizational Units, you can limit the service account's permissions: 1. Right click the Organizational Unit in question and navigate to **Properties** > **Security**. 2. Select the authentik service account that you created. 3. Under the **Deny** column, check **Read**. 4. Click **Apply**. You can repeat this process for other OUs and objects within Active Directory. ::: :::note LDAP signing By default, Windows Server 2025 requires LDAP signing, which can disrupt authentik’s Active Directory connectivity if LDAPS is not in use. This can be addressed by enabling LDAPS or by disabling LDAP signing on the domain controller, with the understanding that the latter option carries security implications. ::: ## authentik Setup To support the integration of authentik with Active Directory, you will need to create a new LDAP Source in authentik. 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Directory** > **Federation & Social login**. 3. Click **Create** and select **LDAP Source** as the type. 4. Provide a name, slug, and the following required configurations: Under **Connection Settings**: - **Server URI**: `ldap://ad.company` :::info For authentik to be able to write passwords back to Active Directory, make sure to use `ldaps://` as a prefix. You can verify that LDAPS is working by opening the `ldp.exe` tool on a domain controller and attempting a connection to the server via port 636. If a connection can be established, LDAPS is functioning as expected. More information can be found in the [Microsoft LDAPS documentation](https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/ldap-over-ssl-connection-issues). Multiple servers can be specified by separating URIs with a comma (e.g. `ldap://dc1.ad.company,ldap://dc2.ad.company`). If a DNS entry with multiple records is used, authentik will select a random entry when first connecting. ::: - **Bind CN**: `@ad.company` - **Bind Password**: the password of the service account created in the previous section. - **Base DN**: the base DN which you want authentik to sync. Under **LDAP Attribute Mapping**: - **User Property Mappings**: select all Mappings which start with "authentik default LDAP" and "authentik default Active Directory" - **Group Property Mappings**: select "authentik default LDAP Mapping: Name" Under **Additional Settings** _(optional)_ configurations that may need to be adjusted based on the setup of your domain: - **Group**: if enabled, all synchronized groups will be given this group as a parent. - **Addition User/Group DN**: additional DN which is _prepended_ to your Base DN configured above, to limit the scope of synchronization for Users and Groups. - **User object filter**: which objects should be considered users (e.g. `(objectClass=user)`). For Active Directory set it to `(&(objectClass=user)(!(objectClass=computer)))` to exclude Computer accounts. - **Group object filter**: which objects should be considered groups (e.g `(objectClass=group)`). - **Lookup using a user attribute**: acquire group membership from a User object attribute (`memberOf`) instead of a Group attribute (`member`). This works with directories and nested groups memberships (Active Directory, RedHat IDM/FreeIPA), using `memberOf:1.2.840.113556.1.4.1941:` as the group membership field. - **Group membership field**: the user object attribute or the group object attribute that determines the group membership of a user (e.g. `member`). If **Lookup using a user attribute** is set, this should be a user object attribute, otherwise a group object attribute. - **User membership attribute**: ensure that this is set to `distinguishedName`. - **Object uniqueness field**: a user attribute that contains a unique identifier (e.g. `objectSid`). 5. Click **Finish** to save the LDAP Source. An LDAP synchronization will begin in the background. Once completed, you can view the summary by navigating to **Dashboards** > **System Tasks**: ![](./03_additional_perms.png) 6. To finalise the Active Directory setup, you need to enable the backend "authentik LDAP" in the Password Stage. ![](./11_ak_stage.png)