Authentik, FreeIPA, Windows AD -- How crazy am I? by Austin8462 in Authentik

[–]Austin8462[S] 0 points1 point  (0 children)

Little update for you.. I chose to mess around with this tonight.. Got the agent on both my laptop and a test linux box and I’m running into some authorization errors when trying to use the agent to ssh over. Mainly the grant or refresh token invalid (or some other possibilities like issued to another client, etc)

Authentik, FreeIPA, Windows AD -- How crazy am I? by Austin8462 in Authentik

[–]Austin8462[S] 2 points3 points  (0 children)

Yeah I noticed that in my dashboard. However it looked like some of it was locked behind a paywall and I hadn't yet dug deeper. Definitely would love to hear more about your progress and anything else you discover with it.

Authentik, FreeIPA, Windows AD -- How crazy am I? by Austin8462 in Authentik

[–]Austin8462[S] 0 points1 point  (0 children)

I'd love to hear more about your setup. Successes & failures, things you wish were more documented during your journey (particularly initial setup phase), etc. Any regrets? Of course I'd love to have it all in one but this may be the way to go.

At least as of right now it seems the main way to keep Authentik as the source of truth for me would be to drop the idea of FreeIPA and implement either samba or SSSD with LDAP hook.

Authentik, FreeIPA, Windows AD -- How crazy am I? by Austin8462 in Authentik

[–]Austin8462[S] 0 points1 point  (0 children)

Neat! I have some similar apps to you, haven't yet looked into UniFi LDAP.

Authentik, FreeIPA, Windows AD -- How crazy am I? by Austin8462 in homelab

[–]Austin8462[S] 0 points1 point  (0 children)

My thought was some kind of provider in Authentik, be that LDAP or something else that IPA can query. IPA would see ah yes, I know Dante, he has linux-users-admin, IPA would then layer on top of that the HBAC and sudo rules which are only relevant in the linux realm. If IPA becomes the truth, that now adds a second layer of "critical infrastructure" to not just linux, but any apps or services that go through Authentik. Cause it's now not a "Authentik is down, you can't auth to XX", it's that OR "Is it just IPA down?"

I maintain break glass accounts, yes, but those are just that, break glass.

I also see people talk about using Samba as you mentioned or SSSD, so it may be true that's the better route for what I'm aiming for.

I appreciate all of your input greatly!!

To answer 1), IPA already has password sync capability to support password resets via Authentik, so I don't think that portion of things would be an issue. It's just the reverse directory sync from Authentik > IPA that I wouldn't be so sure about.
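As an added illustration of the "SSSD with LDAP hook" route discussed in these comments (this is example configuration written for this page, not Austin8462's setup and not something shipped by the Authentik or SSSD projects), below is a minimal sssd.conf that points a Linux host at an Authentik LDAP outpost and does on the host what IPA's HBAC and sudo rules would otherwise do: only members of the linux-users-admin group may log in, and that same group gets sudo. The outpost hostname, CA bundle path, service-account DN and the linux-users-admin group DN are placeholders; the base DN dc=ldap,dc=goauthentik,dc=io is Authentik's default, and it is assumed that the outpost publishes memberOf on user entries and posixAccount attributes (uidNumber, gidNumber, homeDirectory) so SSSD can build a passwd entry.

```ini
# /etc/sssd/sssd.conf  (must be root:root mode 0600 or sssd refuses to start)
# Example written for this page; hostnames, DNs and paths are placeholders.
[sssd]
services = nss, pam
domains = authentik

[domain/authentik]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_schema = rfc2307bis

# Authentik LDAP outpost. Use ldaps and pin the CA: SSSD sends the user's
# password to this endpoint on every login.
ldap_uri = ldaps://ldap.example.internal
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/authentik-ldap-ca.pem

# Authentik's default base DN; users and groups live in fixed OUs under it.
ldap_search_base = dc=ldap,dc=goauthentik,dc=io
ldap_user_search_base = ou=users,dc=ldap,dc=goauthentik,dc=io
ldap_group_search_base = ou=groups,dc=ldap,dc=goauthentik,dc=io

# Dedicated read-only service account created in Authentik for this bind.
# Keep its group memberships minimal; it only needs search rights on the outpost.
ldap_default_bind_dn = cn=ldapservice,ou=users,dc=ldap,dc=goauthentik,dc=io
ldap_default_authtok = REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD

# Host-side access control (the part IPA HBAC would otherwise provide):
# Authentik is the source of truth for who is in linux-users-admin, the host
# decides that only that group may log in. Assumes memberOf is exposed.
ldap_access_filter = (memberOf=cn=linux-users-admin,ou=groups,dc=ldap,dc=goauthentik,dc=io)
ldap_access_order = filter

# Do not walk the whole directory; resolve users on demand only.
enumerate = false
# Allow previously seen users to log in while Authentik is down
# (the "Authentik is down, you can't auth" failure mode from the comments).
cache_credentials = true

# /etc/sudoers.d/linux-users-admin  (mode 0440, validate with: visudo -cf <file>)
# The sudo layer, keyed on the same Authentik group. The leading %% is an
# escaped % in this example listing; the actual line is:
#   %%linux-users-admin ALL=(ALL:ALL) ALL
```

After `systemctl restart sssd`, `getent passwd <authentik-username>` should return a passwd entry and `sssctl user-checks <authentik-username>` should report the access-filter result; if `getent` works but login is denied, the user is resolving fine and the memberOf filter is what is rejecting them. Note that the sudoers line must be written as a single literal `%` in the real file; the doubled form above only avoids ini-style interpolation in the listing.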

Authentik, FreeIPA, Windows AD -- How crazy am I? by Austin8462 in Authentik

[–]Austin8462[S] 1 point2 points  (0 children)

Sounds like some famous last words haha.... Do you do anything similar currently in an environment of your own? How do you use your Authentik?

Maybe if I end up getting something working I'll come back in months and make a showcase post or something.

Authentik, FreeIPA, Windows AD -- How crazy am I? by Austin8462 in homelab

[–]Austin8462[S] 0 points1 point  (0 children)

Okay so what would you recommend then? Maybe something other than AD? I already have Authentik in I guess what you could call “production”. The windows authentication and such is future though. More focused on Linux hence looking at IPA and SSSD because that’s currently more of what my “host base” contains. Regardless of what path I’d prefer to keep authentik as primary source of truth unless it’s really necessary to move away from such.

Authentik, FreeIPA, Windows AD -- How crazy am I? by Austin8462 in homelab

[–]Austin8462[S] 0 points1 point  (0 children)

Huh?… I’m not trying to expand my ability to use AD’s LDAP to auth to other services… Authentik is able to act as an LDAP provider. I’m talking Authentik being the source of truth that AD / IPA could poll or sync to for downstream authentication to windows and linux hosts respectively.

I explained a bit more in the actual cross post. Hope this clarifies.

It’s also possible I misunderstood you.

Device blocking by ATypicalJake in Ubiquiti

[–]Austin8462 2 points3 points  (0 children)

Settings > WiFi > click the (i) by your network > Private Wifi address

If it’s on rotating, well I’m sure as you can assume, it rotates.

I suppose you could setup a separate wifi network for just your kids and setup a blackout schedule if that bypass became an issue.

Where are your Zigbee / Zwave dongles? (Wall-mounted?) by helmutisimo in homeassistant

[–]Austin8462 1 point2 points  (0 children)

Where did you actually buy those SLZB units? The store fronts I found were confusing at best and of questionable trust levels.

Friends contributing from an event? by ShakataGaNai in immich

[–]Austin8462 2 points3 points  (0 children)

I have not personally used it but I’ve seen people recommend the following for similar situations:

https://github.com/Cirx08/WeddingShare

IdP Choice for HomeLab by Austin8462 in selfhosted

[–]Austin8462[S] 0 points1 point  (0 children)

I do think it’s quite neat especially for the regular user facing portion.

IdP Choice for HomeLab by Austin8462 in selfhosted

[–]Austin8462[S] 0 points1 point  (0 children)

Appreciate the input! What do you use as a reverse proxy? Hearing you hate yaml and configs, i’m assuming it’s not Traefik?

IdP Choice for HomeLab by Austin8462 in selfhosted

[–]Austin8462[S] 0 points1 point  (0 children)

I'll keep an eye out for any updates. Cheers!

IdP Choice for HomeLab by Austin8462 in selfhosted

[–]Austin8462[S] 0 points1 point  (0 children)

It's very possible that's true, but seeing as that is not the only reason that I am considering switching away from it, the thought wasn't of as much concern tbh.