---
title: Authentication Overview
description: SSO, LDAP, and access control in Netgrimoire
published: true
date: 2026-04-12T00:00:00.000Z
tags: ward, auth, sso
editor: markdown
dateCreated: 2026-04-12T00:00:00.000Z
---

# Authentication Overview

## SSO Providers

| Provider | Scope | Notes |
|-----------|--------------------------|----------------------------------------------------|
| Authentik | `*.netgrimoire.com` | Protected via the `caddy.import_1: authentik` label |
| Authelia | `*.wasted-bandwidth.net` | Green Grimoire + Shadow Grimoire services |

Both providers use LLDAP as their LDAP backend.

## LLDAP

Lightweight LDAP directory at `ldap.netgrimoire.com`, backed by Postgres. It provides the user directory for both Authentik and Authelia.

See [LDAP Client Setup](/Ward-Grimoire/Access/LDAP-Client-Setup) for configuring hosts to authenticate via LLDAP.

## Vaultwarden

Password manager at `pass.netgrimoire.com`. Protected by Authentik.

## WireGuard

5 VPN peers on 192.168.32.0/24, managed in OPNsense.

See [Host Inventory](/Keystone-Grimoire/Hosts/Host-Inventory) for peer assignments.

## YubiKey (Planned)

- PIV SSH authentication on all hosts — highest-impact pending integration
- Challenge-response for LUKS / Kopia key derivation on znas