---
title: Authentication Overview
description: SSO, LDAP, and access control in Netgrimoire
published: true
date: 2026-04-12T00:00:00.000Z
tags: ward, auth, sso
editor: markdown
dateCreated: 2026-04-12T00:00:00.000Z
---

# Authentication Overview

## SSO Providers

| Provider | Domain scope | Notes |
|----------|--------------|-------|
| Authentik | `*.netgrimoire.com` | Services are protected via the `caddy.import_1: authentik` container label |
| Authelia | `*.wasted-bandwidth.net` | Protects the Green Grimoire and Shadow Grimoire services |

Both providers use LLDAP as their LDAP backend.

## LLDAP

Lightweight LDAP directory at `ldap.netgrimoire.com`, backed by Postgres. It provides the user directory for both Authentik and Authelia.

See [LDAP Client Setup](/Ward-Grimoire/Access/LDAP-Client-Setup) for configuring hosts to authenticate via LLDAP.

## Vaultwarden

Password manager at `pass.netgrimoire.com`, protected by Authentik.

## WireGuard

5 VPN peers on 192.168.32.0/24, managed in OPNsense. See [Host Inventory](/Keystone-Grimoire/Hosts/Host-Inventory) for peer assignments.

## YubiKey (Planned)

- PIV SSH authentication on all hosts — highest-impact pending integration
- Challenge-response for LUKS / Kopia key derivation on znas