LibreNMS Docker with Authentik SSO

These instructions can be used to get the LibreNMS Docker container working with SSO (OpenID) using Authentik. It is assumed that you already have a working Authentik setup.

You will need to have SSL for the LibreNMS interface and it is assumed below that LibreNMS is running on the hostname “nms.example.com”. The base directory for the LibreNMS Docker files/env files is assumed to be /opt/librenms.

Authentik Setup

Create the new Authentik provider for LibreNMS with the type “OAuth2/OpenID Provider”. Set the relevant authentication and authorization flows.

Expand the protocol settings and set the redirect URI to the following:

https://nms.example.com/auth/authentik/callback

All remaining configuration for the provider can be left alone as defaults.

Finally create the application in Authentik and assign the LibreNMS provider. In the UI settings set the launch URL to https://nms.example.com/login.

With that complete the configuration on the Authentik side should be finished.

Docker Container Fixes

A few changes need to be made to the LibreNMS image: the Authentik Socialite provider has to be installed, and a PHP file added that registers the provider with Socialite.

Create the folder /opt/librenms/docker and create the file /opt/librenms/docker/Dockerfile. In the Dockerfile put the following contents:

# Use base LibreNMS container image
FROM librenms/librenms:latest

# Fix permissions and install the Authentik provider for Socialite
RUN apk --update --no-cache add -t build-dependencies php-xmlwriter 2>&1 | tee -a authentik.log \
 && cd /opt/librenms/ \
 && chmod 777 /opt/librenms/composer.* \
              /opt/librenms/logs/librenms.log \
              /opt/librenms/scripts/composer_wrapper.php \
 && chmod 777 /opt/librenms/scripts \
              /opt/librenms \
              /opt/librenms/vendor/socialiteproviders \
              /opt/librenms/vendor/composer \
              /opt/librenms/vendor/composer/* \
              /opt/librenms/bootstrap/* \
 && lnms plugin:add socialiteproviders/authentik

# Add required auth file for SSO to work
COPY EventServiceProvider.php /opt/librenms/app/Providers/EventServiceProvider.php

Next create the PHP file /opt/librenms/docker/EventServiceProvider.php (next to the Dockerfile, because the COPY instruction above resolves its source path relative to the build context) with the following contents:

<?php

namespace App\Providers;

use Illuminate\Foundation\Support\Providers\EventServiceProvider as ServiceProvider;

class EventServiceProvider extends ServiceProvider
{
    /**
     * The event listener mappings for the application.
     *
     * @var array<string, array<int, string>>
     */
    protected $listen = [
        \Illuminate\Auth\Events\Login::class => ['App\Listeners\AuthEventListener@login'],
        \Illuminate\Auth\Events\Logout::class => ['App\Listeners\AuthEventListener@logout'],
        \App\Events\UserCreated::class => [
            \App\Listeners\MarkNotificationsRead::class,
        ],
        \App\Events\PollingDevice::class => [
        ],
        \App\Events\DevicePolled::class => [
            \App\Listeners\CheckAlerts::class,
            \App\Listeners\UpdateDeviceGroups::class,
        ],
        \Illuminate\Database\Events\QueryExecuted::class => [
            \App\Listeners\QueryDebugListener::class,
            \App\Listeners\QueryMetricListener::class,
        ],
        \Illuminate\Database\Events\StatementPrepared::class => [
            \App\Listeners\LegacyQueryListener::class,
        ],
        \SocialiteProviders\Manager\SocialiteWasCalled::class => [
            \SocialiteProviders\Authentik\AuthentikExtendSocialite::class.'@handle',
            \App\Listeners\SocialiteWasCalledListener::class,
        ],
    ];

    /**
     * Register any events for your application.
     *
     * @return void
     */
    public function boot(): void
    {
        //
    }

    /**
     * Determine if events and listeners should be automatically discovered.
     *
     * @return bool
     */
    public function shouldDiscoverEvents(): bool
    {
        return false;
    }
}

The change from the default PHP file is this specific line:

\SocialiteProviders\Authentik\AuthentikExtendSocialite::class.'@handle',

Finally edit the /opt/librenms/docker-compose.yaml file. The librenms service needs to have the image: librenms/librenms:latest line commented out and the build context set to the docker directory:

  librenms:
    #image: librenms/librenms:latest
    build:
      context: ./docker

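Once the image builds, a quick check inside the container confirms that the plugin install and the COPY step took effect, and lists the files that the chmod 777 lines left world-writable so they can be tightened again afterwards. This is an added example, not part of the original post or of LibreNMS; it assumes the paths from the Dockerfile above, and the function names check_librenms_sso and count_world_writable are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a LibreNMS tree
# after the Dockerfile build. Inside the container run:
#   check_librenms_sso /opt/librenms && count_world_writable /opt/librenms
# Paths are the ones the Dockerfile above touches (assumption: unchanged layout).

# check_librenms_sso ROOT
# Returns 0 when the Authentik Socialite provider is installed under ROOT and
# the EventServiceProvider registers its listener; 1 otherwise, with reasons
# on stderr.
check_librenms_sso() {
    root=$1
    provider_dir="$root/vendor/socialiteproviders/authentik"
    esp="$root/app/Providers/EventServiceProvider.php"
    status=0
    if [ ! -d "$provider_dir" ]; then
        echo "missing $provider_dir (did 'lnms plugin:add' run?)" >&2
        status=1
    fi
    if ! grep -q 'AuthentikExtendSocialite::class' "$esp" 2>/dev/null; then
        echo "$esp does not register AuthentikExtendSocialite" >&2
        status=1
    fi
    return $status
}

# list_world_writable ROOT
# The chmod 777 lines in the Dockerfile stay baked into the image. Print every
# regular file under ROOT that is still world-writable (-perm -002) so the
# modes can be reset (e.g. 644 for files) once the plugin install is done.
list_world_writable() {
    find "$1" -type f -perm -002 2>/dev/null
}

# count_world_writable ROOT
# Number of world-writable regular files under ROOT (0 is the goal).
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}
```

Both functions only read the tree; resetting the modes is left as a separate, deliberate step so that nothing is changed while composer is still running.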
LibreNMS Configuration

Start LibreNMS and enter the container with docker exec -it librenms /bin/bash.

The following configuration needs to be added to LibreNMS to start using the new SSO provider:

lnms config:set auth.socialite.configs.authentik.base_url https://authentik.example.com/
lnms config:set auth.socialite.configs.authentik.client_id client-id
lnms config:set auth.socialite.configs.authentik.client_secret client-secret
lnms config:set auth.socialite.configs.authentik.redirect https://nms.example.com/auth/authentik/callback
lnms config:set auth.socialite.configs.authentik.listener "\SocialiteProviders\Authentik\AuthentikExtendSocialite"

To have accounts created automatically in LibreNMS, enable the register option for Socialite:

lnms config:set auth.socialite.register true

To redirect the default login page to Authentik, set the following option:

lnms config:set auth.socialite.redirect true

After these changes you should be able to log in by accessing https://nms.example.com/login.
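The redirect value must match the redirect URI registered in the Authentik provider exactly, and a client secret typed on the command line ends up in shell history. The script below, an added example and not part of the original post or of LibreNMS, validates the values first and then prints the lnms commands with the secret read from a file instead. The function names and the secret file are this example's assumptions; the hostname and callback path are the ones used above. Since auth.socialite.register creates a LibreNMS account for every user Authentik lets through, who is granted access to the Authentik application is what decides who gets an account.

```shell
#!/bin/sh
# Added example (not from the original post): check the Socialite values
# before they reach `lnms config:set`, then print the commands from the post.
# Assumptions: LibreNMS hostname nms.example.com and the callback path
# /auth/authentik/callback from the post; the client secret lives in a file
# whose path is passed as the last argument.

CALLBACK_PATH="/auth/authentik/callback"

# validate_sso_config BASE_URL CLIENT_ID REDIRECT NMS_HOST
# Returns 0 when the values are consistent, 1 with a reason on stderr otherwise.
validate_sso_config() {
    base_url=$1; client_id=$2; redirect=$3; nms_host=$4

    case "$base_url" in
        https://*/) ;;   # https with the trailing slash used in the post
        https://*) echo "base_url should end with a trailing slash" >&2; return 1 ;;
        *) echo "base_url must use https://" >&2; return 1 ;;
    esac

    [ -n "$client_id" ] || { echo "client_id is empty" >&2; return 1; }

    # The redirect must equal the URI registered in the Authentik provider
    # byte for byte; otherwise the OIDC code exchange fails with a
    # redirect_uri mismatch.
    [ "$redirect" = "https://${nms_host}${CALLBACK_PATH}" ] || {
        echo "redirect must be exactly https://${nms_host}${CALLBACK_PATH}" >&2
        return 1
    }
    return 0
}

# emit_lnms_commands BASE_URL CLIENT_ID REDIRECT SECRET_FILE
# Prints the seven lnms commands from the post; the secret comes from
# SECRET_FILE so it never appears in the invoking shell's history.
emit_lnms_commands() {
    base_url=$1; client_id=$2; redirect=$3; secret_file=$4
    secret=$(cat "$secret_file") || return 1
    [ -n "$secret" ] || { echo "secret file $secret_file is empty" >&2; return 1; }
    prefix="lnms config:set auth.socialite.configs.authentik"
    printf '%s.base_url %s\n' "$prefix" "$base_url"
    printf '%s.client_id %s\n' "$prefix" "$client_id"
    printf '%s.client_secret %s\n' "$prefix" "$secret"
    printf '%s.redirect %s\n' "$prefix" "$redirect"
    printf '%s.listener "\\SocialiteProviders\\Authentik\\AuthentikExtendSocialite"\n' "$prefix"
    printf 'lnms config:set auth.socialite.register true\n'
    printf 'lnms config:set auth.socialite.redirect true\n'
}
```

Inside the container, run validate_sso_config with the four values and, when it returns 0, pipe the output of emit_lnms_commands into sh; the printed lines are exactly the commands listed above.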
