These instructions can be used to get the LibreNMS Docker container working with SSO (OpenID) using Authentik. It is assumed that you already have a working Authentik setup.
You will need SSL for the LibreNMS interface; the steps below assume that LibreNMS is running on the hostname “nms.example.com”. The base directory for the LibreNMS Docker files/env files is assumed to be /opt/librenms.
Authentik Setup
Create the new Authentik provider for LibreNMS with the type “OAuth2/OpenID Provider”. Set the relevant authentication and authorization flows.
Expand the protocol settings and set the redirect URI to the following:
https://nms.example.com/auth/authentik/callback
All remaining configuration for the provider can be left alone as defaults.
Finally create the application in Authentik and assign the LibreNMS provider. In the UI settings set the launch URL to https://nms.example.com/login.
With that complete the configuration on the Authentik side should be finished.
Docker Container Fixes
A few changes need to be added to the LibreNMS Dockerfile; the Authentik Socialite provider needs to be added and a PHP file configured to use the provider.
Create the folder /opt/librenms/docker and create the file /opt/librenms/docker/Dockerfile. In the Dockerfile put the following contents:

```dockerfile
# Use base LibreNMS container image
FROM librenms/librenms:latest

# Fix permissions and install the Authentik provider for Socialite
# (chmod 777 makes these paths world-writable inside the image so the plugin install can write to them)
RUN apk --update --no-cache add -t build-dependencies php-xmlwriter 2>&1 | tee -a authentik.log \
    && cd /opt/librenms/ \
    && chmod 777 /opt/librenms/composer.* \
        /opt/librenms/logs/librenms.log \
        /opt/librenms/scripts/composer_wrapper.php \
    && chmod 777 /opt/librenms/scripts \
        /opt/librenms \
        /opt/librenms/vendor/socialiteproviders \
        /opt/librenms/vendor/composer \
        /opt/librenms/vendor/composer/* \
        /opt/librenms/bootstrap/* \
    && lnms plugin:add socialiteproviders/authentik

# Add required auth file for SSO to work
# (the COPY source path is resolved relative to the build context)
COPY EventServiceProvider.php /opt/librenms/app/Providers/EventServiceProvider.php
```
Next create the PHP file, /opt/librenms/EventServiceProvider.php, with the following contents:

```php
<?php

namespace App\Providers;

use Illuminate\Foundation\Support\Providers\EventServiceProvider as ServiceProvider;

class EventServiceProvider extends ServiceProvider
{
    /**
     * The event listener mappings for the application.
     *
     * @var array<string, array<int, string>>
     */
    protected $listen = [
        \Illuminate\Auth\Events\Login::class => ['App\Listeners\AuthEventListener@login'],
        \Illuminate\Auth\Events\Logout::class => ['App\Listeners\AuthEventListener@logout'],
        \App\Events\UserCreated::class => [
            \App\Listeners\MarkNotificationsRead::class,
        ],
        \App\Events\PollingDevice::class => [
        ],
        \App\Events\DevicePolled::class => [
            \App\Listeners\CheckAlerts::class,
            \App\Listeners\UpdateDeviceGroups::class,
        ],
        \Illuminate\Database\Events\QueryExecuted::class => [
            \App\Listeners\QueryDebugListener::class,
            \App\Listeners\QueryMetricListener::class,
        ],
        \Illuminate\Database\Events\StatementPrepared::class => [
            \App\Listeners\LegacyQueryListener::class,
        ],
        \SocialiteProviders\Manager\SocialiteWasCalled::class => [
            \SocialiteProviders\Authentik\AuthentikExtendSocialite::class.'@handle',
            \App\Listeners\SocialiteWasCalledListener::class,
        ],
    ];

    /**
     * Register any events for your application.
     *
     * @return void
     */
    public function boot(): void
    {
        //
    }

    /**
     * Determine if events and listeners should be automatically discovered.
     *
     * @return bool
     */
    public function shouldDiscoverEvents(): bool
    {
        return false;
    }
}
```
The change from the default PHP file is this specific line:
\SocialiteProviders\Authentik\AuthentikExtendSocialite::class.'@handle',
Finally edit the /opt/librenms/docker-compose.yaml file. The librenms service needs to have the image: librenms/librenms:latest line commented out and the build context set to the docker directory:

```yaml
  librenms:
    #image: librenms/librenms:latest
    build:
      context: ./docker
```
LibreNMS Configuration
Start LibreNMS and enter the container with docker exec -it librenms /bin/bash.
The following configuration needs to be added to LibreNMS to start using the new SSO provider:

```bash
lnms config:set auth.socialite.configs.authentik.base_url https://authentik.example.com/
lnms config:set auth.socialite.configs.authentik.client_id client-id
lnms config:set auth.socialite.configs.authentik.client_secret client-secret
lnms config:set auth.socialite.configs.authentik.redirect https://nms.example.com/auth/authentik/callback
lnms config:set auth.socialite.configs.authentik.listener "\SocialiteProviders\Authentik\AuthentikExtendSocialite"
```
To enable accounts to be created automatically in LibreNMS enable the register option for Socialite:
lnms config:set auth.socialite.register true
To redirect the default login page to Authentik, set the following option:
lnms config:set auth.socialite.redirect true
After these changes you should now be able to log in by accessing https://nms.example.com/login.
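A pre-flight check for the values passed to the lnms config:set commands above, as an added example that is not part of the original instructions or of LibreNMS itself. The function name check_sso_settings and the sample credential strings are assumptions made for illustration; the hostnames and callback path are the ones used on this page.

```shell
#!/bin/sh
# Added example (not from the original instructions): pre-flight check for the
# values passed to `lnms config:set auth.socialite.configs.authentik.*`.

# check_sso_settings BASE_URL REDIRECT NMS_HOST CLIENT_ID CLIENT_SECRET
# Prints one line per problem and returns the number of problems found.
check_sso_settings() {
    base_url=$1 redirect=$2 nms_host=$3 client_id=$4 client_secret=$5
    problems=0

    # The authorization code, tokens and client secret cross these URLs,
    # so both the Authentik base URL and the callback must be HTTPS.
    case $base_url in
        https://*) ;;
        *) echo "base_url is not https: $base_url"; problems=$((problems + 1)) ;;
    esac
    case $redirect in
        https://*) ;;
        *) echo "redirect is not https: $redirect"; problems=$((problems + 1)) ;;
    esac

    # The callback must be the redirect URI entered in the Authentik provider.
    expected="https://$nms_host/auth/authentik/callback"
    if [ "$redirect" != "$expected" ]; then
        echo "redirect '$redirect' is not '$expected'"
        problems=$((problems + 1))
    fi

    # The literal placeholders from the instructions must have been replaced.
    if [ -z "$client_id" ] || [ "$client_id" = "client-id" ]; then
        echo "client_id is empty or still the placeholder"
        problems=$((problems + 1))
    fi
    if [ -z "$client_secret" ] || [ "$client_secret" = "client-secret" ]; then
        echo "client_secret is empty or still the placeholder"
        problems=$((problems + 1))
    fi

    return "$problems"
}

# Constructed sample values; substitute the ones from your Authentik provider.
check_sso_settings "https://authentik.example.com/" \
    "https://nms.example.com/auth/authentik/callback" \
    "nms.example.com" "constructed-client-id" "constructed-client-secret" \
    && echo "settings look consistent"
```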
References
- GitHub issue “Socialite Auth Plugins #276” – base for the above Socialite provider installation command (needed to have the PHP file added and to remove a chmod for a file which doesn’t exist)
- LibreNMS Oauth/SAML documentation