Identity Management Beyond SSO: LDAP, Authentik, and Centralized User Management

Security 2026-02-09 · 5 min read ldap identity authentik freeipa user-management

SSO is great — log in once and access all your services. But SSO alone doesn't solve the full identity problem. When you add a new service, you still create a local account manually. When a family member needs access to Jellyfin but not Proxmox, you manage permissions in each service separately. When you change your password, you update it in twenty places.

True identity management centralizes the source of truth for users, groups, and permissions. A directory service (LDAP) becomes the single place where user accounts live. Services authenticate against it instead of maintaining their own user databases. Add a user once, grant them group membership, and every LDAP-integrated service knows who they are and what they can access.

The Identity Stack

A complete homelab identity setup has three layers:

  1. Directory service (LDAP): Stores users, groups, and attributes. The source of truth.
  2. Authentication proxy (Authentik/Authelia): Provides SSO, MFA, and a user-facing login portal.
  3. Service integration: Each service is configured to authenticate against LDAP directly, via OIDC/SAML through the auth proxy, or both.

You don't need all three at once. Start with a directory service, add services to it incrementally, then layer on SSO when you have enough services to justify it.

Option 1: lldap (Lightweight LDAP)

lldap is a lightweight LDAP server built specifically for homelabs. It doesn't try to be FreeIPA or Active Directory — it provides a user/group directory with a web UI for management and an LDAP interface for service integration.

Why lldap

Deployment

# docker-compose.yml
services:
  lldap:
    image: lldap/lldap:latest
    restart: unless-stopped
    ports:
      - "3890:3890"    # LDAP
      - "17170:17170"  # Web UI
    environment:
      LLDAP_LDAP_BASE_DN: "dc=homelab,dc=lan"
      LLDAP_LDAP_USER_PASS: "admin-password-change-me"
      LLDAP_JWT_SECRET: "change-this-to-random-string"
      TZ: "America/New_York"
    volumes:
      - ./data:/data

Initial Setup

  1. Open http://your-server:17170 and log in with admin / your configured password
  2. Create groups: admins, media, family, services
  3. Create users and assign them to groups
  4. Note the bind DN format: uid=admin,ou=people,dc=homelab,dc=lan

Integrating Services with lldap

Most self-hosted services support LDAP authentication. Here are the common configurations:

Nextcloud:

Server: ldap://lldap:3890
User DN: uid=%uid,ou=people,dc=homelab,dc=lan
Base DN: ou=people,dc=homelab,dc=lan
Group DN: ou=groups,dc=homelab,dc=lan
Admin filter: (memberOf=cn=admins,ou=groups,dc=homelab,dc=lan)

Gitea:

# In Gitea admin panel → Authentication Sources → Add LDAP
Host:                 lldap
Port:                 3890
Bind DN:              uid=admin,ou=people,dc=homelab,dc=lan
Bind Password:        admin-password
User Search Base:     ou=people,dc=homelab,dc=lan
User Filter:          (&(uid=%s)(objectClass=person))
Admin Filter:         (memberOf=cn=admins,ou=groups,dc=homelab,dc=lan)
Email Attribute:      mail
First Name Attribute: givenName
Surname Attribute:    sn

Grafana:

# grafana.ini or environment variables
[auth.ldap]
enabled = true
config_file = /etc/grafana/ldap.toml
allow_sign_up = true

# ldap.toml
[[servers]]
host = "lldap"
port = 3890
bind_dn = "uid=admin,ou=people,dc=homelab,dc=lan"
bind_password = "admin-password"
search_base_dns = ["ou=people,dc=homelab,dc=lan"]
search_filter = "(uid=%s)"

[servers.attributes]
username = "uid"
email = "mail"
name = "cn"

[[servers.group_mappings]]
group_dn = "cn=admins,ou=groups,dc=homelab,dc=lan"
org_role = "Admin"

[[servers.group_mappings]]
group_dn = "cn=media,ou=groups,dc=homelab,dc=lan"
org_role = "Viewer"
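What the three service configurations above actually do with a login name is worth seeing end to end: the service substitutes the name into its user filter (Gitea's `(&(uid=%s)(objectClass=person))`), builds a bind DN from the template (Nextcloud's `uid=%uid,ou=people,dc=homelab,dc=lan`), and decides on admin rights by evaluating the `memberOf` filter against the returned entry. The example below is added here and is not code from the article, lldap, Gitea, Nextcloud or Grafana. It runs offline against a constructed in-memory directory shaped like lldap's `ou=people` results, with a deliberately minimal filter evaluator (`&`, `|`, `!`, equality and presence), and shows why the login must be RFC 4515-escaped before substitution: an unescaped `*` turns the user filter into a presence test that matches every person.

```python
"""Service-side LDAP lookup against an lldap-style directory, run offline.

Added example; not code from the article, lldap, Gitea, Nextcloud or Grafana.
DIRECTORY is constructed sample data; the filter evaluator is deliberately
minimal (&, |, !, equality, presence), which is all these filters need.
"""
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, List[str]]

BASE_DN = "dc=homelab,dc=lan"
USER_FILTER = "(&(uid=%s)(objectClass=person))"          # Gitea's user filter
ADMIN_FILTER = "(memberOf=cn=admins,ou=groups,%s)" % BASE_DN

# Constructed sample entries shaped like lldap's ou=people search results.
DIRECTORY: List[Entry] = [
    {"uid": ["admin"], "objectClass": ["person", "inetOrgPerson"],
     "mail": ["admin@homelab.lan"],
     "memberOf": ["cn=admins,ou=groups,dc=homelab,dc=lan"]},
    {"uid": ["alice"], "objectClass": ["person", "inetOrgPerson"],
     "mail": ["alice@homelab.lan"],
     "memberOf": ["cn=media,ou=groups,dc=homelab,dc=lan",
                  "cn=family,ou=groups,dc=homelab,dc=lan"]},
]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for an attribute value placed inside a DN."""
    out = []
    for i, c in enumerate(value):
        special = c in ',+"\\<>;'
        edge = (i == 0 and c in "# ") or (i == len(value) - 1 and c == " ")
        out.append("\\" + c if special or edge else c)
    return "".join(out)


def _parse(f: str, i: int) -> Tuple[tuple, int]:
    """Parse the parenthesised filter starting at f[i]; return (node, end)."""
    if f[i] != "(":
        raise ValueError("filter must start with '(' at offset %d" % i)
    i += 1
    if f[i] in "&|!":
        op, kids, i = f[i], [], i + 1
        while f[i] == "(":
            node, i = _parse(f, i)
            kids.append(node)
        if f[i] != ")":
            raise ValueError("unbalanced filter")
        return (op, kids), i + 1
    end = f.index(")", i)
    attr, sep, raw = f[i:end].partition("=")
    if not sep:
        raise ValueError("unsupported filter item: %s" % f[i:end])
    return ("=", attr, raw), end + 1


def _unescape(raw: str) -> str:
    """Reverse RFC 4515 escaping (\\2a -> '*')."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 3 <= len(raw):
            out.append(chr(int(raw[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)


def _values(entry: Entry, attr: str) -> List[str]:
    """Attribute names are case-insensitive in LDAP."""
    return next((v for k, v in entry.items() if k.lower() == attr.lower()), [])


def _match(node: tuple, entry: Entry) -> bool:
    kind = node[0]
    if kind == "&":
        return all(_match(k, entry) for k in node[1])
    if kind == "|":
        return any(_match(k, entry) for k in node[1])
    if kind == "!":
        return not _match(node[1][0], entry)
    _, attr, raw = node
    values = _values(entry, attr)
    if raw == "*":                       # presence test, e.g. (uid=*)
        return bool(values)
    wanted = _unescape(raw).lower()
    return any(v.lower() == wanted for v in values)


def search(filter_str: str) -> List[Entry]:
    node, end = _parse(filter_str, 0)
    if end != len(filter_str):
        raise ValueError("trailing data after filter")
    return [e for e in DIRECTORY if _match(node, e)]


def user_filter(login: str) -> str:
    """The user filter with the login escaped before substitution."""
    return USER_FILTER % escape_filter_value(login)


def user_dn(login: str) -> str:
    """The Nextcloud-style bind DN, uid=%uid,ou=people,<base>."""
    return "uid=%s,ou=people,%s" % (escape_dn_value(login), BASE_DN)


def lookup_user(login: str) -> Optional[Entry]:
    """Exactly one entry must match; anything else rejects the login."""
    hits = search(user_filter(login))
    return hits[0] if len(hits) == 1 else None


def is_admin(entry: Entry) -> bool:
    """The admin filter from the Nextcloud/Gitea/Grafana configs above."""
    return _match(_parse(ADMIN_FILTER, 0)[0], entry)


if __name__ == "__main__":
    for login in ("alice", "admin", "*"):
        entry = lookup_user(login)
        print(user_filter(login), "->", entry and entry["mail"][0],
              "(admin)" if entry and is_admin(entry) else "")
```

Two things to check in a real deployment follow from this: the service's LDAP library must escape the login (every mainstream one does, but a hand-written filter in a custom app may not), and the user filter should return exactly one entry, which is why Gitea's filter anchors on `uid` and `objectClass=person` rather than a looser attribute.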

Option 2: Authentik (Full Identity Provider)

Authentik is a comprehensive identity provider that includes LDAP, SAML, OIDC, SCIM, and a forward-auth proxy. It replaces both your directory service and your SSO proxy in a single platform.

Why Authentik

Deployment

# docker-compose.yml
services:
  authentik-server:
    image: ghcr.io/goauthentik/server:latest
    restart: unless-stopped
    command: server
    ports:
      - "9000:9000"
      - "9443:9443"
    environment:
      AUTHENTIK_SECRET_KEY: generate-a-long-random-string
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: db
      AUTHENTIK_POSTGRESQL__USER: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: password
      AUTHENTIK_POSTGRESQL__NAME: authentik
    volumes:
      - ./media:/media
      - ./templates:/templates
    depends_on:
      - db
      - redis

  authentik-worker:
    image: ghcr.io/goauthentik/server:latest
    restart: unless-stopped
    command: worker
    environment:
      AUTHENTIK_SECRET_KEY: generate-a-long-random-string
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: db
      AUTHENTIK_POSTGRESQL__USER: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: password
      AUTHENTIK_POSTGRESQL__NAME: authentik
    volumes:
      - ./media:/media
    depends_on:
      - db
      - redis

  db:
    image: postgres:16-alpine
    restart: unless-stopped
    environment:
      POSTGRES_DB: authentik
      POSTGRES_USER: authentik
      POSTGRES_PASSWORD: password
    volumes:
      - ./db-data:/var/lib/postgresql/data

  redis:
    image: redis:7-alpine
    restart: unless-stopped
    volumes:
      - ./redis-data:/data

Resource usage: ~800 MB - 1.2 GB RAM for the full stack.
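Both compose files above, the lldap one and this Authentik stack, carry literal secrets (`change-this-to-random-string`, `password`) that are easy to commit by accident and that the two Authentik containers and the Postgres container must agree on. The script below is an added example, not code from the article, lldap or Authentik: it generates each secret from the OS CSPRNG, keeps the database password identical in `AUTHENTIK_POSTGRESQL__PASSWORD` and `POSTGRES_PASSWORD`, writes a `.env` file readable only by its owner, and refuses to overwrite an existing one, since regenerating `AUTHENTIK_SECRET_KEY` or the DB password would break a running deployment. Docker Compose reads `.env` from the project directory and substitutes `${NAME}` references in `docker-compose.yml`; the variable names are the ones the compose files use, the token lengths are this example's own choices.

```python
"""Generate the secrets the compose files above expect and write them to .env.

Added example, not code from the article, lldap or Authentik. Variable names
follow the compose files above; token lengths are this example's own choice.
"""
import os
import secrets
import stat
from pathlib import Path
from typing import Dict


def generate_secrets() -> Dict[str, str]:
    """One random value per secret, from the OS CSPRNG via `secrets`."""
    db_password = secrets.token_urlsafe(32)
    return {
        "LLDAP_LDAP_USER_PASS": secrets.token_urlsafe(24),
        "LLDAP_JWT_SECRET": secrets.token_urlsafe(48),
        "AUTHENTIK_SECRET_KEY": secrets.token_urlsafe(60),
        # authentik-server, authentik-worker and the postgres container all
        # read the database password, so these two must carry the same value.
        "AUTHENTIK_POSTGRESQL__PASSWORD": db_password,
        "POSTGRES_PASSWORD": db_password,
    }


def render_env(values: Dict[str, str]) -> str:
    """KEY=value lines; token_urlsafe output is [A-Za-z0-9_-], so no quoting."""
    return "".join("%s=%s\n" % (k, v) for k, v in values.items())


def parse_env(text: str) -> Dict[str, str]:
    """Read back a .env file (blank lines and # comments are skipped)."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            result[key] = value
    return result


def write_env(path, values: Dict[str, str], overwrite: bool = False) -> Path:
    """Create the file with mode 0600 so other local users cannot read it.

    Refuses to clobber an existing file unless overwrite=True: a regenerated
    AUTHENTIK_SECRET_KEY or DB password would break the running deployment.
    """
    path = Path(path)
    if path.exists() and not overwrite:
        raise FileExistsError("%s exists; pass overwrite=True to replace it" % path)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(render_env(values))
    os.chmod(path, 0o600)   # a pre-existing file would otherwise keep its old mode
    return path


def file_mode(path) -> int:
    """Permission bits only, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    target = write_env(".env", generate_secrets())
    print("wrote %s (mode %o)" % (target, file_mode(target)))
```

With the file in place, replace each literal in the compose files with a reference, e.g. `LLDAP_JWT_SECRET: "${LLDAP_JWT_SECRET}"` and `POSTGRES_PASSWORD: "${POSTGRES_PASSWORD}"`, and add `.env` to `.gitignore` so the compose file itself can be versioned without the secrets.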

Setting Up OIDC for Services

Authentik's OIDC provider is the preferred integration method for services that support it:

  1. In Authentik admin, go to Applications → Create
  2. Choose OAuth2/OpenID Provider
  3. Configure the redirect URI for your service (e.g., https://grafana.homelab.lan/login/generic_oauth)
  4. Note the Client ID and Client Secret

Grafana with Authentik OIDC:

[auth.generic_oauth]
enabled = true
name = Authentik
client_id = grafana-client-id
client_secret = grafana-client-secret
scopes = openid profile email
auth_url = https://auth.homelab.lan/application/o/authorize/
token_url = https://auth.homelab.lan/application/o/token/
api_url = https://auth.homelab.lan/application/o/userinfo/
role_attribute_path = contains(groups, 'admins') && 'Admin' || 'Viewer'

Authentik LDAP Outpost

For services that only support LDAP, Authentik can run an LDAP outpost:

  authentik-ldap:
    image: ghcr.io/goauthentik/ldap:latest
    restart: unless-stopped
    ports:
      - "3389:3389"    # LDAP
      - "6636:6636"    # LDAPS
    environment:
      AUTHENTIK_HOST: http://authentik-server:9000
      AUTHENTIK_TOKEN: outpost-token-from-admin-ui

Option 3: FreeIPA (Enterprise-Grade)

FreeIPA is a full identity management system built on 389 Directory Server, MIT Kerberos, Dogtag CA, and BIND DNS. It's what Red Hat uses for enterprise Linux environments.

When to Use FreeIPA

When NOT to Use FreeIPA

# Install FreeIPA server on Fedora/RHEL
sudo dnf install freeipa-server

# Run the installer
sudo ipa-server-install \
  --realm=HOMELAB.LAN \
  --domain=homelab.lan \
  --ds-password=DirectoryManagerPassword \
  --admin-password=AdminPassword \
  --hostname=ipa.homelab.lan \
  --setup-dns --auto-forwarders

FreeIPA includes its own DNS server, which simplifies service discovery but means you need to integrate it with your existing DNS infrastructure.

Comparison

| Feature               | lldap                   | Authentik                | FreeIPA                       |
|-----------------------|-------------------------|--------------------------|-------------------------------|
| RAM usage             | ~30 MB                  | ~1 GB                    | ~3-4 GB                       |
| LDAP directory        | Yes                     | Via outpost              | Yes (389 DS)                  |
| SSO (OIDC/SAML)       | No                      | Yes                      | Limited                       |
| Forward auth proxy    | No                      | Yes                      | No                            |
| MFA                   | No                      | Yes (TOTP, WebAuthn)     | Yes (OTP)                     |
| User self-service     | No                      | Yes                      | Yes                           |
| Kerberos              | No                      | No                       | Yes                           |
| Certificate authority | No                      | Cert generation          | Yes (Dogtag)                  |
| DNS integration       | No                      | No                       | Yes (BIND)                    |
| Web UI                | Basic user/group mgmt   | Full admin + user portal | Full admin portal             |
| Complexity            | Low                     | Medium                   | High                          |
| Best for              | LDAP only, simple setup | Full identity + SSO      | Enterprise learning, Kerberos |

Recommended Approach

Start with lldap + Authelia if you already have Authelia for SSO. lldap provides the directory, Authelia provides the authentication portal. This is the lightest option.

Use Authentik standalone if you're starting from scratch and want one platform that does everything — directory, SSO, MFA, and forward auth. It's more resource-intensive but simpler to manage as a single system.

Use FreeIPA only if you specifically need Kerberos or are building a learning environment that mimics enterprise infrastructure.

Migration Path

The practical path for most homelabs:

  1. Deploy lldap, create your users and groups
  2. Integrate 2-3 services with LDAP (Gitea, Nextcloud, Grafana)
  3. When you want SSO and MFA, either add Authelia (lighter) or migrate to Authentik (more features)
  4. Gradually add more services to the directory

The goal is to reach a state where adding a new service means configuring it to talk to your directory — not creating yet another local account with yet another password.