2026-06-15: Forgejo sync fixed, osTicket LDAP SSO complete, capstone started

project-kitestacks-migration.md

@@ -551,3 +551,60 @@ against the public hostname can hit the wrong DB; use monk's local
   needs 3rd-party OAuth2/SAML plugin) - NOT YET DONE.
 - End-user ticket submission uses osTicket's native client portal signup (works
   out of the box, no SSO needed).
+
+## 2026-06-14/15: Forgejo sync fixed + osTicket Authentik LDAP SSO complete
+
+### Forgejo sync (monk → kscloud1) - FIXED
+- Ran `docker exec -u git forgejo /app/gitea/gitea dump` on monk, scp'd to kscloud1
+- Restored: 13 repos + DB synced, ROOT_URL fixed on kscloud1 to `https://gitforge.kitestacks.com/`
+- kscloud1 Forgejo docker-compose updated (correct ROOT_URL + SSH port 2222)
+- Sync script: `~/kitestacks-live/docker/forgejo/sync-to-cloud.sh` (rsync repos + DB dump)
+- Cron: `0 */6 * * *` runs sync-to-cloud.sh, logs to `/tmp/forgejo-sync.log`
+- Authentik redirect URI fixed: updated `_redirect_uris` in shared Postgres from
+  `authentik/callback` → `Authentik/callback` (matched renamed Forgejo source name)
+
+### osTicket Authentik LDAP SSO - COMPLETE (2026-06-14/15)
+Uses Authentik's LDAP outpost + osTicket's built-in auth-ldap.phar plugin.
+
+**Authentik side:**
+- LDAPProvider "osTicket LDAP" (pk=11, base_dn=DC=ldap,DC=goauthentik,DC=io)
+- Application "osTicket LDAP" (slug=osticket-ldap, backchannel provider)
+- Outpost "osTicket LDAP Outpost" (pk=5c42f5ba-64bd-434e-a47f-7ce9da13227a)
+- Outpost service token: `jjYRKWuGtoeq9r0qeifbCnXGHDjhCJU2MLnkCvMMduIGA1kQKz85qnt7u5Zf`
+- ldap-svc user (search account): DN=`cn=ldap-svc,ou=users,dc=ldap,dc=goauthentik,dc=io`
+  password=`IlgQaxBPv9rdoq03CsoY53tH`, member of homelab-admin group
+
+**Docker services added on monk:**
+- `~/kitestacks-live/docker/authentik-ldap/docker-compose.yml`
+  - `authentik-ldap` (ghcr.io/goauthentik/ldap:2025.2.4) on kitestacks+osticket_default networks
+  - `authentik-ldap-proxy` (alpine/socat) bridges port 389→3389 on osticket_default
+    so osticket-app can reach standard LDAP port without phar URI workaround
+
+**Docker services added on kscloud1:**
+- `/opt/kitestacks/docker/authentik-ldap/docker-compose.yml`
+  - Same authentik-ldap container, bound to 100.123.254.52:3389 (Tailscale) + 127.0.0.1:3389
+
+**auth-ldap.phar patches (3 patches applied, original backed up as auth-ldap.phar.orig):**
+1. `authentication.php` - `getConnection()`: adds binddn/bindpw from plugin config to
+   Net_LDAP2 params so initial connect uses credentials (not anonymous, which Authentik rejects)
+2. `config.php` - validation block: sets include_path to phar's include dir before
+   `require_once Net/LDAP2.php` so sub-files resolve correctly in FPM context
+3. ALL `include/Net/LDAP2/*.php` files: guards `require_once 'PEAR.php'` with
+   `if (!class_exists('PEAR', false))` to prevent fatal conflict between osTicket's
+   `/include/pear/PEAR.php` and PHP global `/usr/local/lib/php/PEAR.php`
+
+**osTicket LDAP plugin config (namespace plugin.2 in ost_config):**
+- servers: `authentik-ldap-proxy` (via socat on port 389)
+- bind_dn: `cn=ldap-svc,ou=users,dc=ldap,dc=goauthentik,dc=io`
+- bind_pw: encrypted with `Crypto::encrypt(pass, SECRET_SALT, 'plugin.2')`
+- search_base: `ou=users,dc=ldap,dc=goauthentik,dc=io`
+- schema: auto, auth-staff: 1, auth-client: 0, domain: ldap.goauthentik.io
+
+**Staff login:** username=`kenpat7177`, password=Authentik password (reset to `KiteStacks2026!`)
+  on `tasks.kitestacks.com/scp/login.php`
+
+### Per Scholas IT Support Capstone - IN PROGRESS
+See [[project-per-scholas-capstone]]. Next steps:
+- Create capstone incident tickets in osTicket (5-phase challenge)
+- Set up osTicket user/client portal for non-staff users (Phase 3 end-user access)
+- Each capstone ticket maps to a phase scenario (migration event, incident response, etc.)