trustchain-oc1-orchestral
/
authentik
Archived
10
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

sources/ldap: add support for cert based auth (#5850) 

* ldap: support cert based auth

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* ldap: default sni switch to off

* ldap: `get_info=NONE` on insufficient access error

* fix: Make file locale script

* ldap: add google ldap attribute mappings

* ldap: move google secure ldap blueprint to examples

Revert "ldap: add google ldap attribute mappings"

This reverts commit 8a861bb92c1bd763b6e7ec0513f73b3039a1adb4.

* ldap: remove `validate` for client cert auth

not strictly necessary

* ldap: write temp cert files more securely

* ldap: use first array value for sni when provided csv input

* don't specify tempdir

we set $TMPDIR in the dockerfile

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* limit API to only allow certificate key pairs with private key

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* use maxsplit

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* update locale

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Signed-off-by: Jens L. <jens@goauthentik.io>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
This commit is contained in:
ChandonPierre 2023-06-12 09:41:44 -04:00 committed by GitHub
parent 8ddefb213f
commit 029395d08b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
19 changed files with 680 additions and 121 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Makefile
View File

@ -151,7 +151,7 @@ web-check-compile:
cd web && npm run tsc
web-i18n-extract:
cd web && npm run extract
cd web && npm run extract-locales
#########################
## Website

15
authentik/sources/ldap/api.py
View File

@ -8,6 +8,7 @@ from drf_spectacular.utils import extend_schema, extend_schema_field, inline_ser
from rest_framework.decorators import action
from rest_framework.exceptions import ValidationError
from rest_framework.fields import DictField, ListField
from rest_framework.relations import PrimaryKeyRelatedField
from rest_framework.request import Request
from rest_framework.response import Response
from rest_framework.viewsets import ModelViewSet
@ -16,6 +17,7 @@ from authentik.admin.api.tasks import TaskSerializer
from authentik.core.api.propertymappings import PropertyMappingSerializer
from authentik.core.api.sources import SourceSerializer
from authentik.core.api.used_by import UsedByMixin
from authentik.crypto.models import CertificateKeyPair
from authentik.events.monitored_tasks import TaskInfo
from authentik.sources.ldap.models import LDAPPropertyMapping, LDAPSource
from authentik.sources.ldap.tasks import SYNC_CLASSES
@ -24,6 +26,15 @@ from authentik.sources.ldap.tasks import SYNC_CLASSES
class LDAPSourceSerializer(SourceSerializer):
"""LDAP Source Serializer"""
client_certificate = PrimaryKeyRelatedField(
allow_null=True,
help_text="Client certificate to authenticate against the LDAP Server's Certificate.",
queryset=CertificateKeyPair.objects.exclude(
key_data__exact="",
),
required=False,
)
def validate(self, attrs: dict[str, Any]) -> dict[str, Any]:
"""Check that only a single source has password_sync on"""
sync_users_password = attrs.get("sync_users_password", True)
@ -42,9 +53,11 @@ class LDAPSourceSerializer(SourceSerializer):
fields = SourceSerializer.Meta.fields + [
"server_uri",
"peer_certificate",
"client_certificate",
"bind_cn",
"bind_password",
"start_tls",
"sni",
"base_dn",
"additional_user_dn",
"additional_group_dn",
@ -75,7 +88,9 @@ class LDAPSourceViewSet(UsedByMixin, ModelViewSet):
"server_uri",
"bind_cn",
"peer_certificate",
"client_certificate",
"start_tls",
"sni",
"base_dn",
"additional_user_dn",
"additional_group_dn",

45
authentik/sources/ldap/migrations/0003_ldapsource_client_certificate_ldapsource_sni_and_more.py Normal file
View File

@ -0,0 +1,45 @@
# Generated by Django 4.1.7 on 2023-06-06 18:33
import django.db.models.deletion
from django.db import migrations, models
class Migration(migrations.Migration):
dependencies = [
("authentik_crypto", "0004_alter_certificatekeypair_name"),
("authentik_sources_ldap", "0002_auto_20211203_0900"),
]
operations = [
migrations.AddField(
model_name="ldapsource",
name="client_certificate",
field=models.ForeignKey(
default=None,
help_text="Client certificate to authenticate against the LDAP Server's Certificate.",
null=True,
on_delete=django.db.models.deletion.SET_DEFAULT,
related_name="ldap_client_certificates",
to="authentik_crypto.certificatekeypair",
),
),
migrations.AddField(
model_name="ldapsource",
name="sni",
field=models.BooleanField(
default=False, verbose_name="Use Server URI for SNI verification"
),
),
migrations.AlterField(
model_name="ldapsource",
name="peer_certificate",
field=models.ForeignKey(
default=None,
help_text="Optionally verify the LDAP Server's Certificate against the CA Chain in this keypair.",
null=True,
on_delete=django.db.models.deletion.SET_DEFAULT,
related_name="ldap_peer_certificates",
to="authentik_crypto.certificatekeypair",
),
),
]

37
authentik/sources/ldap/models.py
View File

@ -1,11 +1,13 @@
"""authentik LDAP Models"""
from os import chmod
from ssl import CERT_REQUIRED
from tempfile import NamedTemporaryFile, mkdtemp
from typing import Optional
from django.db import models
from django.utils.translation import gettext_lazy as _
from ldap3 import ALL, NONE, RANDOM, Connection, Server, ServerPool, Tls
from ldap3.core.exceptions import LDAPSchemaError
from ldap3.core.exceptions import LDAPInsufficientAccessRightsResult, LDAPSchemaError
from rest_framework.serializers import Serializer
from authentik.core.models import Group, PropertyMapping, Source
@ -39,14 +41,24 @@ class LDAPSource(Source):
on_delete=models.SET_DEFAULT,
default=None,
null=True,
related_name="ldap_peer_certificates",
help_text=_(
"Optionally verify the LDAP Server's Certificate against the CA Chain in this keypair."
),
)
client_certificate = models.ForeignKey(
CertificateKeyPair,
on_delete=models.SET_DEFAULT,
default=None,
null=True,
related_name="ldap_client_certificates",
help_text=_("Client certificate to authenticate against the LDAP Server's Certificate."),
)
bind_cn = models.TextField(verbose_name=_("Bind CN"), blank=True)
bind_password = models.TextField(blank=True)
start_tls = models.BooleanField(default=False, verbose_name=_("Enable Start TLS"))
sni = models.BooleanField(default=False, verbose_name=_("Use Server URI for SNI verification"))
base_dn = models.TextField(verbose_name=_("Base DN"))
additional_user_dn = models.TextField(
@ -112,8 +124,22 @@ class LDAPSource(Source):
if self.peer_certificate:
tls_kwargs["ca_certs_data"] = self.peer_certificate.certificate_data
tls_kwargs["validate"] = CERT_REQUIRED
if self.client_certificate:
temp_dir = mkdtemp()
with NamedTemporaryFile(mode="w", delete=False, dir=temp_dir) as temp_cert:
temp_cert.write(self.client_certificate.certificate_data)
certificate_file = temp_cert.name
chmod(certificate_file, 0o600)
with NamedTemporaryFile(mode="w", delete=False, dir=temp_dir) as temp_key:
temp_key.write(self.client_certificate.key_data)
private_key_file = temp_key.name
chmod(private_key_file, 0o600)
tls_kwargs["local_private_key_file"] = private_key_file
tls_kwargs["local_certificate_file"] = certificate_file
if ciphers := CONFIG.y("ldap.tls.ciphers", None):
tls_kwargs["ciphers"] = ciphers.strip()
if self.sni:
tls_kwargs["sni"] = self.server_uri.split(",", maxsplit=1)[0].strip()
server_kwargs = {
"get_info": ALL,
"connect_timeout": LDAP_TIMEOUT,
@ -133,8 +159,10 @@ class LDAPSource(Source):
"""Get a fully connected and bound LDAP Connection"""
server_kwargs = server_kwargs or {}
connection_kwargs = connection_kwargs or {}
connection_kwargs.setdefault("user", self.bind_cn)
connection_kwargs.setdefault("password", self.bind_password)
if self.bind_cn is not None:
connection_kwargs.setdefault("user", self.bind_cn)
if self.bind_password is not None:
connection_kwargs.setdefault("password", self.bind_password)
connection = Connection(
self.server(**server_kwargs),
raise_exceptions=True,
@ -148,9 +176,10 @@ class LDAPSource(Source):
successful = connection.bind()
if successful:
return connection
except LDAPSchemaError as exc:
except (LDAPSchemaError, LDAPInsufficientAccessRightsResult) as exc:
# Schema error, so try connecting without schema info
# See https://github.com/goauthentik/authentik/issues/4590
# See also https://github.com/goauthentik/authentik/issues/3399
if server_kwargs.get("get_info", ALL) == NONE:
raise exc
server_kwargs["get_info"] = NONE

222
blueprints/example/sources-google-ldap-mappings.yaml Normal file
View File

@ -0,0 +1,222 @@
version: 1
metadata:
labels:
blueprints.goauthentik.io/instantiate: "false"
name: Example - Google Secure LDAP mappings
entries:
- identifiers:
managed: goauthentik.io/sources/ldap/google-uid
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: uid"
object_field: "username"
expression: |
return ldap.get('uid')
- identifiers:
managed: goauthentik.io/sources/ldap/google-googleuid
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: googleUid"
object_field: "attributes.googleUid"
expression: |
return ldap.get('googleUid')
- identifiers:
managed: goauthentik.io/sources/ldap/google-posixuid
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: posixUid"
object_field: "attributes.posixUid"
expression: |
return ldap.get('posixUid')
- identifiers:
managed: goauthentik.io/sources/ldap/google-cn
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: cn"
object_field: "name"
expression: |
return ldap.get('cn')
- identifiers:
managed: goauthentik.io/sources/ldap/google-sn
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: sn"
object_field: "attributes.sn"
expression: |
return list_flatten(ldap.get('sn'))
- identifiers:
managed: goauthentik.io/sources/ldap/google-givenname
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: givenName"
object_field: "attributes.givenName"
expression: |
return list_flatten(ldap.get('givenName'))
- identifiers:
managed: goauthentik.io/sources/ldap/google-displayname
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: displayName"
object_field: "attributes.displayName"
expression: |
return ldap.get('displayName')
- identifiers:
managed: goauthentik.io/sources/ldap/google-mail
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: mail"
object_field: "email"
expression: |
return ldap.get('mail')
- identifiers:
managed: goauthentik.io/sources/ldap/google-memberof
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: memberOf"
object_field: "attributes.memberOf"
expression: |
return ldap.get('memberOf')
- identifiers:
managed: goauthentik.io/sources/ldap/google-title
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: title"
object_field: "attributes.title"
expression: |
return ldap.get('title')
- identifiers:
managed: goauthentik.io/sources/ldap/google-employeenumber
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: employeeNumber"
object_field: "attributes.employeeNumber"
expression: |
return ldap.get('employeeNumber')
- identifiers:
managed: goauthentik.io/sources/ldap/google-employeetype
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: employeeType"
object_field: "attributes.employeeType"
expression: |
return ldap.get('employeeType')
- identifiers:
managed: goauthentik.io/sources/ldap/google-departmentnumber
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: departmentNumber"
object_field: "attributes.departmentNumber"
expression: |
return ldap.get('departmentNumber')
- identifiers:
managed: goauthentik.io/sources/ldap/google-physicaldeliveryofficename
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: physicalDeliveryOfficeName"
object_field: "attributes.physicalDeliveryOfficeName"
expression: |
return ldap.get('physicalDeliveryOfficeName')
- identifiers:
managed: goauthentik.io/sources/ldap/google-jpegphoto
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: jpegPhoto"
object_field: "attributes.jpegPhoto"
expression: |
return ldap.get('jpegPhoto')
- identifiers:
managed: goauthentik.io/sources/ldap/google-entryuuid
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: entryUuid"
object_field: "attributes.entryUuid"
expression: |
return ldap.get('entryUuid')
- identifiers:
managed: goauthentik.io/sources/ldap/google-objectsid
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: objectSid"
object_field: "attributes.objectSid"
expression: |
return ldap.get('objectSid')
- identifiers:
managed: goauthentik.io/sources/ldap/google-uidnumber
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: uidNumber"
object_field: "attributes.uidNumber"
expression: |
return ldap.get('uidNumber')
- identifiers:
managed: goauthentik.io/sources/ldap/google-gidnumber
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: gidNumber"
object_field: "attributes.gidNumber"
expression: |
return ldap.get('gidNumber')
- identifiers:
managed: goauthentik.io/sources/ldap/google-homedirectory
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: homeDirectory"
object_field: "attributes.homeDirectory"
expression: |
return ldap.get('homeDirectory')
- identifiers:
managed: goauthentik.io/sources/ldap/google-loginshell
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: loginShell"
object_field: "attributes.loginShell"
expression: |
return ldap.get('loginShell')
- identifiers:
managed: goauthentik.io/sources/ldap/google-gidnumber
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: gidNumber"
object_field: "attributes.gidNumber"
expression: |
return ldap.get('gidNumber')
- identifiers:
managed: goauthentik.io/sources/ldap/google-sshpublickey
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: sshPublicKey"
object_field: "attributes.sshPublicKey"
expression: |
return list_flatten(ldap.get('sshPublicKey'))
- identifiers:
managed: goauthentik.io/sources/ldap/google-description
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: description"
object_field: "attributes.description"
expression: |
return list_flatten(ldap.get('description'))
- identifiers:
managed: goauthentik.io/sources/ldap/google-member
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: member"
object_field: "attributes.member"
expression: |
return list_flatten(ldap.get('member'))
- identifiers:
managed: goauthentik.io/sources/ldap/google-memberuid
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: memberUid"
object_field: "attributes.memberUid"
expression: |
return list_flatten(ldap.get('memberUid'))
- identifiers:
managed: goauthentik.io/sources/ldap/google-googleadmincreated
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: googleAdminCreated"
object_field: "attributes.googleAdminCreated"
expression: |
return list_flatten(ldap.get('googleAdminCreated'))

9
blueprints/schema.json
View File

@ -4732,6 +4732,11 @@
"title": "Peer certificate",
"description": "Optionally verify the LDAP Server's Certificate against the CA Chain in this keypair."
},
"client_certificate": {
"type": "integer",
"title": "Client certificate",
"description": "Client certificate to authenticate against the LDAP Server's Certificate."
},
"bind_cn": {
"type": "string",
"title": "Bind CN"
@ -4744,6 +4749,10 @@
"type": "boolean",
"title": "Enable Start TLS"
},
"sni": {
"type": "boolean",
"title": "Use Server URI for SNI verification"
},
"base_dn": {
"type": "string",
"minLength": 1,

91
locale/en/LC_MESSAGES/django.po
View File

@ -8,7 +8,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2023-05-21 21:59+0000\n"
"POT-Creation-Date: 2023-06-12 12:11+0000\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
@ -31,16 +31,16 @@ msgstr ""
msgid "Validation Error"
msgstr ""
#: authentik/blueprints/api.py:43
#: authentik/blueprints/api.py:44
msgid "Blueprint file does not exist"
msgstr ""
#: authentik/blueprints/api.py:54
#: authentik/blueprints/api.py:55
#, python-format
msgid "Failed to validate blueprint: %(logs)s"
msgstr ""
#: authentik/blueprints/api.py:59
#: authentik/blueprints/api.py:60
msgid "Either path or content must be set."
msgstr ""
@ -69,24 +69,24 @@ msgstr ""
msgid "authentik Export - %(date)s"
msgstr ""
#: authentik/blueprints/v1/tasks.py:149 authentik/crypto/tasks.py:93
#: authentik/blueprints/v1/tasks.py:150 authentik/crypto/tasks.py:93
#, python-format
msgid "Successfully imported %(count)d files."
msgstr ""
#: authentik/core/api/providers.py:113
#: authentik/core/api/providers.py:120
msgid "SAML Provider from Metadata"
msgstr ""
#: authentik/core/api/providers.py:114
#: authentik/core/api/providers.py:121
msgid "Create a SAML Provider by importing its Metadata."
msgstr ""
#: authentik/core/api/users.py:118
#: authentik/core/api/users.py:143
msgid "No leading or trailing slashes allowed."
msgstr ""
#: authentik/core/api/users.py:121
#: authentik/core/api/users.py:146
msgid "No empty segments in user path allowed."
msgstr ""
@ -1365,7 +1365,7 @@ msgstr ""
msgid "Authentication token"
msgstr ""
#: authentik/providers/scim/models.py:33 authentik/sources/ldap/models.py:82
#: authentik/providers/scim/models.py:33 authentik/sources/ldap/models.py:94
msgid "Property mappings used for group creation/updating."
msgstr ""
@ -1426,79 +1426,88 @@ msgstr ""
msgid "Used recovery-link to authenticate."
msgstr ""
#: authentik/sources/ldap/models.py:35
#: authentik/sources/ldap/models.py:37
msgid "Server URI"
msgstr ""
#: authentik/sources/ldap/models.py:43
#: authentik/sources/ldap/models.py:46
msgid ""
"Optionally verify the LDAP Server's Certificate against the CA Chain in this "
"keypair."
msgstr ""
#: authentik/sources/ldap/models.py:47
msgid "Bind CN"
msgstr ""
#: authentik/sources/ldap/models.py:49
msgid "Enable Start TLS"
msgstr ""
#: authentik/sources/ldap/models.py:51
msgid "Base DN"
msgstr ""
#: authentik/sources/ldap/models.py:53
msgid "Prepended to Base DN for User-queries."
msgstr ""
#: authentik/sources/ldap/models.py:54
msgid "Addition User DN"
#: authentik/sources/ldap/models.py:55
msgid ""
"Client certificate to authenticate against the LDAP Server's Certificate."
msgstr ""
#: authentik/sources/ldap/models.py:58
msgid "Prepended to Base DN for Group-queries."
msgid "Bind CN"
msgstr ""
#: authentik/sources/ldap/models.py:59
msgid "Addition Group DN"
#: authentik/sources/ldap/models.py:60
msgid "Enable Start TLS"
msgstr ""
#: authentik/sources/ldap/models.py:61
msgid "Use Server URI for SNI verification"
msgstr ""
#: authentik/sources/ldap/models.py:63
msgid "Base DN"
msgstr ""
#: authentik/sources/ldap/models.py:65
msgid "Prepended to Base DN for User-queries."
msgstr ""
#: authentik/sources/ldap/models.py:66
msgid "Addition User DN"
msgstr ""
#: authentik/sources/ldap/models.py:70
msgid "Prepended to Base DN for Group-queries."
msgstr ""
#: authentik/sources/ldap/models.py:71
msgid "Addition Group DN"
msgstr ""
#: authentik/sources/ldap/models.py:77
msgid "Consider Objects matching this filter to be Users."
msgstr ""
#: authentik/sources/ldap/models.py:68
#: authentik/sources/ldap/models.py:80
msgid "Field which contains members of a group."
msgstr ""
#: authentik/sources/ldap/models.py:72
#: authentik/sources/ldap/models.py:84
msgid "Consider Objects matching this filter to be Groups."
msgstr ""
#: authentik/sources/ldap/models.py:75
#: authentik/sources/ldap/models.py:87
msgid "Field which contains a unique Identifier."
msgstr ""
#: authentik/sources/ldap/models.py:89
#: authentik/sources/ldap/models.py:101
msgid ""
"When a user changes their password, sync it back to LDAP. This can only be "
"enabled on a single LDAP source."
msgstr ""
#: authentik/sources/ldap/models.py:159
#: authentik/sources/ldap/models.py:188
msgid "LDAP Source"
msgstr ""
#: authentik/sources/ldap/models.py:160
#: authentik/sources/ldap/models.py:189
msgid "LDAP Sources"
msgstr ""
#: authentik/sources/ldap/models.py:182
#: authentik/sources/ldap/models.py:211
msgid "LDAP Property Mapping"
msgstr ""
#: authentik/sources/ldap/models.py:183
#: authentik/sources/ldap/models.py:212
msgid "LDAP Property Mappings"
msgstr ""

36
schema.yml
View File

@ -17096,6 +17096,11 @@ paths:
name: bind_cn
schema:
type: string
- in: query
name: client_certificate
schema:
type: string
format: uuid
- in: query
name: enabled
schema:
@ -17171,6 +17176,10 @@ paths:
name: slug
schema:
type: string
- in: query
name: sni
schema:
type: boolean
- in: query
name: start_tls
schema:
@ -30950,11 +30959,20 @@ components:
nullable: true
description: Optionally verify the LDAP Server's Certificate against the
CA Chain in this keypair.
client_certificate:
type: string
format: uuid
nullable: true
description: Client certificate to authenticate against the LDAP Server's
Certificate.
bind_cn:
type: string
start_tls:
type: boolean
title: Enable Start TLS
sni:
type: boolean
title: Use Server URI for SNI verification
base_dn:
type: string
additional_user_dn:
@ -31064,6 +31082,12 @@ components:
nullable: true
description: Optionally verify the LDAP Server's Certificate against the
CA Chain in this keypair.
client_certificate:
type: string
format: uuid
nullable: true
description: Client certificate to authenticate against the LDAP Server's
Certificate.
bind_cn:
type: string
bind_password:
@ -31072,6 +31096,9 @@ components:
start_tls:
type: boolean
title: Enable Start TLS
sni:
type: boolean
title: Use Server URI for SNI verification
base_dn:
type: string
minLength: 1
@ -36356,6 +36383,12 @@ components:
nullable: true
description: Optionally verify the LDAP Server's Certificate against the
CA Chain in this keypair.
client_certificate:
type: string
format: uuid
nullable: true
description: Client certificate to authenticate against the LDAP Server's
Certificate.
bind_cn:
type: string
bind_password:
@ -36364,6 +36397,9 @@ components:
start_tls:
type: boolean
title: Enable Start TLS
sni:
type: boolean
title: Use Server URI for SNI verification
base_dn:
type: string
minLength: 1

59
web/src/admin/sources/ldap/LDAPSourceForm.ts
View File

@ -184,6 +184,26 @@ export class LDAPSourceForm extends ModelForm<LDAPSource, string> {
${msg("To use SSL instead, use 'ldaps://' and disable this option.")}
</p>
</ak-form-element-horizontal>
<ak-form-element-horizontal name="sni">
<label class="pf-c-switch">
<input
class="pf-c-switch__input"
type="checkbox"
?checked=${first(this.instance?.sni, false)}
/>
<span class="pf-c-switch__toggle">
<span class="pf-c-switch__toggle-icon">
<i class="fas fa-check" aria-hidden="true"></i>
</span>
</span>
<span class="pf-c-switch__label"
>${msg("Use Server URI for SNI verification")}</span
>
</label>
<p class="pf-c-form__helper-text">
${msg("Required for servers using TLS 1.3+")}
</p>
</ak-form-element-horizontal>
<ak-form-element-horizontal
label=${msg("TLS Verification Certificate")}
name="peerCertificate"
@ -222,6 +242,45 @@ export class LDAPSourceForm extends ModelForm<LDAPSource, string> {
)}
</p>
</ak-form-element-horizontal>
<ak-form-element-horizontal
label=${msg("TLS Client authentication certificate")}
name="clientCertificate"
>
<ak-search-select
.fetchObjects=${async (
query?: string,
): Promise<CertificateKeyPair[]> => {
const args: CryptoCertificatekeypairsListRequest = {
ordering: "name",
hasKey: true,
includeDetails: false,
};
if (query !== undefined) {
args.search = query;
}
const certificates = await new CryptoApi(
DEFAULT_CONFIG,
).cryptoCertificatekeypairsList(args);
return certificates.results;
}}
.renderElement=${(item: CertificateKeyPair): string => {
return item.name;
}}
.value=${(item: CertificateKeyPair | undefined): string | undefined => {
return item?.pk;
}}
.selected=${(item: CertificateKeyPair): boolean => {
return item.pk === this.instance?.clientCertificate;
}}
?blankable=${true}
>
</ak-search-select>
<p class="pf-c-form__helper-text">
${msg(
"Client certificate keypair to authenticate against the LDAP Server's Certificate.",
)}
</p>
</ak-form-element-horizontal>
<ak-form-element-horizontal label=${msg("Bind CN")} name="bindCn">
<input
type="text"

28
web/xliff/de.xlf
View File

@ -748,13 +748,6 @@
<source>Certificate</source>
<target>Zertifikat</target>
</trans-unit>
<trans-unit id="s4eb524a2bb358f8b">
<source>Due to protocol limitations, this certificate is only used when the outpost has a single provider, or all providers use the same certificate.</source>
</trans-unit>
<trans-unit id="s73e9d580d6d96b02">
<source>If multiple providers share an outpost, a self-signed certificate is used.</source>
<target>Wenn sich mehrere Anbieter einen Außenposten teilen, wird ein selbstsigniertes Zertifikat verwendet.</target>
</trans-unit>
<trans-unit id="sac43cb9690260b86">
<source>UID start number</source>
<target>UID-Startnummer</target>
@ -5722,6 +5715,27 @@ Bindings to groups/users are checked against the user of the event.</source>
<source>Activate</source>
<target>Aktivieren</target>
</trans-unit>
<trans-unit id="s1024166475850a65">
<source>Use Server URI for SNI verification</source>
</trans-unit>
<trans-unit id="se65beb94fffc3c4b">
<source>Required for servers using TLS 1.3+</source>
</trans-unit>
<trans-unit id="s5506b35a1bceb141">
<source>Client certificate keypair to authenticate against the LDAP Server's Certificate.</source>
</trans-unit>
<trans-unit id="s4647b2c92638d6fd">
<source>The certificate for the above configured Base DN. As a fallback, the provider uses a self-signed certificate.</source>
</trans-unit>
<trans-unit id="scd247ffad6e04ac0">
<source>TLS Server name</source>
</trans-unit>
<trans-unit id="s2acef4f6ba39bf11">
<source>DNS name for which the above configured certificate should be used. The certificate cannot be detected based on the base DN, as the SSL/TLS negotiation happens before such data is exchanged.</source>
</trans-unit>
<trans-unit id="s000ee3e634868b3c">
<source>TLS Client authentication certificate</source>
</trans-unit>
</body>
</file>
</xliff>

29
web/xliff/en.xlf
View File

@ -777,14 +777,6 @@
<source>Certificate</source>
<target>Certificate</target>
</trans-unit>
<trans-unit id="s4eb524a2bb358f8b">
<source>Due to protocol limitations, this certificate is only used when the outpost has a single provider, or all providers use the same certificate.</source>
<target>Due to protocol limitations, this certificate is only used when the outpost has a single provider, or all providers use the same certificate.</target>
</trans-unit>
<trans-unit id="s73e9d580d6d96b02">
<source>If multiple providers share an outpost, a self-signed certificate is used.</source>
<target>If multiple providers share an outpost, a self-signed certificate is used.</target>
</trans-unit>
<trans-unit id="sac43cb9690260b86">
<source>UID start number</source>
<target>UID start number</target>
@ -6039,6 +6031,27 @@ Bindings to groups/users are checked against the user of the event.</source>
<source>Activate</source>
<target>Activate</target>
</trans-unit>
<trans-unit id="s1024166475850a65">
<source>Use Server URI for SNI verification</source>
</trans-unit>
<trans-unit id="se65beb94fffc3c4b">
<source>Required for servers using TLS 1.3+</source>
</trans-unit>
<trans-unit id="s5506b35a1bceb141">
<source>Client certificate keypair to authenticate against the LDAP Server's Certificate.</source>
</trans-unit>
<trans-unit id="s4647b2c92638d6fd">
<source>The certificate for the above configured Base DN. As a fallback, the provider uses a self-signed certificate.</source>
</trans-unit>
<trans-unit id="scd247ffad6e04ac0">
<source>TLS Server name</source>
</trans-unit>
<trans-unit id="s2acef4f6ba39bf11">
<source>DNS name for which the above configured certificate should be used. The certificate cannot be detected based on the base DN, as the SSL/TLS negotiation happens before such data is exchanged.</source>
</trans-unit>
<trans-unit id="s000ee3e634868b3c">
<source>TLS Client authentication certificate</source>
</trans-unit>
</body>
</file>
</xliff>

28
web/xliff/es.xlf
View File

@ -733,13 +733,6 @@
<source>Certificate</source>
<target>Certificado</target>
</trans-unit>
<trans-unit id="s4eb524a2bb358f8b">
<source>Due to protocol limitations, this certificate is only used when the outpost has a single provider, or all providers use the same certificate.</source>
</trans-unit>
<trans-unit id="s73e9d580d6d96b02">
<source>If multiple providers share an outpost, a self-signed certificate is used.</source>
<target>Si varios proveedores comparten un puesto avanzado, se utiliza un certificado autofirmado.</target>
</trans-unit>
<trans-unit id="sac43cb9690260b86">
<source>UID start number</source>
<target>Número inicial de UID</target>
@ -5630,6 +5623,27 @@ Bindings to groups/users are checked against the user of the event.</source>
<source>Activate</source>
<target>Activar</target>
</trans-unit>
<trans-unit id="s1024166475850a65">
<source>Use Server URI for SNI verification</source>
</trans-unit>
<trans-unit id="se65beb94fffc3c4b">
<source>Required for servers using TLS 1.3+</source>
</trans-unit>
<trans-unit id="s5506b35a1bceb141">
<source>Client certificate keypair to authenticate against the LDAP Server's Certificate.</source>
</trans-unit>
<trans-unit id="s4647b2c92638d6fd">
<source>The certificate for the above configured Base DN. As a fallback, the provider uses a self-signed certificate.</source>
</trans-unit>
<trans-unit id="scd247ffad6e04ac0">
<source>TLS Server name</source>
</trans-unit>
<trans-unit id="s2acef4f6ba39bf11">
<source>DNS name for which the above configured certificate should be used. The certificate cannot be detected based on the base DN, as the SSL/TLS negotiation happens before such data is exchanged.</source>
</trans-unit>
<trans-unit id="s000ee3e634868b3c">
<source>TLS Client authentication certificate</source>
</trans-unit>
</body>
</file>
</xliff>

28
web/xliff/fr_FR.xlf
View File

@ -749,13 +749,6 @@
<source>Certificate</source>
<target>Certificat</target>
</trans-unit>
<trans-unit id="s4eb524a2bb358f8b">
<source>Due to protocol limitations, this certificate is only used when the outpost has a single provider, or all providers use the same certificate.</source>
</trans-unit>
<trans-unit id="s73e9d580d6d96b02">
<source>If multiple providers share an outpost, a self-signed certificate is used.</source>
<target>Si plusieurs fournisseurs partagent un avant-poste, un certificat auto-signé est utilisé.</target>
</trans-unit>
<trans-unit id="sac43cb9690260b86">
<source>UID start number</source>
<target>Numéro de départ d'UID</target>
@ -5737,6 +5730,27 @@ Bindings to groups/users are checked against the user of the event.</source>
<source>Activate</source>
<target>Activer</target>
</trans-unit>
<trans-unit id="s1024166475850a65">
<source>Use Server URI for SNI verification</source>
</trans-unit>
<trans-unit id="se65beb94fffc3c4b">
<source>Required for servers using TLS 1.3+</source>
</trans-unit>
<trans-unit id="s5506b35a1bceb141">
<source>Client certificate keypair to authenticate against the LDAP Server's Certificate.</source>
</trans-unit>
<trans-unit id="s4647b2c92638d6fd">
<source>The certificate for the above configured Base DN. As a fallback, the provider uses a self-signed certificate.</source>
</trans-unit>
<trans-unit id="scd247ffad6e04ac0">
<source>TLS Server name</source>
</trans-unit>
<trans-unit id="s2acef4f6ba39bf11">
<source>DNS name for which the above configured certificate should be used. The certificate cannot be detected based on the base DN, as the SSL/TLS negotiation happens before such data is exchanged.</source>
</trans-unit>
<trans-unit id="s000ee3e634868b3c">
<source>TLS Client authentication certificate</source>
</trans-unit>
</body>
</file>
</xliff>

28
web/xliff/pl.xlf
View File

@ -752,13 +752,6 @@
<source>Certificate</source>
<target>Certyfikat</target>
</trans-unit>
<trans-unit id="s4eb524a2bb358f8b">
<source>Due to protocol limitations, this certificate is only used when the outpost has a single provider, or all providers use the same certificate.</source>
</trans-unit>
<trans-unit id="s73e9d580d6d96b02">
<source>If multiple providers share an outpost, a self-signed certificate is used.</source>
<target>Jeśli wielu dostawców współdzieli placówkę, używany jest certyfikat z podpisem własnym.</target>
</trans-unit>
<trans-unit id="sac43cb9690260b86">
<source>UID start number</source>
<target>Numer początkowy UID</target>
@ -5869,6 +5862,27 @@ Bindings to groups/users are checked against the user of the event.</source>
<source>Activate</source>
<target>Aktywuj</target>
</trans-unit>
<trans-unit id="s1024166475850a65">
<source>Use Server URI for SNI verification</source>
</trans-unit>
<trans-unit id="se65beb94fffc3c4b">
<source>Required for servers using TLS 1.3+</source>
</trans-unit>
<trans-unit id="s5506b35a1bceb141">
<source>Client certificate keypair to authenticate against the LDAP Server's Certificate.</source>
</trans-unit>
<trans-unit id="s4647b2c92638d6fd">
<source>The certificate for the above configured Base DN. As a fallback, the provider uses a self-signed certificate.</source>
</trans-unit>
<trans-unit id="scd247ffad6e04ac0">
<source>TLS Server name</source>
</trans-unit>
<trans-unit id="s2acef4f6ba39bf11">
<source>DNS name for which the above configured certificate should be used. The certificate cannot be detected based on the base DN, as the SSL/TLS negotiation happens before such data is exchanged.</source>
</trans-unit>
<trans-unit id="s000ee3e634868b3c">
<source>TLS Client authentication certificate</source>
</trans-unit>
</body>
</file>
</xliff>

29
web/xliff/pseudo-LOCALE.xlf
View File

@ -761,14 +761,6 @@
<trans-unit id="sb157267c85fdff30">
<source>Certificate</source>
</trans-unit>
<trans-unit id="s4eb524a2bb358f8b">
<source>Due to protocol limitations, this certificate is only used when the outpost has a single provider, or all providers use the same certificate.</source>
</trans-unit>
<trans-unit id="s73e9d580d6d96b02">
<source>If multiple providers share an outpost, a self-signed certificate is used.</source>
</trans-unit>
<trans-unit id="sac43cb9690260b86">
<source>UID start number</source>
@ -5973,6 +5965,27 @@ Bindings to groups/users are checked against the user of the event.</source>
</trans-unit>
<trans-unit id="s27976e94b05c6970">
<source>Activate</source>
</trans-unit>
<trans-unit id="s1024166475850a65">
<source>Use Server URI for SNI verification</source>
</trans-unit>
<trans-unit id="se65beb94fffc3c4b">
<source>Required for servers using TLS 1.3+</source>
</trans-unit>
<trans-unit id="s5506b35a1bceb141">
<source>Client certificate keypair to authenticate against the LDAP Server's Certificate.</source>
</trans-unit>
<trans-unit id="s4647b2c92638d6fd">
<source>The certificate for the above configured Base DN. As a fallback, the provider uses a self-signed certificate.</source>
</trans-unit>
<trans-unit id="scd247ffad6e04ac0">
<source>TLS Server name</source>
</trans-unit>
<trans-unit id="s2acef4f6ba39bf11">
<source>DNS name for which the above configured certificate should be used. The certificate cannot be detected based on the base DN, as the SSL/TLS negotiation happens before such data is exchanged.</source>
</trans-unit>
<trans-unit id="s000ee3e634868b3c">
<source>TLS Client authentication certificate</source>
</trans-unit>
</body>
</file>

28
web/xliff/tr.xlf
View File

@ -733,13 +733,6 @@
<source>Certificate</source>
<target>Sertifika</target>
</trans-unit>
<trans-unit id="s4eb524a2bb358f8b">
<source>Due to protocol limitations, this certificate is only used when the outpost has a single provider, or all providers use the same certificate.</source>
</trans-unit>
<trans-unit id="s73e9d580d6d96b02">
<source>If multiple providers share an outpost, a self-signed certificate is used.</source>
<target>Birden çok sağlayıcı bir üssü paylaşıyorsa, otomatik olarak imzalanan bir sertifika kullanılır.</target>
</trans-unit>
<trans-unit id="sac43cb9690260b86">
<source>UID start number</source>
<target>UID başlangıç numarası</target>
@ -5620,6 +5613,27 @@ Bindings to groups/users are checked against the user of the event.</source>
<source>Activate</source>
<target>Etkinleştir</target>
</trans-unit>
<trans-unit id="s1024166475850a65">
<source>Use Server URI for SNI verification</source>
</trans-unit>
<trans-unit id="se65beb94fffc3c4b">
<source>Required for servers using TLS 1.3+</source>
</trans-unit>
<trans-unit id="s5506b35a1bceb141">
<source>Client certificate keypair to authenticate against the LDAP Server's Certificate.</source>
</trans-unit>
<trans-unit id="s4647b2c92638d6fd">
<source>The certificate for the above configured Base DN. As a fallback, the provider uses a self-signed certificate.</source>
</trans-unit>
<trans-unit id="scd247ffad6e04ac0">
<source>TLS Server name</source>
</trans-unit>
<trans-unit id="s2acef4f6ba39bf11">
<source>DNS name for which the above configured certificate should be used. The certificate cannot be detected based on the base DN, as the SSL/TLS negotiation happens before such data is exchanged.</source>
</trans-unit>
<trans-unit id="s000ee3e634868b3c">
<source>TLS Client authentication certificate</source>
</trans-unit>
</body>
</file>
</xliff>

31
web/xliff/zh-Hans.xlf
View File

@ -965,16 +965,6 @@
<source>Certificate</source>
<target>证书</target>
</trans-unit>
<trans-unit id="s4eb524a2bb358f8b">
<source>Due to protocol limitations, this certificate is only used when the outpost has a single provider, or all providers use the same certificate.</source>
<target>由于协议限制,只在前哨有单个提供程序,或所有提供程序都使用相同证书时才使用此证书。</target>
</trans-unit>
<trans-unit id="s73e9d580d6d96b02">
<source>If multiple providers share an outpost, a self-signed certificate is used.</source>
<target>如果多个提供程序共享同一个前哨,则使用自签名证书。</target>
</trans-unit>
<trans-unit id="sac43cb9690260b86">
<source>UID start number</source>
@ -7547,6 +7537,27 @@ Bindings to groups/users are checked against the user of the event.</source>
<target>激活</target>
</trans-unit>
<trans-unit id="s1024166475850a65">
<source>Use Server URI for SNI verification</source>
</trans-unit>
<trans-unit id="se65beb94fffc3c4b">
<source>Required for servers using TLS 1.3+</source>
</trans-unit>
<trans-unit id="s5506b35a1bceb141">
<source>Client certificate keypair to authenticate against the LDAP Server's Certificate.</source>
</trans-unit>
<trans-unit id="s4647b2c92638d6fd">
<source>The certificate for the above configured Base DN. As a fallback, the provider uses a self-signed certificate.</source>
</trans-unit>
<trans-unit id="scd247ffad6e04ac0">
<source>TLS Server name</source>
</trans-unit>
<trans-unit id="s2acef4f6ba39bf11">
<source>DNS name for which the above configured certificate should be used. The certificate cannot be detected based on the base DN, as the SSL/TLS negotiation happens before such data is exchanged.</source>
</trans-unit>
<trans-unit id="s000ee3e634868b3c">
<source>TLS Client authentication certificate</source>
</trans-unit>
</body>
</file>
</xliff>

28
web/xliff/zh-Hant.xlf
View File

@ -740,13 +740,6 @@
<source>Certificate</source>
<target>证书</target>
</trans-unit>
<trans-unit id="s4eb524a2bb358f8b">
<source>Due to protocol limitations, this certificate is only used when the outpost has a single provider, or all providers use the same certificate.</source>
</trans-unit>
<trans-unit id="s73e9d580d6d96b02">
<source>If multiple providers share an outpost, a self-signed certificate is used.</source>
<target>如果多个提供商共享一个 Outpost则使用自签名证书。</target>
</trans-unit>
<trans-unit id="sac43cb9690260b86">
<source>UID start number</source>
<target>UID 起始编号</target>
@ -5675,6 +5668,27 @@ Bindings to groups/users are checked against the user of the event.</source>
<source>Activate</source>
<target>启用</target>
</trans-unit>
<trans-unit id="s1024166475850a65">
<source>Use Server URI for SNI verification</source>
</trans-unit>
<trans-unit id="se65beb94fffc3c4b">
<source>Required for servers using TLS 1.3+</source>
</trans-unit>
<trans-unit id="s5506b35a1bceb141">
<source>Client certificate keypair to authenticate against the LDAP Server's Certificate.</source>
</trans-unit>
<trans-unit id="s4647b2c92638d6fd">
<source>The certificate for the above configured Base DN. As a fallback, the provider uses a self-signed certificate.</source>
</trans-unit>
<trans-unit id="scd247ffad6e04ac0">
<source>TLS Server name</source>
</trans-unit>
<trans-unit id="s2acef4f6ba39bf11">
<source>DNS name for which the above configured certificate should be used. The certificate cannot be detected based on the base DN, as the SSL/TLS negotiation happens before such data is exchanged.</source>
</trans-unit>
<trans-unit id="s000ee3e634868b3c">
<source>TLS Client authentication certificate</source>
</trans-unit>
</body>
</file>
</xliff>

28
web/xliff/zh_TW.xlf
View File

@ -740,13 +740,6 @@
<source>Certificate</source>
<target>证书</target>
</trans-unit>
<trans-unit id="s4eb524a2bb358f8b">
<source>Due to protocol limitations, this certificate is only used when the outpost has a single provider, or all providers use the same certificate.</source>
</trans-unit>
<trans-unit id="s73e9d580d6d96b02">
<source>If multiple providers share an outpost, a self-signed certificate is used.</source>
<target>如果多个提供商共享一个 Outpost则使用自签名证书。</target>
</trans-unit>
<trans-unit id="sac43cb9690260b86">
<source>UID start number</source>
<target>UID 起始编号</target>
@ -5674,6 +5667,27 @@ Bindings to groups/users are checked against the user of the event.</source>
<source>Activate</source>
<target>启用</target>
</trans-unit>
<trans-unit id="s1024166475850a65">
<source>Use Server URI for SNI verification</source>
</trans-unit>
<trans-unit id="se65beb94fffc3c4b">
<source>Required for servers using TLS 1.3+</source>
</trans-unit>
<trans-unit id="s5506b35a1bceb141">
<source>Client certificate keypair to authenticate against the LDAP Server's Certificate.</source>
</trans-unit>
<trans-unit id="s4647b2c92638d6fd">
<source>The certificate for the above configured Base DN. As a fallback, the provider uses a self-signed certificate.</source>
</trans-unit>
<trans-unit id="scd247ffad6e04ac0">
<source>TLS Server name</source>
</trans-unit>
<trans-unit id="s2acef4f6ba39bf11">
<source>DNS name for which the above configured certificate should be used. The certificate cannot be detected based on the base DN, as the SSL/TLS negotiation happens before such data is exchanged.</source>
</trans-unit>
<trans-unit id="s000ee3e634868b3c">
<source>TLS Client authentication certificate</source>
</trans-unit>
</body>
</file>
</xliff>