sources/ldap: add support for cert based auth (#5850)

* ldap: support cert based auth

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* ldap: default sni switch to off

* ldap: `get_info=NONE` on insufficient access error

* fix: Make file locale script

* ldap: add google ldap attribute mappings

* ldap: move google secure ldap blueprint to examples

Revert "ldap: add google ldap attribute mappings"

This reverts commit 8a861bb92c1bd763b6e7ec0513f73b3039a1adb4.

* ldap: remove `validate` for client cert auth

not strictly necessary

* ldap: write temp cert files more securely

* ldap: use first array value for sni when provided csv input

* don't specify tempdir

we set $TMPDIR in the dockerfile

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* limit API to only allow certificate key pairs with private key

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* use maxsplit

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* update locale

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Signed-off-by: Jens L. <jens@goauthentik.io>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
This commit is contained in:
ChandonPierre 2023-06-12 09:41:44 -04:00 committed by GitHub
parent 8ddefb213f
commit 029395d08b
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
19 changed files with 680 additions and 121 deletions

View file

@ -151,7 +151,7 @@ web-check-compile:
cd web && npm run tsc cd web && npm run tsc
web-i18n-extract: web-i18n-extract:
cd web && npm run extract cd web && npm run extract-locales
######################### #########################
## Website ## Website

View file

@ -8,6 +8,7 @@ from drf_spectacular.utils import extend_schema, extend_schema_field, inline_ser
from rest_framework.decorators import action from rest_framework.decorators import action
from rest_framework.exceptions import ValidationError from rest_framework.exceptions import ValidationError
from rest_framework.fields import DictField, ListField from rest_framework.fields import DictField, ListField
from rest_framework.relations import PrimaryKeyRelatedField
from rest_framework.request import Request from rest_framework.request import Request
from rest_framework.response import Response from rest_framework.response import Response
from rest_framework.viewsets import ModelViewSet from rest_framework.viewsets import ModelViewSet
@ -16,6 +17,7 @@ from authentik.admin.api.tasks import TaskSerializer
from authentik.core.api.propertymappings import PropertyMappingSerializer from authentik.core.api.propertymappings import PropertyMappingSerializer
from authentik.core.api.sources import SourceSerializer from authentik.core.api.sources import SourceSerializer
from authentik.core.api.used_by import UsedByMixin from authentik.core.api.used_by import UsedByMixin
from authentik.crypto.models import CertificateKeyPair
from authentik.events.monitored_tasks import TaskInfo from authentik.events.monitored_tasks import TaskInfo
from authentik.sources.ldap.models import LDAPPropertyMapping, LDAPSource from authentik.sources.ldap.models import LDAPPropertyMapping, LDAPSource
from authentik.sources.ldap.tasks import SYNC_CLASSES from authentik.sources.ldap.tasks import SYNC_CLASSES
@ -24,6 +26,15 @@ from authentik.sources.ldap.tasks import SYNC_CLASSES
class LDAPSourceSerializer(SourceSerializer): class LDAPSourceSerializer(SourceSerializer):
"""LDAP Source Serializer""" """LDAP Source Serializer"""
client_certificate = PrimaryKeyRelatedField(
allow_null=True,
help_text="Client certificate to authenticate against the LDAP Server's Certificate.",
queryset=CertificateKeyPair.objects.exclude(
key_data__exact="",
),
required=False,
)
def validate(self, attrs: dict[str, Any]) -> dict[str, Any]: def validate(self, attrs: dict[str, Any]) -> dict[str, Any]:
"""Check that only a single source has password_sync on""" """Check that only a single source has password_sync on"""
sync_users_password = attrs.get("sync_users_password", True) sync_users_password = attrs.get("sync_users_password", True)
@ -42,9 +53,11 @@ class LDAPSourceSerializer(SourceSerializer):
fields = SourceSerializer.Meta.fields + [ fields = SourceSerializer.Meta.fields + [
"server_uri", "server_uri",
"peer_certificate", "peer_certificate",
"client_certificate",
"bind_cn", "bind_cn",
"bind_password", "bind_password",
"start_tls", "start_tls",
"sni",
"base_dn", "base_dn",
"additional_user_dn", "additional_user_dn",
"additional_group_dn", "additional_group_dn",
@ -75,7 +88,9 @@ class LDAPSourceViewSet(UsedByMixin, ModelViewSet):
"server_uri", "server_uri",
"bind_cn", "bind_cn",
"peer_certificate", "peer_certificate",
"client_certificate",
"start_tls", "start_tls",
"sni",
"base_dn", "base_dn",
"additional_user_dn", "additional_user_dn",
"additional_group_dn", "additional_group_dn",

View file

@ -0,0 +1,45 @@
# Generated by Django 4.1.7 on 2023-06-06 18:33
import django.db.models.deletion
from django.db import migrations, models
class Migration(migrations.Migration):
dependencies = [
("authentik_crypto", "0004_alter_certificatekeypair_name"),
("authentik_sources_ldap", "0002_auto_20211203_0900"),
]
operations = [
migrations.AddField(
model_name="ldapsource",
name="client_certificate",
field=models.ForeignKey(
default=None,
help_text="Client certificate to authenticate against the LDAP Server's Certificate.",
null=True,
on_delete=django.db.models.deletion.SET_DEFAULT,
related_name="ldap_client_certificates",
to="authentik_crypto.certificatekeypair",
),
),
migrations.AddField(
model_name="ldapsource",
name="sni",
field=models.BooleanField(
default=False, verbose_name="Use Server URI for SNI verification"
),
),
migrations.AlterField(
model_name="ldapsource",
name="peer_certificate",
field=models.ForeignKey(
default=None,
help_text="Optionally verify the LDAP Server's Certificate against the CA Chain in this keypair.",
null=True,
on_delete=django.db.models.deletion.SET_DEFAULT,
related_name="ldap_peer_certificates",
to="authentik_crypto.certificatekeypair",
),
),
]

View file

@ -1,11 +1,13 @@
"""authentik LDAP Models""" """authentik LDAP Models"""
from os import chmod
from ssl import CERT_REQUIRED from ssl import CERT_REQUIRED
from tempfile import NamedTemporaryFile, mkdtemp
from typing import Optional from typing import Optional
from django.db import models from django.db import models
from django.utils.translation import gettext_lazy as _ from django.utils.translation import gettext_lazy as _
from ldap3 import ALL, NONE, RANDOM, Connection, Server, ServerPool, Tls from ldap3 import ALL, NONE, RANDOM, Connection, Server, ServerPool, Tls
from ldap3.core.exceptions import LDAPSchemaError from ldap3.core.exceptions import LDAPInsufficientAccessRightsResult, LDAPSchemaError
from rest_framework.serializers import Serializer from rest_framework.serializers import Serializer
from authentik.core.models import Group, PropertyMapping, Source from authentik.core.models import Group, PropertyMapping, Source
@ -39,14 +41,24 @@ class LDAPSource(Source):
on_delete=models.SET_DEFAULT, on_delete=models.SET_DEFAULT,
default=None, default=None,
null=True, null=True,
related_name="ldap_peer_certificates",
help_text=_( help_text=_(
"Optionally verify the LDAP Server's Certificate against the CA Chain in this keypair." "Optionally verify the LDAP Server's Certificate against the CA Chain in this keypair."
), ),
) )
client_certificate = models.ForeignKey(
CertificateKeyPair,
on_delete=models.SET_DEFAULT,
default=None,
null=True,
related_name="ldap_client_certificates",
help_text=_("Client certificate to authenticate against the LDAP Server's Certificate."),
)
bind_cn = models.TextField(verbose_name=_("Bind CN"), blank=True) bind_cn = models.TextField(verbose_name=_("Bind CN"), blank=True)
bind_password = models.TextField(blank=True) bind_password = models.TextField(blank=True)
start_tls = models.BooleanField(default=False, verbose_name=_("Enable Start TLS")) start_tls = models.BooleanField(default=False, verbose_name=_("Enable Start TLS"))
sni = models.BooleanField(default=False, verbose_name=_("Use Server URI for SNI verification"))
base_dn = models.TextField(verbose_name=_("Base DN")) base_dn = models.TextField(verbose_name=_("Base DN"))
additional_user_dn = models.TextField( additional_user_dn = models.TextField(
@ -112,8 +124,22 @@ class LDAPSource(Source):
if self.peer_certificate: if self.peer_certificate:
tls_kwargs["ca_certs_data"] = self.peer_certificate.certificate_data tls_kwargs["ca_certs_data"] = self.peer_certificate.certificate_data
tls_kwargs["validate"] = CERT_REQUIRED tls_kwargs["validate"] = CERT_REQUIRED
if self.client_certificate:
temp_dir = mkdtemp()
with NamedTemporaryFile(mode="w", delete=False, dir=temp_dir) as temp_cert:
temp_cert.write(self.client_certificate.certificate_data)
certificate_file = temp_cert.name
chmod(certificate_file, 0o600)
with NamedTemporaryFile(mode="w", delete=False, dir=temp_dir) as temp_key:
temp_key.write(self.client_certificate.key_data)
private_key_file = temp_key.name
chmod(private_key_file, 0o600)
tls_kwargs["local_private_key_file"] = private_key_file
tls_kwargs["local_certificate_file"] = certificate_file
if ciphers := CONFIG.y("ldap.tls.ciphers", None): if ciphers := CONFIG.y("ldap.tls.ciphers", None):
tls_kwargs["ciphers"] = ciphers.strip() tls_kwargs["ciphers"] = ciphers.strip()
if self.sni:
tls_kwargs["sni"] = self.server_uri.split(",", maxsplit=1)[0].strip()
server_kwargs = { server_kwargs = {
"get_info": ALL, "get_info": ALL,
"connect_timeout": LDAP_TIMEOUT, "connect_timeout": LDAP_TIMEOUT,
@ -133,8 +159,10 @@ class LDAPSource(Source):
"""Get a fully connected and bound LDAP Connection""" """Get a fully connected and bound LDAP Connection"""
server_kwargs = server_kwargs or {} server_kwargs = server_kwargs or {}
connection_kwargs = connection_kwargs or {} connection_kwargs = connection_kwargs or {}
connection_kwargs.setdefault("user", self.bind_cn) if self.bind_cn is not None:
connection_kwargs.setdefault("password", self.bind_password) connection_kwargs.setdefault("user", self.bind_cn)
if self.bind_password is not None:
connection_kwargs.setdefault("password", self.bind_password)
connection = Connection( connection = Connection(
self.server(**server_kwargs), self.server(**server_kwargs),
raise_exceptions=True, raise_exceptions=True,
@ -148,9 +176,10 @@ class LDAPSource(Source):
successful = connection.bind() successful = connection.bind()
if successful: if successful:
return connection return connection
except LDAPSchemaError as exc: except (LDAPSchemaError, LDAPInsufficientAccessRightsResult) as exc:
# Schema error, so try connecting without schema info # Schema error, so try connecting without schema info
# See https://github.com/goauthentik/authentik/issues/4590 # See https://github.com/goauthentik/authentik/issues/4590
# See also https://github.com/goauthentik/authentik/issues/3399
if server_kwargs.get("get_info", ALL) == NONE: if server_kwargs.get("get_info", ALL) == NONE:
raise exc raise exc
server_kwargs["get_info"] = NONE server_kwargs["get_info"] = NONE

View file

@ -0,0 +1,222 @@
version: 1
metadata:
labels:
blueprints.goauthentik.io/instantiate: "false"
name: Example - Google Secure LDAP mappings
entries:
- identifiers:
managed: goauthentik.io/sources/ldap/google-uid
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: uid"
object_field: "username"
expression: |
return ldap.get('uid')
- identifiers:
managed: goauthentik.io/sources/ldap/google-googleuid
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: googleUid"
object_field: "attributes.googleUid"
expression: |
return ldap.get('googleUid')
- identifiers:
managed: goauthentik.io/sources/ldap/google-posixuid
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: posixUid"
object_field: "attributes.posixUid"
expression: |
return ldap.get('posixUid')
- identifiers:
managed: goauthentik.io/sources/ldap/google-cn
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: cn"
object_field: "name"
expression: |
return ldap.get('cn')
- identifiers:
managed: goauthentik.io/sources/ldap/google-sn
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: sn"
object_field: "attributes.sn"
expression: |
return list_flatten(ldap.get('sn'))
- identifiers:
managed: goauthentik.io/sources/ldap/google-givenname
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: givenName"
object_field: "attributes.givenName"
expression: |
return list_flatten(ldap.get('givenName'))
- identifiers:
managed: goauthentik.io/sources/ldap/google-displayname
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: displayName"
object_field: "attributes.displayName"
expression: |
return ldap.get('displayName')
- identifiers:
managed: goauthentik.io/sources/ldap/google-mail
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: mail"
object_field: "email"
expression: |
return ldap.get('mail')
- identifiers:
managed: goauthentik.io/sources/ldap/google-memberof
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: memberOf"
object_field: "attributes.memberOf"
expression: |
return ldap.get('memberOf')
- identifiers:
managed: goauthentik.io/sources/ldap/google-title
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: title"
object_field: "attributes.title"
expression: |
return ldap.get('title')
- identifiers:
managed: goauthentik.io/sources/ldap/google-employeenumber
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: employeeNumber"
object_field: "attributes.employeeNumber"
expression: |
return ldap.get('employeeNumber')
- identifiers:
managed: goauthentik.io/sources/ldap/google-employeetype
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: employeeType"
object_field: "attributes.employeeType"
expression: |
return ldap.get('employeeType')
- identifiers:
managed: goauthentik.io/sources/ldap/google-departmentnumber
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: departmentNumber"
object_field: "attributes.departmentNumber"
expression: |
return ldap.get('departmentNumber')
- identifiers:
managed: goauthentik.io/sources/ldap/google-physicaldeliveryofficename
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: physicalDeliveryOfficeName"
object_field: "attributes.physicalDeliveryOfficeName"
expression: |
return ldap.get('physicalDeliveryOfficeName')
- identifiers:
managed: goauthentik.io/sources/ldap/google-jpegphoto
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: jpegPhoto"
object_field: "attributes.jpegPhoto"
expression: |
return ldap.get('jpegPhoto')
- identifiers:
managed: goauthentik.io/sources/ldap/google-entryuuid
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: entryUuid"
object_field: "attributes.entryUuid"
expression: |
return ldap.get('entryUuid')
- identifiers:
managed: goauthentik.io/sources/ldap/google-objectsid
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: objectSid"
object_field: "attributes.objectSid"
expression: |
return ldap.get('objectSid')
- identifiers:
managed: goauthentik.io/sources/ldap/google-uidnumber
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: uidNumber"
object_field: "attributes.uidNumber"
expression: |
return ldap.get('uidNumber')
- identifiers:
managed: goauthentik.io/sources/ldap/google-gidnumber
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: gidNumber"
object_field: "attributes.gidNumber"
expression: |
return ldap.get('gidNumber')
- identifiers:
managed: goauthentik.io/sources/ldap/google-homedirectory
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: homeDirectory"
object_field: "attributes.homeDirectory"
expression: |
return ldap.get('homeDirectory')
- identifiers:
managed: goauthentik.io/sources/ldap/google-loginshell
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: loginShell"
object_field: "attributes.loginShell"
expression: |
return ldap.get('loginShell')
- identifiers:
managed: goauthentik.io/sources/ldap/google-gidnumber
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: gidNumber"
object_field: "attributes.gidNumber"
expression: |
return ldap.get('gidNumber')
- identifiers:
managed: goauthentik.io/sources/ldap/google-sshpublickey
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: sshPublicKey"
object_field: "attributes.sshPublicKey"
expression: |
return list_flatten(ldap.get('sshPublicKey'))
- identifiers:
managed: goauthentik.io/sources/ldap/google-description
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: description"
object_field: "attributes.description"
expression: |
return list_flatten(ldap.get('description'))
- identifiers:
managed: goauthentik.io/sources/ldap/google-member
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: member"
object_field: "attributes.member"
expression: |
return list_flatten(ldap.get('member'))
- identifiers:
managed: goauthentik.io/sources/ldap/google-memberuid
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: memberUid"
object_field: "attributes.memberUid"
expression: |
return list_flatten(ldap.get('memberUid'))
- identifiers:
managed: goauthentik.io/sources/ldap/google-googleadmincreated
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: googleAdminCreated"
object_field: "attributes.googleAdminCreated"
expression: |
return list_flatten(ldap.get('googleAdminCreated'))

View file

@ -4732,6 +4732,11 @@
"title": "Peer certificate", "title": "Peer certificate",
"description": "Optionally verify the LDAP Server's Certificate against the CA Chain in this keypair." "description": "Optionally verify the LDAP Server's Certificate against the CA Chain in this keypair."
}, },
"client_certificate": {
"type": "integer",
"title": "Client certificate",
"description": "Client certificate to authenticate against the LDAP Server's Certificate."
},
"bind_cn": { "bind_cn": {
"type": "string", "type": "string",
"title": "Bind CN" "title": "Bind CN"
@ -4744,6 +4749,10 @@
"type": "boolean", "type": "boolean",
"title": "Enable Start TLS" "title": "Enable Start TLS"
}, },
"sni": {
"type": "boolean",
"title": "Use Server URI for SNI verification"
},
"base_dn": { "base_dn": {
"type": "string", "type": "string",
"minLength": 1, "minLength": 1,

View file

@ -8,7 +8,7 @@ msgid ""
msgstr "" msgstr ""
"Project-Id-Version: PACKAGE VERSION\n" "Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n" "Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2023-05-21 21:59+0000\n" "POT-Creation-Date: 2023-06-12 12:11+0000\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n" "Language-Team: LANGUAGE <LL@li.org>\n"
@ -31,16 +31,16 @@ msgstr ""
msgid "Validation Error" msgid "Validation Error"
msgstr "" msgstr ""
#: authentik/blueprints/api.py:43 #: authentik/blueprints/api.py:44
msgid "Blueprint file does not exist" msgid "Blueprint file does not exist"
msgstr "" msgstr ""
#: authentik/blueprints/api.py:54 #: authentik/blueprints/api.py:55
#, python-format #, python-format
msgid "Failed to validate blueprint: %(logs)s" msgid "Failed to validate blueprint: %(logs)s"
msgstr "" msgstr ""
#: authentik/blueprints/api.py:59 #: authentik/blueprints/api.py:60
msgid "Either path or content must be set." msgid "Either path or content must be set."
msgstr "" msgstr ""
@ -69,24 +69,24 @@ msgstr ""
msgid "authentik Export - %(date)s" msgid "authentik Export - %(date)s"
msgstr "" msgstr ""
#: authentik/blueprints/v1/tasks.py:149 authentik/crypto/tasks.py:93 #: authentik/blueprints/v1/tasks.py:150 authentik/crypto/tasks.py:93
#, python-format #, python-format
msgid "Successfully imported %(count)d files." msgid "Successfully imported %(count)d files."
msgstr "" msgstr ""
#: authentik/core/api/providers.py:113 #: authentik/core/api/providers.py:120
msgid "SAML Provider from Metadata" msgid "SAML Provider from Metadata"
msgstr "" msgstr ""
#: authentik/core/api/providers.py:114 #: authentik/core/api/providers.py:121
msgid "Create a SAML Provider by importing its Metadata." msgid "Create a SAML Provider by importing its Metadata."
msgstr "" msgstr ""
#: authentik/core/api/users.py:118 #: authentik/core/api/users.py:143
msgid "No leading or trailing slashes allowed." msgid "No leading or trailing slashes allowed."
msgstr "" msgstr ""
#: authentik/core/api/users.py:121 #: authentik/core/api/users.py:146
msgid "No empty segments in user path allowed." msgid "No empty segments in user path allowed."
msgstr "" msgstr ""
@ -1365,7 +1365,7 @@ msgstr ""
msgid "Authentication token" msgid "Authentication token"
msgstr "" msgstr ""
#: authentik/providers/scim/models.py:33 authentik/sources/ldap/models.py:82 #: authentik/providers/scim/models.py:33 authentik/sources/ldap/models.py:94
msgid "Property mappings used for group creation/updating." msgid "Property mappings used for group creation/updating."
msgstr "" msgstr ""
@ -1426,79 +1426,88 @@ msgstr ""
msgid "Used recovery-link to authenticate." msgid "Used recovery-link to authenticate."
msgstr "" msgstr ""
#: authentik/sources/ldap/models.py:35 #: authentik/sources/ldap/models.py:37
msgid "Server URI" msgid "Server URI"
msgstr "" msgstr ""
#: authentik/sources/ldap/models.py:43 #: authentik/sources/ldap/models.py:46
msgid "" msgid ""
"Optionally verify the LDAP Server's Certificate against the CA Chain in this " "Optionally verify the LDAP Server's Certificate against the CA Chain in this "
"keypair." "keypair."
msgstr "" msgstr ""
#: authentik/sources/ldap/models.py:47 #: authentik/sources/ldap/models.py:55
msgid "Bind CN" msgid ""
msgstr "" "Client certificate to authenticate against the LDAP Server's Certificate."
#: authentik/sources/ldap/models.py:49
msgid "Enable Start TLS"
msgstr ""
#: authentik/sources/ldap/models.py:51
msgid "Base DN"
msgstr ""
#: authentik/sources/ldap/models.py:53
msgid "Prepended to Base DN for User-queries."
msgstr ""
#: authentik/sources/ldap/models.py:54
msgid "Addition User DN"
msgstr "" msgstr ""
#: authentik/sources/ldap/models.py:58 #: authentik/sources/ldap/models.py:58
msgid "Prepended to Base DN for Group-queries." msgid "Bind CN"
msgstr "" msgstr ""
#: authentik/sources/ldap/models.py:59 #: authentik/sources/ldap/models.py:60
msgid "Addition Group DN" msgid "Enable Start TLS"
msgstr ""
#: authentik/sources/ldap/models.py:61
msgid "Use Server URI for SNI verification"
msgstr ""
#: authentik/sources/ldap/models.py:63
msgid "Base DN"
msgstr "" msgstr ""
#: authentik/sources/ldap/models.py:65 #: authentik/sources/ldap/models.py:65
msgid "Prepended to Base DN for User-queries."
msgstr ""
#: authentik/sources/ldap/models.py:66
msgid "Addition User DN"
msgstr ""
#: authentik/sources/ldap/models.py:70
msgid "Prepended to Base DN for Group-queries."
msgstr ""
#: authentik/sources/ldap/models.py:71
msgid "Addition Group DN"
msgstr ""
#: authentik/sources/ldap/models.py:77
msgid "Consider Objects matching this filter to be Users." msgid "Consider Objects matching this filter to be Users."
msgstr "" msgstr ""
#: authentik/sources/ldap/models.py:68 #: authentik/sources/ldap/models.py:80
msgid "Field which contains members of a group." msgid "Field which contains members of a group."
msgstr "" msgstr ""
#: authentik/sources/ldap/models.py:72 #: authentik/sources/ldap/models.py:84
msgid "Consider Objects matching this filter to be Groups." msgid "Consider Objects matching this filter to be Groups."
msgstr "" msgstr ""
#: authentik/sources/ldap/models.py:75 #: authentik/sources/ldap/models.py:87
msgid "Field which contains a unique Identifier." msgid "Field which contains a unique Identifier."
msgstr "" msgstr ""
#: authentik/sources/ldap/models.py:89 #: authentik/sources/ldap/models.py:101
msgid "" msgid ""
"When a user changes their password, sync it back to LDAP. This can only be " "When a user changes their password, sync it back to LDAP. This can only be "
"enabled on a single LDAP source." "enabled on a single LDAP source."
msgstr "" msgstr ""
#: authentik/sources/ldap/models.py:159 #: authentik/sources/ldap/models.py:188
msgid "LDAP Source" msgid "LDAP Source"
msgstr "" msgstr ""
#: authentik/sources/ldap/models.py:160 #: authentik/sources/ldap/models.py:189
msgid "LDAP Sources" msgid "LDAP Sources"
msgstr "" msgstr ""
#: authentik/sources/ldap/models.py:182 #: authentik/sources/ldap/models.py:211
msgid "LDAP Property Mapping" msgid "LDAP Property Mapping"
msgstr "" msgstr ""
#: authentik/sources/ldap/models.py:183 #: authentik/sources/ldap/models.py:212
msgid "LDAP Property Mappings" msgid "LDAP Property Mappings"
msgstr "" msgstr ""

View file

@ -17096,6 +17096,11 @@ paths:
name: bind_cn name: bind_cn
schema: schema:
type: string type: string
- in: query
name: client_certificate
schema:
type: string
format: uuid
- in: query - in: query
name: enabled name: enabled
schema: schema:
@ -17171,6 +17176,10 @@ paths:
name: slug name: slug
schema: schema:
type: string type: string
- in: query
name: sni
schema:
type: boolean
- in: query - in: query
name: start_tls name: start_tls
schema: schema:
@ -30950,11 +30959,20 @@ components:
nullable: true nullable: true
description: Optionally verify the LDAP Server's Certificate against the description: Optionally verify the LDAP Server's Certificate against the
CA Chain in this keypair. CA Chain in this keypair.
client_certificate:
type: string
format: uuid
nullable: true
description: Client certificate to authenticate against the LDAP Server's
Certificate.
bind_cn: bind_cn:
type: string type: string
start_tls: start_tls:
type: boolean type: boolean
title: Enable Start TLS title: Enable Start TLS
sni:
type: boolean
title: Use Server URI for SNI verification
base_dn: base_dn:
type: string type: string
additional_user_dn: additional_user_dn:
@ -31064,6 +31082,12 @@ components:
nullable: true nullable: true
description: Optionally verify the LDAP Server's Certificate against the description: Optionally verify the LDAP Server's Certificate against the
CA Chain in this keypair. CA Chain in this keypair.
client_certificate:
type: string
format: uuid
nullable: true
description: Client certificate to authenticate against the LDAP Server's
Certificate.
bind_cn: bind_cn:
type: string type: string
bind_password: bind_password:
@ -31072,6 +31096,9 @@ components:
start_tls: start_tls:
type: boolean type: boolean
title: Enable Start TLS title: Enable Start TLS
sni:
type: boolean
title: Use Server URI for SNI verification
base_dn: base_dn:
type: string type: string
minLength: 1 minLength: 1
@ -36356,6 +36383,12 @@ components:
nullable: true nullable: true
description: Optionally verify the LDAP Server's Certificate against the description: Optionally verify the LDAP Server's Certificate against the
CA Chain in this keypair. CA Chain in this keypair.
client_certificate:
type: string
format: uuid
nullable: true
description: Client certificate to authenticate against the LDAP Server's
Certificate.
bind_cn: bind_cn:
type: string type: string
bind_password: bind_password:
@ -36364,6 +36397,9 @@ components:
start_tls: start_tls:
type: boolean type: boolean
title: Enable Start TLS title: Enable Start TLS
sni:
type: boolean
title: Use Server URI for SNI verification
base_dn: base_dn:
type: string type: string
minLength: 1 minLength: 1

View file

@ -184,6 +184,26 @@ export class LDAPSourceForm extends ModelForm<LDAPSource, string> {
${msg("To use SSL instead, use 'ldaps://' and disable this option.")} ${msg("To use SSL instead, use 'ldaps://' and disable this option.")}
</p> </p>
</ak-form-element-horizontal> </ak-form-element-horizontal>
<ak-form-element-horizontal name="sni">
<label class="pf-c-switch">
<input
class="pf-c-switch__input"
type="checkbox"
?checked=${first(this.instance?.sni, false)}
/>
<span class="pf-c-switch__toggle">
<span class="pf-c-switch__toggle-icon">
<i class="fas fa-check" aria-hidden="true"></i>
</span>
</span>
<span class="pf-c-switch__label"
>${msg("Use Server URI for SNI verification")}</span
>
</label>
<p class="pf-c-form__helper-text">
${msg("Required for servers using TLS 1.3+")}
</p>
</ak-form-element-horizontal>
<ak-form-element-horizontal <ak-form-element-horizontal
label=${msg("TLS Verification Certificate")} label=${msg("TLS Verification Certificate")}
name="peerCertificate" name="peerCertificate"
@ -222,6 +242,45 @@ export class LDAPSourceForm extends ModelForm<LDAPSource, string> {
)} )}
</p> </p>
</ak-form-element-horizontal> </ak-form-element-horizontal>
<ak-form-element-horizontal
label=${msg("TLS Client authentication certificate")}
name="clientCertificate"
>
<ak-search-select
.fetchObjects=${async (
query?: string,
): Promise<CertificateKeyPair[]> => {
const args: CryptoCertificatekeypairsListRequest = {
ordering: "name",
hasKey: true,
includeDetails: false,
};
if (query !== undefined) {
args.search = query;
}
const certificates = await new CryptoApi(
DEFAULT_CONFIG,
).cryptoCertificatekeypairsList(args);
return certificates.results;
}}
.renderElement=${(item: CertificateKeyPair): string => {
return item.name;
}}
.value=${(item: CertificateKeyPair | undefined): string | undefined => {
return item?.pk;
}}
.selected=${(item: CertificateKeyPair): boolean => {
return item.pk === this.instance?.clientCertificate;
}}
?blankable=${true}
>
</ak-search-select>
<p class="pf-c-form__helper-text">
${msg(
"Client certificate keypair to authenticate against the LDAP Server's Certificate.",
)}
</p>
</ak-form-element-horizontal>
<ak-form-element-horizontal label=${msg("Bind CN")} name="bindCn"> <ak-form-element-horizontal label=${msg("Bind CN")} name="bindCn">
<input <input
type="text" type="text"

View file

@ -748,13 +748,6 @@
<source>Certificate</source> <source>Certificate</source>
<target>Zertifikat</target> <target>Zertifikat</target>
</trans-unit> </trans-unit>
<trans-unit id="s4eb524a2bb358f8b">
<source>Due to protocol limitations, this certificate is only used when the outpost has a single provider, or all providers use the same certificate.</source>
</trans-unit>
<trans-unit id="s73e9d580d6d96b02">
<source>If multiple providers share an outpost, a self-signed certificate is used.</source>
<target>Wenn sich mehrere Anbieter einen Außenposten teilen, wird ein selbstsigniertes Zertifikat verwendet.</target>
</trans-unit>
<trans-unit id="sac43cb9690260b86"> <trans-unit id="sac43cb9690260b86">
<source>UID start number</source> <source>UID start number</source>
<target>UID-Startnummer</target> <target>UID-Startnummer</target>
@ -5722,6 +5715,27 @@ Bindings to groups/users are checked against the user of the event.</source>
<source>Activate</source> <source>Activate</source>
<target>Aktivieren</target> <target>Aktivieren</target>
</trans-unit> </trans-unit>
<trans-unit id="s1024166475850a65">
<source>Use Server URI for SNI verification</source>
</trans-unit>
<trans-unit id="se65beb94fffc3c4b">
<source>Required for servers using TLS 1.3+</source>
</trans-unit>
<trans-unit id="s5506b35a1bceb141">
<source>Client certificate keypair to authenticate against the LDAP Server's Certificate.</source>
</trans-unit>
<trans-unit id="s4647b2c92638d6fd">
<source>The certificate for the above configured Base DN. As a fallback, the provider uses a self-signed certificate.</source>
</trans-unit>
<trans-unit id="scd247ffad6e04ac0">
<source>TLS Server name</source>
</trans-unit>
<trans-unit id="s2acef4f6ba39bf11">
<source>DNS name for which the above configured certificate should be used. The certificate cannot be detected based on the base DN, as the SSL/TLS negotiation happens before such data is exchanged.</source>
</trans-unit>
<trans-unit id="s000ee3e634868b3c">
<source>TLS Client authentication certificate</source>
</trans-unit>
</body> </body>
</file> </file>
</xliff> </xliff>

View file

@ -777,14 +777,6 @@
<source>Certificate</source> <source>Certificate</source>
<target>Certificate</target> <target>Certificate</target>
</trans-unit> </trans-unit>
<trans-unit id="s4eb524a2bb358f8b">
<source>Due to protocol limitations, this certificate is only used when the outpost has a single provider, or all providers use the same certificate.</source>
<target>Due to protocol limitations, this certificate is only used when the outpost has a single provider, or all providers use the same certificate.</target>
</trans-unit>
<trans-unit id="s73e9d580d6d96b02">
<source>If multiple providers share an outpost, a self-signed certificate is used.</source>
<target>If multiple providers share an outpost, a self-signed certificate is used.</target>
</trans-unit>
<trans-unit id="sac43cb9690260b86"> <trans-unit id="sac43cb9690260b86">
<source>UID start number</source> <source>UID start number</source>
<target>UID start number</target> <target>UID start number</target>
@ -6039,6 +6031,27 @@ Bindings to groups/users are checked against the user of the event.</source>
<source>Activate</source> <source>Activate</source>
<target>Activate</target> <target>Activate</target>
</trans-unit> </trans-unit>
<trans-unit id="s1024166475850a65">
<source>Use Server URI for SNI verification</source>
</trans-unit>
<trans-unit id="se65beb94fffc3c4b">
<source>Required for servers using TLS 1.3+</source>
</trans-unit>
<trans-unit id="s5506b35a1bceb141">
<source>Client certificate keypair to authenticate against the LDAP Server's Certificate.</source>
</trans-unit>
<trans-unit id="s4647b2c92638d6fd">
<source>The certificate for the above configured Base DN. As a fallback, the provider uses a self-signed certificate.</source>
</trans-unit>
<trans-unit id="scd247ffad6e04ac0">
<source>TLS Server name</source>
</trans-unit>
<trans-unit id="s2acef4f6ba39bf11">
<source>DNS name for which the above configured certificate should be used. The certificate cannot be detected based on the base DN, as the SSL/TLS negotiation happens before such data is exchanged.</source>
</trans-unit>
<trans-unit id="s000ee3e634868b3c">
<source>TLS Client authentication certificate</source>
</trans-unit>
</body> </body>
</file> </file>
</xliff> </xliff>

View file

@ -733,13 +733,6 @@
<source>Certificate</source> <source>Certificate</source>
<target>Certificado</target> <target>Certificado</target>
</trans-unit> </trans-unit>
<trans-unit id="s4eb524a2bb358f8b">
<source>Due to protocol limitations, this certificate is only used when the outpost has a single provider, or all providers use the same certificate.</source>
</trans-unit>
<trans-unit id="s73e9d580d6d96b02">
<source>If multiple providers share an outpost, a self-signed certificate is used.</source>
<target>Si varios proveedores comparten un puesto avanzado, se utiliza un certificado autofirmado.</target>
</trans-unit>
<trans-unit id="sac43cb9690260b86"> <trans-unit id="sac43cb9690260b86">
<source>UID start number</source> <source>UID start number</source>
<target>Número inicial de UID</target> <target>Número inicial de UID</target>
@ -5630,6 +5623,27 @@ Bindings to groups/users are checked against the user of the event.</source>
<source>Activate</source> <source>Activate</source>
<target>Activar</target> <target>Activar</target>
</trans-unit> </trans-unit>
<trans-unit id="s1024166475850a65">
<source>Use Server URI for SNI verification</source>
</trans-unit>
<trans-unit id="se65beb94fffc3c4b">
<source>Required for servers using TLS 1.3+</source>
</trans-unit>
<trans-unit id="s5506b35a1bceb141">
<source>Client certificate keypair to authenticate against the LDAP Server's Certificate.</source>
</trans-unit>
<trans-unit id="s4647b2c92638d6fd">
<source>The certificate for the above configured Base DN. As a fallback, the provider uses a self-signed certificate.</source>
</trans-unit>
<trans-unit id="scd247ffad6e04ac0">
<source>TLS Server name</source>
</trans-unit>
<trans-unit id="s2acef4f6ba39bf11">
<source>DNS name for which the above configured certificate should be used. The certificate cannot be detected based on the base DN, as the SSL/TLS negotiation happens before such data is exchanged.</source>
</trans-unit>
<trans-unit id="s000ee3e634868b3c">
<source>TLS Client authentication certificate</source>
</trans-unit>
</body> </body>
</file> </file>
</xliff> </xliff>

View file

@ -749,13 +749,6 @@
<source>Certificate</source> <source>Certificate</source>
<target>Certificat</target> <target>Certificat</target>
</trans-unit> </trans-unit>
<trans-unit id="s4eb524a2bb358f8b">
<source>Due to protocol limitations, this certificate is only used when the outpost has a single provider, or all providers use the same certificate.</source>
</trans-unit>
<trans-unit id="s73e9d580d6d96b02">
<source>If multiple providers share an outpost, a self-signed certificate is used.</source>
<target>Si plusieurs fournisseurs partagent un avant-poste, un certificat auto-signé est utilisé.</target>
</trans-unit>
<trans-unit id="sac43cb9690260b86"> <trans-unit id="sac43cb9690260b86">
<source>UID start number</source> <source>UID start number</source>
<target>Numéro de départ d'UID</target> <target>Numéro de départ d'UID</target>
@ -5737,6 +5730,27 @@ Bindings to groups/users are checked against the user of the event.</source>
<source>Activate</source> <source>Activate</source>
<target>Activer</target> <target>Activer</target>
</trans-unit> </trans-unit>
<trans-unit id="s1024166475850a65">
<source>Use Server URI for SNI verification</source>
</trans-unit>
<trans-unit id="se65beb94fffc3c4b">
<source>Required for servers using TLS 1.3+</source>
</trans-unit>
<trans-unit id="s5506b35a1bceb141">
<source>Client certificate keypair to authenticate against the LDAP Server's Certificate.</source>
</trans-unit>
<trans-unit id="s4647b2c92638d6fd">
<source>The certificate for the above configured Base DN. As a fallback, the provider uses a self-signed certificate.</source>
</trans-unit>
<trans-unit id="scd247ffad6e04ac0">
<source>TLS Server name</source>
</trans-unit>
<trans-unit id="s2acef4f6ba39bf11">
<source>DNS name for which the above configured certificate should be used. The certificate cannot be detected based on the base DN, as the SSL/TLS negotiation happens before such data is exchanged.</source>
</trans-unit>
<trans-unit id="s000ee3e634868b3c">
<source>TLS Client authentication certificate</source>
</trans-unit>
</body> </body>
</file> </file>
</xliff> </xliff>

View file

@ -752,13 +752,6 @@
<source>Certificate</source> <source>Certificate</source>
<target>Certyfikat</target> <target>Certyfikat</target>
</trans-unit> </trans-unit>
<trans-unit id="s4eb524a2bb358f8b">
<source>Due to protocol limitations, this certificate is only used when the outpost has a single provider, or all providers use the same certificate.</source>
</trans-unit>
<trans-unit id="s73e9d580d6d96b02">
<source>If multiple providers share an outpost, a self-signed certificate is used.</source>
<target>Jeśli wielu dostawców współdzieli placówkę, używany jest certyfikat z podpisem własnym.</target>
</trans-unit>
<trans-unit id="sac43cb9690260b86"> <trans-unit id="sac43cb9690260b86">
<source>UID start number</source> <source>UID start number</source>
<target>Numer początkowy UID</target> <target>Numer początkowy UID</target>
@ -5869,6 +5862,27 @@ Bindings to groups/users are checked against the user of the event.</source>
<source>Activate</source> <source>Activate</source>
<target>Aktywuj</target> <target>Aktywuj</target>
</trans-unit> </trans-unit>
<trans-unit id="s1024166475850a65">
<source>Use Server URI for SNI verification</source>
</trans-unit>
<trans-unit id="se65beb94fffc3c4b">
<source>Required for servers using TLS 1.3+</source>
</trans-unit>
<trans-unit id="s5506b35a1bceb141">
<source>Client certificate keypair to authenticate against the LDAP Server's Certificate.</source>
</trans-unit>
<trans-unit id="s4647b2c92638d6fd">
<source>The certificate for the above configured Base DN. As a fallback, the provider uses a self-signed certificate.</source>
</trans-unit>
<trans-unit id="scd247ffad6e04ac0">
<source>TLS Server name</source>
</trans-unit>
<trans-unit id="s2acef4f6ba39bf11">
<source>DNS name for which the above configured certificate should be used. The certificate cannot be detected based on the base DN, as the SSL/TLS negotiation happens before such data is exchanged.</source>
</trans-unit>
<trans-unit id="s000ee3e634868b3c">
<source>TLS Client authentication certificate</source>
</trans-unit>
</body> </body>
</file> </file>
</xliff> </xliff>

View file

@ -761,14 +761,6 @@
<trans-unit id="sb157267c85fdff30"> <trans-unit id="sb157267c85fdff30">
<source>Certificate</source> <source>Certificate</source>
</trans-unit>
<trans-unit id="s4eb524a2bb358f8b">
<source>Due to protocol limitations, this certificate is only used when the outpost has a single provider, or all providers use the same certificate.</source>
</trans-unit>
<trans-unit id="s73e9d580d6d96b02">
<source>If multiple providers share an outpost, a self-signed certificate is used.</source>
</trans-unit> </trans-unit>
<trans-unit id="sac43cb9690260b86"> <trans-unit id="sac43cb9690260b86">
<source>UID start number</source> <source>UID start number</source>
@ -5973,6 +5965,27 @@ Bindings to groups/users are checked against the user of the event.</source>
</trans-unit> </trans-unit>
<trans-unit id="s27976e94b05c6970"> <trans-unit id="s27976e94b05c6970">
<source>Activate</source> <source>Activate</source>
</trans-unit>
<trans-unit id="s1024166475850a65">
<source>Use Server URI for SNI verification</source>
</trans-unit>
<trans-unit id="se65beb94fffc3c4b">
<source>Required for servers using TLS 1.3+</source>
</trans-unit>
<trans-unit id="s5506b35a1bceb141">
<source>Client certificate keypair to authenticate against the LDAP Server's Certificate.</source>
</trans-unit>
<trans-unit id="s4647b2c92638d6fd">
<source>The certificate for the above configured Base DN. As a fallback, the provider uses a self-signed certificate.</source>
</trans-unit>
<trans-unit id="scd247ffad6e04ac0">
<source>TLS Server name</source>
</trans-unit>
<trans-unit id="s2acef4f6ba39bf11">
<source>DNS name for which the above configured certificate should be used. The certificate cannot be detected based on the base DN, as the SSL/TLS negotiation happens before such data is exchanged.</source>
</trans-unit>
<trans-unit id="s000ee3e634868b3c">
<source>TLS Client authentication certificate</source>
</trans-unit> </trans-unit>
</body> </body>
</file> </file>

View file

@ -733,13 +733,6 @@
<source>Certificate</source> <source>Certificate</source>
<target>Sertifika</target> <target>Sertifika</target>
</trans-unit> </trans-unit>
<trans-unit id="s4eb524a2bb358f8b">
<source>Due to protocol limitations, this certificate is only used when the outpost has a single provider, or all providers use the same certificate.</source>
</trans-unit>
<trans-unit id="s73e9d580d6d96b02">
<source>If multiple providers share an outpost, a self-signed certificate is used.</source>
<target>Birden çok sağlayıcı bir üssü paylaşıyorsa, otomatik olarak imzalanan bir sertifika kullanılır.</target>
</trans-unit>
<trans-unit id="sac43cb9690260b86"> <trans-unit id="sac43cb9690260b86">
<source>UID start number</source> <source>UID start number</source>
<target>UID başlangıç numarası</target> <target>UID başlangıç numarası</target>
@ -5620,6 +5613,27 @@ Bindings to groups/users are checked against the user of the event.</source>
<source>Activate</source> <source>Activate</source>
<target>Etkinleştir</target> <target>Etkinleştir</target>
</trans-unit> </trans-unit>
<trans-unit id="s1024166475850a65">
<source>Use Server URI for SNI verification</source>
</trans-unit>
<trans-unit id="se65beb94fffc3c4b">
<source>Required for servers using TLS 1.3+</source>
</trans-unit>
<trans-unit id="s5506b35a1bceb141">
<source>Client certificate keypair to authenticate against the LDAP Server's Certificate.</source>
</trans-unit>
<trans-unit id="s4647b2c92638d6fd">
<source>The certificate for the above configured Base DN. As a fallback, the provider uses a self-signed certificate.</source>
</trans-unit>
<trans-unit id="scd247ffad6e04ac0">
<source>TLS Server name</source>
</trans-unit>
<trans-unit id="s2acef4f6ba39bf11">
<source>DNS name for which the above configured certificate should be used. The certificate cannot be detected based on the base DN, as the SSL/TLS negotiation happens before such data is exchanged.</source>
</trans-unit>
<trans-unit id="s000ee3e634868b3c">
<source>TLS Client authentication certificate</source>
</trans-unit>
</body> </body>
</file> </file>
</xliff> </xliff>

View file

@ -965,16 +965,6 @@
<source>Certificate</source> <source>Certificate</source>
<target>证书</target> <target>证书</target>
</trans-unit>
<trans-unit id="s4eb524a2bb358f8b">
<source>Due to protocol limitations, this certificate is only used when the outpost has a single provider, or all providers use the same certificate.</source>
<target>由于协议限制,只在前哨有单个提供程序,或所有提供程序都使用相同证书时才使用此证书。</target>
</trans-unit>
<trans-unit id="s73e9d580d6d96b02">
<source>If multiple providers share an outpost, a self-signed certificate is used.</source>
<target>如果多个提供程序共享同一个前哨,则使用自签名证书。</target>
</trans-unit> </trans-unit>
<trans-unit id="sac43cb9690260b86"> <trans-unit id="sac43cb9690260b86">
<source>UID start number</source> <source>UID start number</source>
@ -7547,6 +7537,27 @@ Bindings to groups/users are checked against the user of the event.</source>
<target>激活</target> <target>激活</target>
</trans-unit> </trans-unit>
<trans-unit id="s1024166475850a65">
<source>Use Server URI for SNI verification</source>
</trans-unit>
<trans-unit id="se65beb94fffc3c4b">
<source>Required for servers using TLS 1.3+</source>
</trans-unit>
<trans-unit id="s5506b35a1bceb141">
<source>Client certificate keypair to authenticate against the LDAP Server's Certificate.</source>
</trans-unit>
<trans-unit id="s4647b2c92638d6fd">
<source>The certificate for the above configured Base DN. As a fallback, the provider uses a self-signed certificate.</source>
</trans-unit>
<trans-unit id="scd247ffad6e04ac0">
<source>TLS Server name</source>
</trans-unit>
<trans-unit id="s2acef4f6ba39bf11">
<source>DNS name for which the above configured certificate should be used. The certificate cannot be detected based on the base DN, as the SSL/TLS negotiation happens before such data is exchanged.</source>
</trans-unit>
<trans-unit id="s000ee3e634868b3c">
<source>TLS Client authentication certificate</source>
</trans-unit>
</body> </body>
</file> </file>
</xliff> </xliff>

View file

@ -740,13 +740,6 @@
<source>Certificate</source> <source>Certificate</source>
<target>证书</target> <target>证书</target>
</trans-unit> </trans-unit>
<trans-unit id="s4eb524a2bb358f8b">
<source>Due to protocol limitations, this certificate is only used when the outpost has a single provider, or all providers use the same certificate.</source>
</trans-unit>
<trans-unit id="s73e9d580d6d96b02">
<source>If multiple providers share an outpost, a self-signed certificate is used.</source>
<target>如果多个提供商共享一个 Outpost则使用自签名证书。</target>
</trans-unit>
<trans-unit id="sac43cb9690260b86"> <trans-unit id="sac43cb9690260b86">
<source>UID start number</source> <source>UID start number</source>
<target>UID 起始编号</target> <target>UID 起始编号</target>
@ -5675,6 +5668,27 @@ Bindings to groups/users are checked against the user of the event.</source>
<source>Activate</source> <source>Activate</source>
<target>启用</target> <target>启用</target>
</trans-unit> </trans-unit>
<trans-unit id="s1024166475850a65">
<source>Use Server URI for SNI verification</source>
</trans-unit>
<trans-unit id="se65beb94fffc3c4b">
<source>Required for servers using TLS 1.3+</source>
</trans-unit>
<trans-unit id="s5506b35a1bceb141">
<source>Client certificate keypair to authenticate against the LDAP Server's Certificate.</source>
</trans-unit>
<trans-unit id="s4647b2c92638d6fd">
<source>The certificate for the above configured Base DN. As a fallback, the provider uses a self-signed certificate.</source>
</trans-unit>
<trans-unit id="scd247ffad6e04ac0">
<source>TLS Server name</source>
</trans-unit>
<trans-unit id="s2acef4f6ba39bf11">
<source>DNS name for which the above configured certificate should be used. The certificate cannot be detected based on the base DN, as the SSL/TLS negotiation happens before such data is exchanged.</source>
</trans-unit>
<trans-unit id="s000ee3e634868b3c">
<source>TLS Client authentication certificate</source>
</trans-unit>
</body> </body>
</file> </file>
</xliff> </xliff>

View file

@ -740,13 +740,6 @@
<source>Certificate</source> <source>Certificate</source>
<target>证书</target> <target>证书</target>
</trans-unit> </trans-unit>
<trans-unit id="s4eb524a2bb358f8b">
<source>Due to protocol limitations, this certificate is only used when the outpost has a single provider, or all providers use the same certificate.</source>
</trans-unit>
<trans-unit id="s73e9d580d6d96b02">
<source>If multiple providers share an outpost, a self-signed certificate is used.</source>
<target>如果多个提供商共享一个 Outpost则使用自签名证书。</target>
</trans-unit>
<trans-unit id="sac43cb9690260b86"> <trans-unit id="sac43cb9690260b86">
<source>UID start number</source> <source>UID start number</source>
<target>UID 起始编号</target> <target>UID 起始编号</target>
@ -5674,6 +5667,27 @@ Bindings to groups/users are checked against the user of the event.</source>
<source>Activate</source> <source>Activate</source>
<target>启用</target> <target>启用</target>
</trans-unit> </trans-unit>
<trans-unit id="s1024166475850a65">
<source>Use Server URI for SNI verification</source>
</trans-unit>
<trans-unit id="se65beb94fffc3c4b">
<source>Required for servers using TLS 1.3+</source>
</trans-unit>
<trans-unit id="s5506b35a1bceb141">
<source>Client certificate keypair to authenticate against the LDAP Server's Certificate.</source>
</trans-unit>
<trans-unit id="s4647b2c92638d6fd">
<source>The certificate for the above configured Base DN. As a fallback, the provider uses a self-signed certificate.</source>
</trans-unit>
<trans-unit id="scd247ffad6e04ac0">
<source>TLS Server name</source>
</trans-unit>
<trans-unit id="s2acef4f6ba39bf11">
<source>DNS name for which the above configured certificate should be used. The certificate cannot be detected based on the base DN, as the SSL/TLS negotiation happens before such data is exchanged.</source>
</trans-unit>
<trans-unit id="s000ee3e634868b3c">
<source>TLS Client authentication certificate</source>
</trans-unit>
</body> </body>
</file> </file>
</xliff> </xliff>