sources/ldap: add support for cert based auth (#5850)

* ldap: support cert based auth

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* ldap: default sni switch to off

* ldap: `get_info=NONE` on insufficient access error

* fix: Make file locale script

* ldap: add google ldap attribute mappings

* ldap: move google secure ldap blueprint to examples

Revert "ldap: add google ldap attribute mappings"

This reverts commit 8a861bb92c1bd763b6e7ec0513f73b3039a1adb4.

* ldap: remove `validate` for client cert auth

not strictly necessary

* ldap: write temp cert files more securely

* ldap: use first array value for sni when provided csv input

* don't specify tempdir

we set $TMPDIR in the dockerfile

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* limit API to only allow certificate key pairs with private key

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* use maxsplit

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* update locale

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Signed-off-by: Jens L. <jens@goauthentik.io>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>

Makefile

@@ -151,7 +151,7 @@ web-check-compile:
 	cd web && npm run tsc
 
 web-i18n-extract:
-	cd web && npm run extract
+	cd web && npm run extract-locales
 
 #########################
 ## Website

authentik/sources/ldap/api.py

@@ -8,6 +8,7 @@ from drf_spectacular.utils import extend_schema, extend_schema_field, inline_ser
 from rest_framework.decorators import action
 from rest_framework.exceptions import ValidationError
 from rest_framework.fields import DictField, ListField
+from rest_framework.relations import PrimaryKeyRelatedField
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.viewsets import ModelViewSet
@@ -16,6 +17,7 @@ from authentik.admin.api.tasks import TaskSerializer
 from authentik.core.api.propertymappings import PropertyMappingSerializer
 from authentik.core.api.sources import SourceSerializer
 from authentik.core.api.used_by import UsedByMixin
+from authentik.crypto.models import CertificateKeyPair
 from authentik.events.monitored_tasks import TaskInfo
 from authentik.sources.ldap.models import LDAPPropertyMapping, LDAPSource
 from authentik.sources.ldap.tasks import SYNC_CLASSES
@@ -24,6 +26,15 @@ from authentik.sources.ldap.tasks import SYNC_CLASSES
 class LDAPSourceSerializer(SourceSerializer):
     """LDAP Source Serializer"""
 
+    client_certificate = PrimaryKeyRelatedField(
+        allow_null=True,
+        help_text="Client certificate to authenticate against the LDAP Server's Certificate.",
+        queryset=CertificateKeyPair.objects.exclude(
+            key_data__exact="",
+        ),
+        required=False,
+    )
+
     def validate(self, attrs: dict[str, Any]) -> dict[str, Any]:
         """Check that only a single source has password_sync on"""
         sync_users_password = attrs.get("sync_users_password", True)
@@ -42,9 +53,11 @@ class LDAPSourceSerializer(SourceSerializer):
         fields = SourceSerializer.Meta.fields + [
             "server_uri",
             "peer_certificate",
+            "client_certificate",
             "bind_cn",
             "bind_password",
             "start_tls",
+            "sni",
             "base_dn",
             "additional_user_dn",
             "additional_group_dn",
@@ -75,7 +88,9 @@ class LDAPSourceViewSet(UsedByMixin, ModelViewSet):
         "server_uri",
         "bind_cn",
         "peer_certificate",
+        "client_certificate",
         "start_tls",
+        "sni",
         "base_dn",
         "additional_user_dn",
         "additional_group_dn",

authentik/sources/ldap/migrations/0003_ldapsource_client_certificate_ldapsource_sni_and_more.py

@@ -0,0 +1,45 @@
+# Generated by Django 4.1.7 on 2023-06-06 18:33
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("authentik_crypto", "0004_alter_certificatekeypair_name"),
+        ("authentik_sources_ldap", "0002_auto_20211203_0900"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="ldapsource",
+            name="client_certificate",
+            field=models.ForeignKey(
+                default=None,
+                help_text="Client certificate to authenticate against the LDAP Server's Certificate.",
+                null=True,
+                on_delete=django.db.models.deletion.SET_DEFAULT,
+                related_name="ldap_client_certificates",
+                to="authentik_crypto.certificatekeypair",
+            ),
+        ),
+        migrations.AddField(
+            model_name="ldapsource",
+            name="sni",
+            field=models.BooleanField(
+                default=False, verbose_name="Use Server URI for SNI verification"
+            ),
+        ),
+        migrations.AlterField(
+            model_name="ldapsource",
+            name="peer_certificate",
+            field=models.ForeignKey(
+                default=None,
+                help_text="Optionally verify the LDAP Server's Certificate against the CA Chain in this keypair.",
+                null=True,
+                on_delete=django.db.models.deletion.SET_DEFAULT,
+                related_name="ldap_peer_certificates",
+                to="authentik_crypto.certificatekeypair",
+            ),
+        ),
+    ]

authentik/sources/ldap/models.py

@@ -1,11 +1,13 @@
 """authentik LDAP Models"""
+from os import chmod
 from ssl import CERT_REQUIRED
+from tempfile import NamedTemporaryFile, mkdtemp
 from typing import Optional
 
 from django.db import models
 from django.utils.translation import gettext_lazy as _
 from ldap3 import ALL, NONE, RANDOM, Connection, Server, ServerPool, Tls
-from ldap3.core.exceptions import LDAPSchemaError
+from ldap3.core.exceptions import LDAPInsufficientAccessRightsResult, LDAPSchemaError
 from rest_framework.serializers import Serializer
 
 from authentik.core.models import Group, PropertyMapping, Source
@@ -39,14 +41,24 @@ class LDAPSource(Source):
         on_delete=models.SET_DEFAULT,
         default=None,
         null=True,
+        related_name="ldap_peer_certificates",
         help_text=_(
             "Optionally verify the LDAP Server's Certificate against the CA Chain in this keypair."
         ),
     )
+    client_certificate = models.ForeignKey(
+        CertificateKeyPair,
+        on_delete=models.SET_DEFAULT,
+        default=None,
+        null=True,
+        related_name="ldap_client_certificates",
+        help_text=_("Client certificate to authenticate against the LDAP Server's Certificate."),
+    )
 
     bind_cn = models.TextField(verbose_name=_("Bind CN"), blank=True)
     bind_password = models.TextField(blank=True)
     start_tls = models.BooleanField(default=False, verbose_name=_("Enable Start TLS"))
+    sni = models.BooleanField(default=False, verbose_name=_("Use Server URI for SNI verification"))
 
     base_dn = models.TextField(verbose_name=_("Base DN"))
     additional_user_dn = models.TextField(
@@ -112,8 +124,22 @@ class LDAPSource(Source):
         if self.peer_certificate:
             tls_kwargs["ca_certs_data"] = self.peer_certificate.certificate_data
             tls_kwargs["validate"] = CERT_REQUIRED
+        if self.client_certificate:
+            temp_dir = mkdtemp()
+            with NamedTemporaryFile(mode="w", delete=False, dir=temp_dir) as temp_cert:
+                temp_cert.write(self.client_certificate.certificate_data)
+                certificate_file = temp_cert.name
+                chmod(certificate_file, 0o600)
+            with NamedTemporaryFile(mode="w", delete=False, dir=temp_dir) as temp_key:
+                temp_key.write(self.client_certificate.key_data)
+                private_key_file = temp_key.name
+                chmod(private_key_file, 0o600)
+            tls_kwargs["local_private_key_file"] = private_key_file
+            tls_kwargs["local_certificate_file"] = certificate_file
         if ciphers := CONFIG.y("ldap.tls.ciphers", None):
             tls_kwargs["ciphers"] = ciphers.strip()
+        if self.sni:
+            tls_kwargs["sni"] = self.server_uri.split(",", maxsplit=1)[0].strip()
         server_kwargs = {
             "get_info": ALL,
             "connect_timeout": LDAP_TIMEOUT,
@@ -133,8 +159,10 @@ class LDAPSource(Source):
         """Get a fully connected and bound LDAP Connection"""
         server_kwargs = server_kwargs or {}
         connection_kwargs = connection_kwargs or {}
-        connection_kwargs.setdefault("user", self.bind_cn)
+        if self.bind_cn is not None:
-        connection_kwargs.setdefault("password", self.bind_password)
+            connection_kwargs.setdefault("user", self.bind_cn)
+        if self.bind_password is not None:
+            connection_kwargs.setdefault("password", self.bind_password)
         connection = Connection(
             self.server(**server_kwargs),
             raise_exceptions=True,
@@ -148,9 +176,10 @@ class LDAPSource(Source):
             successful = connection.bind()
             if successful:
                 return connection
-        except LDAPSchemaError as exc:
+        except (LDAPSchemaError, LDAPInsufficientAccessRightsResult) as exc:
             # Schema error, so try connecting without schema info
             # See https://github.com/goauthentik/authentik/issues/4590
+            # See also https://github.com/goauthentik/authentik/issues/3399
             if server_kwargs.get("get_info", ALL) == NONE:
                 raise exc
             server_kwargs["get_info"] = NONE

blueprints/example/sources-google-ldap-mappings.yaml

@@ -0,0 +1,222 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "false"
+  name: Example - Google Secure LDAP mappings
+entries:
+  - identifiers:
+      managed: goauthentik.io/sources/ldap/google-uid
+    model: authentik_sources_ldap.ldappropertymapping
+    attrs:
+      name: "Google Secure LDAP Mapping: uid"
+      object_field: "username"
+      expression: |
+        return ldap.get('uid')
+  - identifiers:
+      managed: goauthentik.io/sources/ldap/google-googleuid
+    model: authentik_sources_ldap.ldappropertymapping
+    attrs:
+      name: "Google Secure LDAP Mapping: googleUid"
+      object_field: "attributes.googleUid"
+      expression: |
+        return ldap.get('googleUid')
+  - identifiers:
+      managed: goauthentik.io/sources/ldap/google-posixuid
+    model: authentik_sources_ldap.ldappropertymapping
+    attrs:
+      name: "Google Secure LDAP Mapping: posixUid"
+      object_field: "attributes.posixUid"
+      expression: |
+        return ldap.get('posixUid')
+  - identifiers:
+      managed: goauthentik.io/sources/ldap/google-cn
+    model: authentik_sources_ldap.ldappropertymapping
+    attrs:
+      name: "Google Secure LDAP Mapping: cn"
+      object_field: "name"
+      expression: |
+        return ldap.get('cn')
+  - identifiers:
+      managed: goauthentik.io/sources/ldap/google-sn
+    model: authentik_sources_ldap.ldappropertymapping
+    attrs:
+      name: "Google Secure LDAP Mapping: sn"
+      object_field: "attributes.sn"
+      expression: |
+        return list_flatten(ldap.get('sn'))
+  - identifiers:
+      managed: goauthentik.io/sources/ldap/google-givenname
+    model: authentik_sources_ldap.ldappropertymapping
+    attrs:
+      name: "Google Secure LDAP Mapping: givenName"
+      object_field: "attributes.givenName"
+      expression: |
+        return list_flatten(ldap.get('givenName'))
+  - identifiers:
+      managed: goauthentik.io/sources/ldap/google-displayname
+    model: authentik_sources_ldap.ldappropertymapping
+    attrs:
+      name: "Google Secure LDAP Mapping: displayName"
+      object_field: "attributes.displayName"
+      expression: |
+        return ldap.get('displayName')
+  - identifiers:
+      managed: goauthentik.io/sources/ldap/google-mail
+    model: authentik_sources_ldap.ldappropertymapping
+    attrs:
+      name: "Google Secure LDAP Mapping: mail"
+      object_field: "email"
+      expression: |
+        return ldap.get('mail')
+  - identifiers:
+      managed: goauthentik.io/sources/ldap/google-memberof
+    model: authentik_sources_ldap.ldappropertymapping
+    attrs:
+      name: "Google Secure LDAP Mapping: memberOf"
+      object_field: "attributes.memberOf"
+      expression: |
+        return ldap.get('memberOf')
+  - identifiers:
+      managed: goauthentik.io/sources/ldap/google-title
+    model: authentik_sources_ldap.ldappropertymapping
+    attrs:
+      name: "Google Secure LDAP Mapping: title"
+      object_field: "attributes.title"
+      expression: |
+        return ldap.get('title')
+  - identifiers:
+      managed: goauthentik.io/sources/ldap/google-employeenumber
+    model: authentik_sources_ldap.ldappropertymapping
+    attrs:
+      name: "Google Secure LDAP Mapping: employeeNumber"
+      object_field: "attributes.employeeNumber"
+      expression: |
+        return ldap.get('employeeNumber')
+  - identifiers:
+      managed: goauthentik.io/sources/ldap/google-employeetype
+    model: authentik_sources_ldap.ldappropertymapping
+    attrs:
+      name: "Google Secure LDAP Mapping: employeeType"
+      object_field: "attributes.employeeType"
+      expression: |
+        return ldap.get('employeeType')
+  - identifiers:
+      managed: goauthentik.io/sources/ldap/google-departmentnumber
+    model: authentik_sources_ldap.ldappropertymapping
+    attrs:
+      name: "Google Secure LDAP Mapping: departmentNumber"
+      object_field: "attributes.departmentNumber"
+      expression: |
+        return ldap.get('departmentNumber')
+  - identifiers:
+      managed: goauthentik.io/sources/ldap/google-physicaldeliveryofficename
+    model: authentik_sources_ldap.ldappropertymapping
+    attrs:
+      name: "Google Secure LDAP Mapping: physicalDeliveryOfficeName"
+      object_field: "attributes.physicalDeliveryOfficeName"
+      expression: |
+        return ldap.get('physicalDeliveryOfficeName')
+  - identifiers:
+      managed: goauthentik.io/sources/ldap/google-jpegphoto
+    model: authentik_sources_ldap.ldappropertymapping
+    attrs:
+      name: "Google Secure LDAP Mapping: jpegPhoto"
+      object_field: "attributes.jpegPhoto"
+      expression: |
+        return ldap.get('jpegPhoto')
+  - identifiers:
+      managed: goauthentik.io/sources/ldap/google-entryuuid
+    model: authentik_sources_ldap.ldappropertymapping
+    attrs:
+      name: "Google Secure LDAP Mapping: entryUuid"
+      object_field: "attributes.entryUuid"
+      expression: |
+        return ldap.get('entryUuid')
+  - identifiers:
+      managed: goauthentik.io/sources/ldap/google-objectsid
+    model: authentik_sources_ldap.ldappropertymapping
+    attrs:
+      name: "Google Secure LDAP Mapping: objectSid"
+      object_field: "attributes.objectSid"
+      expression: |
+        return ldap.get('objectSid')
+  - identifiers:
+      managed: goauthentik.io/sources/ldap/google-uidnumber
+    model: authentik_sources_ldap.ldappropertymapping
+    attrs:
+      name: "Google Secure LDAP Mapping: uidNumber"
+      object_field: "attributes.uidNumber"
+      expression: |
+        return ldap.get('uidNumber')
+  - identifiers:
+      managed: goauthentik.io/sources/ldap/google-gidnumber
+    model: authentik_sources_ldap.ldappropertymapping
+    attrs:
+      name: "Google Secure LDAP Mapping: gidNumber"
+      object_field: "attributes.gidNumber"
+      expression: |
+        return ldap.get('gidNumber')
+  - identifiers:
+      managed: goauthentik.io/sources/ldap/google-homedirectory
+    model: authentik_sources_ldap.ldappropertymapping
+    attrs:
+      name: "Google Secure LDAP Mapping: homeDirectory"
+      object_field: "attributes.homeDirectory"
+      expression: |
+        return ldap.get('homeDirectory')
+  - identifiers:
+      managed: goauthentik.io/sources/ldap/google-loginshell
+    model: authentik_sources_ldap.ldappropertymapping
+    attrs:
+      name: "Google Secure LDAP Mapping: loginShell"
+      object_field: "attributes.loginShell"
+      expression: |
+        return ldap.get('loginShell')
+  - identifiers:
+      managed: goauthentik.io/sources/ldap/google-gidnumber
+    model: authentik_sources_ldap.ldappropertymapping
+    attrs:
+      name: "Google Secure LDAP Mapping: gidNumber"
+      object_field: "attributes.gidNumber"
+      expression: |
+        return ldap.get('gidNumber')
+  - identifiers:
+      managed: goauthentik.io/sources/ldap/google-sshpublickey
+    model: authentik_sources_ldap.ldappropertymapping
+    attrs:
+      name: "Google Secure LDAP Mapping: sshPublicKey"
+      object_field: "attributes.sshPublicKey"
+      expression: |
+        return list_flatten(ldap.get('sshPublicKey'))
+  - identifiers:
+      managed: goauthentik.io/sources/ldap/google-description
+    model: authentik_sources_ldap.ldappropertymapping
+    attrs:
+      name: "Google Secure LDAP Mapping: description"
+      object_field: "attributes.description"
+      expression: |
+        return list_flatten(ldap.get('description'))
+  - identifiers:
+      managed: goauthentik.io/sources/ldap/google-member
+    model: authentik_sources_ldap.ldappropertymapping
+    attrs:
+      name: "Google Secure LDAP Mapping: member"
+      object_field: "attributes.member"
+      expression: |
+        return list_flatten(ldap.get('member'))
+  - identifiers:
+      managed: goauthentik.io/sources/ldap/google-memberuid
+    model: authentik_sources_ldap.ldappropertymapping
+    attrs:
+      name: "Google Secure LDAP Mapping: memberUid"
+      object_field: "attributes.memberUid"
+      expression: |
+        return list_flatten(ldap.get('memberUid'))
+  - identifiers:
+      managed: goauthentik.io/sources/ldap/google-googleadmincreated
+    model: authentik_sources_ldap.ldappropertymapping
+    attrs:
+      name: "Google Secure LDAP Mapping: googleAdminCreated"
+      object_field: "attributes.googleAdminCreated"
+      expression: |
+        return list_flatten(ldap.get('googleAdminCreated'))

blueprints/schema.json

@@ -4732,6 +4732,11 @@
                     "title": "Peer certificate",
                     "description": "Optionally verify the LDAP Server's Certificate against the CA Chain in this keypair."
                 },
+                "client_certificate": {
+                    "type": "integer",
+                    "title": "Client certificate",
+                    "description": "Client certificate to authenticate against the LDAP Server's Certificate."
+                },
                 "bind_cn": {
                     "type": "string",
                     "title": "Bind CN"
@@ -4744,6 +4749,10 @@
                     "type": "boolean",
                     "title": "Enable Start TLS"
                 },
+                "sni": {
+                    "type": "boolean",
+                    "title": "Use Server URI for SNI verification"
+                },
                 "base_dn": {
                     "type": "string",
                     "minLength": 1,

locale/en/LC_MESSAGES/django.po

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2023-05-21 21:59+0000\n"
+"POT-Creation-Date: 2023-06-12 12:11+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -31,16 +31,16 @@ msgstr ""
 msgid "Validation Error"
 msgstr ""
 
-#: authentik/blueprints/api.py:43
+#: authentik/blueprints/api.py:44
 msgid "Blueprint file does not exist"
 msgstr ""
 
-#: authentik/blueprints/api.py:54
+#: authentik/blueprints/api.py:55
 #, python-format
 msgid "Failed to validate blueprint: %(logs)s"
 msgstr ""
 
-#: authentik/blueprints/api.py:59
+#: authentik/blueprints/api.py:60
 msgid "Either path or content must be set."
 msgstr ""
 
@@ -69,24 +69,24 @@ msgstr ""
 msgid "authentik Export - %(date)s"
 msgstr ""
 
-#: authentik/blueprints/v1/tasks.py:149 authentik/crypto/tasks.py:93
+#: authentik/blueprints/v1/tasks.py:150 authentik/crypto/tasks.py:93
 #, python-format
 msgid "Successfully imported %(count)d files."
 msgstr ""
 
-#: authentik/core/api/providers.py:113
+#: authentik/core/api/providers.py:120
 msgid "SAML Provider from Metadata"
 msgstr ""
 
-#: authentik/core/api/providers.py:114
+#: authentik/core/api/providers.py:121
 msgid "Create a SAML Provider by importing its Metadata."
 msgstr ""
 
-#: authentik/core/api/users.py:118
+#: authentik/core/api/users.py:143
 msgid "No leading or trailing slashes allowed."
 msgstr ""
 
-#: authentik/core/api/users.py:121
+#: authentik/core/api/users.py:146
 msgid "No empty segments in user path allowed."
 msgstr ""
 
@@ -1365,7 +1365,7 @@ msgstr ""
 msgid "Authentication token"
 msgstr ""
 
-#: authentik/providers/scim/models.py:33 authentik/sources/ldap/models.py:82
+#: authentik/providers/scim/models.py:33 authentik/sources/ldap/models.py:94
 msgid "Property mappings used for group creation/updating."
 msgstr ""
 
@@ -1426,79 +1426,88 @@ msgstr ""
 msgid "Used recovery-link to authenticate."
 msgstr ""
 
-#: authentik/sources/ldap/models.py:35
+#: authentik/sources/ldap/models.py:37
 msgid "Server URI"
 msgstr ""
 
-#: authentik/sources/ldap/models.py:43
+#: authentik/sources/ldap/models.py:46
 msgid ""
 "Optionally verify the LDAP Server's Certificate against the CA Chain in this "
 "keypair."
 msgstr ""
 
-#: authentik/sources/ldap/models.py:47
+#: authentik/sources/ldap/models.py:55
-msgid "Bind CN"
+msgid ""
-msgstr ""
+"Client certificate to authenticate against the LDAP Server's Certificate."
-
-#: authentik/sources/ldap/models.py:49
-msgid "Enable Start TLS"
-msgstr ""
-
-#: authentik/sources/ldap/models.py:51
-msgid "Base DN"
-msgstr ""
-
-#: authentik/sources/ldap/models.py:53
-msgid "Prepended to Base DN for User-queries."
-msgstr ""
-
-#: authentik/sources/ldap/models.py:54
-msgid "Addition User DN"
 msgstr ""
 
 #: authentik/sources/ldap/models.py:58
-msgid "Prepended to Base DN for Group-queries."
+msgid "Bind CN"
 msgstr ""
 
-#: authentik/sources/ldap/models.py:59
+#: authentik/sources/ldap/models.py:60
-msgid "Addition Group DN"
+msgid "Enable Start TLS"
+msgstr ""
+
+#: authentik/sources/ldap/models.py:61
+msgid "Use Server URI for SNI verification"
+msgstr ""
+
+#: authentik/sources/ldap/models.py:63
+msgid "Base DN"
 msgstr ""
 
 #: authentik/sources/ldap/models.py:65
+msgid "Prepended to Base DN for User-queries."
+msgstr ""
+
+#: authentik/sources/ldap/models.py:66
+msgid "Addition User DN"
+msgstr ""
+
+#: authentik/sources/ldap/models.py:70
+msgid "Prepended to Base DN for Group-queries."
+msgstr ""
+
+#: authentik/sources/ldap/models.py:71
+msgid "Addition Group DN"
+msgstr ""
+
+#: authentik/sources/ldap/models.py:77
 msgid "Consider Objects matching this filter to be Users."
 msgstr ""
 
-#: authentik/sources/ldap/models.py:68
+#: authentik/sources/ldap/models.py:80
 msgid "Field which contains members of a group."
 msgstr ""
 
-#: authentik/sources/ldap/models.py:72
+#: authentik/sources/ldap/models.py:84
 msgid "Consider Objects matching this filter to be Groups."
 msgstr ""
 
-#: authentik/sources/ldap/models.py:75
+#: authentik/sources/ldap/models.py:87
 msgid "Field which contains a unique Identifier."
 msgstr ""
 
-#: authentik/sources/ldap/models.py:89
+#: authentik/sources/ldap/models.py:101
 msgid ""
 "When a user changes their password, sync it back to LDAP. This can only be "
 "enabled on a single LDAP source."
 msgstr ""
 
-#: authentik/sources/ldap/models.py:159
+#: authentik/sources/ldap/models.py:188
 msgid "LDAP Source"
 msgstr ""
 
-#: authentik/sources/ldap/models.py:160
+#: authentik/sources/ldap/models.py:189
 msgid "LDAP Sources"
 msgstr ""
 
-#: authentik/sources/ldap/models.py:182
+#: authentik/sources/ldap/models.py:211
 msgid "LDAP Property Mapping"
 msgstr ""
 
-#: authentik/sources/ldap/models.py:183
+#: authentik/sources/ldap/models.py:212
 msgid "LDAP Property Mappings"
 msgstr ""
 

schema.yml

@@ -17096,6 +17096,11 @@ paths:
         name: bind_cn
         schema:
           type: string
+      - in: query
+        name: client_certificate
+        schema:
+          type: string
+          format: uuid
       - in: query
         name: enabled
         schema:
@@ -17171,6 +17176,10 @@ paths:
         name: slug
         schema:
           type: string
+      - in: query
+        name: sni
+        schema:
+          type: boolean
       - in: query
         name: start_tls
         schema:
@@ -30950,11 +30959,20 @@ components:
           nullable: true
           description: Optionally verify the LDAP Server's Certificate against the
             CA Chain in this keypair.
+        client_certificate:
+          type: string
+          format: uuid
+          nullable: true
+          description: Client certificate to authenticate against the LDAP Server's
+            Certificate.
         bind_cn:
           type: string
         start_tls:
           type: boolean
           title: Enable Start TLS
+        sni:
+          type: boolean
+          title: Use Server URI for SNI verification
         base_dn:
           type: string
         additional_user_dn:
@@ -31064,6 +31082,12 @@ components:
           nullable: true
           description: Optionally verify the LDAP Server's Certificate against the
             CA Chain in this keypair.
+        client_certificate:
+          type: string
+          format: uuid
+          nullable: true
+          description: Client certificate to authenticate against the LDAP Server's
+            Certificate.
         bind_cn:
           type: string
         bind_password:
@@ -31072,6 +31096,9 @@ components:
         start_tls:
           type: boolean
           title: Enable Start TLS
+        sni:
+          type: boolean
+          title: Use Server URI for SNI verification
         base_dn:
           type: string
           minLength: 1
@@ -36356,6 +36383,12 @@ components:
           nullable: true
           description: Optionally verify the LDAP Server's Certificate against the
             CA Chain in this keypair.
+        client_certificate:
+          type: string
+          format: uuid
+          nullable: true
+          description: Client certificate to authenticate against the LDAP Server's
+            Certificate.
         bind_cn:
           type: string
         bind_password:
@@ -36364,6 +36397,9 @@ components:
         start_tls:
           type: boolean
           title: Enable Start TLS
+        sni:
+          type: boolean
+          title: Use Server URI for SNI verification
         base_dn:
           type: string
           minLength: 1

web/src/admin/sources/ldap/LDAPSourceForm.ts

@@ -184,6 +184,26 @@ export class LDAPSourceForm extends ModelForm<LDAPSource, string> {
                             ${msg("To use SSL instead, use 'ldaps://' and disable this option.")}
                         </p>
                     </ak-form-element-horizontal>
+                    <ak-form-element-horizontal name="sni">
+                        <label class="pf-c-switch">
+                            <input
+                                class="pf-c-switch__input"
+                                type="checkbox"
+                                ?checked=${first(this.instance?.sni, false)}
+                            />
+                            <span class="pf-c-switch__toggle">
+                                <span class="pf-c-switch__toggle-icon">
+                                    <i class="fas fa-check" aria-hidden="true"></i>
+                                </span>
+                            </span>
+                            <span class="pf-c-switch__label"
+                                >${msg("Use Server URI for SNI verification")}</span
+                            >
+                        </label>
+                        <p class="pf-c-form__helper-text">
+                            ${msg("Required for servers using TLS 1.3+")}
+                        </p>
+                    </ak-form-element-horizontal>
                     <ak-form-element-horizontal
                         label=${msg("TLS Verification Certificate")}
                         name="peerCertificate"
@@ -222,6 +242,45 @@ export class LDAPSourceForm extends ModelForm<LDAPSource, string> {
                             )}
                         </p>
                     </ak-form-element-horizontal>
+                    <ak-form-element-horizontal
+                        label=${msg("TLS Client authentication certificate")}
+                        name="clientCertificate"
+                    >
+                        <ak-search-select
+                            .fetchObjects=${async (
+                                query?: string,
+                            ): Promise<CertificateKeyPair[]> => {
+                                const args: CryptoCertificatekeypairsListRequest = {
+                                    ordering: "name",
+                                    hasKey: true,
+                                    includeDetails: false,
+                                };
+                                if (query !== undefined) {
+                                    args.search = query;
+                                }
+                                const certificates = await new CryptoApi(
+                                    DEFAULT_CONFIG,
+                                ).cryptoCertificatekeypairsList(args);
+                                return certificates.results;
+                            }}
+                            .renderElement=${(item: CertificateKeyPair): string => {
+                                return item.name;
+                            }}
+                            .value=${(item: CertificateKeyPair | undefined): string | undefined => {
+                                return item?.pk;
+                            }}
+                            .selected=${(item: CertificateKeyPair): boolean => {
+                                return item.pk === this.instance?.clientCertificate;
+                            }}
+                            ?blankable=${true}
+                        >
+                        </ak-search-select>
+                        <p class="pf-c-form__helper-text">
+                            ${msg(
+                                "Client certificate keypair to authenticate against the LDAP Server's Certificate.",
+                            )}
+                        </p>
+                    </ak-form-element-horizontal>
                     <ak-form-element-horizontal label=${msg("Bind CN")} name="bindCn">
                         <input
                             type="text"

web/xliff/de.xlf

@@ -748,13 +748,6 @@
         <source>Certificate</source>
         <target>Zertifikat</target>
       </trans-unit>
-      <trans-unit id="s4eb524a2bb358f8b">
-        <source>Due to protocol limitations, this certificate is only used when the outpost has a single provider, or all providers use the same certificate.</source>
-      </trans-unit>
-      <trans-unit id="s73e9d580d6d96b02">
-        <source>If multiple providers share an outpost, a self-signed certificate is used.</source>
-        <target>Wenn sich mehrere Anbieter einen Außenposten teilen, wird ein selbstsigniertes Zertifikat verwendet.</target>
-      </trans-unit>
       <trans-unit id="sac43cb9690260b86">
         <source>UID start number</source>
         <target>UID-Startnummer</target>
@@ -5722,6 +5715,27 @@ Bindings to groups/users are checked against the user of the event.</source>
         <source>Activate</source>
         <target>Aktivieren</target>
       </trans-unit>
+<trans-unit id="s1024166475850a65">
+  <source>Use Server URI for SNI verification</source>
+</trans-unit>
+<trans-unit id="se65beb94fffc3c4b">
+  <source>Required for servers using TLS 1.3+</source>
+</trans-unit>
+<trans-unit id="s5506b35a1bceb141">
+  <source>Client certificate keypair to authenticate against the LDAP Server's Certificate.</source>
+</trans-unit>
+<trans-unit id="s4647b2c92638d6fd">
+  <source>The certificate for the above configured Base DN. As a fallback, the provider uses a self-signed certificate.</source>
+</trans-unit>
+<trans-unit id="scd247ffad6e04ac0">
+  <source>TLS Server name</source>
+</trans-unit>
+<trans-unit id="s2acef4f6ba39bf11">
+  <source>DNS name for which the above configured certificate should be used. The certificate cannot be detected based on the base DN, as the SSL/TLS negotiation happens before such data is exchanged.</source>
+</trans-unit>
+<trans-unit id="s000ee3e634868b3c">
+  <source>TLS Client authentication certificate</source>
+</trans-unit>
     </body>
   </file>
 </xliff>

web/xliff/en.xlf

@@ -777,14 +777,6 @@
         <source>Certificate</source>
         <target>Certificate</target>
       </trans-unit>
-      <trans-unit id="s4eb524a2bb358f8b">
-        <source>Due to protocol limitations, this certificate is only used when the outpost has a single provider, or all providers use the same certificate.</source>
-        <target>Due to protocol limitations, this certificate is only used when the outpost has a single provider, or all providers use the same certificate.</target>
-      </trans-unit>
-      <trans-unit id="s73e9d580d6d96b02">
-        <source>If multiple providers share an outpost, a self-signed certificate is used.</source>
-        <target>If multiple providers share an outpost, a self-signed certificate is used.</target>
-      </trans-unit>
       <trans-unit id="sac43cb9690260b86">
         <source>UID start number</source>
         <target>UID start number</target>
@@ -6039,6 +6031,27 @@ Bindings to groups/users are checked against the user of the event.</source>
         <source>Activate</source>
         <target>Activate</target>
       </trans-unit>
+<trans-unit id="s1024166475850a65">
+  <source>Use Server URI for SNI verification</source>
+</trans-unit>
+<trans-unit id="se65beb94fffc3c4b">
+  <source>Required for servers using TLS 1.3+</source>
+</trans-unit>
+<trans-unit id="s5506b35a1bceb141">
+  <source>Client certificate keypair to authenticate against the LDAP Server's Certificate.</source>
+</trans-unit>
+<trans-unit id="s4647b2c92638d6fd">
+  <source>The certificate for the above configured Base DN. As a fallback, the provider uses a self-signed certificate.</source>
+</trans-unit>
+<trans-unit id="scd247ffad6e04ac0">
+  <source>TLS Server name</source>
+</trans-unit>
+<trans-unit id="s2acef4f6ba39bf11">
+  <source>DNS name for which the above configured certificate should be used. The certificate cannot be detected based on the base DN, as the SSL/TLS negotiation happens before such data is exchanged.</source>
+</trans-unit>
+<trans-unit id="s000ee3e634868b3c">
+  <source>TLS Client authentication certificate</source>
+</trans-unit>
     </body>
   </file>
 </xliff>

web/xliff/es.xlf

@@ -733,13 +733,6 @@
         <source>Certificate</source>
         <target>Certificado</target>
       </trans-unit>
-      <trans-unit id="s4eb524a2bb358f8b">
-        <source>Due to protocol limitations, this certificate is only used when the outpost has a single provider, or all providers use the same certificate.</source>
-      </trans-unit>
-      <trans-unit id="s73e9d580d6d96b02">
-        <source>If multiple providers share an outpost, a self-signed certificate is used.</source>
-        <target>Si varios proveedores comparten un puesto avanzado, se utiliza un certificado autofirmado.</target>
-      </trans-unit>
       <trans-unit id="sac43cb9690260b86">
         <source>UID start number</source>
         <target>Número inicial de UID</target>
@@ -5630,6 +5623,27 @@ Bindings to groups/users are checked against the user of the event.</source>
         <source>Activate</source>
         <target>Activar</target>
       </trans-unit>
+<trans-unit id="s1024166475850a65">
+  <source>Use Server URI for SNI verification</source>
+</trans-unit>
+<trans-unit id="se65beb94fffc3c4b">
+  <source>Required for servers using TLS 1.3+</source>
+</trans-unit>
+<trans-unit id="s5506b35a1bceb141">
+  <source>Client certificate keypair to authenticate against the LDAP Server's Certificate.</source>
+</trans-unit>
+<trans-unit id="s4647b2c92638d6fd">
+  <source>The certificate for the above configured Base DN. As a fallback, the provider uses a self-signed certificate.</source>
+</trans-unit>
+<trans-unit id="scd247ffad6e04ac0">
+  <source>TLS Server name</source>
+</trans-unit>
+<trans-unit id="s2acef4f6ba39bf11">
+  <source>DNS name for which the above configured certificate should be used. The certificate cannot be detected based on the base DN, as the SSL/TLS negotiation happens before such data is exchanged.</source>
+</trans-unit>
+<trans-unit id="s000ee3e634868b3c">
+  <source>TLS Client authentication certificate</source>
+</trans-unit>
     </body>
   </file>
 </xliff>

web/xliff/fr_FR.xlf

@@ -749,13 +749,6 @@
         <source>Certificate</source>
         <target>Certificat</target>
       </trans-unit>
-      <trans-unit id="s4eb524a2bb358f8b">
-        <source>Due to protocol limitations, this certificate is only used when the outpost has a single provider, or all providers use the same certificate.</source>
-      </trans-unit>
-      <trans-unit id="s73e9d580d6d96b02">
-        <source>If multiple providers share an outpost, a self-signed certificate is used.</source>
-        <target>Si plusieurs fournisseurs partagent un avant-poste, un certificat auto-signé est utilisé.</target>
-      </trans-unit>
       <trans-unit id="sac43cb9690260b86">
         <source>UID start number</source>
         <target>Numéro de départ d'UID</target>
@@ -5737,6 +5730,27 @@ Bindings to groups/users are checked against the user of the event.</source>
         <source>Activate</source>
         <target>Activer</target>
       </trans-unit>
+<trans-unit id="s1024166475850a65">
+  <source>Use Server URI for SNI verification</source>
+</trans-unit>
+<trans-unit id="se65beb94fffc3c4b">
+  <source>Required for servers using TLS 1.3+</source>
+</trans-unit>
+<trans-unit id="s5506b35a1bceb141">
+  <source>Client certificate keypair to authenticate against the LDAP Server's Certificate.</source>
+</trans-unit>
+<trans-unit id="s4647b2c92638d6fd">
+  <source>The certificate for the above configured Base DN. As a fallback, the provider uses a self-signed certificate.</source>
+</trans-unit>
+<trans-unit id="scd247ffad6e04ac0">
+  <source>TLS Server name</source>
+</trans-unit>
+<trans-unit id="s2acef4f6ba39bf11">
+  <source>DNS name for which the above configured certificate should be used. The certificate cannot be detected based on the base DN, as the SSL/TLS negotiation happens before such data is exchanged.</source>
+</trans-unit>
+<trans-unit id="s000ee3e634868b3c">
+  <source>TLS Client authentication certificate</source>
+</trans-unit>
     </body>
   </file>
 </xliff>

web/xliff/pl.xlf

@@ -752,13 +752,6 @@
         <source>Certificate</source>
         <target>Certyfikat</target>
       </trans-unit>
-      <trans-unit id="s4eb524a2bb358f8b">
-        <source>Due to protocol limitations, this certificate is only used when the outpost has a single provider, or all providers use the same certificate.</source>
-      </trans-unit>
-      <trans-unit id="s73e9d580d6d96b02">
-        <source>If multiple providers share an outpost, a self-signed certificate is used.</source>
-        <target>Jeśli wielu dostawców współdzieli placówkę, używany jest certyfikat z podpisem własnym.</target>
-      </trans-unit>
       <trans-unit id="sac43cb9690260b86">
         <source>UID start number</source>
         <target>Numer początkowy UID</target>
@@ -5869,6 +5862,27 @@ Bindings to groups/users are checked against the user of the event.</source>
         <source>Activate</source>
         <target>Aktywuj</target>
       </trans-unit>
+<trans-unit id="s1024166475850a65">
+  <source>Use Server URI for SNI verification</source>
+</trans-unit>
+<trans-unit id="se65beb94fffc3c4b">
+  <source>Required for servers using TLS 1.3+</source>
+</trans-unit>
+<trans-unit id="s5506b35a1bceb141">
+  <source>Client certificate keypair to authenticate against the LDAP Server's Certificate.</source>
+</trans-unit>
+<trans-unit id="s4647b2c92638d6fd">
+  <source>The certificate for the above configured Base DN. As a fallback, the provider uses a self-signed certificate.</source>
+</trans-unit>
+<trans-unit id="scd247ffad6e04ac0">
+  <source>TLS Server name</source>
+</trans-unit>
+<trans-unit id="s2acef4f6ba39bf11">
+  <source>DNS name for which the above configured certificate should be used. The certificate cannot be detected based on the base DN, as the SSL/TLS negotiation happens before such data is exchanged.</source>
+</trans-unit>
+<trans-unit id="s000ee3e634868b3c">
+  <source>TLS Client authentication certificate</source>
+</trans-unit>
     </body>
   </file>
 </xliff>

web/xliff/pseudo-LOCALE.xlf

@@ -761,14 +761,6 @@
       <trans-unit id="sb157267c85fdff30">
         <source>Certificate</source>
         
-      </trans-unit>
-      <trans-unit id="s4eb524a2bb358f8b">
-        <source>Due to protocol limitations, this certificate is only used when the outpost has a single provider, or all providers use the same certificate.</source>
-        
-      </trans-unit>
-      <trans-unit id="s73e9d580d6d96b02">
-        <source>If multiple providers share an outpost, a self-signed certificate is used.</source>
-        
       </trans-unit>
       <trans-unit id="sac43cb9690260b86">
         <source>UID start number</source>
@@ -5973,6 +5965,27 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s27976e94b05c6970">
   <source>Activate</source>
+</trans-unit>
+<trans-unit id="s1024166475850a65">
+  <source>Use Server URI for SNI verification</source>
+</trans-unit>
+<trans-unit id="se65beb94fffc3c4b">
+  <source>Required for servers using TLS 1.3+</source>
+</trans-unit>
+<trans-unit id="s5506b35a1bceb141">
+  <source>Client certificate keypair to authenticate against the LDAP Server's Certificate.</source>
+</trans-unit>
+<trans-unit id="s4647b2c92638d6fd">
+  <source>The certificate for the above configured Base DN. As a fallback, the provider uses a self-signed certificate.</source>
+</trans-unit>
+<trans-unit id="scd247ffad6e04ac0">
+  <source>TLS Server name</source>
+</trans-unit>
+<trans-unit id="s2acef4f6ba39bf11">
+  <source>DNS name for which the above configured certificate should be used. The certificate cannot be detected based on the base DN, as the SSL/TLS negotiation happens before such data is exchanged.</source>
+</trans-unit>
+<trans-unit id="s000ee3e634868b3c">
+  <source>TLS Client authentication certificate</source>
 </trans-unit>
     </body>
   </file>

web/xliff/tr.xlf

@@ -733,13 +733,6 @@
         <source>Certificate</source>
         <target>Sertifika</target>
       </trans-unit>
-      <trans-unit id="s4eb524a2bb358f8b">
-        <source>Due to protocol limitations, this certificate is only used when the outpost has a single provider, or all providers use the same certificate.</source>
-      </trans-unit>
-      <trans-unit id="s73e9d580d6d96b02">
-        <source>If multiple providers share an outpost, a self-signed certificate is used.</source>
-        <target>Birden çok sağlayıcı bir üssü paylaşıyorsa, otomatik olarak imzalanan bir sertifika kullanılır.</target>
-      </trans-unit>
       <trans-unit id="sac43cb9690260b86">
         <source>UID start number</source>
         <target>UID başlangıç numarası</target>
@@ -5620,6 +5613,27 @@ Bindings to groups/users are checked against the user of the event.</source>
         <source>Activate</source>
         <target>Etkinleştir</target>
       </trans-unit>
+<trans-unit id="s1024166475850a65">
+  <source>Use Server URI for SNI verification</source>
+</trans-unit>
+<trans-unit id="se65beb94fffc3c4b">
+  <source>Required for servers using TLS 1.3+</source>
+</trans-unit>
+<trans-unit id="s5506b35a1bceb141">
+  <source>Client certificate keypair to authenticate against the LDAP Server's Certificate.</source>
+</trans-unit>
+<trans-unit id="s4647b2c92638d6fd">
+  <source>The certificate for the above configured Base DN. As a fallback, the provider uses a self-signed certificate.</source>
+</trans-unit>
+<trans-unit id="scd247ffad6e04ac0">
+  <source>TLS Server name</source>
+</trans-unit>
+<trans-unit id="s2acef4f6ba39bf11">
+  <source>DNS name for which the above configured certificate should be used. The certificate cannot be detected based on the base DN, as the SSL/TLS negotiation happens before such data is exchanged.</source>
+</trans-unit>
+<trans-unit id="s000ee3e634868b3c">
+  <source>TLS Client authentication certificate</source>
+</trans-unit>
     </body>
   </file>
 </xliff>

web/xliff/zh-Hans.xlf

@@ -965,16 +965,6 @@
         <source>Certificate</source>
         <target>证书</target>
         
-      </trans-unit>
-      <trans-unit id="s4eb524a2bb358f8b">
-        <source>Due to protocol limitations, this certificate is only used when the outpost has a single provider, or all providers use the same certificate.</source>
-        <target>由于协议限制，只在前哨有单个提供程序，或所有提供程序都使用相同证书时才使用此证书。</target>
-        
-      </trans-unit>
-      <trans-unit id="s73e9d580d6d96b02">
-        <source>If multiple providers share an outpost, a self-signed certificate is used.</source>
-        <target>如果多个提供程序共享同一个前哨，则使用自签名证书。</target>
-        
       </trans-unit>
       <trans-unit id="sac43cb9690260b86">
         <source>UID start number</source>
@@ -7547,6 +7537,27 @@ Bindings to groups/users are checked against the user of the event.</source>
         <target>激活</target>
         
       </trans-unit>
+<trans-unit id="s1024166475850a65">
+  <source>Use Server URI for SNI verification</source>
+</trans-unit>
+<trans-unit id="se65beb94fffc3c4b">
+  <source>Required for servers using TLS 1.3+</source>
+</trans-unit>
+<trans-unit id="s5506b35a1bceb141">
+  <source>Client certificate keypair to authenticate against the LDAP Server's Certificate.</source>
+</trans-unit>
+<trans-unit id="s4647b2c92638d6fd">
+  <source>The certificate for the above configured Base DN. As a fallback, the provider uses a self-signed certificate.</source>
+</trans-unit>
+<trans-unit id="scd247ffad6e04ac0">
+  <source>TLS Server name</source>
+</trans-unit>
+<trans-unit id="s2acef4f6ba39bf11">
+  <source>DNS name for which the above configured certificate should be used. The certificate cannot be detected based on the base DN, as the SSL/TLS negotiation happens before such data is exchanged.</source>
+</trans-unit>
+<trans-unit id="s000ee3e634868b3c">
+  <source>TLS Client authentication certificate</source>
+</trans-unit>
     </body>
   </file>
 </xliff>

web/xliff/zh-Hant.xlf

@@ -740,13 +740,6 @@
         <source>Certificate</source>
         <target>证书</target>
       </trans-unit>
-      <trans-unit id="s4eb524a2bb358f8b">
-        <source>Due to protocol limitations, this certificate is only used when the outpost has a single provider, or all providers use the same certificate.</source>
-      </trans-unit>
-      <trans-unit id="s73e9d580d6d96b02">
-        <source>If multiple providers share an outpost, a self-signed certificate is used.</source>
-        <target>如果多个提供商共享一个 Outpost，则使用自签名证书。</target>
-      </trans-unit>
       <trans-unit id="sac43cb9690260b86">
         <source>UID start number</source>
         <target>UID 起始编号</target>
@@ -5675,6 +5668,27 @@ Bindings to groups/users are checked against the user of the event.</source>
         <source>Activate</source>
         <target>启用</target>
       </trans-unit>
+<trans-unit id="s1024166475850a65">
+  <source>Use Server URI for SNI verification</source>
+</trans-unit>
+<trans-unit id="se65beb94fffc3c4b">
+  <source>Required for servers using TLS 1.3+</source>
+</trans-unit>
+<trans-unit id="s5506b35a1bceb141">
+  <source>Client certificate keypair to authenticate against the LDAP Server's Certificate.</source>
+</trans-unit>
+<trans-unit id="s4647b2c92638d6fd">
+  <source>The certificate for the above configured Base DN. As a fallback, the provider uses a self-signed certificate.</source>
+</trans-unit>
+<trans-unit id="scd247ffad6e04ac0">
+  <source>TLS Server name</source>
+</trans-unit>
+<trans-unit id="s2acef4f6ba39bf11">
+  <source>DNS name for which the above configured certificate should be used. The certificate cannot be detected based on the base DN, as the SSL/TLS negotiation happens before such data is exchanged.</source>
+</trans-unit>
+<trans-unit id="s000ee3e634868b3c">
+  <source>TLS Client authentication certificate</source>
+</trans-unit>
     </body>
   </file>
 </xliff>

web/xliff/zh_TW.xlf

@@ -740,13 +740,6 @@
         <source>Certificate</source>
         <target>证书</target>
       </trans-unit>
-      <trans-unit id="s4eb524a2bb358f8b">
-        <source>Due to protocol limitations, this certificate is only used when the outpost has a single provider, or all providers use the same certificate.</source>
-      </trans-unit>
-      <trans-unit id="s73e9d580d6d96b02">
-        <source>If multiple providers share an outpost, a self-signed certificate is used.</source>
-        <target>如果多个提供商共享一个 Outpost，则使用自签名证书。</target>
-      </trans-unit>
       <trans-unit id="sac43cb9690260b86">
         <source>UID start number</source>
         <target>UID 起始编号</target>
@@ -5674,6 +5667,27 @@ Bindings to groups/users are checked against the user of the event.</source>
         <source>Activate</source>
         <target>启用</target>
       </trans-unit>
+<trans-unit id="s1024166475850a65">
+  <source>Use Server URI for SNI verification</source>
+</trans-unit>
+<trans-unit id="se65beb94fffc3c4b">
+  <source>Required for servers using TLS 1.3+</source>
+</trans-unit>
+<trans-unit id="s5506b35a1bceb141">
+  <source>Client certificate keypair to authenticate against the LDAP Server's Certificate.</source>
+</trans-unit>
+<trans-unit id="s4647b2c92638d6fd">
+  <source>The certificate for the above configured Base DN. As a fallback, the provider uses a self-signed certificate.</source>
+</trans-unit>
+<trans-unit id="scd247ffad6e04ac0">
+  <source>TLS Server name</source>
+</trans-unit>
+<trans-unit id="s2acef4f6ba39bf11">
+  <source>DNS name for which the above configured certificate should be used. The certificate cannot be detected based on the base DN, as the SSL/TLS negotiation happens before such data is exchanged.</source>
+</trans-unit>
+<trans-unit id="s000ee3e634868b3c">
+  <source>TLS Client authentication certificate</source>
+</trans-unit>
     </body>
   </file>
 </xliff>