Merge branch 'main' into 5165-password-strength-indicator

* main: (23 commits)
  web: bump API Client version (#5935)
  sources/ldap: add support for cert based auth (#5850)
  ci: replace status with state for auto-deployment
  ci: don't write CI status to file
  ci: add workflow to automatically update next branch (#5921)
  providers/ldap: fix Outpost provider listing excluding backchannel providers (#5933)
  root: revert to use secret_key for JWT signing (#5934)
  sources/ldap: fix duplicate bind when authenticating user directly to… (#5927)
  web: bump core-js from 3.30.2 to 3.31.0 in /web (#5928)
  core: bump pytest from 7.3.1 to 7.3.2 (#5929)
  web: bump @rollup/plugin-commonjs from 25.0.0 to 25.0.1 in /web (#5931)
  web: bump @formatjs/intl-listformat from 7.3.0 to 7.4.0 in /web (#5932)
  core: bump github.com/go-ldap/ldap/v3 from 3.4.4 to 3.4.5 (#5930)
  website/integrations: Fix header in dokuwiki instructions (#5926)
  providers/oauth2: launch url: if URL parsing fails, return no launch URL (#5918)
  web: bump @babel/core from 7.22.1 to 7.22.5 in /web (#5909)
  web: bump @babel/plugin-proposal-decorators from 7.22.3 to 7.22.5 in /web (#5910)
  web: bump @babel/preset-typescript from 7.21.5 to 7.22.5 in /web (#5912)
  web: bump @babel/preset-env from 7.22.4 to 7.22.5 in /web (#5915)
  core: bump requests-mock from 1.10.0 to 1.11.0 (#5911)
  ...
This commit is contained in:
Ken Sternberg 2023-06-12 09:55:35 -07:00
commit a75c9434d9
39 changed files with 1426 additions and 824 deletions

View file

@ -0,0 +1,25 @@
name: authentik-on-release-next-branch
on:
schedule:
- cron: "0 12 * * *" # every day at noon
workflow_dispatch:
permissions:
contents: write
jobs:
update-next:
runs-on: ubuntu-latest
environment: internal-production
steps:
- uses: actions/checkout@v3
with:
ref: main
- id: main-state
run: |
state=$(curl -fsSL -H "Accept: application/vnd.github+json" -H "Authorization: Bearer ${{ github.token }}" "https://api.github.com/repos/${{ github.repository }}/commits/HEAD/state" | jq -r '.state')
echo "state=${state}" >> $GITHUB_OUTPUT
- if: ${{ steps.main-state.outputs.state == 'success' }}
run: |
git push origin next --force

View file

@ -151,7 +151,7 @@ web-check-compile:
cd web && npm run tsc cd web && npm run tsc
web-i18n-extract: web-i18n-extract:
cd web && npm run extract cd web && npm run extract-locales
######################### #########################
## Website ## Website

View file

@ -376,10 +376,10 @@ class Application(SerializerModel, PolicyBindingModel):
def get_launch_url(self, user: Optional["User"] = None) -> Optional[str]: def get_launch_url(self, user: Optional["User"] = None) -> Optional[str]:
"""Get launch URL if set, otherwise attempt to get launch URL based on provider.""" """Get launch URL if set, otherwise attempt to get launch URL based on provider."""
url = None url = None
if provider := self.get_provider():
url = provider.launch_url
if self.meta_launch_url: if self.meta_launch_url:
url = self.meta_launch_url url = self.meta_launch_url
elif provider := self.get_provider():
url = provider.launch_url
if user and url: if user and url:
if isinstance(user, SimpleLazyObject): if isinstance(user, SimpleLazyObject):
user._setup() user._setup()

View file

@ -105,7 +105,9 @@ class LDAPOutpostConfigSerializer(ModelSerializer):
class LDAPOutpostConfigViewSet(ReadOnlyModelViewSet): class LDAPOutpostConfigViewSet(ReadOnlyModelViewSet):
"""LDAPProvider Viewset""" """LDAPProvider Viewset"""
queryset = LDAPProvider.objects.filter(application__isnull=False) queryset = LDAPProvider.objects.filter(
Q(application__isnull=False) | Q(backchannel_application__isnull=False)
)
serializer_class = LDAPOutpostConfigSerializer serializer_class = LDAPOutpostConfigSerializer
ordering = ["name"] ordering = ["name"]
search_fields = ["name"] search_fields = ["name"]

View file

@ -0,0 +1,52 @@
"""LDAP Provider API tests"""
from json import loads
from django.urls import reverse
from rest_framework.test import APITestCase
from authentik.core.models import Application
from authentik.core.tests.utils import create_test_admin_user, create_test_flow
from authentik.lib.generators import generate_id
from authentik.providers.ldap.models import LDAPProvider
class TestLDAPProviderAPI(APITestCase):
"""LDAP Provider API tests"""
def test_outpost_application(self):
"""Test outpost-like provider retrieval (direct connection)"""
provider = LDAPProvider.objects.create(
name=generate_id(),
authorization_flow=create_test_flow(),
)
Application.objects.create(
name=generate_id(),
slug=generate_id(),
provider=provider,
)
user = create_test_admin_user()
self.client.force_login(user)
res = self.client.get(reverse("authentik_api:ldapprovideroutpost-list"))
self.assertEqual(res.status_code, 200)
data = loads(res.content.decode())
self.assertEqual(data["pagination"]["count"], 1)
self.assertEqual(len(data["results"]), 1)
def test_outpost_application_backchannel(self):
"""Test outpost-like provider retrieval (backchannel connection)"""
provider = LDAPProvider.objects.create(
name=generate_id(),
authorization_flow=create_test_flow(),
)
app: Application = Application.objects.create(
name=generate_id(),
slug=generate_id(),
)
app.backchannel_providers.add(provider)
user = create_test_admin_user()
self.client.force_login(user)
res = self.client.get(reverse("authentik_api:ldapprovideroutpost-list"))
self.assertEqual(res.status_code, 200)
data = loads(res.content.decode())
self.assertEqual(data["pagination"]["count"], 1)
self.assertEqual(len(data["results"]), 1)

View file

@ -2,6 +2,6 @@
from authentik.providers.ldap.api import LDAPOutpostConfigViewSet, LDAPProviderViewSet from authentik.providers.ldap.api import LDAPOutpostConfigViewSet, LDAPProviderViewSet
api_urlpatterns = [ api_urlpatterns = [
("outposts/ldap", LDAPOutpostConfigViewSet), ("outposts/ldap", LDAPOutpostConfigViewSet, "ldapprovideroutpost"),
("providers/ldap", LDAPProviderViewSet), ("providers/ldap", LDAPProviderViewSet),
] ]

View file

@ -17,6 +17,7 @@ from django.urls import reverse
from django.utils.translation import gettext_lazy as _ from django.utils.translation import gettext_lazy as _
from jwt import encode from jwt import encode
from rest_framework.serializers import Serializer from rest_framework.serializers import Serializer
from structlog.stdlib import get_logger
from authentik.core.models import ExpiringModel, PropertyMapping, Provider, User from authentik.core.models import ExpiringModel, PropertyMapping, Provider, User
from authentik.crypto.models import CertificateKeyPair from authentik.crypto.models import CertificateKeyPair
@ -26,6 +27,8 @@ from authentik.lib.utils.time import timedelta_string_validator
from authentik.providers.oauth2.id_token import IDToken, SubModes from authentik.providers.oauth2.id_token import IDToken, SubModes
from authentik.sources.oauth.models import OAuthSource from authentik.sources.oauth.models import OAuthSource
LOGGER = get_logger()
def generate_client_secret() -> str: def generate_client_secret() -> str:
"""Generate client secret with adequate length""" """Generate client secret with adequate length"""
@ -251,8 +254,12 @@ class OAuth2Provider(Provider):
if self.redirect_uris == "": if self.redirect_uris == "":
return None return None
main_url = self.redirect_uris.split("\n", maxsplit=1)[0] main_url = self.redirect_uris.split("\n", maxsplit=1)[0]
launch_url = urlparse(main_url)._replace(path="") try:
return urlunparse(launch_url) launch_url = urlparse(main_url)._replace(path="")
return urlunparse(launch_url)
except ValueError as exc:
LOGGER.warning("Failed to format launch url", exc=exc)
return None
@property @property
def component(self) -> str: def component(self) -> str:

View file

@ -1,5 +1,7 @@
"""Test OAuth2 API""" """Test OAuth2 API"""
from json import loads from json import loads
from sys import version_info
from unittest import skipUnless
from django.urls import reverse from django.urls import reverse
from rest_framework.test import APITestCase from rest_framework.test import APITestCase
@ -42,3 +44,14 @@ class TestAPI(APITestCase):
self.assertEqual(response.status_code, 200) self.assertEqual(response.status_code, 200)
body = loads(response.content.decode()) body = loads(response.content.decode())
self.assertEqual(body["issuer"], "http://testserver/application/o/test/") self.assertEqual(body["issuer"], "http://testserver/application/o/test/")
# https://github.com/goauthentik/authentik/pull/5918
@skipUnless(version_info >= (3, 11, 4), "This behaviour is only Python 3.11.4 and up")
def test_launch_url(self):
"""Test launch_url"""
self.provider.redirect_uris = (
"https://[\\d\\w]+.pr.test.goauthentik.io/source/oauth/callback/authentik/\n"
)
self.provider.save()
self.provider.refresh_from_db()
self.assertIsNone(self.provider.launch_url)

View file

@ -2,6 +2,6 @@
from authentik.providers.proxy.api import ProxyOutpostConfigViewSet, ProxyProviderViewSet from authentik.providers.proxy.api import ProxyOutpostConfigViewSet, ProxyProviderViewSet
api_urlpatterns = [ api_urlpatterns = [
("outposts/proxy", ProxyOutpostConfigViewSet), ("outposts/proxy", ProxyOutpostConfigViewSet, "proxyprovideroutpost"),
("providers/proxy", ProxyProviderViewSet), ("providers/proxy", ProxyProviderViewSet),
] ]

View file

@ -2,6 +2,6 @@
from authentik.providers.radius.api import RadiusOutpostConfigViewSet, RadiusProviderViewSet from authentik.providers.radius.api import RadiusOutpostConfigViewSet, RadiusProviderViewSet
api_urlpatterns = [ api_urlpatterns = [
("outposts/radius", RadiusOutpostConfigViewSet), ("outposts/radius", RadiusOutpostConfigViewSet, "radiusprovideroutpost"),
("providers/radius", RadiusProviderViewSet), ("providers/radius", RadiusProviderViewSet),
] ]

View file

@ -1,5 +1,4 @@
"""Dynamically set SameSite depending if the upstream connection is TLS or not""" """Dynamically set SameSite depending if the upstream connection is TLS or not"""
from functools import lru_cache
from hashlib import sha512 from hashlib import sha512
from time import time from time import time
from timeit import default_timer from timeit import default_timer
@ -17,16 +16,10 @@ from jwt import PyJWTError, decode, encode
from structlog.stdlib import get_logger from structlog.stdlib import get_logger
from authentik.lib.utils.http import get_client_ip from authentik.lib.utils.http import get_client_ip
from authentik.root.install_id import get_install_id
LOGGER = get_logger("authentik.asgi") LOGGER = get_logger("authentik.asgi")
ACR_AUTHENTIK_SESSION = "goauthentik.io/core/default" ACR_AUTHENTIK_SESSION = "goauthentik.io/core/default"
SIGNING_HASH = sha512(settings.SECRET_KEY.encode()).hexdigest()
@lru_cache
def get_signing_hash():
"""Get cookie JWT signing hash"""
return sha512(get_install_id().encode()).hexdigest()
class SessionMiddleware(UpstreamSessionMiddleware): class SessionMiddleware(UpstreamSessionMiddleware):
@ -54,7 +47,7 @@ class SessionMiddleware(UpstreamSessionMiddleware):
# for testing setups, where the session is directly set # for testing setups, where the session is directly set
session_key = key if settings.TEST else None session_key = key if settings.TEST else None
try: try:
session_payload = decode(key, get_signing_hash(), algorithms=["HS256"]) session_payload = decode(key, SIGNING_HASH, algorithms=["HS256"])
session_key = session_payload["sid"] session_key = session_payload["sid"]
except (KeyError, PyJWTError): except (KeyError, PyJWTError):
pass pass
@ -121,7 +114,7 @@ class SessionMiddleware(UpstreamSessionMiddleware):
} }
if request.user.is_authenticated: if request.user.is_authenticated:
payload["sub"] = request.user.uid payload["sub"] = request.user.uid
value = encode(payload=payload, key=get_signing_hash()) value = encode(payload=payload, key=SIGNING_HASH)
if settings.TEST: if settings.TEST:
value = request.session.session_key value = request.session.session_key
response.set_cookie( response.set_cookie(

View file

@ -8,6 +8,7 @@ from drf_spectacular.utils import extend_schema, extend_schema_field, inline_ser
from rest_framework.decorators import action from rest_framework.decorators import action
from rest_framework.exceptions import ValidationError from rest_framework.exceptions import ValidationError
from rest_framework.fields import DictField, ListField from rest_framework.fields import DictField, ListField
from rest_framework.relations import PrimaryKeyRelatedField
from rest_framework.request import Request from rest_framework.request import Request
from rest_framework.response import Response from rest_framework.response import Response
from rest_framework.viewsets import ModelViewSet from rest_framework.viewsets import ModelViewSet
@ -16,6 +17,7 @@ from authentik.admin.api.tasks import TaskSerializer
from authentik.core.api.propertymappings import PropertyMappingSerializer from authentik.core.api.propertymappings import PropertyMappingSerializer
from authentik.core.api.sources import SourceSerializer from authentik.core.api.sources import SourceSerializer
from authentik.core.api.used_by import UsedByMixin from authentik.core.api.used_by import UsedByMixin
from authentik.crypto.models import CertificateKeyPair
from authentik.events.monitored_tasks import TaskInfo from authentik.events.monitored_tasks import TaskInfo
from authentik.sources.ldap.models import LDAPPropertyMapping, LDAPSource from authentik.sources.ldap.models import LDAPPropertyMapping, LDAPSource
from authentik.sources.ldap.tasks import SYNC_CLASSES from authentik.sources.ldap.tasks import SYNC_CLASSES
@ -24,6 +26,15 @@ from authentik.sources.ldap.tasks import SYNC_CLASSES
class LDAPSourceSerializer(SourceSerializer): class LDAPSourceSerializer(SourceSerializer):
"""LDAP Source Serializer""" """LDAP Source Serializer"""
client_certificate = PrimaryKeyRelatedField(
allow_null=True,
help_text="Client certificate to authenticate against the LDAP Server's Certificate.",
queryset=CertificateKeyPair.objects.exclude(
key_data__exact="",
),
required=False,
)
def validate(self, attrs: dict[str, Any]) -> dict[str, Any]: def validate(self, attrs: dict[str, Any]) -> dict[str, Any]:
"""Check that only a single source has password_sync on""" """Check that only a single source has password_sync on"""
sync_users_password = attrs.get("sync_users_password", True) sync_users_password = attrs.get("sync_users_password", True)
@ -42,9 +53,11 @@ class LDAPSourceSerializer(SourceSerializer):
fields = SourceSerializer.Meta.fields + [ fields = SourceSerializer.Meta.fields + [
"server_uri", "server_uri",
"peer_certificate", "peer_certificate",
"client_certificate",
"bind_cn", "bind_cn",
"bind_password", "bind_password",
"start_tls", "start_tls",
"sni",
"base_dn", "base_dn",
"additional_user_dn", "additional_user_dn",
"additional_group_dn", "additional_group_dn",
@ -75,7 +88,9 @@ class LDAPSourceViewSet(UsedByMixin, ModelViewSet):
"server_uri", "server_uri",
"bind_cn", "bind_cn",
"peer_certificate", "peer_certificate",
"client_certificate",
"start_tls", "start_tls",
"sni",
"base_dn", "base_dn",
"additional_user_dn", "additional_user_dn",
"additional_group_dn", "additional_group_dn",

View file

@ -57,13 +57,13 @@ class LDAPBackend(InbuiltBackend):
# Try to bind as new user # Try to bind as new user
LOGGER.debug("Attempting to bind as user", user=user) LOGGER.debug("Attempting to bind as user", user=user)
try: try:
temp_connection = source.connection( # source.connection also attempts to bind
source.connection(
connection_kwargs={ connection_kwargs={
"user": user.attributes.get(LDAP_DISTINGUISHED_NAME), "user": user.attributes.get(LDAP_DISTINGUISHED_NAME),
"password": password, "password": password,
} }
) )
temp_connection.bind()
return user return user
except LDAPInvalidCredentialsResult as exc: except LDAPInvalidCredentialsResult as exc:
LOGGER.debug("invalid LDAP credentials", user=user, exc=exc) LOGGER.debug("invalid LDAP credentials", user=user, exc=exc)

View file

@ -0,0 +1,45 @@
# Generated by Django 4.1.7 on 2023-06-06 18:33
import django.db.models.deletion
from django.db import migrations, models
class Migration(migrations.Migration):
dependencies = [
("authentik_crypto", "0004_alter_certificatekeypair_name"),
("authentik_sources_ldap", "0002_auto_20211203_0900"),
]
operations = [
migrations.AddField(
model_name="ldapsource",
name="client_certificate",
field=models.ForeignKey(
default=None,
help_text="Client certificate to authenticate against the LDAP Server's Certificate.",
null=True,
on_delete=django.db.models.deletion.SET_DEFAULT,
related_name="ldap_client_certificates",
to="authentik_crypto.certificatekeypair",
),
),
migrations.AddField(
model_name="ldapsource",
name="sni",
field=models.BooleanField(
default=False, verbose_name="Use Server URI for SNI verification"
),
),
migrations.AlterField(
model_name="ldapsource",
name="peer_certificate",
field=models.ForeignKey(
default=None,
help_text="Optionally verify the LDAP Server's Certificate against the CA Chain in this keypair.",
null=True,
on_delete=django.db.models.deletion.SET_DEFAULT,
related_name="ldap_peer_certificates",
to="authentik_crypto.certificatekeypair",
),
),
]

View file

@ -1,11 +1,13 @@
"""authentik LDAP Models""" """authentik LDAP Models"""
from os import chmod
from ssl import CERT_REQUIRED from ssl import CERT_REQUIRED
from tempfile import NamedTemporaryFile, mkdtemp
from typing import Optional from typing import Optional
from django.db import models from django.db import models
from django.utils.translation import gettext_lazy as _ from django.utils.translation import gettext_lazy as _
from ldap3 import ALL, NONE, RANDOM, Connection, Server, ServerPool, Tls from ldap3 import ALL, NONE, RANDOM, Connection, Server, ServerPool, Tls
from ldap3.core.exceptions import LDAPSchemaError from ldap3.core.exceptions import LDAPInsufficientAccessRightsResult, LDAPSchemaError
from rest_framework.serializers import Serializer from rest_framework.serializers import Serializer
from authentik.core.models import Group, PropertyMapping, Source from authentik.core.models import Group, PropertyMapping, Source
@ -39,14 +41,24 @@ class LDAPSource(Source):
on_delete=models.SET_DEFAULT, on_delete=models.SET_DEFAULT,
default=None, default=None,
null=True, null=True,
related_name="ldap_peer_certificates",
help_text=_( help_text=_(
"Optionally verify the LDAP Server's Certificate against the CA Chain in this keypair." "Optionally verify the LDAP Server's Certificate against the CA Chain in this keypair."
), ),
) )
client_certificate = models.ForeignKey(
CertificateKeyPair,
on_delete=models.SET_DEFAULT,
default=None,
null=True,
related_name="ldap_client_certificates",
help_text=_("Client certificate to authenticate against the LDAP Server's Certificate."),
)
bind_cn = models.TextField(verbose_name=_("Bind CN"), blank=True) bind_cn = models.TextField(verbose_name=_("Bind CN"), blank=True)
bind_password = models.TextField(blank=True) bind_password = models.TextField(blank=True)
start_tls = models.BooleanField(default=False, verbose_name=_("Enable Start TLS")) start_tls = models.BooleanField(default=False, verbose_name=_("Enable Start TLS"))
sni = models.BooleanField(default=False, verbose_name=_("Use Server URI for SNI verification"))
base_dn = models.TextField(verbose_name=_("Base DN")) base_dn = models.TextField(verbose_name=_("Base DN"))
additional_user_dn = models.TextField( additional_user_dn = models.TextField(
@ -112,8 +124,22 @@ class LDAPSource(Source):
if self.peer_certificate: if self.peer_certificate:
tls_kwargs["ca_certs_data"] = self.peer_certificate.certificate_data tls_kwargs["ca_certs_data"] = self.peer_certificate.certificate_data
tls_kwargs["validate"] = CERT_REQUIRED tls_kwargs["validate"] = CERT_REQUIRED
if self.client_certificate:
temp_dir = mkdtemp()
with NamedTemporaryFile(mode="w", delete=False, dir=temp_dir) as temp_cert:
temp_cert.write(self.client_certificate.certificate_data)
certificate_file = temp_cert.name
chmod(certificate_file, 0o600)
with NamedTemporaryFile(mode="w", delete=False, dir=temp_dir) as temp_key:
temp_key.write(self.client_certificate.key_data)
private_key_file = temp_key.name
chmod(private_key_file, 0o600)
tls_kwargs["local_private_key_file"] = private_key_file
tls_kwargs["local_certificate_file"] = certificate_file
if ciphers := CONFIG.y("ldap.tls.ciphers", None): if ciphers := CONFIG.y("ldap.tls.ciphers", None):
tls_kwargs["ciphers"] = ciphers.strip() tls_kwargs["ciphers"] = ciphers.strip()
if self.sni:
tls_kwargs["sni"] = self.server_uri.split(",", maxsplit=1)[0].strip()
server_kwargs = { server_kwargs = {
"get_info": ALL, "get_info": ALL,
"connect_timeout": LDAP_TIMEOUT, "connect_timeout": LDAP_TIMEOUT,
@ -133,8 +159,10 @@ class LDAPSource(Source):
"""Get a fully connected and bound LDAP Connection""" """Get a fully connected and bound LDAP Connection"""
server_kwargs = server_kwargs or {} server_kwargs = server_kwargs or {}
connection_kwargs = connection_kwargs or {} connection_kwargs = connection_kwargs or {}
connection_kwargs.setdefault("user", self.bind_cn) if self.bind_cn is not None:
connection_kwargs.setdefault("password", self.bind_password) connection_kwargs.setdefault("user", self.bind_cn)
if self.bind_password is not None:
connection_kwargs.setdefault("password", self.bind_password)
connection = Connection( connection = Connection(
self.server(**server_kwargs), self.server(**server_kwargs),
raise_exceptions=True, raise_exceptions=True,
@ -145,15 +173,18 @@ class LDAPSource(Source):
if self.start_tls: if self.start_tls:
connection.start_tls(read_server_info=False) connection.start_tls(read_server_info=False)
try: try:
connection.bind() successful = connection.bind()
except LDAPSchemaError as exc: if successful:
return connection
except (LDAPSchemaError, LDAPInsufficientAccessRightsResult) as exc:
# Schema error, so try connecting without schema info # Schema error, so try connecting without schema info
# See https://github.com/goauthentik/authentik/issues/4590 # See https://github.com/goauthentik/authentik/issues/4590
# See also https://github.com/goauthentik/authentik/issues/3399
if server_kwargs.get("get_info", ALL) == NONE: if server_kwargs.get("get_info", ALL) == NONE:
raise exc raise exc
server_kwargs["get_info"] = NONE server_kwargs["get_info"] = NONE
return self.connection(server_kwargs, connection_kwargs) return self.connection(server_kwargs, connection_kwargs)
return connection return RuntimeError("Failed to bind")
class Meta: class Meta:
verbose_name = _("LDAP Source") verbose_name = _("LDAP Source")

View file

@ -29,6 +29,37 @@ class LDAPSyncTests(TestCase):
additional_group_dn="ou=groups", additional_group_dn="ou=groups",
) )
def test_auth_direct_user_ad(self):
"""Test direct auth"""
self.source.property_mappings.set(
LDAPPropertyMapping.objects.filter(
Q(managed__startswith="goauthentik.io/sources/ldap/default-")
| Q(managed__startswith="goauthentik.io/sources/ldap/ms-")
)
)
raw_conn = mock_ad_connection(LDAP_PASSWORD)
bind_mock = Mock(wraps=raw_conn.bind)
raw_conn.bind = bind_mock
connection = MagicMock(return_value=raw_conn)
with patch("authentik.sources.ldap.models.LDAPSource.connection", connection):
user_sync = UserLDAPSynchronizer(self.source)
user_sync.sync()
user = User.objects.get(username="user0_sn")
# auth_user_by_bind = Mock(return_value=user)
backend = LDAPBackend()
self.assertEqual(
backend.authenticate(None, username="user0_sn", password=LDAP_PASSWORD),
user,
)
connection.assert_called_with(
connection_kwargs={
"user": "cn=user0,ou=users,dc=goauthentik,dc=io",
"password": LDAP_PASSWORD,
}
)
bind_mock.assert_not_called()
def test_auth_synced_user_ad(self): def test_auth_synced_user_ad(self):
"""Test Cached auth""" """Test Cached auth"""
self.source.property_mappings.set( self.source.property_mappings.set(

View file

@ -0,0 +1,222 @@
version: 1
metadata:
labels:
blueprints.goauthentik.io/instantiate: "false"
name: Example - Google Secure LDAP mappings
entries:
- identifiers:
managed: goauthentik.io/sources/ldap/google-uid
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: uid"
object_field: "username"
expression: |
return ldap.get('uid')
- identifiers:
managed: goauthentik.io/sources/ldap/google-googleuid
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: googleUid"
object_field: "attributes.googleUid"
expression: |
return ldap.get('googleUid')
- identifiers:
managed: goauthentik.io/sources/ldap/google-posixuid
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: posixUid"
object_field: "attributes.posixUid"
expression: |
return ldap.get('posixUid')
- identifiers:
managed: goauthentik.io/sources/ldap/google-cn
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: cn"
object_field: "name"
expression: |
return ldap.get('cn')
- identifiers:
managed: goauthentik.io/sources/ldap/google-sn
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: sn"
object_field: "attributes.sn"
expression: |
return list_flatten(ldap.get('sn'))
- identifiers:
managed: goauthentik.io/sources/ldap/google-givenname
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: givenName"
object_field: "attributes.givenName"
expression: |
return list_flatten(ldap.get('givenName'))
- identifiers:
managed: goauthentik.io/sources/ldap/google-displayname
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: displayName"
object_field: "attributes.displayName"
expression: |
return ldap.get('displayName')
- identifiers:
managed: goauthentik.io/sources/ldap/google-mail
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: mail"
object_field: "email"
expression: |
return ldap.get('mail')
- identifiers:
managed: goauthentik.io/sources/ldap/google-memberof
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: memberOf"
object_field: "attributes.memberOf"
expression: |
return ldap.get('memberOf')
- identifiers:
managed: goauthentik.io/sources/ldap/google-title
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: title"
object_field: "attributes.title"
expression: |
return ldap.get('title')
- identifiers:
managed: goauthentik.io/sources/ldap/google-employeenumber
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: employeeNumber"
object_field: "attributes.employeeNumber"
expression: |
return ldap.get('employeeNumber')
- identifiers:
managed: goauthentik.io/sources/ldap/google-employeetype
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: employeeType"
object_field: "attributes.employeeType"
expression: |
return ldap.get('employeeType')
- identifiers:
managed: goauthentik.io/sources/ldap/google-departmentnumber
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: departmentNumber"
object_field: "attributes.departmentNumber"
expression: |
return ldap.get('departmentNumber')
- identifiers:
managed: goauthentik.io/sources/ldap/google-physicaldeliveryofficename
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: physicalDeliveryOfficeName"
object_field: "attributes.physicalDeliveryOfficeName"
expression: |
return ldap.get('physicalDeliveryOfficeName')
- identifiers:
managed: goauthentik.io/sources/ldap/google-jpegphoto
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: jpegPhoto"
object_field: "attributes.jpegPhoto"
expression: |
return ldap.get('jpegPhoto')
- identifiers:
managed: goauthentik.io/sources/ldap/google-entryuuid
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: entryUuid"
object_field: "attributes.entryUuid"
expression: |
return ldap.get('entryUuid')
- identifiers:
managed: goauthentik.io/sources/ldap/google-objectsid
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: objectSid"
object_field: "attributes.objectSid"
expression: |
return ldap.get('objectSid')
- identifiers:
managed: goauthentik.io/sources/ldap/google-uidnumber
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: uidNumber"
object_field: "attributes.uidNumber"
expression: |
return ldap.get('uidNumber')
- identifiers:
managed: goauthentik.io/sources/ldap/google-gidnumber
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: gidNumber"
object_field: "attributes.gidNumber"
expression: |
return ldap.get('gidNumber')
- identifiers:
managed: goauthentik.io/sources/ldap/google-homedirectory
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: homeDirectory"
object_field: "attributes.homeDirectory"
expression: |
return ldap.get('homeDirectory')
- identifiers:
managed: goauthentik.io/sources/ldap/google-loginshell
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: loginShell"
object_field: "attributes.loginShell"
expression: |
return ldap.get('loginShell')
- identifiers:
managed: goauthentik.io/sources/ldap/google-gidnumber
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: gidNumber"
object_field: "attributes.gidNumber"
expression: |
return ldap.get('gidNumber')
- identifiers:
managed: goauthentik.io/sources/ldap/google-sshpublickey
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: sshPublicKey"
object_field: "attributes.sshPublicKey"
expression: |
return list_flatten(ldap.get('sshPublicKey'))
- identifiers:
managed: goauthentik.io/sources/ldap/google-description
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: description"
object_field: "attributes.description"
expression: |
return list_flatten(ldap.get('description'))
- identifiers:
managed: goauthentik.io/sources/ldap/google-member
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: member"
object_field: "attributes.member"
expression: |
return list_flatten(ldap.get('member'))
- identifiers:
managed: goauthentik.io/sources/ldap/google-memberuid
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: memberUid"
object_field: "attributes.memberUid"
expression: |
return list_flatten(ldap.get('memberUid'))
- identifiers:
managed: goauthentik.io/sources/ldap/google-googleadmincreated
model: authentik_sources_ldap.ldappropertymapping
attrs:
name: "Google Secure LDAP Mapping: googleAdminCreated"
object_field: "attributes.googleAdminCreated"
expression: |
return list_flatten(ldap.get('googleAdminCreated'))

View file

@ -4732,6 +4732,11 @@
"title": "Peer certificate", "title": "Peer certificate",
"description": "Optionally verify the LDAP Server's Certificate against the CA Chain in this keypair." "description": "Optionally verify the LDAP Server's Certificate against the CA Chain in this keypair."
}, },
"client_certificate": {
"type": "integer",
"title": "Client certificate",
"description": "Client certificate to authenticate against the LDAP Server's Certificate."
},
"bind_cn": { "bind_cn": {
"type": "string", "type": "string",
"title": "Bind CN" "title": "Bind CN"
@ -4744,6 +4749,10 @@
"type": "boolean", "type": "boolean",
"title": "Enable Start TLS" "title": "Enable Start TLS"
}, },
"sni": {
"type": "boolean",
"title": "Use Server URI for SNI verification"
},
"base_dn": { "base_dn": {
"type": "string", "type": "string",
"minLength": 1, "minLength": 1,

4
go.mod
View file

@ -9,7 +9,7 @@ require (
github.com/garyburd/redigo v1.6.4 github.com/garyburd/redigo v1.6.4
github.com/getsentry/sentry-go v0.21.0 github.com/getsentry/sentry-go v0.21.0
github.com/go-http-utils/etag v0.0.0-20161124023236-513ea8f21eb1 github.com/go-http-utils/etag v0.0.0-20161124023236-513ea8f21eb1
github.com/go-ldap/ldap/v3 v3.4.4 github.com/go-ldap/ldap/v3 v3.4.5
github.com/go-openapi/runtime v0.26.0 github.com/go-openapi/runtime v0.26.0
github.com/go-openapi/strfmt v0.21.7 github.com/go-openapi/strfmt v0.21.7
github.com/golang-jwt/jwt v3.2.2+incompatible github.com/golang-jwt/jwt v3.2.2+incompatible
@ -36,7 +36,7 @@ require (
) )
require ( require (
github.com/Azure/go-ntlmssp v0.0.0-20220621081337-cb9428e4ac1e // indirect github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
github.com/beorn7/perks v1.0.1 // indirect github.com/beorn7/perks v1.0.1 // indirect
github.com/cespare/xxhash/v2 v2.2.0 // indirect github.com/cespare/xxhash/v2 v2.2.0 // indirect

15
go.sum
View file

@ -1,13 +1,15 @@
beryju.io/ldap v0.1.0 h1:rPjGE3qR1Klbvn9N+iECWdzt/tK87XHgz8W5wZJg9B8= beryju.io/ldap v0.1.0 h1:rPjGE3qR1Klbvn9N+iECWdzt/tK87XHgz8W5wZJg9B8=
beryju.io/ldap v0.1.0/go.mod h1:sOrYV+ZlDTDu/IvIiEiuAaXzjcpMBE+XXr4V+NJ0pWI= beryju.io/ldap v0.1.0/go.mod h1:sOrYV+ZlDTDu/IvIiEiuAaXzjcpMBE+XXr4V+NJ0pWI=
cloud.google.com/go/compute/metadata v0.2.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k= cloud.google.com/go/compute/metadata v0.2.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k=
github.com/Azure/go-ntlmssp v0.0.0-20220621081337-cb9428e4ac1e h1:NeAW1fUYUEWhft7pkxDf6WoUvEZJ/uOKsvtpjLnn8MU= github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
github.com/Azure/go-ntlmssp v0.0.0-20220621081337-cb9428e4ac1e/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU= github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
github.com/Netflix/go-env v0.0.0-20210215222557-e437a7e7f9fb h1:w9IDEB7P1VzNcBpOG7kMpFkZp2DkyJIUt0gDx5MBhRU= github.com/Netflix/go-env v0.0.0-20210215222557-e437a7e7f9fb h1:w9IDEB7P1VzNcBpOG7kMpFkZp2DkyJIUt0gDx5MBhRU=
github.com/Netflix/go-env v0.0.0-20210215222557-e437a7e7f9fb/go.mod h1:9XMFaCeRyW7fC9XJOWQ+NdAv8VLG7ys7l3x4ozEGLUQ= github.com/Netflix/go-env v0.0.0-20210215222557-e437a7e7f9fb/go.mod h1:9XMFaCeRyW7fC9XJOWQ+NdAv8VLG7ys7l3x4ozEGLUQ=
github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74 h1:Kk6a4nehpJ3UuJRqlA3JxYxBZEqCeOmATOvrbT4p9RA=
github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so= github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so=
github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
@ -37,8 +39,8 @@ github.com/go-http-utils/fresh v0.0.0-20161124030543-7231e26a4b27 h1:O6yi4xa9b2D
github.com/go-http-utils/fresh v0.0.0-20161124030543-7231e26a4b27/go.mod h1:AYvN8omj7nKLmbcXS2dyABYU6JB1Lz1bHmkkq1kf4I4= github.com/go-http-utils/fresh v0.0.0-20161124030543-7231e26a4b27/go.mod h1:AYvN8omj7nKLmbcXS2dyABYU6JB1Lz1bHmkkq1kf4I4=
github.com/go-http-utils/headers v0.0.0-20181008091004-fed159eddc2a h1:v6zMvHuY9yue4+QkG/HQ/W67wvtQmWJ4SDo9aK/GIno= github.com/go-http-utils/headers v0.0.0-20181008091004-fed159eddc2a h1:v6zMvHuY9yue4+QkG/HQ/W67wvtQmWJ4SDo9aK/GIno=
github.com/go-http-utils/headers v0.0.0-20181008091004-fed159eddc2a/go.mod h1:I79BieaU4fxrw4LMXby6q5OS9XnoR9UIKLOzDFjUmuw= github.com/go-http-utils/headers v0.0.0-20181008091004-fed159eddc2a/go.mod h1:I79BieaU4fxrw4LMXby6q5OS9XnoR9UIKLOzDFjUmuw=
github.com/go-ldap/ldap/v3 v3.4.4 h1:qPjipEpt+qDa6SI/h1fzuGWoRUY+qqQ9sOZq67/PYUs= github.com/go-ldap/ldap/v3 v3.4.5 h1:ekEKmaDrpvR2yf5Nc/DClsGG9lAmdDixe44mLzlW5r8=
github.com/go-ldap/ldap/v3 v3.4.4/go.mod h1:fe1MsuN5eJJ1FeLT/LEBVdWfNWKh459R7aXgXtJC+aI= github.com/go-ldap/ldap/v3 v3.4.5/go.mod h1:bMGIq3AGbytbaMwf8wdv5Phdxz0FWHTIYMSzyrYgnQs=
github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
github.com/go-logr/logr v1.2.3 h1:2DntVwHkVopvECVRSlL5PSo9eG+cAkDCuckLubN+rq0= github.com/go-logr/logr v1.2.3 h1:2DntVwHkVopvECVRSlL5PSo9eG+cAkDCuckLubN+rq0=
github.com/go-logr/logr v1.2.3/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-logr/logr v1.2.3/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
@ -216,7 +218,6 @@ github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UV
github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals=
github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
@ -265,6 +266,7 @@ golang.org/x/net v0.0.0-20210421230115-4e50805a0758/go.mod h1:72T/g9IO56b78aLF+1
golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
golang.org/x/net v0.10.0 h1:X2//UzNDwYmtCLn7To6G58Wr6f5ahEAQgKNzv9Y951M= golang.org/x/net v0.10.0 h1:X2//UzNDwYmtCLn7To6G58Wr6f5ahEAQgKNzv9Y951M=
golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
golang.org/x/oauth2 v0.8.0 h1:6dkIjl3j3LtZ/O3sTgZTMsLKSftL/B8Zgq4huOIIUu8= golang.org/x/oauth2 v0.8.0 h1:6dkIjl3j3LtZ/O3sTgZTMsLKSftL/B8Zgq4huOIIUu8=
@ -294,11 +296,13 @@ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBc
golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.8.0 h1:EBmGv8NaZBZTWvrbjNoL6HVt+IVy3QDQpJs7VRIw3tU= golang.org/x/sys v0.8.0 h1:EBmGv8NaZBZTWvrbjNoL6HVt+IVy3QDQpJs7VRIw3tU=
golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
@ -307,6 +311,7 @@ golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
golang.org/x/text v0.9.0 h1:2sjJmO8cDvYveuX97RDLsxlyUxLl+GHoLxBiRdHllBE= golang.org/x/text v0.9.0 h1:2sjJmO8cDvYveuX97RDLsxlyUxLl+GHoLxBiRdHllBE=
golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=

View file

@ -8,7 +8,7 @@ msgid ""
msgstr "" msgstr ""
"Project-Id-Version: PACKAGE VERSION\n" "Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n" "Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2023-05-21 21:59+0000\n" "POT-Creation-Date: 2023-06-12 12:11+0000\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n" "Language-Team: LANGUAGE <LL@li.org>\n"
@ -31,16 +31,16 @@ msgstr ""
msgid "Validation Error" msgid "Validation Error"
msgstr "" msgstr ""
#: authentik/blueprints/api.py:43 #: authentik/blueprints/api.py:44
msgid "Blueprint file does not exist" msgid "Blueprint file does not exist"
msgstr "" msgstr ""
#: authentik/blueprints/api.py:54 #: authentik/blueprints/api.py:55
#, python-format #, python-format
msgid "Failed to validate blueprint: %(logs)s" msgid "Failed to validate blueprint: %(logs)s"
msgstr "" msgstr ""
#: authentik/blueprints/api.py:59 #: authentik/blueprints/api.py:60
msgid "Either path or content must be set." msgid "Either path or content must be set."
msgstr "" msgstr ""
@ -69,24 +69,24 @@ msgstr ""
msgid "authentik Export - %(date)s" msgid "authentik Export - %(date)s"
msgstr "" msgstr ""
#: authentik/blueprints/v1/tasks.py:149 authentik/crypto/tasks.py:93 #: authentik/blueprints/v1/tasks.py:150 authentik/crypto/tasks.py:93
#, python-format #, python-format
msgid "Successfully imported %(count)d files." msgid "Successfully imported %(count)d files."
msgstr "" msgstr ""
#: authentik/core/api/providers.py:113 #: authentik/core/api/providers.py:120
msgid "SAML Provider from Metadata" msgid "SAML Provider from Metadata"
msgstr "" msgstr ""
#: authentik/core/api/providers.py:114 #: authentik/core/api/providers.py:121
msgid "Create a SAML Provider by importing its Metadata." msgid "Create a SAML Provider by importing its Metadata."
msgstr "" msgstr ""
#: authentik/core/api/users.py:118 #: authentik/core/api/users.py:143
msgid "No leading or trailing slashes allowed." msgid "No leading or trailing slashes allowed."
msgstr "" msgstr ""
#: authentik/core/api/users.py:121 #: authentik/core/api/users.py:146
msgid "No empty segments in user path allowed." msgid "No empty segments in user path allowed."
msgstr "" msgstr ""
@ -1365,7 +1365,7 @@ msgstr ""
msgid "Authentication token" msgid "Authentication token"
msgstr "" msgstr ""
#: authentik/providers/scim/models.py:33 authentik/sources/ldap/models.py:82 #: authentik/providers/scim/models.py:33 authentik/sources/ldap/models.py:94
msgid "Property mappings used for group creation/updating." msgid "Property mappings used for group creation/updating."
msgstr "" msgstr ""
@ -1426,79 +1426,88 @@ msgstr ""
msgid "Used recovery-link to authenticate." msgid "Used recovery-link to authenticate."
msgstr "" msgstr ""
#: authentik/sources/ldap/models.py:35 #: authentik/sources/ldap/models.py:37
msgid "Server URI" msgid "Server URI"
msgstr "" msgstr ""
#: authentik/sources/ldap/models.py:43 #: authentik/sources/ldap/models.py:46
msgid "" msgid ""
"Optionally verify the LDAP Server's Certificate against the CA Chain in this " "Optionally verify the LDAP Server's Certificate against the CA Chain in this "
"keypair." "keypair."
msgstr "" msgstr ""
#: authentik/sources/ldap/models.py:47 #: authentik/sources/ldap/models.py:55
msgid "Bind CN" msgid ""
msgstr "" "Client certificate to authenticate against the LDAP Server's Certificate."
#: authentik/sources/ldap/models.py:49
msgid "Enable Start TLS"
msgstr ""
#: authentik/sources/ldap/models.py:51
msgid "Base DN"
msgstr ""
#: authentik/sources/ldap/models.py:53
msgid "Prepended to Base DN for User-queries."
msgstr ""
#: authentik/sources/ldap/models.py:54
msgid "Addition User DN"
msgstr "" msgstr ""
#: authentik/sources/ldap/models.py:58 #: authentik/sources/ldap/models.py:58
msgid "Prepended to Base DN for Group-queries." msgid "Bind CN"
msgstr "" msgstr ""
#: authentik/sources/ldap/models.py:59 #: authentik/sources/ldap/models.py:60
msgid "Addition Group DN" msgid "Enable Start TLS"
msgstr ""
#: authentik/sources/ldap/models.py:61
msgid "Use Server URI for SNI verification"
msgstr ""
#: authentik/sources/ldap/models.py:63
msgid "Base DN"
msgstr "" msgstr ""
#: authentik/sources/ldap/models.py:65 #: authentik/sources/ldap/models.py:65
msgid "Prepended to Base DN for User-queries."
msgstr ""
#: authentik/sources/ldap/models.py:66
msgid "Addition User DN"
msgstr ""
#: authentik/sources/ldap/models.py:70
msgid "Prepended to Base DN for Group-queries."
msgstr ""
#: authentik/sources/ldap/models.py:71
msgid "Addition Group DN"
msgstr ""
#: authentik/sources/ldap/models.py:77
msgid "Consider Objects matching this filter to be Users." msgid "Consider Objects matching this filter to be Users."
msgstr "" msgstr ""
#: authentik/sources/ldap/models.py:68 #: authentik/sources/ldap/models.py:80
msgid "Field which contains members of a group." msgid "Field which contains members of a group."
msgstr "" msgstr ""
#: authentik/sources/ldap/models.py:72 #: authentik/sources/ldap/models.py:84
msgid "Consider Objects matching this filter to be Groups." msgid "Consider Objects matching this filter to be Groups."
msgstr "" msgstr ""
#: authentik/sources/ldap/models.py:75 #: authentik/sources/ldap/models.py:87
msgid "Field which contains a unique Identifier." msgid "Field which contains a unique Identifier."
msgstr "" msgstr ""
#: authentik/sources/ldap/models.py:89 #: authentik/sources/ldap/models.py:101
msgid "" msgid ""
"When a user changes their password, sync it back to LDAP. This can only be " "When a user changes their password, sync it back to LDAP. This can only be "
"enabled on a single LDAP source." "enabled on a single LDAP source."
msgstr "" msgstr ""
#: authentik/sources/ldap/models.py:159 #: authentik/sources/ldap/models.py:188
msgid "LDAP Source" msgid "LDAP Source"
msgstr "" msgstr ""
#: authentik/sources/ldap/models.py:160 #: authentik/sources/ldap/models.py:189
msgid "LDAP Sources" msgid "LDAP Sources"
msgstr "" msgstr ""
#: authentik/sources/ldap/models.py:182 #: authentik/sources/ldap/models.py:211
msgid "LDAP Property Mapping" msgid "LDAP Property Mapping"
msgstr "" msgstr ""
#: authentik/sources/ldap/models.py:183 #: authentik/sources/ldap/models.py:212
msgid "LDAP Property Mappings" msgid "LDAP Property Mappings"
msgstr "" msgstr ""

203
poetry.lock generated

File diff suppressed because it is too large Load diff

View file

@ -17096,6 +17096,11 @@ paths:
name: bind_cn name: bind_cn
schema: schema:
type: string type: string
- in: query
name: client_certificate
schema:
type: string
format: uuid
- in: query - in: query
name: enabled name: enabled
schema: schema:
@ -17171,6 +17176,10 @@ paths:
name: slug name: slug
schema: schema:
type: string type: string
- in: query
name: sni
schema:
type: boolean
- in: query - in: query
name: start_tls name: start_tls
schema: schema:
@ -30950,11 +30959,20 @@ components:
nullable: true nullable: true
description: Optionally verify the LDAP Server's Certificate against the description: Optionally verify the LDAP Server's Certificate against the
CA Chain in this keypair. CA Chain in this keypair.
client_certificate:
type: string
format: uuid
nullable: true
description: Client certificate to authenticate against the LDAP Server's
Certificate.
bind_cn: bind_cn:
type: string type: string
start_tls: start_tls:
type: boolean type: boolean
title: Enable Start TLS title: Enable Start TLS
sni:
type: boolean
title: Use Server URI for SNI verification
base_dn: base_dn:
type: string type: string
additional_user_dn: additional_user_dn:
@ -31064,6 +31082,12 @@ components:
nullable: true nullable: true
description: Optionally verify the LDAP Server's Certificate against the description: Optionally verify the LDAP Server's Certificate against the
CA Chain in this keypair. CA Chain in this keypair.
client_certificate:
type: string
format: uuid
nullable: true
description: Client certificate to authenticate against the LDAP Server's
Certificate.
bind_cn: bind_cn:
type: string type: string
bind_password: bind_password:
@ -31072,6 +31096,9 @@ components:
start_tls: start_tls:
type: boolean type: boolean
title: Enable Start TLS title: Enable Start TLS
sni:
type: boolean
title: Use Server URI for SNI verification
base_dn: base_dn:
type: string type: string
minLength: 1 minLength: 1
@ -36356,6 +36383,12 @@ components:
nullable: true nullable: true
description: Optionally verify the LDAP Server's Certificate against the description: Optionally verify the LDAP Server's Certificate against the
CA Chain in this keypair. CA Chain in this keypair.
client_certificate:
type: string
format: uuid
nullable: true
description: Client certificate to authenticate against the LDAP Server's
Certificate.
bind_cn: bind_cn:
type: string type: string
bind_password: bind_password:
@ -36364,6 +36397,9 @@ components:
start_tls: start_tls:
type: boolean type: boolean
title: Enable Start TLS title: Enable Start TLS
sni:
type: boolean
title: Use Server URI for SNI verification
base_dn: base_dn:
type: string type: string
minLength: 1 minLength: 1

1032
web/package-lock.json generated

File diff suppressed because it is too large Load diff

View file

@ -32,9 +32,9 @@
"@codemirror/lang-xml": "^6.0.2", "@codemirror/lang-xml": "^6.0.2",
"@codemirror/legacy-modes": "^6.3.2", "@codemirror/legacy-modes": "^6.3.2",
"@codemirror/theme-one-dark": "^6.1.2", "@codemirror/theme-one-dark": "^6.1.2",
"@formatjs/intl-listformat": "^7.3.0", "@formatjs/intl-listformat": "^7.4.0",
"@fortawesome/fontawesome-free": "^6.4.0", "@fortawesome/fontawesome-free": "^6.4.0",
"@goauthentik/api": "^2023.5.3-1685646044", "@goauthentik/api": "^2023.5.3-1686577333",
"@lit/localize": "^0.11.4", "@lit/localize": "^0.11.4",
"@patternfly/patternfly": "^4.224.2", "@patternfly/patternfly": "^4.224.2",
"@sentry/browser": "^7.54.0", "@sentry/browser": "^7.54.0",
@ -45,30 +45,30 @@
"chartjs-adapter-moment": "^1.0.1", "chartjs-adapter-moment": "^1.0.1",
"codemirror": "^6.0.1", "codemirror": "^6.0.1",
"construct-style-sheets-polyfill": "^3.1.0", "construct-style-sheets-polyfill": "^3.1.0",
"core-js": "^3.30.2", "core-js": "^3.31.0",
"country-flag-icons": "^1.5.7", "country-flag-icons": "^1.5.7",
"fuse.js": "^6.6.2", "fuse.js": "^6.6.2",
"lit": "^2.7.5", "lit": "^2.7.5",
"mermaid": "^10.2.2", "mermaid": "^10.2.3",
"rapidoc": "^9.3.4", "rapidoc": "^9.3.4",
"webcomponent-qr-code": "^1.1.1", "webcomponent-qr-code": "^1.1.1",
"yaml": "^2.3.1", "yaml": "^2.3.1",
"zxcvbn": "^4.4.2" "zxcvbn": "^4.4.2"
}, },
"devDependencies": { "devDependencies": {
"@babel/core": "^7.22.1", "@babel/core": "^7.22.5",
"@babel/plugin-proposal-class-properties": "^7.18.6", "@babel/plugin-proposal-class-properties": "^7.18.6",
"@babel/plugin-proposal-decorators": "^7.22.3", "@babel/plugin-proposal-decorators": "^7.22.5",
"@babel/plugin-proposal-private-methods": "^7.18.6", "@babel/plugin-proposal-private-methods": "^7.18.6",
"@babel/plugin-transform-runtime": "^7.22.4", "@babel/plugin-transform-runtime": "^7.22.5",
"@babel/preset-env": "^7.22.4", "@babel/preset-env": "^7.22.5",
"@babel/preset-typescript": "^7.21.5", "@babel/preset-typescript": "^7.22.5",
"@hcaptcha/types": "^1.0.3", "@hcaptcha/types": "^1.0.3",
"@jackfranklin/rollup-plugin-markdown": "^0.4.0", "@jackfranklin/rollup-plugin-markdown": "^0.4.0",
"@jeysal/storybook-addon-css-user-preferences": "^0.2.0", "@jeysal/storybook-addon-css-user-preferences": "^0.2.0",
"@lit/localize-tools": "^0.6.9", "@lit/localize-tools": "^0.6.9",
"@rollup/plugin-babel": "^6.0.3", "@rollup/plugin-babel": "^6.0.3",
"@rollup/plugin-commonjs": "^25.0.0", "@rollup/plugin-commonjs": "^25.0.1",
"@rollup/plugin-node-resolve": "^15.0.2", "@rollup/plugin-node-resolve": "^15.0.2",
"@rollup/plugin-replace": "^5.0.2", "@rollup/plugin-replace": "^5.0.2",
"@rollup/plugin-typescript": "^11.1.1", "@rollup/plugin-typescript": "^11.1.1",

View file

@ -184,6 +184,26 @@ export class LDAPSourceForm extends ModelForm<LDAPSource, string> {
${msg("To use SSL instead, use 'ldaps://' and disable this option.")} ${msg("To use SSL instead, use 'ldaps://' and disable this option.")}
</p> </p>
</ak-form-element-horizontal> </ak-form-element-horizontal>
<ak-form-element-horizontal name="sni">
<label class="pf-c-switch">
<input
class="pf-c-switch__input"
type="checkbox"
?checked=${first(this.instance?.sni, false)}
/>
<span class="pf-c-switch__toggle">
<span class="pf-c-switch__toggle-icon">
<i class="fas fa-check" aria-hidden="true"></i>
</span>
</span>
<span class="pf-c-switch__label"
>${msg("Use Server URI for SNI verification")}</span
>
</label>
<p class="pf-c-form__helper-text">
${msg("Required for servers using TLS 1.3+")}
</p>
</ak-form-element-horizontal>
<ak-form-element-horizontal <ak-form-element-horizontal
label=${msg("TLS Verification Certificate")} label=${msg("TLS Verification Certificate")}
name="peerCertificate" name="peerCertificate"
@ -222,6 +242,45 @@ export class LDAPSourceForm extends ModelForm<LDAPSource, string> {
)} )}
</p> </p>
</ak-form-element-horizontal> </ak-form-element-horizontal>
<ak-form-element-horizontal
label=${msg("TLS Client authentication certificate")}
name="clientCertificate"
>
<ak-search-select
.fetchObjects=${async (
query?: string,
): Promise<CertificateKeyPair[]> => {
const args: CryptoCertificatekeypairsListRequest = {
ordering: "name",
hasKey: true,
includeDetails: false,
};
if (query !== undefined) {
args.search = query;
}
const certificates = await new CryptoApi(
DEFAULT_CONFIG,
).cryptoCertificatekeypairsList(args);
return certificates.results;
}}
.renderElement=${(item: CertificateKeyPair): string => {
return item.name;
}}
.value=${(item: CertificateKeyPair | undefined): string | undefined => {
return item?.pk;
}}
.selected=${(item: CertificateKeyPair): boolean => {
return item.pk === this.instance?.clientCertificate;
}}
?blankable=${true}
>
</ak-search-select>
<p class="pf-c-form__helper-text">
${msg(
"Client certificate keypair to authenticate against the LDAP Server's Certificate.",
)}
</p>
</ak-form-element-horizontal>
<ak-form-element-horizontal label=${msg("Bind CN")} name="bindCn"> <ak-form-element-horizontal label=${msg("Bind CN")} name="bindCn">
<input <input
type="text" type="text"

View file

@ -748,13 +748,6 @@
<source>Certificate</source> <source>Certificate</source>
<target>Zertifikat</target> <target>Zertifikat</target>
</trans-unit> </trans-unit>
<trans-unit id="s4eb524a2bb358f8b">
<source>Due to protocol limitations, this certificate is only used when the outpost has a single provider, or all providers use the same certificate.</source>
</trans-unit>
<trans-unit id="s73e9d580d6d96b02">
<source>If multiple providers share an outpost, a self-signed certificate is used.</source>
<target>Wenn sich mehrere Anbieter einen Außenposten teilen, wird ein selbstsigniertes Zertifikat verwendet.</target>
</trans-unit>
<trans-unit id="sac43cb9690260b86"> <trans-unit id="sac43cb9690260b86">
<source>UID start number</source> <source>UID start number</source>
<target>UID-Startnummer</target> <target>UID-Startnummer</target>
@ -5722,6 +5715,27 @@ Bindings to groups/users are checked against the user of the event.</source>
<source>Activate</source> <source>Activate</source>
<target>Aktivieren</target> <target>Aktivieren</target>
</trans-unit> </trans-unit>
<trans-unit id="s1024166475850a65">
<source>Use Server URI for SNI verification</source>
</trans-unit>
<trans-unit id="se65beb94fffc3c4b">
<source>Required for servers using TLS 1.3+</source>
</trans-unit>
<trans-unit id="s5506b35a1bceb141">
<source>Client certificate keypair to authenticate against the LDAP Server's Certificate.</source>
</trans-unit>
<trans-unit id="s4647b2c92638d6fd">
<source>The certificate for the above configured Base DN. As a fallback, the provider uses a self-signed certificate.</source>
</trans-unit>
<trans-unit id="scd247ffad6e04ac0">
<source>TLS Server name</source>
</trans-unit>
<trans-unit id="s2acef4f6ba39bf11">
<source>DNS name for which the above configured certificate should be used. The certificate cannot be detected based on the base DN, as the SSL/TLS negotiation happens before such data is exchanged.</source>
</trans-unit>
<trans-unit id="s000ee3e634868b3c">
<source>TLS Client authentication certificate</source>
</trans-unit>
</body> </body>
</file> </file>
</xliff> </xliff>

View file

@ -777,14 +777,6 @@
<source>Certificate</source> <source>Certificate</source>
<target>Certificate</target> <target>Certificate</target>
</trans-unit> </trans-unit>
<trans-unit id="s4eb524a2bb358f8b">
<source>Due to protocol limitations, this certificate is only used when the outpost has a single provider, or all providers use the same certificate.</source>
<target>Due to protocol limitations, this certificate is only used when the outpost has a single provider, or all providers use the same certificate.</target>
</trans-unit>
<trans-unit id="s73e9d580d6d96b02">
<source>If multiple providers share an outpost, a self-signed certificate is used.</source>
<target>If multiple providers share an outpost, a self-signed certificate is used.</target>
</trans-unit>
<trans-unit id="sac43cb9690260b86"> <trans-unit id="sac43cb9690260b86">
<source>UID start number</source> <source>UID start number</source>
<target>UID start number</target> <target>UID start number</target>
@ -6039,6 +6031,27 @@ Bindings to groups/users are checked against the user of the event.</source>
<source>Activate</source> <source>Activate</source>
<target>Activate</target> <target>Activate</target>
</trans-unit> </trans-unit>
<trans-unit id="s1024166475850a65">
<source>Use Server URI for SNI verification</source>
</trans-unit>
<trans-unit id="se65beb94fffc3c4b">
<source>Required for servers using TLS 1.3+</source>
</trans-unit>
<trans-unit id="s5506b35a1bceb141">
<source>Client certificate keypair to authenticate against the LDAP Server's Certificate.</source>
</trans-unit>
<trans-unit id="s4647b2c92638d6fd">
<source>The certificate for the above configured Base DN. As a fallback, the provider uses a self-signed certificate.</source>
</trans-unit>
<trans-unit id="scd247ffad6e04ac0">
<source>TLS Server name</source>
</trans-unit>
<trans-unit id="s2acef4f6ba39bf11">
<source>DNS name for which the above configured certificate should be used. The certificate cannot be detected based on the base DN, as the SSL/TLS negotiation happens before such data is exchanged.</source>
</trans-unit>
<trans-unit id="s000ee3e634868b3c">
<source>TLS Client authentication certificate</source>
</trans-unit>
</body> </body>
</file> </file>
</xliff> </xliff>

View file

@ -733,13 +733,6 @@
<source>Certificate</source> <source>Certificate</source>
<target>Certificado</target> <target>Certificado</target>
</trans-unit> </trans-unit>
<trans-unit id="s4eb524a2bb358f8b">
<source>Due to protocol limitations, this certificate is only used when the outpost has a single provider, or all providers use the same certificate.</source>
</trans-unit>
<trans-unit id="s73e9d580d6d96b02">
<source>If multiple providers share an outpost, a self-signed certificate is used.</source>
<target>Si varios proveedores comparten un puesto avanzado, se utiliza un certificado autofirmado.</target>
</trans-unit>
<trans-unit id="sac43cb9690260b86"> <trans-unit id="sac43cb9690260b86">
<source>UID start number</source> <source>UID start number</source>
<target>Número inicial de UID</target> <target>Número inicial de UID</target>
@ -5630,6 +5623,27 @@ Bindings to groups/users are checked against the user of the event.</source>
<source>Activate</source> <source>Activate</source>
<target>Activar</target> <target>Activar</target>
</trans-unit> </trans-unit>
<trans-unit id="s1024166475850a65">
<source>Use Server URI for SNI verification</source>
</trans-unit>
<trans-unit id="se65beb94fffc3c4b">
<source>Required for servers using TLS 1.3+</source>
</trans-unit>
<trans-unit id="s5506b35a1bceb141">
<source>Client certificate keypair to authenticate against the LDAP Server's Certificate.</source>
</trans-unit>
<trans-unit id="s4647b2c92638d6fd">
<source>The certificate for the above configured Base DN. As a fallback, the provider uses a self-signed certificate.</source>
</trans-unit>
<trans-unit id="scd247ffad6e04ac0">
<source>TLS Server name</source>
</trans-unit>
<trans-unit id="s2acef4f6ba39bf11">
<source>DNS name for which the above configured certificate should be used. The certificate cannot be detected based on the base DN, as the SSL/TLS negotiation happens before such data is exchanged.</source>
</trans-unit>
<trans-unit id="s000ee3e634868b3c">
<source>TLS Client authentication certificate</source>
</trans-unit>
</body> </body>
</file> </file>
</xliff> </xliff>

View file

@ -749,13 +749,6 @@
<source>Certificate</source> <source>Certificate</source>
<target>Certificat</target> <target>Certificat</target>
</trans-unit> </trans-unit>
<trans-unit id="s4eb524a2bb358f8b">
<source>Due to protocol limitations, this certificate is only used when the outpost has a single provider, or all providers use the same certificate.</source>
</trans-unit>
<trans-unit id="s73e9d580d6d96b02">
<source>If multiple providers share an outpost, a self-signed certificate is used.</source>
<target>Si plusieurs fournisseurs partagent un avant-poste, un certificat auto-signé est utilisé.</target>
</trans-unit>
<trans-unit id="sac43cb9690260b86"> <trans-unit id="sac43cb9690260b86">
<source>UID start number</source> <source>UID start number</source>
<target>Numéro de départ d'UID</target> <target>Numéro de départ d'UID</target>
@ -5737,6 +5730,27 @@ Bindings to groups/users are checked against the user of the event.</source>
<source>Activate</source> <source>Activate</source>
<target>Activer</target> <target>Activer</target>
</trans-unit> </trans-unit>
<trans-unit id="s1024166475850a65">
<source>Use Server URI for SNI verification</source>
</trans-unit>
<trans-unit id="se65beb94fffc3c4b">
<source>Required for servers using TLS 1.3+</source>
</trans-unit>
<trans-unit id="s5506b35a1bceb141">
<source>Client certificate keypair to authenticate against the LDAP Server's Certificate.</source>
</trans-unit>
<trans-unit id="s4647b2c92638d6fd">
<source>The certificate for the above configured Base DN. As a fallback, the provider uses a self-signed certificate.</source>
</trans-unit>
<trans-unit id="scd247ffad6e04ac0">
<source>TLS Server name</source>
</trans-unit>
<trans-unit id="s2acef4f6ba39bf11">
<source>DNS name for which the above configured certificate should be used. The certificate cannot be detected based on the base DN, as the SSL/TLS negotiation happens before such data is exchanged.</source>
</trans-unit>
<trans-unit id="s000ee3e634868b3c">
<source>TLS Client authentication certificate</source>
</trans-unit>
</body> </body>
</file> </file>
</xliff> </xliff>

View file

@ -752,13 +752,6 @@
<source>Certificate</source> <source>Certificate</source>
<target>Certyfikat</target> <target>Certyfikat</target>
</trans-unit> </trans-unit>
<trans-unit id="s4eb524a2bb358f8b">
<source>Due to protocol limitations, this certificate is only used when the outpost has a single provider, or all providers use the same certificate.</source>
</trans-unit>
<trans-unit id="s73e9d580d6d96b02">
<source>If multiple providers share an outpost, a self-signed certificate is used.</source>
<target>Jeśli wielu dostawców współdzieli placówkę, używany jest certyfikat z podpisem własnym.</target>
</trans-unit>
<trans-unit id="sac43cb9690260b86"> <trans-unit id="sac43cb9690260b86">
<source>UID start number</source> <source>UID start number</source>
<target>Numer początkowy UID</target> <target>Numer początkowy UID</target>
@ -5869,6 +5862,27 @@ Bindings to groups/users are checked against the user of the event.</source>
<source>Activate</source> <source>Activate</source>
<target>Aktywuj</target> <target>Aktywuj</target>
</trans-unit> </trans-unit>
<trans-unit id="s1024166475850a65">
<source>Use Server URI for SNI verification</source>
</trans-unit>
<trans-unit id="se65beb94fffc3c4b">
<source>Required for servers using TLS 1.3+</source>
</trans-unit>
<trans-unit id="s5506b35a1bceb141">
<source>Client certificate keypair to authenticate against the LDAP Server's Certificate.</source>
</trans-unit>
<trans-unit id="s4647b2c92638d6fd">
<source>The certificate for the above configured Base DN. As a fallback, the provider uses a self-signed certificate.</source>
</trans-unit>
<trans-unit id="scd247ffad6e04ac0">
<source>TLS Server name</source>
</trans-unit>
<trans-unit id="s2acef4f6ba39bf11">
<source>DNS name for which the above configured certificate should be used. The certificate cannot be detected based on the base DN, as the SSL/TLS negotiation happens before such data is exchanged.</source>
</trans-unit>
<trans-unit id="s000ee3e634868b3c">
<source>TLS Client authentication certificate</source>
</trans-unit>
</body> </body>
</file> </file>
</xliff> </xliff>

View file

@ -761,14 +761,6 @@
<trans-unit id="sb157267c85fdff30"> <trans-unit id="sb157267c85fdff30">
<source>Certificate</source> <source>Certificate</source>
</trans-unit>
<trans-unit id="s4eb524a2bb358f8b">
<source>Due to protocol limitations, this certificate is only used when the outpost has a single provider, or all providers use the same certificate.</source>
</trans-unit>
<trans-unit id="s73e9d580d6d96b02">
<source>If multiple providers share an outpost, a self-signed certificate is used.</source>
</trans-unit> </trans-unit>
<trans-unit id="sac43cb9690260b86"> <trans-unit id="sac43cb9690260b86">
<source>UID start number</source> <source>UID start number</source>
@ -5973,6 +5965,27 @@ Bindings to groups/users are checked against the user of the event.</source>
</trans-unit> </trans-unit>
<trans-unit id="s27976e94b05c6970"> <trans-unit id="s27976e94b05c6970">
<source>Activate</source> <source>Activate</source>
</trans-unit>
<trans-unit id="s1024166475850a65">
<source>Use Server URI for SNI verification</source>
</trans-unit>
<trans-unit id="se65beb94fffc3c4b">
<source>Required for servers using TLS 1.3+</source>
</trans-unit>
<trans-unit id="s5506b35a1bceb141">
<source>Client certificate keypair to authenticate against the LDAP Server's Certificate.</source>
</trans-unit>
<trans-unit id="s4647b2c92638d6fd">
<source>The certificate for the above configured Base DN. As a fallback, the provider uses a self-signed certificate.</source>
</trans-unit>
<trans-unit id="scd247ffad6e04ac0">
<source>TLS Server name</source>
</trans-unit>
<trans-unit id="s2acef4f6ba39bf11">
<source>DNS name for which the above configured certificate should be used. The certificate cannot be detected based on the base DN, as the SSL/TLS negotiation happens before such data is exchanged.</source>
</trans-unit>
<trans-unit id="s000ee3e634868b3c">
<source>TLS Client authentication certificate</source>
</trans-unit> </trans-unit>
</body> </body>
</file> </file>

View file

@ -733,13 +733,6 @@
<source>Certificate</source> <source>Certificate</source>
<target>Sertifika</target> <target>Sertifika</target>
</trans-unit> </trans-unit>
<trans-unit id="s4eb524a2bb358f8b">
<source>Due to protocol limitations, this certificate is only used when the outpost has a single provider, or all providers use the same certificate.</source>
</trans-unit>
<trans-unit id="s73e9d580d6d96b02">
<source>If multiple providers share an outpost, a self-signed certificate is used.</source>
<target>Birden çok sağlayıcı bir üssü paylaşıyorsa, otomatik olarak imzalanan bir sertifika kullanılır.</target>
</trans-unit>
<trans-unit id="sac43cb9690260b86"> <trans-unit id="sac43cb9690260b86">
<source>UID start number</source> <source>UID start number</source>
<target>UID başlangıç numarası</target> <target>UID başlangıç numarası</target>
@ -5620,6 +5613,27 @@ Bindings to groups/users are checked against the user of the event.</source>
<source>Activate</source> <source>Activate</source>
<target>Etkinleştir</target> <target>Etkinleştir</target>
</trans-unit> </trans-unit>
<trans-unit id="s1024166475850a65">
<source>Use Server URI for SNI verification</source>
</trans-unit>
<trans-unit id="se65beb94fffc3c4b">
<source>Required for servers using TLS 1.3+</source>
</trans-unit>
<trans-unit id="s5506b35a1bceb141">
<source>Client certificate keypair to authenticate against the LDAP Server's Certificate.</source>
</trans-unit>
<trans-unit id="s4647b2c92638d6fd">
<source>The certificate for the above configured Base DN. As a fallback, the provider uses a self-signed certificate.</source>
</trans-unit>
<trans-unit id="scd247ffad6e04ac0">
<source>TLS Server name</source>
</trans-unit>
<trans-unit id="s2acef4f6ba39bf11">
<source>DNS name for which the above configured certificate should be used. The certificate cannot be detected based on the base DN, as the SSL/TLS negotiation happens before such data is exchanged.</source>
</trans-unit>
<trans-unit id="s000ee3e634868b3c">
<source>TLS Client authentication certificate</source>
</trans-unit>
</body> </body>
</file> </file>
</xliff> </xliff>

View file

@ -965,16 +965,6 @@
<source>Certificate</source> <source>Certificate</source>
<target>证书</target> <target>证书</target>
</trans-unit>
<trans-unit id="s4eb524a2bb358f8b">
<source>Due to protocol limitations, this certificate is only used when the outpost has a single provider, or all providers use the same certificate.</source>
<target>由于协议限制,只在前哨有单个提供程序,或所有提供程序都使用相同证书时才使用此证书。</target>
</trans-unit>
<trans-unit id="s73e9d580d6d96b02">
<source>If multiple providers share an outpost, a self-signed certificate is used.</source>
<target>如果多个提供程序共享同一个前哨,则使用自签名证书。</target>
</trans-unit> </trans-unit>
<trans-unit id="sac43cb9690260b86"> <trans-unit id="sac43cb9690260b86">
<source>UID start number</source> <source>UID start number</source>
@ -7547,6 +7537,27 @@ Bindings to groups/users are checked against the user of the event.</source>
<target>激活</target> <target>激活</target>
</trans-unit> </trans-unit>
<trans-unit id="s1024166475850a65">
<source>Use Server URI for SNI verification</source>
</trans-unit>
<trans-unit id="se65beb94fffc3c4b">
<source>Required for servers using TLS 1.3+</source>
</trans-unit>
<trans-unit id="s5506b35a1bceb141">
<source>Client certificate keypair to authenticate against the LDAP Server's Certificate.</source>
</trans-unit>
<trans-unit id="s4647b2c92638d6fd">
<source>The certificate for the above configured Base DN. As a fallback, the provider uses a self-signed certificate.</source>
</trans-unit>
<trans-unit id="scd247ffad6e04ac0">
<source>TLS Server name</source>
</trans-unit>
<trans-unit id="s2acef4f6ba39bf11">
<source>DNS name for which the above configured certificate should be used. The certificate cannot be detected based on the base DN, as the SSL/TLS negotiation happens before such data is exchanged.</source>
</trans-unit>
<trans-unit id="s000ee3e634868b3c">
<source>TLS Client authentication certificate</source>
</trans-unit>
</body> </body>
</file> </file>
</xliff> </xliff>

View file

@ -740,13 +740,6 @@
<source>Certificate</source> <source>Certificate</source>
<target>证书</target> <target>证书</target>
</trans-unit> </trans-unit>
<trans-unit id="s4eb524a2bb358f8b">
<source>Due to protocol limitations, this certificate is only used when the outpost has a single provider, or all providers use the same certificate.</source>
</trans-unit>
<trans-unit id="s73e9d580d6d96b02">
<source>If multiple providers share an outpost, a self-signed certificate is used.</source>
<target>如果多个提供商共享一个 Outpost则使用自签名证书。</target>
</trans-unit>
<trans-unit id="sac43cb9690260b86"> <trans-unit id="sac43cb9690260b86">
<source>UID start number</source> <source>UID start number</source>
<target>UID 起始编号</target> <target>UID 起始编号</target>
@ -5675,6 +5668,27 @@ Bindings to groups/users are checked against the user of the event.</source>
<source>Activate</source> <source>Activate</source>
<target>启用</target> <target>启用</target>
</trans-unit> </trans-unit>
<trans-unit id="s1024166475850a65">
<source>Use Server URI for SNI verification</source>
</trans-unit>
<trans-unit id="se65beb94fffc3c4b">
<source>Required for servers using TLS 1.3+</source>
</trans-unit>
<trans-unit id="s5506b35a1bceb141">
<source>Client certificate keypair to authenticate against the LDAP Server's Certificate.</source>
</trans-unit>
<trans-unit id="s4647b2c92638d6fd">
<source>The certificate for the above configured Base DN. As a fallback, the provider uses a self-signed certificate.</source>
</trans-unit>
<trans-unit id="scd247ffad6e04ac0">
<source>TLS Server name</source>
</trans-unit>
<trans-unit id="s2acef4f6ba39bf11">
<source>DNS name for which the above configured certificate should be used. The certificate cannot be detected based on the base DN, as the SSL/TLS negotiation happens before such data is exchanged.</source>
</trans-unit>
<trans-unit id="s000ee3e634868b3c">
<source>TLS Client authentication certificate</source>
</trans-unit>
</body> </body>
</file> </file>
</xliff> </xliff>

View file

@ -740,13 +740,6 @@
<source>Certificate</source> <source>Certificate</source>
<target>证书</target> <target>证书</target>
</trans-unit> </trans-unit>
<trans-unit id="s4eb524a2bb358f8b">
<source>Due to protocol limitations, this certificate is only used when the outpost has a single provider, or all providers use the same certificate.</source>
</trans-unit>
<trans-unit id="s73e9d580d6d96b02">
<source>If multiple providers share an outpost, a self-signed certificate is used.</source>
<target>如果多个提供商共享一个 Outpost则使用自签名证书。</target>
</trans-unit>
<trans-unit id="sac43cb9690260b86"> <trans-unit id="sac43cb9690260b86">
<source>UID start number</source> <source>UID start number</source>
<target>UID 起始编号</target> <target>UID 起始编号</target>
@ -5674,6 +5667,27 @@ Bindings to groups/users are checked against the user of the event.</source>
<source>Activate</source> <source>Activate</source>
<target>启用</target> <target>启用</target>
</trans-unit> </trans-unit>
<trans-unit id="s1024166475850a65">
<source>Use Server URI for SNI verification</source>
</trans-unit>
<trans-unit id="se65beb94fffc3c4b">
<source>Required for servers using TLS 1.3+</source>
</trans-unit>
<trans-unit id="s5506b35a1bceb141">
<source>Client certificate keypair to authenticate against the LDAP Server's Certificate.</source>
</trans-unit>
<trans-unit id="s4647b2c92638d6fd">
<source>The certificate for the above configured Base DN. As a fallback, the provider uses a self-signed certificate.</source>
</trans-unit>
<trans-unit id="scd247ffad6e04ac0">
<source>TLS Server name</source>
</trans-unit>
<trans-unit id="s2acef4f6ba39bf11">
<source>DNS name for which the above configured certificate should be used. The certificate cannot be detected based on the base DN, as the SSL/TLS negotiation happens before such data is exchanged.</source>
</trans-unit>
<trans-unit id="s000ee3e634868b3c">
<source>TLS Client authentication certificate</source>
</trans-unit>
</body> </body>
</file> </file>
</xliff> </xliff>

View file

@ -4,7 +4,7 @@ title: DokuWiki
<span class="badge badge--secondary">Support level: Community</span> <span class="badge badge--secondary">Support level: Community</span>
## What is Service Name ## What is DokuWiki
From https://en.wikipedia.org/wiki/DokuWiki From https://en.wikipedia.org/wiki/DokuWiki

View file

@ -65,12 +65,12 @@ Review each setting and choose the ones that you require for your installation.
### Step 3 - authentik ### Step 3 - authentik
In authentik, create an application which uses this provider. Optionally apply access restrictions to the application using policy bindings. In authentik, create an application which uses this provider and directly launches Wordpress' backend login-screen. Optionally apply access restrictions to the application using policy bindings.
- Name: Wordpress - Name: Wordpress
- Slug: wordpress - Slug: wordpress
- Provider: wordpress - Provider: wordpress
- Launch URL: https://wp.company - Launch URL: https://wp.company/wp-login.php
## Notes ## Notes