Merge branch 'main' into 5165-password-strength-indicator

* main: (23 commits)
  web: bump API Client version (#5935)
  sources/ldap: add support for cert based auth (#5850)
  ci: replace status with state for auto-deployment
  ci: don't write CI status to file
  ci: add workflow to automatically update next branch (#5921)
  providers/ldap: fix Outpost provider listing excluding backchannel providers (#5933)
  root: revert to use secret_key for JWT signing (#5934)
  sources/ldap: fix duplicate bind when authenticating user directly to… (#5927)
  web: bump core-js from 3.30.2 to 3.31.0 in /web (#5928)
  core: bump pytest from 7.3.1 to 7.3.2 (#5929)
  web: bump @rollup/plugin-commonjs from 25.0.0 to 25.0.1 in /web (#5931)
  web: bump @formatjs/intl-listformat from 7.3.0 to 7.4.0 in /web (#5932)
  core: bump github.com/go-ldap/ldap/v3 from 3.4.4 to 3.4.5 (#5930)
  website/integrations: Fix header in dokuwiki instructions (#5926)
  providers/oauth2: launch url: if URL parsing fails, return no launch URL (#5918)
  web: bump @babel/core from 7.22.1 to 7.22.5 in /web (#5909)
  web: bump @babel/plugin-proposal-decorators from 7.22.3 to 7.22.5 in /web (#5910)
  web: bump @babel/preset-typescript from 7.21.5 to 7.22.5 in /web (#5912)
  web: bump @babel/preset-env from 7.22.4 to 7.22.5 in /web (#5915)
  core: bump requests-mock from 1.10.0 to 1.11.0 (#5911)
  ...

.github/workflows/release-next-branch.yml

@@ -0,0 +1,25 @@
+name: authentik-on-release-next-branch
+
+on:
+  schedule:
+    - cron: "0 12 * * *" # every day at noon
+  workflow_dispatch:
+
+permissions:
+  contents: write
+
+jobs:
+  update-next:
+    runs-on: ubuntu-latest
+    environment: internal-production
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          ref: main
+      - id: main-state
+        run: |
+          state=$(curl -fsSL -H "Accept: application/vnd.github+json" -H "Authorization: Bearer ${{ github.token }}" "https://api.github.com/repos/${{ github.repository }}/commits/HEAD/state" | jq -r '.state')
+          echo "state=${state}" >> $GITHUB_OUTPUT
+      - if: ${{ steps.main-state.outputs.state == 'success' }}
+        run: |
+          git push origin next --force

Makefile

@@ -151,7 +151,7 @@ web-check-compile:
 	cd web && npm run tsc
 
 web-i18n-extract:
-	cd web && npm run extract
+	cd web && npm run extract-locales
 
 #########################
 ## Website

authentik/core/models.py

@@ -376,10 +376,10 @@ class Application(SerializerModel, PolicyBindingModel):
     def get_launch_url(self, user: Optional["User"] = None) -> Optional[str]:
         """Get launch URL if set, otherwise attempt to get launch URL based on provider."""
         url = None
-        if provider := self.get_provider():
-            url = provider.launch_url
         if self.meta_launch_url:
             url = self.meta_launch_url
+        elif provider := self.get_provider():
+            url = provider.launch_url
         if user and url:
             if isinstance(user, SimpleLazyObject):
                 user._setup()

authentik/providers/ldap/api.py

@@ -105,7 +105,9 @@ class LDAPOutpostConfigSerializer(ModelSerializer):
 class LDAPOutpostConfigViewSet(ReadOnlyModelViewSet):
     """LDAPProvider Viewset"""
 
-    queryset = LDAPProvider.objects.filter(application__isnull=False)
+    queryset = LDAPProvider.objects.filter(
+        Q(application__isnull=False) | Q(backchannel_application__isnull=False)
+    )
     serializer_class = LDAPOutpostConfigSerializer
     ordering = ["name"]
     search_fields = ["name"]

authentik/providers/ldap/tests/test_api.py

@@ -0,0 +1,52 @@
+"""LDAP Provider API tests"""
+from json import loads
+
+from django.urls import reverse
+from rest_framework.test import APITestCase
+
+from authentik.core.models import Application
+from authentik.core.tests.utils import create_test_admin_user, create_test_flow
+from authentik.lib.generators import generate_id
+from authentik.providers.ldap.models import LDAPProvider
+
+
+class TestLDAPProviderAPI(APITestCase):
+    """LDAP Provider API tests"""
+
+    def test_outpost_application(self):
+        """Test outpost-like provider retrieval (direct connection)"""
+        provider = LDAPProvider.objects.create(
+            name=generate_id(),
+            authorization_flow=create_test_flow(),
+        )
+        Application.objects.create(
+            name=generate_id(),
+            slug=generate_id(),
+            provider=provider,
+        )
+        user = create_test_admin_user()
+        self.client.force_login(user)
+        res = self.client.get(reverse("authentik_api:ldapprovideroutpost-list"))
+        self.assertEqual(res.status_code, 200)
+        data = loads(res.content.decode())
+        self.assertEqual(data["pagination"]["count"], 1)
+        self.assertEqual(len(data["results"]), 1)
+
+    def test_outpost_application_backchannel(self):
+        """Test outpost-like provider retrieval (backchannel connection)"""
+        provider = LDAPProvider.objects.create(
+            name=generate_id(),
+            authorization_flow=create_test_flow(),
+        )
+        app: Application = Application.objects.create(
+            name=generate_id(),
+            slug=generate_id(),
+        )
+        app.backchannel_providers.add(provider)
+        user = create_test_admin_user()
+        self.client.force_login(user)
+        res = self.client.get(reverse("authentik_api:ldapprovideroutpost-list"))
+        self.assertEqual(res.status_code, 200)
+        data = loads(res.content.decode())
+        self.assertEqual(data["pagination"]["count"], 1)
+        self.assertEqual(len(data["results"]), 1)

authentik/providers/ldap/urls.py

@@ -2,6 +2,6 @@
 from authentik.providers.ldap.api import LDAPOutpostConfigViewSet, LDAPProviderViewSet
 
 api_urlpatterns = [
-    ("outposts/ldap", LDAPOutpostConfigViewSet),
+    ("outposts/ldap", LDAPOutpostConfigViewSet, "ldapprovideroutpost"),
     ("providers/ldap", LDAPProviderViewSet),
 ]

authentik/providers/oauth2/models.py

@@ -17,6 +17,7 @@ from django.urls import reverse
 from django.utils.translation import gettext_lazy as _
 from jwt import encode
 from rest_framework.serializers import Serializer
+from structlog.stdlib import get_logger
 
 from authentik.core.models import ExpiringModel, PropertyMapping, Provider, User
 from authentik.crypto.models import CertificateKeyPair
@@ -26,6 +27,8 @@ from authentik.lib.utils.time import timedelta_string_validator
 from authentik.providers.oauth2.id_token import IDToken, SubModes
 from authentik.sources.oauth.models import OAuthSource
 
+LOGGER = get_logger()
+
 
 def generate_client_secret() -> str:
     """Generate client secret with adequate length"""
@@ -251,8 +254,12 @@ class OAuth2Provider(Provider):
         if self.redirect_uris == "":
             return None
         main_url = self.redirect_uris.split("\n", maxsplit=1)[0]
-        launch_url = urlparse(main_url)._replace(path="")
+        try:
-        return urlunparse(launch_url)
+            launch_url = urlparse(main_url)._replace(path="")
+            return urlunparse(launch_url)
+        except ValueError as exc:
+            LOGGER.warning("Failed to format launch url", exc=exc)
+            return None
 
     @property
     def component(self) -> str:

authentik/providers/oauth2/tests/test_api.py

@@ -1,5 +1,7 @@
 """Test OAuth2 API"""
 from json import loads
+from sys import version_info
+from unittest import skipUnless
 
 from django.urls import reverse
 from rest_framework.test import APITestCase
@@ -42,3 +44,14 @@ class TestAPI(APITestCase):
         self.assertEqual(response.status_code, 200)
         body = loads(response.content.decode())
         self.assertEqual(body["issuer"], "http://testserver/application/o/test/")
+
+    # https://github.com/goauthentik/authentik/pull/5918
+    @skipUnless(version_info >= (3, 11, 4), "This behaviour is only Python 3.11.4 and up")
+    def test_launch_url(self):
+        """Test launch_url"""
+        self.provider.redirect_uris = (
+            "https://[\\d\\w]+.pr.test.goauthentik.io/source/oauth/callback/authentik/\n"
+        )
+        self.provider.save()
+        self.provider.refresh_from_db()
+        self.assertIsNone(self.provider.launch_url)

authentik/providers/proxy/urls.py

@@ -2,6 +2,6 @@
 from authentik.providers.proxy.api import ProxyOutpostConfigViewSet, ProxyProviderViewSet
 
 api_urlpatterns = [
-    ("outposts/proxy", ProxyOutpostConfigViewSet),
+    ("outposts/proxy", ProxyOutpostConfigViewSet, "proxyprovideroutpost"),
     ("providers/proxy", ProxyProviderViewSet),
 ]

authentik/providers/radius/urls.py

@@ -2,6 +2,6 @@
 from authentik.providers.radius.api import RadiusOutpostConfigViewSet, RadiusProviderViewSet
 
 api_urlpatterns = [
-    ("outposts/radius", RadiusOutpostConfigViewSet),
+    ("outposts/radius", RadiusOutpostConfigViewSet, "radiusprovideroutpost"),
     ("providers/radius", RadiusProviderViewSet),
 ]

authentik/root/middleware.py

@@ -1,5 +1,4 @@
 """Dynamically set SameSite depending if the upstream connection is TLS or not"""
-from functools import lru_cache
 from hashlib import sha512
 from time import time
 from timeit import default_timer
@@ -17,16 +16,10 @@ from jwt import PyJWTError, decode, encode
 from structlog.stdlib import get_logger
 
 from authentik.lib.utils.http import get_client_ip
-from authentik.root.install_id import get_install_id
 
 LOGGER = get_logger("authentik.asgi")
 ACR_AUTHENTIK_SESSION = "goauthentik.io/core/default"
-
+SIGNING_HASH = sha512(settings.SECRET_KEY.encode()).hexdigest()
-
-@lru_cache
-def get_signing_hash():
-    """Get cookie JWT signing hash"""
-    return sha512(get_install_id().encode()).hexdigest()
 
 
 class SessionMiddleware(UpstreamSessionMiddleware):
@@ -54,7 +47,7 @@ class SessionMiddleware(UpstreamSessionMiddleware):
         # for testing setups, where the session is directly set
         session_key = key if settings.TEST else None
         try:
-            session_payload = decode(key, get_signing_hash(), algorithms=["HS256"])
+            session_payload = decode(key, SIGNING_HASH, algorithms=["HS256"])
             session_key = session_payload["sid"]
         except (KeyError, PyJWTError):
             pass
@@ -121,7 +114,7 @@ class SessionMiddleware(UpstreamSessionMiddleware):
                     }
                     if request.user.is_authenticated:
                         payload["sub"] = request.user.uid
-                    value = encode(payload=payload, key=get_signing_hash())
+                    value = encode(payload=payload, key=SIGNING_HASH)
                     if settings.TEST:
                         value = request.session.session_key
                     response.set_cookie(

authentik/sources/ldap/api.py

@@ -8,6 +8,7 @@ from drf_spectacular.utils import extend_schema, extend_schema_field, inline_ser
 from rest_framework.decorators import action
 from rest_framework.exceptions import ValidationError
 from rest_framework.fields import DictField, ListField
+from rest_framework.relations import PrimaryKeyRelatedField
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.viewsets import ModelViewSet
@@ -16,6 +17,7 @@ from authentik.admin.api.tasks import TaskSerializer
 from authentik.core.api.propertymappings import PropertyMappingSerializer
 from authentik.core.api.sources import SourceSerializer
 from authentik.core.api.used_by import UsedByMixin
+from authentik.crypto.models import CertificateKeyPair
 from authentik.events.monitored_tasks import TaskInfo
 from authentik.sources.ldap.models import LDAPPropertyMapping, LDAPSource
 from authentik.sources.ldap.tasks import SYNC_CLASSES
@@ -24,6 +26,15 @@ from authentik.sources.ldap.tasks import SYNC_CLASSES
 class LDAPSourceSerializer(SourceSerializer):
     """LDAP Source Serializer"""
 
+    client_certificate = PrimaryKeyRelatedField(
+        allow_null=True,
+        help_text="Client certificate to authenticate against the LDAP Server's Certificate.",
+        queryset=CertificateKeyPair.objects.exclude(
+            key_data__exact="",
+        ),
+        required=False,
+    )
+
     def validate(self, attrs: dict[str, Any]) -> dict[str, Any]:
         """Check that only a single source has password_sync on"""
         sync_users_password = attrs.get("sync_users_password", True)
@@ -42,9 +53,11 @@ class LDAPSourceSerializer(SourceSerializer):
         fields = SourceSerializer.Meta.fields + [
             "server_uri",
             "peer_certificate",
+            "client_certificate",
             "bind_cn",
             "bind_password",
             "start_tls",
+            "sni",
             "base_dn",
             "additional_user_dn",
             "additional_group_dn",
@@ -75,7 +88,9 @@ class LDAPSourceViewSet(UsedByMixin, ModelViewSet):
         "server_uri",
         "bind_cn",
         "peer_certificate",
+        "client_certificate",
         "start_tls",
+        "sni",
         "base_dn",
         "additional_user_dn",
         "additional_group_dn",

authentik/sources/ldap/auth.py

@@ -57,13 +57,13 @@ class LDAPBackend(InbuiltBackend):
         # Try to bind as new user
         LOGGER.debug("Attempting to bind as user", user=user)
         try:
-            temp_connection = source.connection(
+            # source.connection also attempts to bind
+            source.connection(
                 connection_kwargs={
                     "user": user.attributes.get(LDAP_DISTINGUISHED_NAME),
                     "password": password,
                 }
             )
-            temp_connection.bind()
             return user
         except LDAPInvalidCredentialsResult as exc:
             LOGGER.debug("invalid LDAP credentials", user=user, exc=exc)

authentik/sources/ldap/migrations/0003_ldapsource_client_certificate_ldapsource_sni_and_more.py

@@ -0,0 +1,45 @@
+# Generated by Django 4.1.7 on 2023-06-06 18:33
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("authentik_crypto", "0004_alter_certificatekeypair_name"),
+        ("authentik_sources_ldap", "0002_auto_20211203_0900"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="ldapsource",
+            name="client_certificate",
+            field=models.ForeignKey(
+                default=None,
+                help_text="Client certificate to authenticate against the LDAP Server's Certificate.",
+                null=True,
+                on_delete=django.db.models.deletion.SET_DEFAULT,
+                related_name="ldap_client_certificates",
+                to="authentik_crypto.certificatekeypair",
+            ),
+        ),
+        migrations.AddField(
+            model_name="ldapsource",
+            name="sni",
+            field=models.BooleanField(
+                default=False, verbose_name="Use Server URI for SNI verification"
+            ),
+        ),
+        migrations.AlterField(
+            model_name="ldapsource",
+            name="peer_certificate",
+            field=models.ForeignKey(
+                default=None,
+                help_text="Optionally verify the LDAP Server's Certificate against the CA Chain in this keypair.",
+                null=True,
+                on_delete=django.db.models.deletion.SET_DEFAULT,
+                related_name="ldap_peer_certificates",
+                to="authentik_crypto.certificatekeypair",
+            ),
+        ),
+    ]

authentik/sources/ldap/models.py

@@ -1,11 +1,13 @@
 """authentik LDAP Models"""
+from os import chmod
 from ssl import CERT_REQUIRED
+from tempfile import NamedTemporaryFile, mkdtemp
 from typing import Optional
 
 from django.db import models
 from django.utils.translation import gettext_lazy as _
 from ldap3 import ALL, NONE, RANDOM, Connection, Server, ServerPool, Tls
-from ldap3.core.exceptions import LDAPSchemaError
+from ldap3.core.exceptions import LDAPInsufficientAccessRightsResult, LDAPSchemaError
 from rest_framework.serializers import Serializer
 
 from authentik.core.models import Group, PropertyMapping, Source
@@ -39,14 +41,24 @@ class LDAPSource(Source):
         on_delete=models.SET_DEFAULT,
         default=None,
         null=True,
+        related_name="ldap_peer_certificates",
         help_text=_(
             "Optionally verify the LDAP Server's Certificate against the CA Chain in this keypair."
         ),
     )
+    client_certificate = models.ForeignKey(
+        CertificateKeyPair,
+        on_delete=models.SET_DEFAULT,
+        default=None,
+        null=True,
+        related_name="ldap_client_certificates",
+        help_text=_("Client certificate to authenticate against the LDAP Server's Certificate."),
+    )
 
     bind_cn = models.TextField(verbose_name=_("Bind CN"), blank=True)
     bind_password = models.TextField(blank=True)
     start_tls = models.BooleanField(default=False, verbose_name=_("Enable Start TLS"))
+    sni = models.BooleanField(default=False, verbose_name=_("Use Server URI for SNI verification"))
 
     base_dn = models.TextField(verbose_name=_("Base DN"))
     additional_user_dn = models.TextField(
@@ -112,8 +124,22 @@ class LDAPSource(Source):
         if self.peer_certificate:
             tls_kwargs["ca_certs_data"] = self.peer_certificate.certificate_data
             tls_kwargs["validate"] = CERT_REQUIRED
+        if self.client_certificate:
+            temp_dir = mkdtemp()
+            with NamedTemporaryFile(mode="w", delete=False, dir=temp_dir) as temp_cert:
+                temp_cert.write(self.client_certificate.certificate_data)
+                certificate_file = temp_cert.name
+                chmod(certificate_file, 0o600)
+            with NamedTemporaryFile(mode="w", delete=False, dir=temp_dir) as temp_key:
+                temp_key.write(self.client_certificate.key_data)
+                private_key_file = temp_key.name
+                chmod(private_key_file, 0o600)
+            tls_kwargs["local_private_key_file"] = private_key_file
+            tls_kwargs["local_certificate_file"] = certificate_file
         if ciphers := CONFIG.y("ldap.tls.ciphers", None):
             tls_kwargs["ciphers"] = ciphers.strip()
+        if self.sni:
+            tls_kwargs["sni"] = self.server_uri.split(",", maxsplit=1)[0].strip()
         server_kwargs = {
             "get_info": ALL,
             "connect_timeout": LDAP_TIMEOUT,
@@ -133,8 +159,10 @@ class LDAPSource(Source):
         """Get a fully connected and bound LDAP Connection"""
         server_kwargs = server_kwargs or {}
         connection_kwargs = connection_kwargs or {}
-        connection_kwargs.setdefault("user", self.bind_cn)
+        if self.bind_cn is not None:
-        connection_kwargs.setdefault("password", self.bind_password)
+            connection_kwargs.setdefault("user", self.bind_cn)
+        if self.bind_password is not None:
+            connection_kwargs.setdefault("password", self.bind_password)
         connection = Connection(
             self.server(**server_kwargs),
             raise_exceptions=True,
@@ -145,15 +173,18 @@ class LDAPSource(Source):
         if self.start_tls:
             connection.start_tls(read_server_info=False)
         try:
-            connection.bind()
+            successful = connection.bind()
-        except LDAPSchemaError as exc:
+            if successful:
+                return connection
+        except (LDAPSchemaError, LDAPInsufficientAccessRightsResult) as exc:
             # Schema error, so try connecting without schema info
             # See https://github.com/goauthentik/authentik/issues/4590
+            # See also https://github.com/goauthentik/authentik/issues/3399
             if server_kwargs.get("get_info", ALL) == NONE:
                 raise exc
             server_kwargs["get_info"] = NONE
             return self.connection(server_kwargs, connection_kwargs)
-        return connection
+        return RuntimeError("Failed to bind")
 
     class Meta:
         verbose_name = _("LDAP Source")

authentik/sources/ldap/tests/test_auth.py

@@ -29,6 +29,37 @@ class LDAPSyncTests(TestCase):
             additional_group_dn="ou=groups",
         )
 
+    def test_auth_direct_user_ad(self):
+        """Test direct auth"""
+        self.source.property_mappings.set(
+            LDAPPropertyMapping.objects.filter(
+                Q(managed__startswith="goauthentik.io/sources/ldap/default-")
+                | Q(managed__startswith="goauthentik.io/sources/ldap/ms-")
+            )
+        )
+        raw_conn = mock_ad_connection(LDAP_PASSWORD)
+        bind_mock = Mock(wraps=raw_conn.bind)
+        raw_conn.bind = bind_mock
+        connection = MagicMock(return_value=raw_conn)
+        with patch("authentik.sources.ldap.models.LDAPSource.connection", connection):
+            user_sync = UserLDAPSynchronizer(self.source)
+            user_sync.sync()
+
+            user = User.objects.get(username="user0_sn")
+            # auth_user_by_bind = Mock(return_value=user)
+            backend = LDAPBackend()
+            self.assertEqual(
+                backend.authenticate(None, username="user0_sn", password=LDAP_PASSWORD),
+                user,
+            )
+            connection.assert_called_with(
+                connection_kwargs={
+                    "user": "cn=user0,ou=users,dc=goauthentik,dc=io",
+                    "password": LDAP_PASSWORD,
+                }
+            )
+            bind_mock.assert_not_called()
+
     def test_auth_synced_user_ad(self):
         """Test Cached auth"""
         self.source.property_mappings.set(

blueprints/example/sources-google-ldap-mappings.yaml

@@ -0,0 +1,222 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "false"
+  name: Example - Google Secure LDAP mappings
+entries:
+  - identifiers:
+      managed: goauthentik.io/sources/ldap/google-uid
+    model: authentik_sources_ldap.ldappropertymapping
+    attrs:
+      name: "Google Secure LDAP Mapping: uid"
+      object_field: "username"
+      expression: |
+        return ldap.get('uid')
+  - identifiers:
+      managed: goauthentik.io/sources/ldap/google-googleuid
+    model: authentik_sources_ldap.ldappropertymapping
+    attrs:
+      name: "Google Secure LDAP Mapping: googleUid"
+      object_field: "attributes.googleUid"
+      expression: |
+        return ldap.get('googleUid')
+  - identifiers:
+      managed: goauthentik.io/sources/ldap/google-posixuid
+    model: authentik_sources_ldap.ldappropertymapping
+    attrs:
+      name: "Google Secure LDAP Mapping: posixUid"
+      object_field: "attributes.posixUid"
+      expression: |
+        return ldap.get('posixUid')
+  - identifiers:
+      managed: goauthentik.io/sources/ldap/google-cn
+    model: authentik_sources_ldap.ldappropertymapping
+    attrs:
+      name: "Google Secure LDAP Mapping: cn"
+      object_field: "name"
+      expression: |
+        return ldap.get('cn')
+  - identifiers:
+      managed: goauthentik.io/sources/ldap/google-sn
+    model: authentik_sources_ldap.ldappropertymapping
+    attrs:
+      name: "Google Secure LDAP Mapping: sn"
+      object_field: "attributes.sn"
+      expression: |
+        return list_flatten(ldap.get('sn'))
+  - identifiers:
+      managed: goauthentik.io/sources/ldap/google-givenname
+    model: authentik_sources_ldap.ldappropertymapping
+    attrs:
+      name: "Google Secure LDAP Mapping: givenName"
+      object_field: "attributes.givenName"
+      expression: |
+        return list_flatten(ldap.get('givenName'))
+  - identifiers:
+      managed: goauthentik.io/sources/ldap/google-displayname
+    model: authentik_sources_ldap.ldappropertymapping
+    attrs:
+      name: "Google Secure LDAP Mapping: displayName"
+      object_field: "attributes.displayName"
+      expression: |
+        return ldap.get('displayName')
+  - identifiers:
+      managed: goauthentik.io/sources/ldap/google-mail
+    model: authentik_sources_ldap.ldappropertymapping
+    attrs:
+      name: "Google Secure LDAP Mapping: mail"
+      object_field: "email"
+      expression: |
+        return ldap.get('mail')
+  - identifiers:
+      managed: goauthentik.io/sources/ldap/google-memberof
+    model: authentik_sources_ldap.ldappropertymapping
+    attrs:
+      name: "Google Secure LDAP Mapping: memberOf"
+      object_field: "attributes.memberOf"
+      expression: |
+        return ldap.get('memberOf')
+  - identifiers:
+      managed: goauthentik.io/sources/ldap/google-title
+    model: authentik_sources_ldap.ldappropertymapping
+    attrs:
+      name: "Google Secure LDAP Mapping: title"
+      object_field: "attributes.title"
+      expression: |
+        return ldap.get('title')
+  - identifiers:
+      managed: goauthentik.io/sources/ldap/google-employeenumber
+    model: authentik_sources_ldap.ldappropertymapping
+    attrs:
+      name: "Google Secure LDAP Mapping: employeeNumber"
+      object_field: "attributes.employeeNumber"
+      expression: |
+        return ldap.get('employeeNumber')
+  - identifiers:
+      managed: goauthentik.io/sources/ldap/google-employeetype
+    model: authentik_sources_ldap.ldappropertymapping
+    attrs:
+      name: "Google Secure LDAP Mapping: employeeType"
+      object_field: "attributes.employeeType"
+      expression: |
+        return ldap.get('employeeType')
+  - identifiers:
+      managed: goauthentik.io/sources/ldap/google-departmentnumber
+    model: authentik_sources_ldap.ldappropertymapping
+    attrs:
+      name: "Google Secure LDAP Mapping: departmentNumber"
+      object_field: "attributes.departmentNumber"
+      expression: |
+        return ldap.get('departmentNumber')
+  - identifiers:
+      managed: goauthentik.io/sources/ldap/google-physicaldeliveryofficename
+    model: authentik_sources_ldap.ldappropertymapping
+    attrs:
+      name: "Google Secure LDAP Mapping: physicalDeliveryOfficeName"
+      object_field: "attributes.physicalDeliveryOfficeName"
+      expression: |
+        return ldap.get('physicalDeliveryOfficeName')
+  - identifiers:
+      managed: goauthentik.io/sources/ldap/google-jpegphoto
+    model: authentik_sources_ldap.ldappropertymapping
+    attrs:
+      name: "Google Secure LDAP Mapping: jpegPhoto"
+      object_field: "attributes.jpegPhoto"
+      expression: |
+        return ldap.get('jpegPhoto')
+  - identifiers:
+      managed: goauthentik.io/sources/ldap/google-entryuuid
+    model: authentik_sources_ldap.ldappropertymapping
+    attrs:
+      name: "Google Secure LDAP Mapping: entryUuid"
+      object_field: "attributes.entryUuid"
+      expression: |
+        return ldap.get('entryUuid')
+  - identifiers:
+      managed: goauthentik.io/sources/ldap/google-objectsid
+    model: authentik_sources_ldap.ldappropertymapping
+    attrs:
+      name: "Google Secure LDAP Mapping: objectSid"
+      object_field: "attributes.objectSid"
+      expression: |
+        return ldap.get('objectSid')
+  - identifiers:
+      managed: goauthentik.io/sources/ldap/google-uidnumber
+    model: authentik_sources_ldap.ldappropertymapping
+    attrs:
+      name: "Google Secure LDAP Mapping: uidNumber"
+      object_field: "attributes.uidNumber"
+      expression: |
+        return ldap.get('uidNumber')
+  - identifiers:
+      managed: goauthentik.io/sources/ldap/google-gidnumber
+    model: authentik_sources_ldap.ldappropertymapping
+    attrs:
+      name: "Google Secure LDAP Mapping: gidNumber"
+      object_field: "attributes.gidNumber"
+      expression: |
+        return ldap.get('gidNumber')
+  - identifiers:
+      managed: goauthentik.io/sources/ldap/google-homedirectory
+    model: authentik_sources_ldap.ldappropertymapping
+    attrs:
+      name: "Google Secure LDAP Mapping: homeDirectory"
+      object_field: "attributes.homeDirectory"
+      expression: |
+        return ldap.get('homeDirectory')
+  - identifiers:
+      managed: goauthentik.io/sources/ldap/google-loginshell
+    model: authentik_sources_ldap.ldappropertymapping
+    attrs:
+      name: "Google Secure LDAP Mapping: loginShell"
+      object_field: "attributes.loginShell"
+      expression: |
+        return ldap.get('loginShell')
+  - identifiers:
+      managed: goauthentik.io/sources/ldap/google-gidnumber
+    model: authentik_sources_ldap.ldappropertymapping
+    attrs:
+      name: "Google Secure LDAP Mapping: gidNumber"
+      object_field: "attributes.gidNumber"
+      expression: |
+        return ldap.get('gidNumber')
+  - identifiers:
+      managed: goauthentik.io/sources/ldap/google-sshpublickey
+    model: authentik_sources_ldap.ldappropertymapping
+    attrs:
+      name: "Google Secure LDAP Mapping: sshPublicKey"
+      object_field: "attributes.sshPublicKey"
+      expression: |
+        return list_flatten(ldap.get('sshPublicKey'))
+  - identifiers:
+      managed: goauthentik.io/sources/ldap/google-description
+    model: authentik_sources_ldap.ldappropertymapping
+    attrs:
+      name: "Google Secure LDAP Mapping: description"
+      object_field: "attributes.description"
+      expression: |
+        return list_flatten(ldap.get('description'))
+  - identifiers:
+      managed: goauthentik.io/sources/ldap/google-member
+    model: authentik_sources_ldap.ldappropertymapping
+    attrs:
+      name: "Google Secure LDAP Mapping: member"
+      object_field: "attributes.member"
+      expression: |
+        return list_flatten(ldap.get('member'))
+  - identifiers:
+      managed: goauthentik.io/sources/ldap/google-memberuid
+    model: authentik_sources_ldap.ldappropertymapping
+    attrs:
+      name: "Google Secure LDAP Mapping: memberUid"
+      object_field: "attributes.memberUid"
+      expression: |
+        return list_flatten(ldap.get('memberUid'))
+  - identifiers:
+      managed: goauthentik.io/sources/ldap/google-googleadmincreated
+    model: authentik_sources_ldap.ldappropertymapping
+    attrs:
+      name: "Google Secure LDAP Mapping: googleAdminCreated"
+      object_field: "attributes.googleAdminCreated"
+      expression: |
+        return list_flatten(ldap.get('googleAdminCreated'))

blueprints/schema.json

@@ -4732,6 +4732,11 @@
                     "title": "Peer certificate",
                     "description": "Optionally verify the LDAP Server's Certificate against the CA Chain in this keypair."
                 },
+                "client_certificate": {
+                    "type": "integer",
+                    "title": "Client certificate",
+                    "description": "Client certificate to authenticate against the LDAP Server's Certificate."
+                },
                 "bind_cn": {
                     "type": "string",
                     "title": "Bind CN"
@@ -4744,6 +4749,10 @@
                     "type": "boolean",
                     "title": "Enable Start TLS"
                 },
+                "sni": {
+                    "type": "boolean",
+                    "title": "Use Server URI for SNI verification"
+                },
                 "base_dn": {
                     "type": "string",
                     "minLength": 1,

go.mod

@@ -9,7 +9,7 @@ require (
 	github.com/garyburd/redigo v1.6.4
 	github.com/getsentry/sentry-go v0.21.0
 	github.com/go-http-utils/etag v0.0.0-20161124023236-513ea8f21eb1
-	github.com/go-ldap/ldap/v3 v3.4.4
+	github.com/go-ldap/ldap/v3 v3.4.5
 	github.com/go-openapi/runtime v0.26.0
 	github.com/go-openapi/strfmt v0.21.7
 	github.com/golang-jwt/jwt v3.2.2+incompatible
@@ -36,7 +36,7 @@ require (
 )
 
 require (
-	github.com/Azure/go-ntlmssp v0.0.0-20220621081337-cb9428e4ac1e // indirect
+	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect

go.sum

@@ -1,13 +1,15 @@
 beryju.io/ldap v0.1.0 h1:rPjGE3qR1Klbvn9N+iECWdzt/tK87XHgz8W5wZJg9B8=
 beryju.io/ldap v0.1.0/go.mod h1:sOrYV+ZlDTDu/IvIiEiuAaXzjcpMBE+XXr4V+NJ0pWI=
 cloud.google.com/go/compute/metadata v0.2.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k=
-github.com/Azure/go-ntlmssp v0.0.0-20220621081337-cb9428e4ac1e h1:NeAW1fUYUEWhft7pkxDf6WoUvEZJ/uOKsvtpjLnn8MU=
+github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
-github.com/Azure/go-ntlmssp v0.0.0-20220621081337-cb9428e4ac1e/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
+github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/Netflix/go-env v0.0.0-20210215222557-e437a7e7f9fb h1:w9IDEB7P1VzNcBpOG7kMpFkZp2DkyJIUt0gDx5MBhRU=
 github.com/Netflix/go-env v0.0.0-20210215222557-e437a7e7f9fb/go.mod h1:9XMFaCeRyW7fC9XJOWQ+NdAv8VLG7ys7l3x4ozEGLUQ=
 github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
 github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
+github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74 h1:Kk6a4nehpJ3UuJRqlA3JxYxBZEqCeOmATOvrbT4p9RA=
+github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
 github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so=
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
@@ -37,8 +39,8 @@ github.com/go-http-utils/fresh v0.0.0-20161124030543-7231e26a4b27 h1:O6yi4xa9b2D
 github.com/go-http-utils/fresh v0.0.0-20161124030543-7231e26a4b27/go.mod h1:AYvN8omj7nKLmbcXS2dyABYU6JB1Lz1bHmkkq1kf4I4=
 github.com/go-http-utils/headers v0.0.0-20181008091004-fed159eddc2a h1:v6zMvHuY9yue4+QkG/HQ/W67wvtQmWJ4SDo9aK/GIno=
 github.com/go-http-utils/headers v0.0.0-20181008091004-fed159eddc2a/go.mod h1:I79BieaU4fxrw4LMXby6q5OS9XnoR9UIKLOzDFjUmuw=
-github.com/go-ldap/ldap/v3 v3.4.4 h1:qPjipEpt+qDa6SI/h1fzuGWoRUY+qqQ9sOZq67/PYUs=
+github.com/go-ldap/ldap/v3 v3.4.5 h1:ekEKmaDrpvR2yf5Nc/DClsGG9lAmdDixe44mLzlW5r8=
-github.com/go-ldap/ldap/v3 v3.4.4/go.mod h1:fe1MsuN5eJJ1FeLT/LEBVdWfNWKh459R7aXgXtJC+aI=
+github.com/go-ldap/ldap/v3 v3.4.5/go.mod h1:bMGIq3AGbytbaMwf8wdv5Phdxz0FWHTIYMSzyrYgnQs=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.2.3 h1:2DntVwHkVopvECVRSlL5PSo9eG+cAkDCuckLubN+rq0=
 github.com/go-logr/logr v1.2.3/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
@@ -216,7 +218,6 @@ github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UV
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
@@ -265,6 +266,7 @@ golang.org/x/net v0.0.0-20210421230115-4e50805a0758/go.mod h1:72T/g9IO56b78aLF+1
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
 golang.org/x/net v0.10.0 h1:X2//UzNDwYmtCLn7To6G58Wr6f5ahEAQgKNzv9Y951M=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/oauth2 v0.8.0 h1:6dkIjl3j3LtZ/O3sTgZTMsLKSftL/B8Zgq4huOIIUu8=
@@ -294,11 +296,13 @@ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0 h1:EBmGv8NaZBZTWvrbjNoL6HVt+IVy3QDQpJs7VRIw3tU=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
+golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
@@ -307,6 +311,7 @@ golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.9.0 h1:2sjJmO8cDvYveuX97RDLsxlyUxLl+GHoLxBiRdHllBE=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=

locale/en/LC_MESSAGES/django.po

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2023-05-21 21:59+0000\n"
+"POT-Creation-Date: 2023-06-12 12:11+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -31,16 +31,16 @@ msgstr ""
 msgid "Validation Error"
 msgstr ""
 
-#: authentik/blueprints/api.py:43
+#: authentik/blueprints/api.py:44
 msgid "Blueprint file does not exist"
 msgstr ""
 
-#: authentik/blueprints/api.py:54
+#: authentik/blueprints/api.py:55
 #, python-format
 msgid "Failed to validate blueprint: %(logs)s"
 msgstr ""
 
-#: authentik/blueprints/api.py:59
+#: authentik/blueprints/api.py:60
 msgid "Either path or content must be set."
 msgstr ""
 
@@ -69,24 +69,24 @@ msgstr ""
 msgid "authentik Export - %(date)s"
 msgstr ""
 
-#: authentik/blueprints/v1/tasks.py:149 authentik/crypto/tasks.py:93
+#: authentik/blueprints/v1/tasks.py:150 authentik/crypto/tasks.py:93
 #, python-format
 msgid "Successfully imported %(count)d files."
 msgstr ""
 
-#: authentik/core/api/providers.py:113
+#: authentik/core/api/providers.py:120
 msgid "SAML Provider from Metadata"
 msgstr ""
 
-#: authentik/core/api/providers.py:114
+#: authentik/core/api/providers.py:121
 msgid "Create a SAML Provider by importing its Metadata."
 msgstr ""
 
-#: authentik/core/api/users.py:118
+#: authentik/core/api/users.py:143
 msgid "No leading or trailing slashes allowed."
 msgstr ""
 
-#: authentik/core/api/users.py:121
+#: authentik/core/api/users.py:146
 msgid "No empty segments in user path allowed."
 msgstr ""
 
@@ -1365,7 +1365,7 @@ msgstr ""
 msgid "Authentication token"
 msgstr ""
 
-#: authentik/providers/scim/models.py:33 authentik/sources/ldap/models.py:82
+#: authentik/providers/scim/models.py:33 authentik/sources/ldap/models.py:94
 msgid "Property mappings used for group creation/updating."
 msgstr ""
 
@@ -1426,79 +1426,88 @@ msgstr ""
 msgid "Used recovery-link to authenticate."
 msgstr ""
 
-#: authentik/sources/ldap/models.py:35
+#: authentik/sources/ldap/models.py:37
 msgid "Server URI"
 msgstr ""
 
-#: authentik/sources/ldap/models.py:43
+#: authentik/sources/ldap/models.py:46
 msgid ""
 "Optionally verify the LDAP Server's Certificate against the CA Chain in this "
 "keypair."
 msgstr ""
 
-#: authentik/sources/ldap/models.py:47
+#: authentik/sources/ldap/models.py:55
-msgid "Bind CN"
+msgid ""
-msgstr ""
+"Client certificate to authenticate against the LDAP Server's Certificate."
-
-#: authentik/sources/ldap/models.py:49
-msgid "Enable Start TLS"
-msgstr ""
-
-#: authentik/sources/ldap/models.py:51
-msgid "Base DN"
-msgstr ""
-
-#: authentik/sources/ldap/models.py:53
-msgid "Prepended to Base DN for User-queries."
-msgstr ""
-
-#: authentik/sources/ldap/models.py:54
-msgid "Addition User DN"
 msgstr ""
 
 #: authentik/sources/ldap/models.py:58
-msgid "Prepended to Base DN for Group-queries."
+msgid "Bind CN"
 msgstr ""
 
-#: authentik/sources/ldap/models.py:59
+#: authentik/sources/ldap/models.py:60
-msgid "Addition Group DN"
+msgid "Enable Start TLS"
+msgstr ""
+
+#: authentik/sources/ldap/models.py:61
+msgid "Use Server URI for SNI verification"
+msgstr ""
+
+#: authentik/sources/ldap/models.py:63
+msgid "Base DN"
 msgstr ""
 
 #: authentik/sources/ldap/models.py:65
+msgid "Prepended to Base DN for User-queries."
+msgstr ""
+
+#: authentik/sources/ldap/models.py:66
+msgid "Addition User DN"
+msgstr ""
+
+#: authentik/sources/ldap/models.py:70
+msgid "Prepended to Base DN for Group-queries."
+msgstr ""
+
+#: authentik/sources/ldap/models.py:71
+msgid "Addition Group DN"
+msgstr ""
+
+#: authentik/sources/ldap/models.py:77
 msgid "Consider Objects matching this filter to be Users."
 msgstr ""
 
-#: authentik/sources/ldap/models.py:68
+#: authentik/sources/ldap/models.py:80
 msgid "Field which contains members of a group."
 msgstr ""
 
-#: authentik/sources/ldap/models.py:72
+#: authentik/sources/ldap/models.py:84
 msgid "Consider Objects matching this filter to be Groups."
 msgstr ""
 
-#: authentik/sources/ldap/models.py:75
+#: authentik/sources/ldap/models.py:87
 msgid "Field which contains a unique Identifier."
 msgstr ""
 
-#: authentik/sources/ldap/models.py:89
+#: authentik/sources/ldap/models.py:101
 msgid ""
 "When a user changes their password, sync it back to LDAP. This can only be "
 "enabled on a single LDAP source."
 msgstr ""
 
-#: authentik/sources/ldap/models.py:159
+#: authentik/sources/ldap/models.py:188
 msgid "LDAP Source"
 msgstr ""
 
-#: authentik/sources/ldap/models.py:160
+#: authentik/sources/ldap/models.py:189
 msgid "LDAP Sources"
 msgstr ""
 
-#: authentik/sources/ldap/models.py:182
+#: authentik/sources/ldap/models.py:211
 msgid "LDAP Property Mapping"
 msgstr ""
 
-#: authentik/sources/ldap/models.py:183
+#: authentik/sources/ldap/models.py:212
 msgid "LDAP Property Mappings"
 msgstr ""
 

schema.yml

@@ -17096,6 +17096,11 @@ paths:
         name: bind_cn
         schema:
           type: string
+      - in: query
+        name: client_certificate
+        schema:
+          type: string
+          format: uuid
       - in: query
         name: enabled
         schema:
@@ -17171,6 +17176,10 @@ paths:
         name: slug
         schema:
           type: string
+      - in: query
+        name: sni
+        schema:
+          type: boolean
       - in: query
         name: start_tls
         schema:
@@ -30950,11 +30959,20 @@ components:
           nullable: true
           description: Optionally verify the LDAP Server's Certificate against the
             CA Chain in this keypair.
+        client_certificate:
+          type: string
+          format: uuid
+          nullable: true
+          description: Client certificate to authenticate against the LDAP Server's
+            Certificate.
         bind_cn:
           type: string
         start_tls:
           type: boolean
           title: Enable Start TLS
+        sni:
+          type: boolean
+          title: Use Server URI for SNI verification
         base_dn:
           type: string
         additional_user_dn:
@@ -31064,6 +31082,12 @@ components:
           nullable: true
           description: Optionally verify the LDAP Server's Certificate against the
             CA Chain in this keypair.
+        client_certificate:
+          type: string
+          format: uuid
+          nullable: true
+          description: Client certificate to authenticate against the LDAP Server's
+            Certificate.
         bind_cn:
           type: string
         bind_password:
@@ -31072,6 +31096,9 @@ components:
         start_tls:
           type: boolean
           title: Enable Start TLS
+        sni:
+          type: boolean
+          title: Use Server URI for SNI verification
         base_dn:
           type: string
           minLength: 1
@@ -36356,6 +36383,12 @@ components:
           nullable: true
           description: Optionally verify the LDAP Server's Certificate against the
             CA Chain in this keypair.
+        client_certificate:
+          type: string
+          format: uuid
+          nullable: true
+          description: Client certificate to authenticate against the LDAP Server's
+            Certificate.
         bind_cn:
           type: string
         bind_password:
@@ -36364,6 +36397,9 @@ components:
         start_tls:
           type: boolean
           title: Enable Start TLS
+        sni:
+          type: boolean
+          title: Use Server URI for SNI verification
         base_dn:
           type: string
           minLength: 1

web/package.json

@@ -32,9 +32,9 @@
         "@codemirror/lang-xml": "^6.0.2",
         "@codemirror/legacy-modes": "^6.3.2",
         "@codemirror/theme-one-dark": "^6.1.2",
-        "@formatjs/intl-listformat": "^7.3.0",
+        "@formatjs/intl-listformat": "^7.4.0",
         "@fortawesome/fontawesome-free": "^6.4.0",
-        "@goauthentik/api": "^2023.5.3-1685646044",
+        "@goauthentik/api": "^2023.5.3-1686577333",
         "@lit/localize": "^0.11.4",
         "@patternfly/patternfly": "^4.224.2",
         "@sentry/browser": "^7.54.0",
@@ -45,30 +45,30 @@
         "chartjs-adapter-moment": "^1.0.1",
         "codemirror": "^6.0.1",
         "construct-style-sheets-polyfill": "^3.1.0",
-        "core-js": "^3.30.2",
+        "core-js": "^3.31.0",
         "country-flag-icons": "^1.5.7",
         "fuse.js": "^6.6.2",
         "lit": "^2.7.5",
-        "mermaid": "^10.2.2",
+        "mermaid": "^10.2.3",
         "rapidoc": "^9.3.4",
         "webcomponent-qr-code": "^1.1.1",
         "yaml": "^2.3.1",
         "zxcvbn": "^4.4.2"
     },
     "devDependencies": {
-        "@babel/core": "^7.22.1",
+        "@babel/core": "^7.22.5",
         "@babel/plugin-proposal-class-properties": "^7.18.6",
-        "@babel/plugin-proposal-decorators": "^7.22.3",
+        "@babel/plugin-proposal-decorators": "^7.22.5",
         "@babel/plugin-proposal-private-methods": "^7.18.6",
-        "@babel/plugin-transform-runtime": "^7.22.4",
+        "@babel/plugin-transform-runtime": "^7.22.5",
-        "@babel/preset-env": "^7.22.4",
+        "@babel/preset-env": "^7.22.5",
-        "@babel/preset-typescript": "^7.21.5",
+        "@babel/preset-typescript": "^7.22.5",
         "@hcaptcha/types": "^1.0.3",
         "@jackfranklin/rollup-plugin-markdown": "^0.4.0",
         "@jeysal/storybook-addon-css-user-preferences": "^0.2.0",
         "@lit/localize-tools": "^0.6.9",
         "@rollup/plugin-babel": "^6.0.3",
-        "@rollup/plugin-commonjs": "^25.0.0",
+        "@rollup/plugin-commonjs": "^25.0.1",
         "@rollup/plugin-node-resolve": "^15.0.2",
         "@rollup/plugin-replace": "^5.0.2",
         "@rollup/plugin-typescript": "^11.1.1",

web/src/admin/sources/ldap/LDAPSourceForm.ts

@@ -184,6 +184,26 @@ export class LDAPSourceForm extends ModelForm<LDAPSource, string> {
                             ${msg("To use SSL instead, use 'ldaps://' and disable this option.")}
                         </p>
                     </ak-form-element-horizontal>
+                    <ak-form-element-horizontal name="sni">
+                        <label class="pf-c-switch">
+                            <input
+                                class="pf-c-switch__input"
+                                type="checkbox"
+                                ?checked=${first(this.instance?.sni, false)}
+                            />
+                            <span class="pf-c-switch__toggle">
+                                <span class="pf-c-switch__toggle-icon">
+                                    <i class="fas fa-check" aria-hidden="true"></i>
+                                </span>
+                            </span>
+                            <span class="pf-c-switch__label"
+                                >${msg("Use Server URI for SNI verification")}</span
+                            >
+                        </label>
+                        <p class="pf-c-form__helper-text">
+                            ${msg("Required for servers using TLS 1.3+")}
+                        </p>
+                    </ak-form-element-horizontal>
                     <ak-form-element-horizontal
                         label=${msg("TLS Verification Certificate")}
                         name="peerCertificate"
@@ -222,6 +242,45 @@ export class LDAPSourceForm extends ModelForm<LDAPSource, string> {
                             )}
                         </p>
                     </ak-form-element-horizontal>
+                    <ak-form-element-horizontal
+                        label=${msg("TLS Client authentication certificate")}
+                        name="clientCertificate"
+                    >
+                        <ak-search-select
+                            .fetchObjects=${async (
+                                query?: string,
+                            ): Promise<CertificateKeyPair[]> => {
+                                const args: CryptoCertificatekeypairsListRequest = {
+                                    ordering: "name",
+                                    hasKey: true,
+                                    includeDetails: false,
+                                };
+                                if (query !== undefined) {
+                                    args.search = query;
+                                }
+                                const certificates = await new CryptoApi(
+                                    DEFAULT_CONFIG,
+                                ).cryptoCertificatekeypairsList(args);
+                                return certificates.results;
+                            }}
+                            .renderElement=${(item: CertificateKeyPair): string => {
+                                return item.name;
+                            }}
+                            .value=${(item: CertificateKeyPair | undefined): string | undefined => {
+                                return item?.pk;
+                            }}
+                            .selected=${(item: CertificateKeyPair): boolean => {
+                                return item.pk === this.instance?.clientCertificate;
+                            }}
+                            ?blankable=${true}
+                        >
+                        </ak-search-select>
+                        <p class="pf-c-form__helper-text">
+                            ${msg(
+                                "Client certificate keypair to authenticate against the LDAP Server's Certificate.",
+                            )}
+                        </p>
+                    </ak-form-element-horizontal>
                     <ak-form-element-horizontal label=${msg("Bind CN")} name="bindCn">
                         <input
                             type="text"

web/xliff/de.xlf

@@ -748,13 +748,6 @@
         <source>Certificate</source>
         <target>Zertifikat</target>
       </trans-unit>
-      <trans-unit id="s4eb524a2bb358f8b">
-        <source>Due to protocol limitations, this certificate is only used when the outpost has a single provider, or all providers use the same certificate.</source>
-      </trans-unit>
-      <trans-unit id="s73e9d580d6d96b02">
-        <source>If multiple providers share an outpost, a self-signed certificate is used.</source>
-        <target>Wenn sich mehrere Anbieter einen Außenposten teilen, wird ein selbstsigniertes Zertifikat verwendet.</target>
-      </trans-unit>
       <trans-unit id="sac43cb9690260b86">
         <source>UID start number</source>
         <target>UID-Startnummer</target>
@@ -5722,6 +5715,27 @@ Bindings to groups/users are checked against the user of the event.</source>
         <source>Activate</source>
         <target>Aktivieren</target>
       </trans-unit>
+<trans-unit id="s1024166475850a65">
+  <source>Use Server URI for SNI verification</source>
+</trans-unit>
+<trans-unit id="se65beb94fffc3c4b">
+  <source>Required for servers using TLS 1.3+</source>
+</trans-unit>
+<trans-unit id="s5506b35a1bceb141">
+  <source>Client certificate keypair to authenticate against the LDAP Server's Certificate.</source>
+</trans-unit>
+<trans-unit id="s4647b2c92638d6fd">
+  <source>The certificate for the above configured Base DN. As a fallback, the provider uses a self-signed certificate.</source>
+</trans-unit>
+<trans-unit id="scd247ffad6e04ac0">
+  <source>TLS Server name</source>
+</trans-unit>
+<trans-unit id="s2acef4f6ba39bf11">
+  <source>DNS name for which the above configured certificate should be used. The certificate cannot be detected based on the base DN, as the SSL/TLS negotiation happens before such data is exchanged.</source>
+</trans-unit>
+<trans-unit id="s000ee3e634868b3c">
+  <source>TLS Client authentication certificate</source>
+</trans-unit>
     </body>
   </file>
 </xliff>

web/xliff/en.xlf

@@ -777,14 +777,6 @@
         <source>Certificate</source>
         <target>Certificate</target>
       </trans-unit>
-      <trans-unit id="s4eb524a2bb358f8b">
-        <source>Due to protocol limitations, this certificate is only used when the outpost has a single provider, or all providers use the same certificate.</source>
-        <target>Due to protocol limitations, this certificate is only used when the outpost has a single provider, or all providers use the same certificate.</target>
-      </trans-unit>
-      <trans-unit id="s73e9d580d6d96b02">
-        <source>If multiple providers share an outpost, a self-signed certificate is used.</source>
-        <target>If multiple providers share an outpost, a self-signed certificate is used.</target>
-      </trans-unit>
       <trans-unit id="sac43cb9690260b86">
         <source>UID start number</source>
         <target>UID start number</target>
@@ -6039,6 +6031,27 @@ Bindings to groups/users are checked against the user of the event.</source>
         <source>Activate</source>
         <target>Activate</target>
       </trans-unit>
+<trans-unit id="s1024166475850a65">
+  <source>Use Server URI for SNI verification</source>
+</trans-unit>
+<trans-unit id="se65beb94fffc3c4b">
+  <source>Required for servers using TLS 1.3+</source>
+</trans-unit>
+<trans-unit id="s5506b35a1bceb141">
+  <source>Client certificate keypair to authenticate against the LDAP Server's Certificate.</source>
+</trans-unit>
+<trans-unit id="s4647b2c92638d6fd">
+  <source>The certificate for the above configured Base DN. As a fallback, the provider uses a self-signed certificate.</source>
+</trans-unit>
+<trans-unit id="scd247ffad6e04ac0">
+  <source>TLS Server name</source>
+</trans-unit>
+<trans-unit id="s2acef4f6ba39bf11">
+  <source>DNS name for which the above configured certificate should be used. The certificate cannot be detected based on the base DN, as the SSL/TLS negotiation happens before such data is exchanged.</source>
+</trans-unit>
+<trans-unit id="s000ee3e634868b3c">
+  <source>TLS Client authentication certificate</source>
+</trans-unit>
     </body>
   </file>
 </xliff>

web/xliff/es.xlf

@@ -733,13 +733,6 @@
         <source>Certificate</source>
         <target>Certificado</target>
       </trans-unit>
-      <trans-unit id="s4eb524a2bb358f8b">
-        <source>Due to protocol limitations, this certificate is only used when the outpost has a single provider, or all providers use the same certificate.</source>
-      </trans-unit>
-      <trans-unit id="s73e9d580d6d96b02">
-        <source>If multiple providers share an outpost, a self-signed certificate is used.</source>
-        <target>Si varios proveedores comparten un puesto avanzado, se utiliza un certificado autofirmado.</target>
-      </trans-unit>
       <trans-unit id="sac43cb9690260b86">
         <source>UID start number</source>
         <target>Número inicial de UID</target>
@@ -5630,6 +5623,27 @@ Bindings to groups/users are checked against the user of the event.</source>
         <source>Activate</source>
         <target>Activar</target>
       </trans-unit>
+<trans-unit id="s1024166475850a65">
+  <source>Use Server URI for SNI verification</source>
+</trans-unit>
+<trans-unit id="se65beb94fffc3c4b">
+  <source>Required for servers using TLS 1.3+</source>
+</trans-unit>
+<trans-unit id="s5506b35a1bceb141">
+  <source>Client certificate keypair to authenticate against the LDAP Server's Certificate.</source>
+</trans-unit>
+<trans-unit id="s4647b2c92638d6fd">
+  <source>The certificate for the above configured Base DN. As a fallback, the provider uses a self-signed certificate.</source>
+</trans-unit>
+<trans-unit id="scd247ffad6e04ac0">
+  <source>TLS Server name</source>
+</trans-unit>
+<trans-unit id="s2acef4f6ba39bf11">
+  <source>DNS name for which the above configured certificate should be used. The certificate cannot be detected based on the base DN, as the SSL/TLS negotiation happens before such data is exchanged.</source>
+</trans-unit>
+<trans-unit id="s000ee3e634868b3c">
+  <source>TLS Client authentication certificate</source>
+</trans-unit>
     </body>
   </file>
 </xliff>

web/xliff/fr_FR.xlf

@@ -749,13 +749,6 @@
         <source>Certificate</source>
         <target>Certificat</target>
       </trans-unit>
-      <trans-unit id="s4eb524a2bb358f8b">
-        <source>Due to protocol limitations, this certificate is only used when the outpost has a single provider, or all providers use the same certificate.</source>
-      </trans-unit>
-      <trans-unit id="s73e9d580d6d96b02">
-        <source>If multiple providers share an outpost, a self-signed certificate is used.</source>
-        <target>Si plusieurs fournisseurs partagent un avant-poste, un certificat auto-signé est utilisé.</target>
-      </trans-unit>
       <trans-unit id="sac43cb9690260b86">
         <source>UID start number</source>
         <target>Numéro de départ d'UID</target>
@@ -5737,6 +5730,27 @@ Bindings to groups/users are checked against the user of the event.</source>
         <source>Activate</source>
         <target>Activer</target>
       </trans-unit>
+<trans-unit id="s1024166475850a65">
+  <source>Use Server URI for SNI verification</source>
+</trans-unit>
+<trans-unit id="se65beb94fffc3c4b">
+  <source>Required for servers using TLS 1.3+</source>
+</trans-unit>
+<trans-unit id="s5506b35a1bceb141">
+  <source>Client certificate keypair to authenticate against the LDAP Server's Certificate.</source>
+</trans-unit>
+<trans-unit id="s4647b2c92638d6fd">
+  <source>The certificate for the above configured Base DN. As a fallback, the provider uses a self-signed certificate.</source>
+</trans-unit>
+<trans-unit id="scd247ffad6e04ac0">
+  <source>TLS Server name</source>
+</trans-unit>
+<trans-unit id="s2acef4f6ba39bf11">
+  <source>DNS name for which the above configured certificate should be used. The certificate cannot be detected based on the base DN, as the SSL/TLS negotiation happens before such data is exchanged.</source>
+</trans-unit>
+<trans-unit id="s000ee3e634868b3c">
+  <source>TLS Client authentication certificate</source>
+</trans-unit>
     </body>
   </file>
 </xliff>

web/xliff/pl.xlf

@@ -752,13 +752,6 @@
         <source>Certificate</source>
         <target>Certyfikat</target>
       </trans-unit>
-      <trans-unit id="s4eb524a2bb358f8b">
-        <source>Due to protocol limitations, this certificate is only used when the outpost has a single provider, or all providers use the same certificate.</source>
-      </trans-unit>
-      <trans-unit id="s73e9d580d6d96b02">
-        <source>If multiple providers share an outpost, a self-signed certificate is used.</source>
-        <target>Jeśli wielu dostawców współdzieli placówkę, używany jest certyfikat z podpisem własnym.</target>
-      </trans-unit>
       <trans-unit id="sac43cb9690260b86">
         <source>UID start number</source>
         <target>Numer początkowy UID</target>
@@ -5869,6 +5862,27 @@ Bindings to groups/users are checked against the user of the event.</source>
         <source>Activate</source>
         <target>Aktywuj</target>
       </trans-unit>
+<trans-unit id="s1024166475850a65">
+  <source>Use Server URI for SNI verification</source>
+</trans-unit>
+<trans-unit id="se65beb94fffc3c4b">
+  <source>Required for servers using TLS 1.3+</source>
+</trans-unit>
+<trans-unit id="s5506b35a1bceb141">
+  <source>Client certificate keypair to authenticate against the LDAP Server's Certificate.</source>
+</trans-unit>
+<trans-unit id="s4647b2c92638d6fd">
+  <source>The certificate for the above configured Base DN. As a fallback, the provider uses a self-signed certificate.</source>
+</trans-unit>
+<trans-unit id="scd247ffad6e04ac0">
+  <source>TLS Server name</source>
+</trans-unit>
+<trans-unit id="s2acef4f6ba39bf11">
+  <source>DNS name for which the above configured certificate should be used. The certificate cannot be detected based on the base DN, as the SSL/TLS negotiation happens before such data is exchanged.</source>
+</trans-unit>
+<trans-unit id="s000ee3e634868b3c">
+  <source>TLS Client authentication certificate</source>
+</trans-unit>
     </body>
   </file>
 </xliff>

web/xliff/pseudo-LOCALE.xlf

@@ -761,14 +761,6 @@
       <trans-unit id="sb157267c85fdff30">
         <source>Certificate</source>
         
-      </trans-unit>
-      <trans-unit id="s4eb524a2bb358f8b">
-        <source>Due to protocol limitations, this certificate is only used when the outpost has a single provider, or all providers use the same certificate.</source>
-        
-      </trans-unit>
-      <trans-unit id="s73e9d580d6d96b02">
-        <source>If multiple providers share an outpost, a self-signed certificate is used.</source>
-        
       </trans-unit>
       <trans-unit id="sac43cb9690260b86">
         <source>UID start number</source>
@@ -5973,6 +5965,27 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s27976e94b05c6970">
   <source>Activate</source>
+</trans-unit>
+<trans-unit id="s1024166475850a65">
+  <source>Use Server URI for SNI verification</source>
+</trans-unit>
+<trans-unit id="se65beb94fffc3c4b">
+  <source>Required for servers using TLS 1.3+</source>
+</trans-unit>
+<trans-unit id="s5506b35a1bceb141">
+  <source>Client certificate keypair to authenticate against the LDAP Server's Certificate.</source>
+</trans-unit>
+<trans-unit id="s4647b2c92638d6fd">
+  <source>The certificate for the above configured Base DN. As a fallback, the provider uses a self-signed certificate.</source>
+</trans-unit>
+<trans-unit id="scd247ffad6e04ac0">
+  <source>TLS Server name</source>
+</trans-unit>
+<trans-unit id="s2acef4f6ba39bf11">
+  <source>DNS name for which the above configured certificate should be used. The certificate cannot be detected based on the base DN, as the SSL/TLS negotiation happens before such data is exchanged.</source>
+</trans-unit>
+<trans-unit id="s000ee3e634868b3c">
+  <source>TLS Client authentication certificate</source>
 </trans-unit>
     </body>
   </file>

web/xliff/tr.xlf

@@ -733,13 +733,6 @@
         <source>Certificate</source>
         <target>Sertifika</target>
       </trans-unit>
-      <trans-unit id="s4eb524a2bb358f8b">
-        <source>Due to protocol limitations, this certificate is only used when the outpost has a single provider, or all providers use the same certificate.</source>
-      </trans-unit>
-      <trans-unit id="s73e9d580d6d96b02">
-        <source>If multiple providers share an outpost, a self-signed certificate is used.</source>
-        <target>Birden çok sağlayıcı bir üssü paylaşıyorsa, otomatik olarak imzalanan bir sertifika kullanılır.</target>
-      </trans-unit>
       <trans-unit id="sac43cb9690260b86">
         <source>UID start number</source>
         <target>UID başlangıç numarası</target>
@@ -5620,6 +5613,27 @@ Bindings to groups/users are checked against the user of the event.</source>
         <source>Activate</source>
         <target>Etkinleştir</target>
       </trans-unit>
+<trans-unit id="s1024166475850a65">
+  <source>Use Server URI for SNI verification</source>
+</trans-unit>
+<trans-unit id="se65beb94fffc3c4b">
+  <source>Required for servers using TLS 1.3+</source>
+</trans-unit>
+<trans-unit id="s5506b35a1bceb141">
+  <source>Client certificate keypair to authenticate against the LDAP Server's Certificate.</source>
+</trans-unit>
+<trans-unit id="s4647b2c92638d6fd">
+  <source>The certificate for the above configured Base DN. As a fallback, the provider uses a self-signed certificate.</source>
+</trans-unit>
+<trans-unit id="scd247ffad6e04ac0">
+  <source>TLS Server name</source>
+</trans-unit>
+<trans-unit id="s2acef4f6ba39bf11">
+  <source>DNS name for which the above configured certificate should be used. The certificate cannot be detected based on the base DN, as the SSL/TLS negotiation happens before such data is exchanged.</source>
+</trans-unit>
+<trans-unit id="s000ee3e634868b3c">
+  <source>TLS Client authentication certificate</source>
+</trans-unit>
     </body>
   </file>
 </xliff>

web/xliff/zh-Hans.xlf

@@ -965,16 +965,6 @@
         <source>Certificate</source>
         <target>证书</target>
         
-      </trans-unit>
-      <trans-unit id="s4eb524a2bb358f8b">
-        <source>Due to protocol limitations, this certificate is only used when the outpost has a single provider, or all providers use the same certificate.</source>
-        <target>由于协议限制，只在前哨有单个提供程序，或所有提供程序都使用相同证书时才使用此证书。</target>
-        
-      </trans-unit>
-      <trans-unit id="s73e9d580d6d96b02">
-        <source>If multiple providers share an outpost, a self-signed certificate is used.</source>
-        <target>如果多个提供程序共享同一个前哨，则使用自签名证书。</target>
-        
       </trans-unit>
       <trans-unit id="sac43cb9690260b86">
         <source>UID start number</source>
@@ -7547,6 +7537,27 @@ Bindings to groups/users are checked against the user of the event.</source>
         <target>激活</target>
         
       </trans-unit>
+<trans-unit id="s1024166475850a65">
+  <source>Use Server URI for SNI verification</source>
+</trans-unit>
+<trans-unit id="se65beb94fffc3c4b">
+  <source>Required for servers using TLS 1.3+</source>
+</trans-unit>
+<trans-unit id="s5506b35a1bceb141">
+  <source>Client certificate keypair to authenticate against the LDAP Server's Certificate.</source>
+</trans-unit>
+<trans-unit id="s4647b2c92638d6fd">
+  <source>The certificate for the above configured Base DN. As a fallback, the provider uses a self-signed certificate.</source>
+</trans-unit>
+<trans-unit id="scd247ffad6e04ac0">
+  <source>TLS Server name</source>
+</trans-unit>
+<trans-unit id="s2acef4f6ba39bf11">
+  <source>DNS name for which the above configured certificate should be used. The certificate cannot be detected based on the base DN, as the SSL/TLS negotiation happens before such data is exchanged.</source>
+</trans-unit>
+<trans-unit id="s000ee3e634868b3c">
+  <source>TLS Client authentication certificate</source>
+</trans-unit>
     </body>
   </file>
 </xliff>

web/xliff/zh-Hant.xlf

@@ -740,13 +740,6 @@
         <source>Certificate</source>
         <target>证书</target>
       </trans-unit>
-      <trans-unit id="s4eb524a2bb358f8b">
-        <source>Due to protocol limitations, this certificate is only used when the outpost has a single provider, or all providers use the same certificate.</source>
-      </trans-unit>
-      <trans-unit id="s73e9d580d6d96b02">
-        <source>If multiple providers share an outpost, a self-signed certificate is used.</source>
-        <target>如果多个提供商共享一个 Outpost，则使用自签名证书。</target>
-      </trans-unit>
       <trans-unit id="sac43cb9690260b86">
         <source>UID start number</source>
         <target>UID 起始编号</target>
@@ -5675,6 +5668,27 @@ Bindings to groups/users are checked against the user of the event.</source>
         <source>Activate</source>
         <target>启用</target>
       </trans-unit>
+<trans-unit id="s1024166475850a65">
+  <source>Use Server URI for SNI verification</source>
+</trans-unit>
+<trans-unit id="se65beb94fffc3c4b">
+  <source>Required for servers using TLS 1.3+</source>
+</trans-unit>
+<trans-unit id="s5506b35a1bceb141">
+  <source>Client certificate keypair to authenticate against the LDAP Server's Certificate.</source>
+</trans-unit>
+<trans-unit id="s4647b2c92638d6fd">
+  <source>The certificate for the above configured Base DN. As a fallback, the provider uses a self-signed certificate.</source>
+</trans-unit>
+<trans-unit id="scd247ffad6e04ac0">
+  <source>TLS Server name</source>
+</trans-unit>
+<trans-unit id="s2acef4f6ba39bf11">
+  <source>DNS name for which the above configured certificate should be used. The certificate cannot be detected based on the base DN, as the SSL/TLS negotiation happens before such data is exchanged.</source>
+</trans-unit>
+<trans-unit id="s000ee3e634868b3c">
+  <source>TLS Client authentication certificate</source>
+</trans-unit>
     </body>
   </file>
 </xliff>

web/xliff/zh_TW.xlf

@@ -740,13 +740,6 @@
         <source>Certificate</source>
         <target>证书</target>
       </trans-unit>
-      <trans-unit id="s4eb524a2bb358f8b">
-        <source>Due to protocol limitations, this certificate is only used when the outpost has a single provider, or all providers use the same certificate.</source>
-      </trans-unit>
-      <trans-unit id="s73e9d580d6d96b02">
-        <source>If multiple providers share an outpost, a self-signed certificate is used.</source>
-        <target>如果多个提供商共享一个 Outpost，则使用自签名证书。</target>
-      </trans-unit>
       <trans-unit id="sac43cb9690260b86">
         <source>UID start number</source>
         <target>UID 起始编号</target>
@@ -5674,6 +5667,27 @@ Bindings to groups/users are checked against the user of the event.</source>
         <source>Activate</source>
         <target>启用</target>
       </trans-unit>
+<trans-unit id="s1024166475850a65">
+  <source>Use Server URI for SNI verification</source>
+</trans-unit>
+<trans-unit id="se65beb94fffc3c4b">
+  <source>Required for servers using TLS 1.3+</source>
+</trans-unit>
+<trans-unit id="s5506b35a1bceb141">
+  <source>Client certificate keypair to authenticate against the LDAP Server's Certificate.</source>
+</trans-unit>
+<trans-unit id="s4647b2c92638d6fd">
+  <source>The certificate for the above configured Base DN. As a fallback, the provider uses a self-signed certificate.</source>
+</trans-unit>
+<trans-unit id="scd247ffad6e04ac0">
+  <source>TLS Server name</source>
+</trans-unit>
+<trans-unit id="s2acef4f6ba39bf11">
+  <source>DNS name for which the above configured certificate should be used. The certificate cannot be detected based on the base DN, as the SSL/TLS negotiation happens before such data is exchanged.</source>
+</trans-unit>
+<trans-unit id="s000ee3e634868b3c">
+  <source>TLS Client authentication certificate</source>
+</trans-unit>
     </body>
   </file>
 </xliff>

website/integrations/services/dokuwiki/index.md

@@ -4,7 +4,7 @@ title: DokuWiki
 
 <span class="badge badge--secondary">Support level: Community</span>
 
-## What is Service Name
+## What is DokuWiki
 
 From https://en.wikipedia.org/wiki/DokuWiki
 

website/integrations/services/wordpress/index.md

@@ -65,12 +65,12 @@ Review each setting and choose the ones that you require for your installation.
 
 ### Step 3 - authentik
 
-In authentik, create an application which uses this provider. Optionally apply access restrictions to the application using policy bindings.
+In authentik, create an application which uses this provider and directly launches Wordpress' backend login-screen. Optionally apply access restrictions to the application using policy bindings.
 
 -   Name: Wordpress
 -   Slug: wordpress
 -   Provider: wordpress
--   Launch URL: https://wp.company
+-   Launch URL: https://wp.company/wp-login.php
 
 ## Notes