habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'main' into web/update-provider-forms-for-invalidation

Browse Source 
* main:
  web/admin: Add InvalidationFlow to Radius Provider dialogues (#11786)
  core, web: update translations (#11782)
  providers/oauth2: fix amr claim not set due to login event not associated (#11780)
This commit is contained in:
Ken Sternberg
2024-10-23 14:45:21 -07:00
parent e497dbc314 9b64db7076
commit 6ff260df01
33 changed files with 1391 additions and 40 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
authentik/events/signals.py
View File

@ -1,13 +1,16 @@
"""authentik events signal listener""" """authentik events signal listener"""
from importlib import import_module
from typing import Any from typing import Any
from django.conf import settings
from django.contrib.auth.signals import user_logged_in, user_logged_out from django.contrib.auth.signals import user_logged_in, user_logged_out
from django.db.models.signals import post_save, pre_delete from django.db.models.signals import post_save, pre_delete
from django.dispatch import receiver from django.dispatch import receiver
from django.http import HttpRequest from django.http import HttpRequest
from rest_framework.request import Request
from authentik.core.models import User from authentik.core.models import AuthenticatedSession, User
from authentik.core.signals import login_failed, password_changed from authentik.core.signals import login_failed, password_changed
from authentik.events.apps import SYSTEM_TASK_STATUS from authentik.events.apps import SYSTEM_TASK_STATUS
from authentik.events.models import Event, EventAction, SystemTask from authentik.events.models import Event, EventAction, SystemTask
@ -23,6 +26,7 @@ from authentik.stages.user_write.signals import user_write
from authentik.tenants.utils import get_current_tenant from authentik.tenants.utils import get_current_tenant
SESSION_LOGIN_EVENT = "login_event" SESSION_LOGIN_EVENT = "login_event"
_session_engine = import_module(settings.SESSION_ENGINE)
@receiver(user_logged_in) @receiver(user_logged_in)
@ -43,11 +47,20 @@ def on_user_logged_in(sender, request: HttpRequest, user: User, **_):
kwargs[PLAN_CONTEXT_OUTPOST] = flow_plan.context[PLAN_CONTEXT_OUTPOST] kwargs[PLAN_CONTEXT_OUTPOST] = flow_plan.context[PLAN_CONTEXT_OUTPOST]
event = Event.new(EventAction.LOGIN, **kwargs).from_http(request, user=user) event = Event.new(EventAction.LOGIN, **kwargs).from_http(request, user=user)
request.session[SESSION_LOGIN_EVENT] = event request.session[SESSION_LOGIN_EVENT] = event
request.session.save()
def get_login_event(request: HttpRequest) -> Event | None: def get_login_event(request_or_session: HttpRequest | AuthenticatedSession | None) -> Event | None:
"""Wrapper to get login event that can be mocked in tests""" """Wrapper to get login event that can be mocked in tests"""
return request.session.get(SESSION_LOGIN_EVENT, None) session = None
if not request_or_session:
return None
if isinstance(request_or_session, HttpRequest | Request):
session = request_or_session.session
if isinstance(request_or_session, AuthenticatedSession):
SessionStore = _session_engine.SessionStore
session = SessionStore(request_or_session.session_key)
return session.get(SESSION_LOGIN_EVENT, None)
@receiver(user_logged_out) @receiver(user_logged_out)

17
authentik/providers/oauth2/id_token.py
View File

@ -1,6 +1,7 @@
"""id_token utils""" """id_token utils"""
from dataclasses import asdict, dataclass, field from dataclasses import asdict, dataclass, field
from hashlib import sha256
from typing import TYPE_CHECKING, Any from typing import TYPE_CHECKING, Any
from django.db import models from django.db import models
@ -23,8 +24,13 @@ if TYPE_CHECKING:
from authentik.providers.oauth2.models import BaseGrantModel, OAuth2Provider from authentik.providers.oauth2.models import BaseGrantModel, OAuth2Provider
def hash_session_key(session_key: str) -> str:
"""Hash the session key for inclusion in JWTs as `sid`"""
return sha256(session_key.encode("ascii")).hexdigest()
class SubModes(models.TextChoices): class SubModes(models.TextChoices):
"""Mode after which 'sub' attribute is generateed, for compatibility reasons""" """Mode after which 'sub' attribute is generated, for compatibility reasons"""
HASHED_USER_ID = "hashed_user_id", _("Based on the Hashed User ID") HASHED_USER_ID = "hashed_user_id", _("Based on the Hashed User ID")
USER_ID = "user_id", _("Based on user ID") USER_ID = "user_id", _("Based on user ID")
@ -51,7 +57,8 @@ class IDToken:
and potentially other requested Claims. The ID Token is represented as a and potentially other requested Claims. The ID Token is represented as a
JSON Web Token (JWT) [JWT]. JSON Web Token (JWT) [JWT].
https://openid.net/specs/openid-connect-core-1_0.html#IDToken""" https://openid.net/specs/openid-connect-core-1_0.html#IDToken
https://www.iana.org/assignments/jwt/jwt.xhtml"""
# Issuer, https://www.rfc-editor.org/rfc/rfc7519.html#section-4.1.1 # Issuer, https://www.rfc-editor.org/rfc/rfc7519.html#section-4.1.1
iss: str | None = None iss: str | None = None
@ -79,6 +86,8 @@ class IDToken:
nonce: str | None = None nonce: str | None = None
# Access Token hash value, http://openid.net/specs/openid-connect-core-1_0.html # Access Token hash value, http://openid.net/specs/openid-connect-core-1_0.html
at_hash: str | None = None at_hash: str | None = None
# Session ID, https://openid.net/specs/openid-connect-frontchannel-1_0.html#ClaimsContents
sid: str | None = None
claims: dict[str, Any] = field(default_factory=dict) claims: dict[str, Any] = field(default_factory=dict)
@ -116,9 +125,11 @@ class IDToken:
now = timezone.now() now = timezone.now()
id_token.iat = int(now.timestamp()) id_token.iat = int(now.timestamp())
id_token.auth_time = int(token.auth_time.timestamp()) id_token.auth_time = int(token.auth_time.timestamp())
if token.session:
id_token.sid = hash_session_key(token.session.session_key)
# We use the timestamp of the user's last successful login (EventAction.LOGIN) for auth_time # We use the timestamp of the user's last successful login (EventAction.LOGIN) for auth_time
auth_event = get_login_event(request) auth_event = get_login_event(token.session)
if auth_event: if auth_event:
# Also check which method was used for authentication # Also check which method was used for authentication
method = auth_event.context.get(PLAN_CONTEXT_METHOD, "") method = auth_event.context.get(PLAN_CONTEXT_METHOD, "")

3
authentik/providers/oauth2/migrations/0007_auto_20201016_1107_squashed_0017_alter_oauth2provider_token_validity.py
View File

@ -3,6 +3,7 @@
import django.db.models.deletion import django.db.models.deletion
from django.apps.registry import Apps from django.apps.registry import Apps
from django.db import migrations, models from django.db import migrations, models
from django.db.backends.base.schema import BaseDatabaseSchemaEditor
import authentik.lib.utils.time import authentik.lib.utils.time
@ -14,7 +15,7 @@ scope_uid_map = {
} }
def set_managed_flag(apps: Apps, schema_editor): def set_managed_flag(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
ScopeMapping = apps.get_model("authentik_providers_oauth2", "ScopeMapping") ScopeMapping = apps.get_model("authentik_providers_oauth2", "ScopeMapping")
db_alias = schema_editor.connection.alias db_alias = schema_editor.connection.alias
for mapping in ScopeMapping.objects.using(db_alias).filter(name__startswith="Autogenerated "): for mapping in ScopeMapping.objects.using(db_alias).filter(name__startswith="Autogenerated "):

113
authentik/providers/oauth2/migrations/0022_remove_accesstoken_session_id_and_more.py Normal file
View File

@ -0,0 +1,113 @@
# Generated by Django 5.0.9 on 2024-10-23 13:38
from hashlib import sha256
import django.db.models.deletion
from django.db import migrations, models
from django.apps.registry import Apps
from django.db.backends.base.schema import BaseDatabaseSchemaEditor
from authentik.lib.migrations import progress_bar
def migrate_session(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
AuthenticatedSession = apps.get_model("authentik_core", "authenticatedsession")
AuthorizationCode = apps.get_model("authentik_providers_oauth2", "authorizationcode")
AccessToken = apps.get_model("authentik_providers_oauth2", "accesstoken")
RefreshToken = apps.get_model("authentik_providers_oauth2", "refreshtoken")
db_alias = schema_editor.connection.alias
print(f"\nFetching session keys, this might take a couple of minutes...")
session_ids = {}
for session in progress_bar(AuthenticatedSession.objects.using(db_alias).all()):
session_ids[sha256(session.session_key.encode("ascii")).hexdigest()] = session.session_key
for model in [AuthorizationCode, AccessToken, RefreshToken]:
print(
f"\nAdding session to {model._meta.verbose_name}, this might take a couple of minutes..."
)
for code in progress_bar(model.objects.using(db_alias).all()):
if code.session_id_old not in session_ids:
continue
code.session = (
AuthenticatedSession.objects.using(db_alias)
.filter(session_key=session_ids[code.session_id_old])
.first()
)
code.save()
class Migration(migrations.Migration):
dependencies = [
("authentik_core", "0040_provider_invalidation_flow"),
("authentik_providers_oauth2", "0021_oauth2provider_encryption_key_and_more"),
]
operations = [
migrations.RenameField(
model_name="accesstoken",
old_name="session_id",
new_name="session_id_old",
),
migrations.RenameField(
model_name="authorizationcode",
old_name="session_id",
new_name="session_id_old",
),
migrations.RenameField(
model_name="refreshtoken",
old_name="session_id",
new_name="session_id_old",
),
migrations.AddField(
model_name="accesstoken",
name="session",
field=models.ForeignKey(
default=None,
null=True,
on_delete=django.db.models.deletion.SET_DEFAULT,
to="authentik_core.authenticatedsession",
),
),
migrations.AddField(
model_name="authorizationcode",
name="session",
field=models.ForeignKey(
default=None,
null=True,
on_delete=django.db.models.deletion.SET_DEFAULT,
to="authentik_core.authenticatedsession",
),
),
migrations.AddField(
model_name="devicetoken",
name="session",
field=models.ForeignKey(
default=None,
null=True,
on_delete=django.db.models.deletion.SET_DEFAULT,
to="authentik_core.authenticatedsession",
),
),
migrations.AddField(
model_name="refreshtoken",
name="session",
field=models.ForeignKey(
default=None,
null=True,
on_delete=django.db.models.deletion.SET_DEFAULT,
to="authentik_core.authenticatedsession",
),
),
migrations.RunPython(migrate_session),
migrations.RemoveField(
model_name="accesstoken",
name="session_id_old",
),
migrations.RemoveField(
model_name="authorizationcode",
name="session_id_old",
),
migrations.RemoveField(
model_name="refreshtoken",
name="session_id_old",
),
]

15
authentik/providers/oauth2/models.py
View File

@ -26,7 +26,13 @@ from rest_framework.serializers import Serializer
from structlog.stdlib import get_logger from structlog.stdlib import get_logger
from authentik.brands.models import WebfingerProvider from authentik.brands.models import WebfingerProvider
from authentik.core.models import ExpiringModel, PropertyMapping, Provider, User from authentik.core.models import (
AuthenticatedSession,
ExpiringModel,
PropertyMapping,
Provider,
User,
)
from authentik.crypto.models import CertificateKeyPair from authentik.crypto.models import CertificateKeyPair
from authentik.lib.generators import generate_code_fixed_length, generate_id, generate_key from authentik.lib.generators import generate_code_fixed_length, generate_id, generate_key
from authentik.lib.models import SerializerModel from authentik.lib.models import SerializerModel
@ -353,7 +359,9 @@ class BaseGrantModel(models.Model):
revoked = models.BooleanField(default=False) revoked = models.BooleanField(default=False)
_scope = models.TextField(default="", verbose_name=_("Scopes")) _scope = models.TextField(default="", verbose_name=_("Scopes"))
auth_time = models.DateTimeField(verbose_name="Authentication time") auth_time = models.DateTimeField(verbose_name="Authentication time")
session_id = models.CharField(default="", blank=True) session = models.ForeignKey(
AuthenticatedSession, null=True, on_delete=models.SET_DEFAULT, default=None
)
class Meta: class Meta:
abstract = True abstract = True
@ -491,6 +499,9 @@ class DeviceToken(ExpiringModel):
device_code = models.TextField(default=generate_key) device_code = models.TextField(default=generate_key)
user_code = models.TextField(default=generate_code_fixed_length) user_code = models.TextField(default=generate_code_fixed_length)
_scope = models.TextField(default="", verbose_name=_("Scopes")) _scope = models.TextField(default="", verbose_name=_("Scopes"))
session = models.ForeignKey(
AuthenticatedSession, null=True, on_delete=models.SET_DEFAULT, default=None
)
@property @property
def scope(self) -> list[str]: def scope(self) -> list[str]:

5
authentik/providers/oauth2/signals.py
View File

@ -1,5 +1,3 @@
from hashlib import sha256
from django.contrib.auth.signals import user_logged_out from django.contrib.auth.signals import user_logged_out
from django.dispatch import receiver from django.dispatch import receiver
from django.http import HttpRequest from django.http import HttpRequest
@ -13,5 +11,4 @@ def user_logged_out_oauth_access_token(sender, request: HttpRequest, user: User,
"""Revoke access tokens upon user logout""" """Revoke access tokens upon user logout"""
if not request.session or not request.session.session_key: if not request.session or not request.session.session_key:
return return
hashed_session_key = sha256(request.session.session_key.encode("ascii")).hexdigest() AccessToken.objects.filter(user=user, session__session_key=request.session.session_key).delete()
AccessToken.objects.filter(user=user, session_id=hashed_session_key).delete()

11
authentik/providers/oauth2/views/authorize.py
View File

@ -2,7 +2,6 @@
from dataclasses import InitVar, dataclass, field from dataclasses import InitVar, dataclass, field
from datetime import timedelta from datetime import timedelta
from hashlib import sha256
from json import dumps from json import dumps
from re import error as RegexError from re import error as RegexError
from re import fullmatch from re import fullmatch
@ -16,7 +15,7 @@ from django.utils import timezone
from django.utils.translation import gettext as _ from django.utils.translation import gettext as _
from structlog.stdlib import get_logger from structlog.stdlib import get_logger
from authentik.core.models import Application from authentik.core.models import Application, AuthenticatedSession
from authentik.events.models import Event, EventAction from authentik.events.models import Event, EventAction
from authentik.events.signals import get_login_event from authentik.events.signals import get_login_event
from authentik.flows.challenge import ( from authentik.flows.challenge import (
@ -318,7 +317,9 @@ class OAuthAuthorizationParams:
expires=now + timedelta_from_string(self.provider.access_code_validity), expires=now + timedelta_from_string(self.provider.access_code_validity),
scope=self.scope, scope=self.scope,
nonce=self.nonce, nonce=self.nonce,
session_id=sha256(request.session.session_key.encode("ascii")).hexdigest(), session=AuthenticatedSession.objects.filter(
session_key=request.session.session_key
).first(),
) )
if self.code_challenge and self.code_challenge_method: if self.code_challenge and self.code_challenge_method:
@ -610,7 +611,9 @@ class OAuthFulfillmentStage(StageView):
expires=access_token_expiry, expires=access_token_expiry,
provider=self.provider, provider=self.provider,
auth_time=auth_event.created if auth_event else now, auth_time=auth_event.created if auth_event else now,
session_id=sha256(self.request.session.session_key.encode("ascii")).hexdigest(), session=AuthenticatedSession.objects.filter(
session_key=self.request.session.session_key
).first(),
) )
id_token = IDToken.new(self.provider, token, self.request) id_token = IDToken.new(self.provider, token, self.request)

11
authentik/providers/oauth2/views/token.py
View File

@ -550,7 +550,7 @@ class TokenView(View):
# Keep same scopes as previous token # Keep same scopes as previous token
scope=self.params.authorization_code.scope, scope=self.params.authorization_code.scope,
auth_time=self.params.authorization_code.auth_time, auth_time=self.params.authorization_code.auth_time,
session_id=self.params.authorization_code.session_id, session=self.params.authorization_code.session,
) )
access_id_token = IDToken.new( access_id_token = IDToken.new(
self.provider, self.provider,
@ -578,7 +578,7 @@ class TokenView(View):
expires=refresh_token_expiry, expires=refresh_token_expiry,
provider=self.provider, provider=self.provider,
auth_time=self.params.authorization_code.auth_time, auth_time=self.params.authorization_code.auth_time,
session_id=self.params.authorization_code.session_id, session=self.params.authorization_code.session,
) )
id_token = IDToken.new( id_token = IDToken.new(
self.provider, self.provider,
@ -611,7 +611,7 @@ class TokenView(View):
# Keep same scopes as previous token # Keep same scopes as previous token
scope=self.params.refresh_token.scope, scope=self.params.refresh_token.scope,
auth_time=self.params.refresh_token.auth_time, auth_time=self.params.refresh_token.auth_time,
session_id=self.params.refresh_token.session_id, session=self.params.refresh_token.session,
) )
access_token.id_token = IDToken.new( access_token.id_token = IDToken.new(
self.provider, self.provider,
@ -627,7 +627,7 @@ class TokenView(View):
expires=refresh_token_expiry, expires=refresh_token_expiry,
provider=self.provider, provider=self.provider,
auth_time=self.params.refresh_token.auth_time, auth_time=self.params.refresh_token.auth_time,
session_id=self.params.refresh_token.session_id, session=self.params.refresh_token.session,
) )
id_token = IDToken.new( id_token = IDToken.new(
self.provider, self.provider,
@ -685,13 +685,14 @@ class TokenView(View):
raise DeviceCodeError("authorization_pending") raise DeviceCodeError("authorization_pending")
now = timezone.now() now = timezone.now()
access_token_expiry = now + timedelta_from_string(self.provider.access_token_validity) access_token_expiry = now + timedelta_from_string(self.provider.access_token_validity)
auth_event = get_login_event(self.request) auth_event = get_login_event(self.params.device_code.session)
access_token = AccessToken( access_token = AccessToken(
provider=self.provider, provider=self.provider,
user=self.params.device_code.user, user=self.params.device_code.user,
expires=access_token_expiry, expires=access_token_expiry,
scope=self.params.device_code.scope, scope=self.params.device_code.scope,
auth_time=auth_event.created if auth_event else now, auth_time=auth_event.created if auth_event else now,
session=self.params.device_code.session,
) )
access_token.id_token = IDToken.new( access_token.id_token = IDToken.new(
self.provider, self.provider,

5
authentik/providers/proxy/tasks.py
View File

@ -1,13 +1,12 @@
"""proxy provider tasks""" """proxy provider tasks"""
from hashlib import sha256
from asgiref.sync import async_to_sync from asgiref.sync import async_to_sync
from channels.layers import get_channel_layer from channels.layers import get_channel_layer
from django.db import DatabaseError, InternalError, ProgrammingError from django.db import DatabaseError, InternalError, ProgrammingError
from authentik.outposts.consumer import OUTPOST_GROUP from authentik.outposts.consumer import OUTPOST_GROUP
from authentik.outposts.models import Outpost, OutpostType from authentik.outposts.models import Outpost, OutpostType
from authentik.providers.oauth2.id_token import hash_session_key
from authentik.providers.proxy.models import ProxyProvider from authentik.providers.proxy.models import ProxyProvider
from authentik.root.celery import CELERY_APP from authentik.root.celery import CELERY_APP
@ -26,7 +25,7 @@ def proxy_set_defaults():
def proxy_on_logout(session_id: str): def proxy_on_logout(session_id: str):
"""Update outpost instances connected to a single outpost""" """Update outpost instances connected to a single outpost"""
layer = get_channel_layer() layer = get_channel_layer()
hashed_session_id = sha256(session_id.encode("ascii")).hexdigest() hashed_session_id = hash_session_key(session_id)
for outpost in Outpost.objects.filter(type=OutpostType.PROXY): for outpost in Outpost.objects.filter(type=OutpostType.PROXY):
group = OUTPOST_GROUP % {"outpost_pk": str(outpost.pk)} group = OUTPOST_GROUP % {"outpost_pk": str(outpost.pk)}
async_to_sync(layer.group_send)( async_to_sync(layer.group_send)(

4
blueprints/system/providers-proxy.yaml
View File

@ -14,11 +14,7 @@ entries:
expression: | expression: |
# This mapping is used by the authentik proxy. It passes extra user attributes, # This mapping is used by the authentik proxy. It passes extra user attributes,
# which are used for example for the HTTP-Basic Authentication mapping. # which are used for example for the HTTP-Basic Authentication mapping.
session_id = None
if "token" in request.context:
session_id = request.context.get("token").session_id
return { return {
"sid": session_id,
"ak_proxy": { "ak_proxy": {
"user_attributes": request.user.group_attributes(request), "user_attributes": request.user.group_attributes(request),
"is_superuser": request.user.is_superuser, "is_superuser": request.user.is_superuser,

107
locale/en/LC_MESSAGES/django.po
View File

@ -8,7 +8,7 @@ msgid ""
msgstr "" msgstr ""
"Project-Id-Version: PACKAGE VERSION\n" "Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n" "Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2024-10-23 00:08+0000\n" "POT-Creation-Date: 2024-10-23 16:39+0000\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n" "Language-Team: LANGUAGE <LL@li.org>\n"
@ -1843,6 +1843,107 @@ msgstr ""
msgid "Used recovery-link to authenticate." msgid "Used recovery-link to authenticate."
msgstr "" msgstr ""
#: authentik/sources/kerberos/models.py
msgid "Kerberos realm"
msgstr ""
#: authentik/sources/kerberos/models.py
msgid "Custom krb5.conf to use. Uses the system one by default"
msgstr ""
#: authentik/sources/kerberos/models.py
msgid "Sync users from Kerberos into authentik"
msgstr ""
#: authentik/sources/kerberos/models.py
msgid "When a user changes their password, sync it back to Kerberos"
msgstr ""
#: authentik/sources/kerberos/models.py
msgid "Principal to authenticate to kadmin for sync."
msgstr ""
#: authentik/sources/kerberos/models.py
msgid "Password to authenticate to kadmin for sync"
msgstr ""
#: authentik/sources/kerberos/models.py
msgid ""
"Keytab to authenticate to kadmin for sync. Must be base64-encoded or in the "
"form TYPE:residual"
msgstr ""
#: authentik/sources/kerberos/models.py
msgid ""
"Credentials cache to authenticate to kadmin for sync. Must be in the form "
"TYPE:residual"
msgstr ""
#: authentik/sources/kerberos/models.py
msgid ""
"Force the use of a specific server name for SPNEGO. Must be in the form "
"HTTP@hostname"
msgstr ""
#: authentik/sources/kerberos/models.py
msgid "SPNEGO keytab base64-encoded or path to keytab in the form FILE:path"
msgstr ""
#: authentik/sources/kerberos/models.py
msgid "Credential cache to use for SPNEGO in form type:residual"
msgstr ""
#: authentik/sources/kerberos/models.py
msgid ""
"If enabled, the authentik-stored password will be updated upon login with "
"the Kerberos password backend"
msgstr ""
#: authentik/sources/kerberos/models.py
msgid "Kerberos Source"
msgstr ""
#: authentik/sources/kerberos/models.py
msgid "Kerberos Sources"
msgstr ""
#: authentik/sources/kerberos/models.py
msgid "Kerberos Source Property Mapping"
msgstr ""
#: authentik/sources/kerberos/models.py
msgid "Kerberos Source Property Mappings"
msgstr ""
#: authentik/sources/kerberos/models.py
msgid "User Kerberos Source Connection"
msgstr ""
#: authentik/sources/kerberos/models.py
msgid "User Kerberos Source Connections"
msgstr ""
#: authentik/sources/kerberos/models.py
msgid "Group Kerberos Source Connection"
msgstr ""
#: authentik/sources/kerberos/models.py
msgid "Group Kerberos Source Connections"
msgstr ""
#: authentik/sources/kerberos/views.py
msgid "SPNEGO authentication required"
msgstr ""
#: authentik/sources/kerberos/views.py
msgid ""
"\n"
" Make sure you have valid tickets (obtainable via kinit)\n"
" and configured the browser correctly.\n"
" Please contact your administrator.\n"
" "
msgstr ""
#: authentik/sources/ldap/api.py #: authentik/sources/ldap/api.py
msgid "Only a single LDAP Source with password synchronization is allowed" msgid "Only a single LDAP Source with password synchronization is allowed"
msgstr "" msgstr ""
@ -2848,6 +2949,10 @@ msgstr ""
msgid "User database + LDAP password" msgid "User database + LDAP password"
msgstr "" msgstr ""
#: authentik/stages/password/models.py
msgid "User database + Kerberos password"
msgstr ""
#: authentik/stages/password/models.py #: authentik/stages/password/models.py
msgid "Selection of backends to test the password against." msgid "Selection of backends to test the password against."
msgstr "" msgstr ""

BIN
locale/ru/LC_MESSAGES/django.mo
View File

Binary file not shown.

1
tests/e2e/test_provider_oidc.py
View File

@ -157,6 +157,7 @@ class TestProviderOAuth2OIDC(SeleniumTestCase):
body = loads(self.driver.find_element(By.CSS_SELECTOR, "pre").text) body = loads(self.driver.find_element(By.CSS_SELECTOR, "pre").text)
self.assertEqual(body["IDTokenClaims"]["nickname"], self.user.username) self.assertEqual(body["IDTokenClaims"]["nickname"], self.user.username)
self.assertEqual(body["IDTokenClaims"]["amr"], ["pwd"])
self.assertEqual(body["UserInfo"]["nickname"], self.user.username) self.assertEqual(body["UserInfo"]["nickname"], self.user.username)
self.assertEqual(body["IDTokenClaims"]["name"], self.user.name) self.assertEqual(body["IDTokenClaims"]["name"], self.user.name)

6
tests/e2e/test_provider_proxy.py
View File

@ -8,6 +8,7 @@ from time import sleep
from unittest.case import skip, skipUnless from unittest.case import skip, skipUnless
from channels.testing import ChannelsLiveServerTestCase from channels.testing import ChannelsLiveServerTestCase
from jwt import decode
from selenium.webdriver.common.by import By from selenium.webdriver.common.by import By
from authentik.blueprints.tests import apply_blueprint, reconcile_app from authentik.blueprints.tests import apply_blueprint, reconcile_app
@ -107,6 +108,11 @@ class TestProviderProxy(SeleniumTestCase):
self.assertEqual(body["headers"]["X-Authentik-Username"], [self.user.username]) self.assertEqual(body["headers"]["X-Authentik-Username"], [self.user.username])
self.assertEqual(body["headers"]["X-Foo"], ["bar"]) self.assertEqual(body["headers"]["X-Foo"], ["bar"])
raw_jwt: str = body["headers"]["X-Authentik-Jwt"][0]
jwt = decode(raw_jwt, options={"verify_signature": False})
self.assertIsNotNone(jwt["sid"])
self.assertIsNotNone(jwt["ak_proxy"])
self.driver.get("http://localhost:9000/outpost.goauthentik.io/sign_out") self.driver.get("http://localhost:9000/outpost.goauthentik.io/sign_out")
sleep(2) sleep(2)

20
web/src/admin/applications/wizard/methods/radius/ak-application-wizard-authentication-by-radius.ts
View File

@ -75,6 +75,26 @@ export class ApplicationWizardAuthenticationByRadius extends WithBrandConfig(Bas
></ak-text-input> ></ak-text-input>
</div> </div>
</ak-form-group> </ak-form-group>
<ak-form-group>
<span slot="header"> ${msg("Advanced flow settings")} </span>
<div slot="body" class="pf-c-form">
<ak-form-element-horizontal
label=${msg("Invalidation flow")}
name="invalidationFlow"
required
>
<ak-flow-search
flowType=${FlowsInstancesListDesignationEnum.Invalidation}
.currentFlow=${provider?.invalidationFlow}
defaultFlowSlug="default-provider-invalidation-flow"
required
></ak-flow-search>
<p class="pf-c-form__helper-text">
${msg("Flow used when logging out of this provider.")}
</p>
</ak-form-element-horizontal>
</div></ak-form-group
>
</form>`; </form>`;
} }
} }

36
web/src/admin/providers/radius/RadiusProviderForm.ts
View File

@ -1,3 +1,5 @@
import "@goauthentik/admin/common/ak-flow-search/ak-branded-flow-search";
import "@goauthentik/admin/common/ak-flow-search/ak-flow-search";
import { BaseProviderForm } from "@goauthentik/admin/providers/BaseProviderForm"; import { BaseProviderForm } from "@goauthentik/admin/providers/BaseProviderForm";
import { DEFAULT_CONFIG } from "@goauthentik/common/api/config"; import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
import { ascii_letters, digits, first, randomString } from "@goauthentik/common/utils"; import { ascii_letters, digits, first, randomString } from "@goauthentik/common/utils";
@ -70,7 +72,8 @@ export class RadiusProviderFormPage extends WithBrandConfig(BaseProviderForm<Rad
// weird-- we're looking up Authentication flows, but we're storing them in the Authorization // weird-- we're looking up Authentication flows, but we're storing them in the Authorization
// field of the target Provider. // field of the target Provider.
renderForm(): TemplateResult { renderForm(): TemplateResult {
return html` <ak-form-element-horizontal label=${msg("Name")} ?required=${true} name="name"> return html`
<ak-form-element-horizontal label=${msg("Name")} required name="name">
<input <input
type="text" type="text"
value="${ifDefined(this.instance?.name)}" value="${ifDefined(this.instance?.name)}"
@ -80,7 +83,7 @@ export class RadiusProviderFormPage extends WithBrandConfig(BaseProviderForm<Rad
</ak-form-element-horizontal> </ak-form-element-horizontal>
<ak-form-element-horizontal <ak-form-element-horizontal
label=${msg("Authentication flow")} label=${msg("Authentication flow")}
?required=${true} required
name="authorizationFlow" name="authorizationFlow"
> >
<ak-branded-flow-search <ak-branded-flow-search
@ -112,12 +115,12 @@ export class RadiusProviderFormPage extends WithBrandConfig(BaseProviderForm<Rad
</p> </p>
</ak-form-element-horizontal> </ak-form-element-horizontal>
<ak-form-group .expanded=${true}> <ak-form-group expanded>
<span slot="header"> ${msg("Protocol settings")} </span> <span slot="header"> ${msg("Protocol settings")} </span>
<div slot="body" class="pf-c-form"> <div slot="body" class="pf-c-form">
<ak-form-element-horizontal <ak-form-element-horizontal
label=${msg("Shared secret")} label=${msg("Shared secret")}
?required=${true} required
name="sharedSecret" name="sharedSecret"
> >
<input <input
@ -132,7 +135,7 @@ export class RadiusProviderFormPage extends WithBrandConfig(BaseProviderForm<Rad
</ak-form-element-horizontal> </ak-form-element-horizontal>
<ak-form-element-horizontal <ak-form-element-horizontal
label=${msg("Client Networks")} label=${msg("Client Networks")}
?required=${true} required
name="clientNetworks" name="clientNetworks"
> >
<input <input
@ -161,7 +164,28 @@ export class RadiusProviderFormPage extends WithBrandConfig(BaseProviderForm<Rad
></ak-dual-select-dynamic-selected> ></ak-dual-select-dynamic-selected>
</ak-form-element-horizontal> </ak-form-element-horizontal>
</div> </div>
</ak-form-group>`; </ak-form-group>
<ak-form-group>
<span slot="header"> ${msg("Advanced flow settings")} </span>
<div slot="body" class="pf-c-form">
<ak-form-element-horizontal
label=${msg("Invalidation flow")}
name="invalidationFlow"
required
>
<ak-flow-search
flowType=${FlowsInstancesListDesignationEnum.Invalidation}
.currentFlow=${this.instance?.invalidationFlow}
defaultFlowSlug="default-provider-invalidation-flow"
required
></ak-flow-search>
<p class="pf-c-form__helper-text">
${msg("Flow used when logging out of this provider.")}
</p>
</ak-form-element-horizontal>
</div></ak-form-group
>
`;
} }
} }

4
web/src/admin/stages/identification/IdentificationStageForm.ts
View File

@ -236,8 +236,8 @@ export class IdentificationStageForm extends BaseStageForm<IdentificationStage>
<ak-dual-select-dynamic-selected <ak-dual-select-dynamic-selected
.provider=${sourcesProvider} .provider=${sourcesProvider}
.selector=${makeSourcesSelector(this.instance?.sources)} .selector=${makeSourcesSelector(this.instance?.sources)}
available-label="${msg("Available Stages")}" available-label="${msg("Available Sources")}"
selected-label="${msg("Selected Stages")}" selected-label="${msg("Selected Sources")}"
></ak-dual-select-dynamic-selected> ></ak-dual-select-dynamic-selected>
<p class="pf-c-form__helper-text"> <p class="pf-c-form__helper-text">
${msg( ${msg(

2
web/src/elements/oauth/UserAccessTokenList.ts
View File

@ -34,7 +34,7 @@ export class UserOAuthAccessTokenList extends Table<TokenModel> {
} }
checkbox = true; checkbox = true;
order = "expires"; order = "-expires";
columns(): TableColumn[] { columns(): TableColumn[] {
return [ return [

2
web/src/elements/oauth/UserRefreshTokenList.ts
View File

@ -35,7 +35,7 @@ export class UserOAuthRefreshTokenList extends Table<TokenModel> {
checkbox = true; checkbox = true;
clearOnRefresh = true; clearOnRefresh = true;
order = "expires"; order = "-expires";
columns(): TableColumn[] { columns(): TableColumn[] {
return [ return [

75
web/xliff/de.xlf
View File

@ -6940,6 +6940,81 @@ Bindings to groups/users are checked against the user of the event.</source>
</trans-unit> </trans-unit>
<trans-unit id="s013620384af7c8b4"> <trans-unit id="s013620384af7c8b4">
<source>Device type <x id="0" equiv-text="${device.verboseName}"/> cannot be edited</source> <source>Device type <x id="0" equiv-text="${device.verboseName}"/> cannot be edited</source>
</trans-unit>
<trans-unit id="s4347135696fc7cde">
<source>Advanced flow settings</source>
</trans-unit>
<trans-unit id="sf52ff57fd136cc2f">
<source>Enable this option to write password changes made in authentik back to Kerberos. Ignored if sync is disabled.</source>
</trans-unit>
<trans-unit id="s14a16542f956e11d">
<source>Realm settings</source>
</trans-unit>
<trans-unit id="s9c2eae548d3c1c30">
<source>Realm</source>
</trans-unit>
<trans-unit id="s6b032212997e2491">
<source>Kerberos 5 configuration</source>
</trans-unit>
<trans-unit id="sbf50181022f47de3">
<source>Kerberos 5 configuration. See man krb5.conf(5) for configuration format. If left empty, a default krb5.conf will be used.</source>
</trans-unit>
<trans-unit id="s2386539a0bd62fab">
<source>Sync connection settings</source>
</trans-unit>
<trans-unit id="s0d1a6f3fe81351f8">
<source>Sync principal</source>
</trans-unit>
<trans-unit id="sa691d6e1974295fa">
<source>Principal used to authenticate to the KDC for syncing.</source>
</trans-unit>
<trans-unit id="s977b9c629eed3d33">
<source>Sync password</source>
</trans-unit>
<trans-unit id="s77772860385de948">
<source>Password used to authenticate to the KDC for syncing. Optional if Sync keytab or Sync credentials cache is provided.</source>
</trans-unit>
<trans-unit id="sc59ec59c3d5e74dc">
<source>Sync keytab</source>
</trans-unit>
<trans-unit id="scd42997958453f05">
<source>Keytab used to authenticate to the KDC for syncing. Optional if Sync password or Sync credentials cache is provided. Must be base64 encoded or in the form TYPE:residual.</source>
</trans-unit>
<trans-unit id="s60eaf439ccdca1f2">
<source>Sync credentials cache</source>
</trans-unit>
<trans-unit id="s95722900b0c9026f">
<source>Credentials cache used to authenticate to the KDC for syncing. Optional if Sync password or Sync keytab is provided. Must be in the form TYPE:residual.</source>
</trans-unit>
<trans-unit id="sf9c055db98d7994a">
<source>SPNEGO settings</source>
</trans-unit>
<trans-unit id="sab580a45dc46937f">
<source>SPNEGO server name</source>
</trans-unit>
<trans-unit id="s7a79d6174d17ab2d">
<source>Force the use of a specific server name for SPNEGO. Must be in the form HTTP@domain</source>
</trans-unit>
<trans-unit id="sa4ba2b2081472ccd">
<source>SPNEGO keytab</source>
</trans-unit>
<trans-unit id="s64adda975c1106c0">
<source>Keytab used for SPNEGO. Optional if SPNEGO credentials cache is provided. Must be base64 encoded or in the form TYPE:residual.</source>
</trans-unit>
<trans-unit id="s92247825b92587b5">
<source>SPNEGO credentials cache</source>
</trans-unit>
<trans-unit id="sd9757c345e4062f8">
<source>Credentials cache used for SPNEGO. Optional if SPNEGO keytab is provided. Must be in the form TYPE:residual.</source>
</trans-unit>
<trans-unit id="s734ab8fbcae0b69e">
<source>Kerberos Attribute mapping</source>
</trans-unit>
<trans-unit id="s2c378e86e025fdb2">
<source>Update Kerberos Source</source>
</trans-unit>
<trans-unit id="s03e4044abe0b556c">
<source>User database + Kerberos password</source>
</trans-unit> </trans-unit>
</body> </body>
</file> </file>

75
web/xliff/en.xlf
View File

@ -7205,6 +7205,81 @@ Bindings to groups/users are checked against the user of the event.</source>
</trans-unit> </trans-unit>
<trans-unit id="s013620384af7c8b4"> <trans-unit id="s013620384af7c8b4">
<source>Device type <x id="0" equiv-text="${device.verboseName}"/> cannot be edited</source> <source>Device type <x id="0" equiv-text="${device.verboseName}"/> cannot be edited</source>
</trans-unit>
<trans-unit id="s4347135696fc7cde">
<source>Advanced flow settings</source>
</trans-unit>
<trans-unit id="sf52ff57fd136cc2f">
<source>Enable this option to write password changes made in authentik back to Kerberos. Ignored if sync is disabled.</source>
</trans-unit>
<trans-unit id="s14a16542f956e11d">
<source>Realm settings</source>
</trans-unit>
<trans-unit id="s9c2eae548d3c1c30">
<source>Realm</source>
</trans-unit>
<trans-unit id="s6b032212997e2491">
<source>Kerberos 5 configuration</source>
</trans-unit>
<trans-unit id="sbf50181022f47de3">
<source>Kerberos 5 configuration. See man krb5.conf(5) for configuration format. If left empty, a default krb5.conf will be used.</source>
</trans-unit>
<trans-unit id="s2386539a0bd62fab">
<source>Sync connection settings</source>
</trans-unit>
<trans-unit id="s0d1a6f3fe81351f8">
<source>Sync principal</source>
</trans-unit>
<trans-unit id="sa691d6e1974295fa">
<source>Principal used to authenticate to the KDC for syncing.</source>
</trans-unit>
<trans-unit id="s977b9c629eed3d33">
<source>Sync password</source>
</trans-unit>
<trans-unit id="s77772860385de948">
<source>Password used to authenticate to the KDC for syncing. Optional if Sync keytab or Sync credentials cache is provided.</source>
</trans-unit>
<trans-unit id="sc59ec59c3d5e74dc">
<source>Sync keytab</source>
</trans-unit>
<trans-unit id="scd42997958453f05">
<source>Keytab used to authenticate to the KDC for syncing. Optional if Sync password or Sync credentials cache is provided. Must be base64 encoded or in the form TYPE:residual.</source>
</trans-unit>
<trans-unit id="s60eaf439ccdca1f2">
<source>Sync credentials cache</source>
</trans-unit>
<trans-unit id="s95722900b0c9026f">
<source>Credentials cache used to authenticate to the KDC for syncing. Optional if Sync password or Sync keytab is provided. Must be in the form TYPE:residual.</source>
</trans-unit>
<trans-unit id="sf9c055db98d7994a">
<source>SPNEGO settings</source>
</trans-unit>
<trans-unit id="sab580a45dc46937f">
<source>SPNEGO server name</source>
</trans-unit>
<trans-unit id="s7a79d6174d17ab2d">
<source>Force the use of a specific server name for SPNEGO. Must be in the form HTTP@domain</source>
</trans-unit>
<trans-unit id="sa4ba2b2081472ccd">
<source>SPNEGO keytab</source>
</trans-unit>
<trans-unit id="s64adda975c1106c0">
<source>Keytab used for SPNEGO. Optional if SPNEGO credentials cache is provided. Must be base64 encoded or in the form TYPE:residual.</source>
</trans-unit>
<trans-unit id="s92247825b92587b5">
<source>SPNEGO credentials cache</source>
</trans-unit>
<trans-unit id="sd9757c345e4062f8">
<source>Credentials cache used for SPNEGO. Optional if SPNEGO keytab is provided. Must be in the form TYPE:residual.</source>
</trans-unit>
<trans-unit id="s734ab8fbcae0b69e">
<source>Kerberos Attribute mapping</source>
</trans-unit>
<trans-unit id="s2c378e86e025fdb2">
<source>Update Kerberos Source</source>
</trans-unit>
<trans-unit id="s03e4044abe0b556c">
<source>User database + Kerberos password</source>
</trans-unit> </trans-unit>
</body> </body>
</file> </file>

75
web/xliff/es.xlf
View File

@ -6857,6 +6857,81 @@ Bindings to groups/users are checked against the user of the event.</source>
</trans-unit> </trans-unit>
<trans-unit id="s013620384af7c8b4"> <trans-unit id="s013620384af7c8b4">
<source>Device type <x id="0" equiv-text="${device.verboseName}"/> cannot be edited</source> <source>Device type <x id="0" equiv-text="${device.verboseName}"/> cannot be edited</source>
</trans-unit>
<trans-unit id="s4347135696fc7cde">
<source>Advanced flow settings</source>
</trans-unit>
<trans-unit id="sf52ff57fd136cc2f">
<source>Enable this option to write password changes made in authentik back to Kerberos. Ignored if sync is disabled.</source>
</trans-unit>
<trans-unit id="s14a16542f956e11d">
<source>Realm settings</source>
</trans-unit>
<trans-unit id="s9c2eae548d3c1c30">
<source>Realm</source>
</trans-unit>
<trans-unit id="s6b032212997e2491">
<source>Kerberos 5 configuration</source>
</trans-unit>
<trans-unit id="sbf50181022f47de3">
<source>Kerberos 5 configuration. See man krb5.conf(5) for configuration format. If left empty, a default krb5.conf will be used.</source>
</trans-unit>
<trans-unit id="s2386539a0bd62fab">
<source>Sync connection settings</source>
</trans-unit>
<trans-unit id="s0d1a6f3fe81351f8">
<source>Sync principal</source>
</trans-unit>
<trans-unit id="sa691d6e1974295fa">
<source>Principal used to authenticate to the KDC for syncing.</source>
</trans-unit>
<trans-unit id="s977b9c629eed3d33">
<source>Sync password</source>
</trans-unit>
<trans-unit id="s77772860385de948">
<source>Password used to authenticate to the KDC for syncing. Optional if Sync keytab or Sync credentials cache is provided.</source>
</trans-unit>
<trans-unit id="sc59ec59c3d5e74dc">
<source>Sync keytab</source>
</trans-unit>
<trans-unit id="scd42997958453f05">
<source>Keytab used to authenticate to the KDC for syncing. Optional if Sync password or Sync credentials cache is provided. Must be base64 encoded or in the form TYPE:residual.</source>
</trans-unit>
<trans-unit id="s60eaf439ccdca1f2">
<source>Sync credentials cache</source>
</trans-unit>
<trans-unit id="s95722900b0c9026f">
<source>Credentials cache used to authenticate to the KDC for syncing. Optional if Sync password or Sync keytab is provided. Must be in the form TYPE:residual.</source>
</trans-unit>
<trans-unit id="sf9c055db98d7994a">
<source>SPNEGO settings</source>
</trans-unit>
<trans-unit id="sab580a45dc46937f">
<source>SPNEGO server name</source>
</trans-unit>
<trans-unit id="s7a79d6174d17ab2d">
<source>Force the use of a specific server name for SPNEGO. Must be in the form HTTP@domain</source>
</trans-unit>
<trans-unit id="sa4ba2b2081472ccd">
<source>SPNEGO keytab</source>
</trans-unit>
<trans-unit id="s64adda975c1106c0">
<source>Keytab used for SPNEGO. Optional if SPNEGO credentials cache is provided. Must be base64 encoded or in the form TYPE:residual.</source>
</trans-unit>
<trans-unit id="s92247825b92587b5">
<source>SPNEGO credentials cache</source>
</trans-unit>
<trans-unit id="sd9757c345e4062f8">
<source>Credentials cache used for SPNEGO. Optional if SPNEGO keytab is provided. Must be in the form TYPE:residual.</source>
</trans-unit>
<trans-unit id="s734ab8fbcae0b69e">
<source>Kerberos Attribute mapping</source>
</trans-unit>
<trans-unit id="s2c378e86e025fdb2">
<source>Update Kerberos Source</source>
</trans-unit>
<trans-unit id="s03e4044abe0b556c">
<source>User database + Kerberos password</source>
</trans-unit> </trans-unit>
</body> </body>
</file> </file>

75
web/xliff/fr.xlf
View File

@ -9140,6 +9140,81 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l'uti
</trans-unit> </trans-unit>
<trans-unit id="s013620384af7c8b4"> <trans-unit id="s013620384af7c8b4">
<source>Device type <x id="0" equiv-text="${device.verboseName}"/> cannot be edited</source> <source>Device type <x id="0" equiv-text="${device.verboseName}"/> cannot be edited</source>
</trans-unit>
<trans-unit id="s4347135696fc7cde">
<source>Advanced flow settings</source>
</trans-unit>
<trans-unit id="sf52ff57fd136cc2f">
<source>Enable this option to write password changes made in authentik back to Kerberos. Ignored if sync is disabled.</source>
</trans-unit>
<trans-unit id="s14a16542f956e11d">
<source>Realm settings</source>
</trans-unit>
<trans-unit id="s9c2eae548d3c1c30">
<source>Realm</source>
</trans-unit>
<trans-unit id="s6b032212997e2491">
<source>Kerberos 5 configuration</source>
</trans-unit>
<trans-unit id="sbf50181022f47de3">
<source>Kerberos 5 configuration. See man krb5.conf(5) for configuration format. If left empty, a default krb5.conf will be used.</source>
</trans-unit>
<trans-unit id="s2386539a0bd62fab">
<source>Sync connection settings</source>
</trans-unit>
<trans-unit id="s0d1a6f3fe81351f8">
<source>Sync principal</source>
</trans-unit>
<trans-unit id="sa691d6e1974295fa">
<source>Principal used to authenticate to the KDC for syncing.</source>
</trans-unit>
<trans-unit id="s977b9c629eed3d33">
<source>Sync password</source>
</trans-unit>
<trans-unit id="s77772860385de948">
<source>Password used to authenticate to the KDC for syncing. Optional if Sync keytab or Sync credentials cache is provided.</source>
</trans-unit>
<trans-unit id="sc59ec59c3d5e74dc">
<source>Sync keytab</source>
</trans-unit>
<trans-unit id="scd42997958453f05">
<source>Keytab used to authenticate to the KDC for syncing. Optional if Sync password or Sync credentials cache is provided. Must be base64 encoded or in the form TYPE:residual.</source>
</trans-unit>
<trans-unit id="s60eaf439ccdca1f2">
<source>Sync credentials cache</source>
</trans-unit>
<trans-unit id="s95722900b0c9026f">
<source>Credentials cache used to authenticate to the KDC for syncing. Optional if Sync password or Sync keytab is provided. Must be in the form TYPE:residual.</source>
</trans-unit>
<trans-unit id="sf9c055db98d7994a">
<source>SPNEGO settings</source>
</trans-unit>
<trans-unit id="sab580a45dc46937f">
<source>SPNEGO server name</source>
</trans-unit>
<trans-unit id="s7a79d6174d17ab2d">
<source>Force the use of a specific server name for SPNEGO. Must be in the form HTTP@domain</source>
</trans-unit>
<trans-unit id="sa4ba2b2081472ccd">
<source>SPNEGO keytab</source>
</trans-unit>
<trans-unit id="s64adda975c1106c0">
<source>Keytab used for SPNEGO. Optional if SPNEGO credentials cache is provided. Must be base64 encoded or in the form TYPE:residual.</source>
</trans-unit>
<trans-unit id="s92247825b92587b5">
<source>SPNEGO credentials cache</source>
</trans-unit>
<trans-unit id="sd9757c345e4062f8">
<source>Credentials cache used for SPNEGO. Optional if SPNEGO keytab is provided. Must be in the form TYPE:residual.</source>
</trans-unit>
<trans-unit id="s734ab8fbcae0b69e">
<source>Kerberos Attribute mapping</source>
</trans-unit>
<trans-unit id="s2c378e86e025fdb2">
<source>Update Kerberos Source</source>
</trans-unit>
<trans-unit id="s03e4044abe0b556c">
<source>User database + Kerberos password</source>
</trans-unit> </trans-unit>
</body> </body>
</file> </file>

75
web/xliff/ko.xlf
View File

@ -8774,6 +8774,81 @@ Bindings to groups/users are checked against the user of the event.</source>
</trans-unit> </trans-unit>
<trans-unit id="s013620384af7c8b4"> <trans-unit id="s013620384af7c8b4">
<source>Device type <x id="0" equiv-text="${device.verboseName}"/> cannot be edited</source> <source>Device type <x id="0" equiv-text="${device.verboseName}"/> cannot be edited</source>
</trans-unit>
<trans-unit id="s4347135696fc7cde">
<source>Advanced flow settings</source>
</trans-unit>
<trans-unit id="sf52ff57fd136cc2f">
<source>Enable this option to write password changes made in authentik back to Kerberos. Ignored if sync is disabled.</source>
</trans-unit>
<trans-unit id="s14a16542f956e11d">
<source>Realm settings</source>
</trans-unit>
<trans-unit id="s9c2eae548d3c1c30">
<source>Realm</source>
</trans-unit>
<trans-unit id="s6b032212997e2491">
<source>Kerberos 5 configuration</source>
</trans-unit>
<trans-unit id="sbf50181022f47de3">
<source>Kerberos 5 configuration. See man krb5.conf(5) for configuration format. If left empty, a default krb5.conf will be used.</source>
</trans-unit>
<trans-unit id="s2386539a0bd62fab">
<source>Sync connection settings</source>
</trans-unit>
<trans-unit id="s0d1a6f3fe81351f8">
<source>Sync principal</source>
</trans-unit>
<trans-unit id="sa691d6e1974295fa">
<source>Principal used to authenticate to the KDC for syncing.</source>
</trans-unit>
<trans-unit id="s977b9c629eed3d33">
<source>Sync password</source>
</trans-unit>
<trans-unit id="s77772860385de948">
<source>Password used to authenticate to the KDC for syncing. Optional if Sync keytab or Sync credentials cache is provided.</source>
</trans-unit>
<trans-unit id="sc59ec59c3d5e74dc">
<source>Sync keytab</source>
</trans-unit>
<trans-unit id="scd42997958453f05">
<source>Keytab used to authenticate to the KDC for syncing. Optional if Sync password or Sync credentials cache is provided. Must be base64 encoded or in the form TYPE:residual.</source>
</trans-unit>
<trans-unit id="s60eaf439ccdca1f2">
<source>Sync credentials cache</source>
</trans-unit>
<trans-unit id="s95722900b0c9026f">
<source>Credentials cache used to authenticate to the KDC for syncing. Optional if Sync password or Sync keytab is provided. Must be in the form TYPE:residual.</source>
</trans-unit>
<trans-unit id="sf9c055db98d7994a">
<source>SPNEGO settings</source>
</trans-unit>
<trans-unit id="sab580a45dc46937f">
<source>SPNEGO server name</source>
</trans-unit>
<trans-unit id="s7a79d6174d17ab2d">
<source>Force the use of a specific server name for SPNEGO. Must be in the form HTTP@domain</source>
</trans-unit>
<trans-unit id="sa4ba2b2081472ccd">
<source>SPNEGO keytab</source>
</trans-unit>
<trans-unit id="s64adda975c1106c0">
<source>Keytab used for SPNEGO. Optional if SPNEGO credentials cache is provided. Must be base64 encoded or in the form TYPE:residual.</source>
</trans-unit>
<trans-unit id="s92247825b92587b5">
<source>SPNEGO credentials cache</source>
</trans-unit>
<trans-unit id="sd9757c345e4062f8">
<source>Credentials cache used for SPNEGO. Optional if SPNEGO keytab is provided. Must be in the form TYPE:residual.</source>
</trans-unit>
<trans-unit id="s734ab8fbcae0b69e">
<source>Kerberos Attribute mapping</source>
</trans-unit>
<trans-unit id="s2c378e86e025fdb2">
<source>Update Kerberos Source</source>
</trans-unit>
<trans-unit id="s03e4044abe0b556c">
<source>User database + Kerberos password</source>
</trans-unit> </trans-unit>
</body> </body>
</file> </file>

75
web/xliff/nl.xlf
View File

@ -8620,6 +8620,81 @@ Bindingen naar groepen/gebruikers worden gecontroleerd tegen de gebruiker van de
</trans-unit> </trans-unit>
<trans-unit id="s013620384af7c8b4"> <trans-unit id="s013620384af7c8b4">
<source>Device type <x id="0" equiv-text="${device.verboseName}"/> cannot be edited</source> <source>Device type <x id="0" equiv-text="${device.verboseName}"/> cannot be edited</source>
</trans-unit>
<trans-unit id="s4347135696fc7cde">
<source>Advanced flow settings</source>
</trans-unit>
<trans-unit id="sf52ff57fd136cc2f">
<source>Enable this option to write password changes made in authentik back to Kerberos. Ignored if sync is disabled.</source>
</trans-unit>
<trans-unit id="s14a16542f956e11d">
<source>Realm settings</source>
</trans-unit>
<trans-unit id="s9c2eae548d3c1c30">
<source>Realm</source>
</trans-unit>
<trans-unit id="s6b032212997e2491">
<source>Kerberos 5 configuration</source>
</trans-unit>
<trans-unit id="sbf50181022f47de3">
<source>Kerberos 5 configuration. See man krb5.conf(5) for configuration format. If left empty, a default krb5.conf will be used.</source>
</trans-unit>
<trans-unit id="s2386539a0bd62fab">
<source>Sync connection settings</source>
</trans-unit>
<trans-unit id="s0d1a6f3fe81351f8">
<source>Sync principal</source>
</trans-unit>
<trans-unit id="sa691d6e1974295fa">
<source>Principal used to authenticate to the KDC for syncing.</source>
</trans-unit>
<trans-unit id="s977b9c629eed3d33">
<source>Sync password</source>
</trans-unit>
<trans-unit id="s77772860385de948">
<source>Password used to authenticate to the KDC for syncing. Optional if Sync keytab or Sync credentials cache is provided.</source>
</trans-unit>
<trans-unit id="sc59ec59c3d5e74dc">
<source>Sync keytab</source>
</trans-unit>
<trans-unit id="scd42997958453f05">
<source>Keytab used to authenticate to the KDC for syncing. Optional if Sync password or Sync credentials cache is provided. Must be base64 encoded or in the form TYPE:residual.</source>
</trans-unit>
<trans-unit id="s60eaf439ccdca1f2">
<source>Sync credentials cache</source>
</trans-unit>
<trans-unit id="s95722900b0c9026f">
<source>Credentials cache used to authenticate to the KDC for syncing. Optional if Sync password or Sync keytab is provided. Must be in the form TYPE:residual.</source>
</trans-unit>
<trans-unit id="sf9c055db98d7994a">
<source>SPNEGO settings</source>
</trans-unit>
<trans-unit id="sab580a45dc46937f">
<source>SPNEGO server name</source>
</trans-unit>
<trans-unit id="s7a79d6174d17ab2d">
<source>Force the use of a specific server name for SPNEGO. Must be in the form HTTP@domain</source>
</trans-unit>
<trans-unit id="sa4ba2b2081472ccd">
<source>SPNEGO keytab</source>
</trans-unit>
<trans-unit id="s64adda975c1106c0">
<source>Keytab used for SPNEGO. Optional if SPNEGO credentials cache is provided. Must be base64 encoded or in the form TYPE:residual.</source>
</trans-unit>
<trans-unit id="s92247825b92587b5">
<source>SPNEGO credentials cache</source>
</trans-unit>
<trans-unit id="sd9757c345e4062f8">
<source>Credentials cache used for SPNEGO. Optional if SPNEGO keytab is provided. Must be in the form TYPE:residual.</source>
</trans-unit>
<trans-unit id="s734ab8fbcae0b69e">
<source>Kerberos Attribute mapping</source>
</trans-unit>
<trans-unit id="s2c378e86e025fdb2">
<source>Update Kerberos Source</source>
</trans-unit>
<trans-unit id="s03e4044abe0b556c">
<source>User database + Kerberos password</source>
</trans-unit> </trans-unit>
</body> </body>
</file> </file>

75
web/xliff/pl.xlf
View File

@ -9039,6 +9039,81 @@ Powiązania z grupami/użytkownikami są sprawdzane względem użytkownika zdarz
</trans-unit> </trans-unit>
<trans-unit id="s013620384af7c8b4"> <trans-unit id="s013620384af7c8b4">
<source>Device type <x id="0" equiv-text="${device.verboseName}"/> cannot be edited</source> <source>Device type <x id="0" equiv-text="${device.verboseName}"/> cannot be edited</source>
</trans-unit>
<trans-unit id="s4347135696fc7cde">
<source>Advanced flow settings</source>
</trans-unit>
<trans-unit id="sf52ff57fd136cc2f">
<source>Enable this option to write password changes made in authentik back to Kerberos. Ignored if sync is disabled.</source>
</trans-unit>
<trans-unit id="s14a16542f956e11d">
<source>Realm settings</source>
</trans-unit>
<trans-unit id="s9c2eae548d3c1c30">
<source>Realm</source>
</trans-unit>
<trans-unit id="s6b032212997e2491">
<source>Kerberos 5 configuration</source>
</trans-unit>
<trans-unit id="sbf50181022f47de3">
<source>Kerberos 5 configuration. See man krb5.conf(5) for configuration format. If left empty, a default krb5.conf will be used.</source>
</trans-unit>
<trans-unit id="s2386539a0bd62fab">
<source>Sync connection settings</source>
</trans-unit>
<trans-unit id="s0d1a6f3fe81351f8">
<source>Sync principal</source>
</trans-unit>
<trans-unit id="sa691d6e1974295fa">
<source>Principal used to authenticate to the KDC for syncing.</source>
</trans-unit>
<trans-unit id="s977b9c629eed3d33">
<source>Sync password</source>
</trans-unit>
<trans-unit id="s77772860385de948">
<source>Password used to authenticate to the KDC for syncing. Optional if Sync keytab or Sync credentials cache is provided.</source>
</trans-unit>
<trans-unit id="sc59ec59c3d5e74dc">
<source>Sync keytab</source>
</trans-unit>
<trans-unit id="scd42997958453f05">
<source>Keytab used to authenticate to the KDC for syncing. Optional if Sync password or Sync credentials cache is provided. Must be base64 encoded or in the form TYPE:residual.</source>
</trans-unit>
<trans-unit id="s60eaf439ccdca1f2">
<source>Sync credentials cache</source>
</trans-unit>
<trans-unit id="s95722900b0c9026f">
<source>Credentials cache used to authenticate to the KDC for syncing. Optional if Sync password or Sync keytab is provided. Must be in the form TYPE:residual.</source>
</trans-unit>
<trans-unit id="sf9c055db98d7994a">
<source>SPNEGO settings</source>
</trans-unit>
<trans-unit id="sab580a45dc46937f">
<source>SPNEGO server name</source>
</trans-unit>
<trans-unit id="s7a79d6174d17ab2d">
<source>Force the use of a specific server name for SPNEGO. Must be in the form HTTP@domain</source>
</trans-unit>
<trans-unit id="sa4ba2b2081472ccd">
<source>SPNEGO keytab</source>
</trans-unit>
<trans-unit id="s64adda975c1106c0">
<source>Keytab used for SPNEGO. Optional if SPNEGO credentials cache is provided. Must be base64 encoded or in the form TYPE:residual.</source>
</trans-unit>
<trans-unit id="s92247825b92587b5">
<source>SPNEGO credentials cache</source>
</trans-unit>
<trans-unit id="sd9757c345e4062f8">
<source>Credentials cache used for SPNEGO. Optional if SPNEGO keytab is provided. Must be in the form TYPE:residual.</source>
</trans-unit>
<trans-unit id="s734ab8fbcae0b69e">
<source>Kerberos Attribute mapping</source>
</trans-unit>
<trans-unit id="s2c378e86e025fdb2">
<source>Update Kerberos Source</source>
</trans-unit>
<trans-unit id="s03e4044abe0b556c">
<source>User database + Kerberos password</source>
</trans-unit> </trans-unit>
</body> </body>
</file> </file>

75
web/xliff/pseudo-LOCALE.xlf
View File

@ -9079,4 +9079,79 @@ Bindings to groups/users are checked against the user of the event.</source>
<trans-unit id="s013620384af7c8b4"> <trans-unit id="s013620384af7c8b4">
<source>Device type <x id="0" equiv-text="${device.verboseName}"/> cannot be edited</source> <source>Device type <x id="0" equiv-text="${device.verboseName}"/> cannot be edited</source>
</trans-unit> </trans-unit>
<trans-unit id="s4347135696fc7cde">
<source>Advanced flow settings</source>
</trans-unit>
<trans-unit id="sf52ff57fd136cc2f">
<source>Enable this option to write password changes made in authentik back to Kerberos. Ignored if sync is disabled.</source>
</trans-unit>
<trans-unit id="s14a16542f956e11d">
<source>Realm settings</source>
</trans-unit>
<trans-unit id="s9c2eae548d3c1c30">
<source>Realm</source>
</trans-unit>
<trans-unit id="s6b032212997e2491">
<source>Kerberos 5 configuration</source>
</trans-unit>
<trans-unit id="sbf50181022f47de3">
<source>Kerberos 5 configuration. See man krb5.conf(5) for configuration format. If left empty, a default krb5.conf will be used.</source>
</trans-unit>
<trans-unit id="s2386539a0bd62fab">
<source>Sync connection settings</source>
</trans-unit>
<trans-unit id="s0d1a6f3fe81351f8">
<source>Sync principal</source>
</trans-unit>
<trans-unit id="sa691d6e1974295fa">
<source>Principal used to authenticate to the KDC for syncing.</source>
</trans-unit>
<trans-unit id="s977b9c629eed3d33">
<source>Sync password</source>
</trans-unit>
<trans-unit id="s77772860385de948">
<source>Password used to authenticate to the KDC for syncing. Optional if Sync keytab or Sync credentials cache is provided.</source>
</trans-unit>
<trans-unit id="sc59ec59c3d5e74dc">
<source>Sync keytab</source>
</trans-unit>
<trans-unit id="scd42997958453f05">
<source>Keytab used to authenticate to the KDC for syncing. Optional if Sync password or Sync credentials cache is provided. Must be base64 encoded or in the form TYPE:residual.</source>
</trans-unit>
<trans-unit id="s60eaf439ccdca1f2">
<source>Sync credentials cache</source>
</trans-unit>
<trans-unit id="s95722900b0c9026f">
<source>Credentials cache used to authenticate to the KDC for syncing. Optional if Sync password or Sync keytab is provided. Must be in the form TYPE:residual.</source>
</trans-unit>
<trans-unit id="sf9c055db98d7994a">
<source>SPNEGO settings</source>
</trans-unit>
<trans-unit id="sab580a45dc46937f">
<source>SPNEGO server name</source>
</trans-unit>
<trans-unit id="s7a79d6174d17ab2d">
<source>Force the use of a specific server name for SPNEGO. Must be in the form HTTP@domain</source>
</trans-unit>
<trans-unit id="sa4ba2b2081472ccd">
<source>SPNEGO keytab</source>
</trans-unit>
<trans-unit id="s64adda975c1106c0">
<source>Keytab used for SPNEGO. Optional if SPNEGO credentials cache is provided. Must be base64 encoded or in the form TYPE:residual.</source>
</trans-unit>
<trans-unit id="s92247825b92587b5">
<source>SPNEGO credentials cache</source>
</trans-unit>
<trans-unit id="sd9757c345e4062f8">
<source>Credentials cache used for SPNEGO. Optional if SPNEGO keytab is provided. Must be in the form TYPE:residual.</source>
</trans-unit>
<trans-unit id="s734ab8fbcae0b69e">
<source>Kerberos Attribute mapping</source>
</trans-unit>
<trans-unit id="s2c378e86e025fdb2">
<source>Update Kerberos Source</source>
</trans-unit>
<trans-unit id="s03e4044abe0b556c">
<source>User database + Kerberos password</source>
</trans-unit>
</body></file></xliff> </body></file></xliff>

75
web/xliff/ru.xlf
View File

@ -9102,6 +9102,81 @@ Bindings to groups/users are checked against the user of the event.</source>
</trans-unit> </trans-unit>
<trans-unit id="s013620384af7c8b4"> <trans-unit id="s013620384af7c8b4">
<source>Device type <x id="0" equiv-text="${device.verboseName}"/> cannot be edited</source> <source>Device type <x id="0" equiv-text="${device.verboseName}"/> cannot be edited</source>
</trans-unit>
<trans-unit id="s4347135696fc7cde">
<source>Advanced flow settings</source>
</trans-unit>
<trans-unit id="sf52ff57fd136cc2f">
<source>Enable this option to write password changes made in authentik back to Kerberos. Ignored if sync is disabled.</source>
</trans-unit>
<trans-unit id="s14a16542f956e11d">
<source>Realm settings</source>
</trans-unit>
<trans-unit id="s9c2eae548d3c1c30">
<source>Realm</source>
</trans-unit>
<trans-unit id="s6b032212997e2491">
<source>Kerberos 5 configuration</source>
</trans-unit>
<trans-unit id="sbf50181022f47de3">
<source>Kerberos 5 configuration. See man krb5.conf(5) for configuration format. If left empty, a default krb5.conf will be used.</source>
</trans-unit>
<trans-unit id="s2386539a0bd62fab">
<source>Sync connection settings</source>
</trans-unit>
<trans-unit id="s0d1a6f3fe81351f8">
<source>Sync principal</source>
</trans-unit>
<trans-unit id="sa691d6e1974295fa">
<source>Principal used to authenticate to the KDC for syncing.</source>
</trans-unit>
<trans-unit id="s977b9c629eed3d33">
<source>Sync password</source>
</trans-unit>
<trans-unit id="s77772860385de948">
<source>Password used to authenticate to the KDC for syncing. Optional if Sync keytab or Sync credentials cache is provided.</source>
</trans-unit>
<trans-unit id="sc59ec59c3d5e74dc">
<source>Sync keytab</source>
</trans-unit>
<trans-unit id="scd42997958453f05">
<source>Keytab used to authenticate to the KDC for syncing. Optional if Sync password or Sync credentials cache is provided. Must be base64 encoded or in the form TYPE:residual.</source>
</trans-unit>
<trans-unit id="s60eaf439ccdca1f2">
<source>Sync credentials cache</source>
</trans-unit>
<trans-unit id="s95722900b0c9026f">
<source>Credentials cache used to authenticate to the KDC for syncing. Optional if Sync password or Sync keytab is provided. Must be in the form TYPE:residual.</source>
</trans-unit>
<trans-unit id="sf9c055db98d7994a">
<source>SPNEGO settings</source>
</trans-unit>
<trans-unit id="sab580a45dc46937f">
<source>SPNEGO server name</source>
</trans-unit>
<trans-unit id="s7a79d6174d17ab2d">
<source>Force the use of a specific server name for SPNEGO. Must be in the form HTTP@domain</source>
</trans-unit>
<trans-unit id="sa4ba2b2081472ccd">
<source>SPNEGO keytab</source>
</trans-unit>
<trans-unit id="s64adda975c1106c0">
<source>Keytab used for SPNEGO. Optional if SPNEGO credentials cache is provided. Must be base64 encoded or in the form TYPE:residual.</source>
</trans-unit>
<trans-unit id="s92247825b92587b5">
<source>SPNEGO credentials cache</source>
</trans-unit>
<trans-unit id="sd9757c345e4062f8">
<source>Credentials cache used for SPNEGO. Optional if SPNEGO keytab is provided. Must be in the form TYPE:residual.</source>
</trans-unit>
<trans-unit id="s734ab8fbcae0b69e">
<source>Kerberos Attribute mapping</source>
</trans-unit>
<trans-unit id="s2c378e86e025fdb2">
<source>Update Kerberos Source</source>
</trans-unit>
<trans-unit id="s03e4044abe0b556c">
<source>User database + Kerberos password</source>
</trans-unit> </trans-unit>
</body> </body>
</file> </file>

75
web/xliff/tr.xlf
View File

@ -6850,6 +6850,81 @@ Bindings to groups/users are checked against the user of the event.</source>
</trans-unit> </trans-unit>
<trans-unit id="s013620384af7c8b4"> <trans-unit id="s013620384af7c8b4">
<source>Device type <x id="0" equiv-text="${device.verboseName}"/> cannot be edited</source> <source>Device type <x id="0" equiv-text="${device.verboseName}"/> cannot be edited</source>
</trans-unit>
<trans-unit id="s4347135696fc7cde">
<source>Advanced flow settings</source>
</trans-unit>
<trans-unit id="sf52ff57fd136cc2f">
<source>Enable this option to write password changes made in authentik back to Kerberos. Ignored if sync is disabled.</source>
</trans-unit>
<trans-unit id="s14a16542f956e11d">
<source>Realm settings</source>
</trans-unit>
<trans-unit id="s9c2eae548d3c1c30">
<source>Realm</source>
</trans-unit>
<trans-unit id="s6b032212997e2491">
<source>Kerberos 5 configuration</source>
</trans-unit>
<trans-unit id="sbf50181022f47de3">
<source>Kerberos 5 configuration. See man krb5.conf(5) for configuration format. If left empty, a default krb5.conf will be used.</source>
</trans-unit>
<trans-unit id="s2386539a0bd62fab">
<source>Sync connection settings</source>
</trans-unit>
<trans-unit id="s0d1a6f3fe81351f8">
<source>Sync principal</source>
</trans-unit>
<trans-unit id="sa691d6e1974295fa">
<source>Principal used to authenticate to the KDC for syncing.</source>
</trans-unit>
<trans-unit id="s977b9c629eed3d33">
<source>Sync password</source>
</trans-unit>
<trans-unit id="s77772860385de948">
<source>Password used to authenticate to the KDC for syncing. Optional if Sync keytab or Sync credentials cache is provided.</source>
</trans-unit>
<trans-unit id="sc59ec59c3d5e74dc">
<source>Sync keytab</source>
</trans-unit>
<trans-unit id="scd42997958453f05">
<source>Keytab used to authenticate to the KDC for syncing. Optional if Sync password or Sync credentials cache is provided. Must be base64 encoded or in the form TYPE:residual.</source>
</trans-unit>
<trans-unit id="s60eaf439ccdca1f2">
<source>Sync credentials cache</source>
</trans-unit>
<trans-unit id="s95722900b0c9026f">
<source>Credentials cache used to authenticate to the KDC for syncing. Optional if Sync password or Sync keytab is provided. Must be in the form TYPE:residual.</source>
</trans-unit>
<trans-unit id="sf9c055db98d7994a">
<source>SPNEGO settings</source>
</trans-unit>
<trans-unit id="sab580a45dc46937f">
<source>SPNEGO server name</source>
</trans-unit>
<trans-unit id="s7a79d6174d17ab2d">
<source>Force the use of a specific server name for SPNEGO. Must be in the form HTTP@domain</source>
</trans-unit>
<trans-unit id="sa4ba2b2081472ccd">
<source>SPNEGO keytab</source>
</trans-unit>
<trans-unit id="s64adda975c1106c0">
<source>Keytab used for SPNEGO. Optional if SPNEGO credentials cache is provided. Must be base64 encoded or in the form TYPE:residual.</source>
</trans-unit>
<trans-unit id="s92247825b92587b5">
<source>SPNEGO credentials cache</source>
</trans-unit>
<trans-unit id="sd9757c345e4062f8">
<source>Credentials cache used for SPNEGO. Optional if SPNEGO keytab is provided. Must be in the form TYPE:residual.</source>
</trans-unit>
<trans-unit id="s734ab8fbcae0b69e">
<source>Kerberos Attribute mapping</source>
</trans-unit>
<trans-unit id="s2c378e86e025fdb2">
<source>Update Kerberos Source</source>
</trans-unit>
<trans-unit id="s03e4044abe0b556c">
<source>User database + Kerberos password</source>
</trans-unit> </trans-unit>
</body> </body>
</file> </file>

75
web/xliff/zh-CN.xlf
View File

@ -5788,6 +5788,81 @@ Bindings to groups/users are checked against the user of the event.</source>
<trans-unit id="s013620384af7c8b4"> <trans-unit id="s013620384af7c8b4">
<source>Device type <x id="0" equiv-text="${device.verboseName}"/> cannot be edited</source> <source>Device type <x id="0" equiv-text="${device.verboseName}"/> cannot be edited</source>
</trans-unit> </trans-unit>
<trans-unit id="s4347135696fc7cde">
<source>Advanced flow settings</source>
</trans-unit>
<trans-unit id="sf52ff57fd136cc2f">
<source>Enable this option to write password changes made in authentik back to Kerberos. Ignored if sync is disabled.</source>
</trans-unit>
<trans-unit id="s14a16542f956e11d">
<source>Realm settings</source>
</trans-unit>
<trans-unit id="s9c2eae548d3c1c30">
<source>Realm</source>
</trans-unit>
<trans-unit id="s6b032212997e2491">
<source>Kerberos 5 configuration</source>
</trans-unit>
<trans-unit id="sbf50181022f47de3">
<source>Kerberos 5 configuration. See man krb5.conf(5) for configuration format. If left empty, a default krb5.conf will be used.</source>
</trans-unit>
<trans-unit id="s2386539a0bd62fab">
<source>Sync connection settings</source>
</trans-unit>
<trans-unit id="s0d1a6f3fe81351f8">
<source>Sync principal</source>
</trans-unit>
<trans-unit id="sa691d6e1974295fa">
<source>Principal used to authenticate to the KDC for syncing.</source>
</trans-unit>
<trans-unit id="s977b9c629eed3d33">
<source>Sync password</source>
</trans-unit>
<trans-unit id="s77772860385de948">
<source>Password used to authenticate to the KDC for syncing. Optional if Sync keytab or Sync credentials cache is provided.</source>
</trans-unit>
<trans-unit id="sc59ec59c3d5e74dc">
<source>Sync keytab</source>
</trans-unit>
<trans-unit id="scd42997958453f05">
<source>Keytab used to authenticate to the KDC for syncing. Optional if Sync password or Sync credentials cache is provided. Must be base64 encoded or in the form TYPE:residual.</source>
</trans-unit>
<trans-unit id="s60eaf439ccdca1f2">
<source>Sync credentials cache</source>
</trans-unit>
<trans-unit id="s95722900b0c9026f">
<source>Credentials cache used to authenticate to the KDC for syncing. Optional if Sync password or Sync keytab is provided. Must be in the form TYPE:residual.</source>
</trans-unit>
<trans-unit id="sf9c055db98d7994a">
<source>SPNEGO settings</source>
</trans-unit>
<trans-unit id="sab580a45dc46937f">
<source>SPNEGO server name</source>
</trans-unit>
<trans-unit id="s7a79d6174d17ab2d">
<source>Force the use of a specific server name for SPNEGO. Must be in the form HTTP@domain</source>
</trans-unit>
<trans-unit id="sa4ba2b2081472ccd">
<source>SPNEGO keytab</source>
</trans-unit>
<trans-unit id="s64adda975c1106c0">
<source>Keytab used for SPNEGO. Optional if SPNEGO credentials cache is provided. Must be base64 encoded or in the form TYPE:residual.</source>
</trans-unit>
<trans-unit id="s92247825b92587b5">
<source>SPNEGO credentials cache</source>
</trans-unit>
<trans-unit id="sd9757c345e4062f8">
<source>Credentials cache used for SPNEGO. Optional if SPNEGO keytab is provided. Must be in the form TYPE:residual.</source>
</trans-unit>
<trans-unit id="s734ab8fbcae0b69e">
<source>Kerberos Attribute mapping</source>
</trans-unit>
<trans-unit id="s2c378e86e025fdb2">
<source>Update Kerberos Source</source>
</trans-unit>
<trans-unit id="s03e4044abe0b556c">
<source>User database + Kerberos password</source>
</trans-unit>
</body> </body>
</file> </file>
</xliff> </xliff>

75
web/xliff/zh-Hans.xlf
View File

@ -9142,6 +9142,81 @@ Bindings to groups/users are checked against the user of the event.</source>
</trans-unit> </trans-unit>
<trans-unit id="s013620384af7c8b4"> <trans-unit id="s013620384af7c8b4">
<source>Device type <x id="0" equiv-text="${device.verboseName}"/> cannot be edited</source> <source>Device type <x id="0" equiv-text="${device.verboseName}"/> cannot be edited</source>
</trans-unit>
<trans-unit id="s4347135696fc7cde">
<source>Advanced flow settings</source>
</trans-unit>
<trans-unit id="sf52ff57fd136cc2f">
<source>Enable this option to write password changes made in authentik back to Kerberos. Ignored if sync is disabled.</source>
</trans-unit>
<trans-unit id="s14a16542f956e11d">
<source>Realm settings</source>
</trans-unit>
<trans-unit id="s9c2eae548d3c1c30">
<source>Realm</source>
</trans-unit>
<trans-unit id="s6b032212997e2491">
<source>Kerberos 5 configuration</source>
</trans-unit>
<trans-unit id="sbf50181022f47de3">
<source>Kerberos 5 configuration. See man krb5.conf(5) for configuration format. If left empty, a default krb5.conf will be used.</source>
</trans-unit>
<trans-unit id="s2386539a0bd62fab">
<source>Sync connection settings</source>
</trans-unit>
<trans-unit id="s0d1a6f3fe81351f8">
<source>Sync principal</source>
</trans-unit>
<trans-unit id="sa691d6e1974295fa">
<source>Principal used to authenticate to the KDC for syncing.</source>
</trans-unit>
<trans-unit id="s977b9c629eed3d33">
<source>Sync password</source>
</trans-unit>
<trans-unit id="s77772860385de948">
<source>Password used to authenticate to the KDC for syncing. Optional if Sync keytab or Sync credentials cache is provided.</source>
</trans-unit>
<trans-unit id="sc59ec59c3d5e74dc">
<source>Sync keytab</source>
</trans-unit>
<trans-unit id="scd42997958453f05">
<source>Keytab used to authenticate to the KDC for syncing. Optional if Sync password or Sync credentials cache is provided. Must be base64 encoded or in the form TYPE:residual.</source>
</trans-unit>
<trans-unit id="s60eaf439ccdca1f2">
<source>Sync credentials cache</source>
</trans-unit>
<trans-unit id="s95722900b0c9026f">
<source>Credentials cache used to authenticate to the KDC for syncing. Optional if Sync password or Sync keytab is provided. Must be in the form TYPE:residual.</source>
</trans-unit>
<trans-unit id="sf9c055db98d7994a">
<source>SPNEGO settings</source>
</trans-unit>
<trans-unit id="sab580a45dc46937f">
<source>SPNEGO server name</source>
</trans-unit>
<trans-unit id="s7a79d6174d17ab2d">
<source>Force the use of a specific server name for SPNEGO. Must be in the form HTTP@domain</source>
</trans-unit>
<trans-unit id="sa4ba2b2081472ccd">
<source>SPNEGO keytab</source>
</trans-unit>
<trans-unit id="s64adda975c1106c0">
<source>Keytab used for SPNEGO. Optional if SPNEGO credentials cache is provided. Must be base64 encoded or in the form TYPE:residual.</source>
</trans-unit>
<trans-unit id="s92247825b92587b5">
<source>SPNEGO credentials cache</source>
</trans-unit>
<trans-unit id="sd9757c345e4062f8">
<source>Credentials cache used for SPNEGO. Optional if SPNEGO keytab is provided. Must be in the form TYPE:residual.</source>
</trans-unit>
<trans-unit id="s734ab8fbcae0b69e">
<source>Kerberos Attribute mapping</source>
</trans-unit>
<trans-unit id="s2c378e86e025fdb2">
<source>Update Kerberos Source</source>
</trans-unit>
<trans-unit id="s03e4044abe0b556c">
<source>User database + Kerberos password</source>
</trans-unit> </trans-unit>
</body> </body>
</file> </file>

75
web/xliff/zh-Hant.xlf
View File

@ -6898,6 +6898,81 @@ Bindings to groups/users are checked against the user of the event.</source>
</trans-unit> </trans-unit>
<trans-unit id="s013620384af7c8b4"> <trans-unit id="s013620384af7c8b4">
<source>Device type <x id="0" equiv-text="${device.verboseName}"/> cannot be edited</source> <source>Device type <x id="0" equiv-text="${device.verboseName}"/> cannot be edited</source>
</trans-unit>
<trans-unit id="s4347135696fc7cde">
<source>Advanced flow settings</source>
</trans-unit>
<trans-unit id="sf52ff57fd136cc2f">
<source>Enable this option to write password changes made in authentik back to Kerberos. Ignored if sync is disabled.</source>
</trans-unit>
<trans-unit id="s14a16542f956e11d">
<source>Realm settings</source>
</trans-unit>
<trans-unit id="s9c2eae548d3c1c30">
<source>Realm</source>
</trans-unit>
<trans-unit id="s6b032212997e2491">
<source>Kerberos 5 configuration</source>
</trans-unit>
<trans-unit id="sbf50181022f47de3">
<source>Kerberos 5 configuration. See man krb5.conf(5) for configuration format. If left empty, a default krb5.conf will be used.</source>
</trans-unit>
<trans-unit id="s2386539a0bd62fab">
<source>Sync connection settings</source>
</trans-unit>
<trans-unit id="s0d1a6f3fe81351f8">
<source>Sync principal</source>
</trans-unit>
<trans-unit id="sa691d6e1974295fa">
<source>Principal used to authenticate to the KDC for syncing.</source>
</trans-unit>
<trans-unit id="s977b9c629eed3d33">
<source>Sync password</source>
</trans-unit>
<trans-unit id="s77772860385de948">
<source>Password used to authenticate to the KDC for syncing. Optional if Sync keytab or Sync credentials cache is provided.</source>
</trans-unit>
<trans-unit id="sc59ec59c3d5e74dc">
<source>Sync keytab</source>
</trans-unit>
<trans-unit id="scd42997958453f05">
<source>Keytab used to authenticate to the KDC for syncing. Optional if Sync password or Sync credentials cache is provided. Must be base64 encoded or in the form TYPE:residual.</source>
</trans-unit>
<trans-unit id="s60eaf439ccdca1f2">
<source>Sync credentials cache</source>
</trans-unit>
<trans-unit id="s95722900b0c9026f">
<source>Credentials cache used to authenticate to the KDC for syncing. Optional if Sync password or Sync keytab is provided. Must be in the form TYPE:residual.</source>
</trans-unit>
<trans-unit id="sf9c055db98d7994a">
<source>SPNEGO settings</source>
</trans-unit>
<trans-unit id="sab580a45dc46937f">
<source>SPNEGO server name</source>
</trans-unit>
<trans-unit id="s7a79d6174d17ab2d">
<source>Force the use of a specific server name for SPNEGO. Must be in the form HTTP@domain</source>
</trans-unit>
<trans-unit id="sa4ba2b2081472ccd">
<source>SPNEGO keytab</source>
</trans-unit>
<trans-unit id="s64adda975c1106c0">
<source>Keytab used for SPNEGO. Optional if SPNEGO credentials cache is provided. Must be base64 encoded or in the form TYPE:residual.</source>
</trans-unit>
<trans-unit id="s92247825b92587b5">
<source>SPNEGO credentials cache</source>
</trans-unit>
<trans-unit id="sd9757c345e4062f8">
<source>Credentials cache used for SPNEGO. Optional if SPNEGO keytab is provided. Must be in the form TYPE:residual.</source>
</trans-unit>
<trans-unit id="s734ab8fbcae0b69e">
<source>Kerberos Attribute mapping</source>
</trans-unit>
<trans-unit id="s2c378e86e025fdb2">
<source>Update Kerberos Source</source>
</trans-unit>
<trans-unit id="s03e4044abe0b556c">
<source>User database + Kerberos password</source>
</trans-unit> </trans-unit>
</body> </body>
</file> </file>

75
web/xliff/zh_TW.xlf
View File

@ -8735,6 +8735,81 @@ Bindings to groups/users are checked against the user of the event.</source>
</trans-unit> </trans-unit>
<trans-unit id="s013620384af7c8b4"> <trans-unit id="s013620384af7c8b4">
<source>Device type <x id="0" equiv-text="${device.verboseName}"/> cannot be edited</source> <source>Device type <x id="0" equiv-text="${device.verboseName}"/> cannot be edited</source>
</trans-unit>
<trans-unit id="s4347135696fc7cde">
<source>Advanced flow settings</source>
</trans-unit>
<trans-unit id="sf52ff57fd136cc2f">
<source>Enable this option to write password changes made in authentik back to Kerberos. Ignored if sync is disabled.</source>
</trans-unit>
<trans-unit id="s14a16542f956e11d">
<source>Realm settings</source>
</trans-unit>
<trans-unit id="s9c2eae548d3c1c30">
<source>Realm</source>
</trans-unit>
<trans-unit id="s6b032212997e2491">
<source>Kerberos 5 configuration</source>
</trans-unit>
<trans-unit id="sbf50181022f47de3">
<source>Kerberos 5 configuration. See man krb5.conf(5) for configuration format. If left empty, a default krb5.conf will be used.</source>
</trans-unit>
<trans-unit id="s2386539a0bd62fab">
<source>Sync connection settings</source>
</trans-unit>
<trans-unit id="s0d1a6f3fe81351f8">
<source>Sync principal</source>
</trans-unit>
<trans-unit id="sa691d6e1974295fa">
<source>Principal used to authenticate to the KDC for syncing.</source>
</trans-unit>
<trans-unit id="s977b9c629eed3d33">
<source>Sync password</source>
</trans-unit>
<trans-unit id="s77772860385de948">
<source>Password used to authenticate to the KDC for syncing. Optional if Sync keytab or Sync credentials cache is provided.</source>
</trans-unit>
<trans-unit id="sc59ec59c3d5e74dc">
<source>Sync keytab</source>
</trans-unit>
<trans-unit id="scd42997958453f05">
<source>Keytab used to authenticate to the KDC for syncing. Optional if Sync password or Sync credentials cache is provided. Must be base64 encoded or in the form TYPE:residual.</source>
</trans-unit>
<trans-unit id="s60eaf439ccdca1f2">
<source>Sync credentials cache</source>
</trans-unit>
<trans-unit id="s95722900b0c9026f">
<source>Credentials cache used to authenticate to the KDC for syncing. Optional if Sync password or Sync keytab is provided. Must be in the form TYPE:residual.</source>
</trans-unit>
<trans-unit id="sf9c055db98d7994a">
<source>SPNEGO settings</source>
</trans-unit>
<trans-unit id="sab580a45dc46937f">
<source>SPNEGO server name</source>
</trans-unit>
<trans-unit id="s7a79d6174d17ab2d">
<source>Force the use of a specific server name for SPNEGO. Must be in the form HTTP@domain</source>
</trans-unit>
<trans-unit id="sa4ba2b2081472ccd">
<source>SPNEGO keytab</source>
</trans-unit>
<trans-unit id="s64adda975c1106c0">
<source>Keytab used for SPNEGO. Optional if SPNEGO credentials cache is provided. Must be base64 encoded or in the form TYPE:residual.</source>
</trans-unit>
<trans-unit id="s92247825b92587b5">
<source>SPNEGO credentials cache</source>
</trans-unit>
<trans-unit id="sd9757c345e4062f8">
<source>Credentials cache used for SPNEGO. Optional if SPNEGO keytab is provided. Must be in the form TYPE:residual.</source>
</trans-unit>
<trans-unit id="s734ab8fbcae0b69e">
<source>Kerberos Attribute mapping</source>
</trans-unit>
<trans-unit id="s2c378e86e025fdb2">
<source>Update Kerberos Source</source>
</trans-unit>
<trans-unit id="s03e4044abe0b556c">
<source>User database + Kerberos password</source>
</trans-unit> </trans-unit>
</body> </body>
</file> </file>