Release 2023.6
New features
- LDAP StartTLS support
authentik's LDAP Provider now supports StartTLS in addition to SSL (LDAPS). StartTLS is a more modern method of encrypting LDAP traffic: the client connects on the plain LDAP port and upgrades the connection to TLS with the StartTLS extended operation, instead of speaking TLS from the first byte on a separate port as LDAPS does. With this added support, the LDAP Outpost can now support multiple certificates.
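The difference between the two modes, and the check a client has to make before it trusts the upgraded connection, as an added example (not authentik's code): a minimal StartTLS negotiation built from the Python standard library, replayed offline over a socketpair with constructed server replies. The outpost host name in the last line is an assumption.

```python
"""LDAP StartTLS negotiation with the standard library only (RFC 4511 section 4.14).
Added example, not authentik code; the outpost host name used at the end is an assumption.
StartTLS upgrades a cleartext connection on the LDAP port; LDAPS is TLS from the first byte."""
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"
TAG_SEQUENCE, TAG_INTEGER, TAG_ENUMERATED, TAG_OCTET_STRING = 0x30, 0x02, 0x0A, 0x04
TAG_EXTENDED_REQ, TAG_EXTENDED_RESP = 0x77, 0x78  # [APPLICATION 23] / [APPLICATION 24]
TAG_REQUEST_NAME, TAG_RESPONSE_NAME = 0x80, 0x8A  # context tags [0] / [10], primitive

def ber_length(n):
    """BER length octets: short form below 128, long form (0x80 | byte count) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + ber_length(len(content)) + content

def parse_tlv(buf, pos=0):
    """Return (tag, content, position after the TLV) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length

def starttls_request(msg_id=1):
    """LDAPMessage { messageID, ExtendedRequest { requestName = StartTLS OID } }.
    The single-byte INTEGER encoding used here keeps msg_id below 128."""
    ext = tlv(TAG_EXTENDED_REQ, tlv(TAG_REQUEST_NAME, STARTTLS_OID))
    return tlv(TAG_SEQUENCE, tlv(TAG_INTEGER, bytes([msg_id])) + ext)

def starttls_response(msg_id, result_code, diag=b""):
    """Server-side ExtendedResponse, used below to construct sample traffic."""
    ext = tlv(TAG_EXTENDED_RESP, tlv(TAG_ENUMERATED, bytes([result_code]))  # 0 = success
              + tlv(TAG_OCTET_STRING, b"") + tlv(TAG_OCTET_STRING, diag)    # matchedDN, diagnosticMessage
              + tlv(TAG_RESPONSE_NAME, STARTTLS_OID))
    return tlv(TAG_SEQUENCE, tlv(TAG_INTEGER, bytes([msg_id])) + ext)

def parse_starttls_response(msg):
    """Return (messageID, resultCode, diagnosticMessage); raise on anything else."""
    tag, body, _ = parse_tlv(msg)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag_id, mid, pos = parse_tlv(body)
    tag_op, ext, _ = parse_tlv(body, pos)
    if tag_id != TAG_INTEGER or tag_op != TAG_EXTENDED_RESP:
        raise ValueError("not an ExtendedResponse")
    _, code, pos = parse_tlv(ext)
    _, _matched_dn, pos = parse_tlv(ext, pos)
    _, diag, _ = parse_tlv(ext, pos)
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode("utf-8", "replace")

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection before answering StartTLS")
        buf += chunk
    return buf

def read_ldap_message(sock):
    """Read exactly one BER TLV; LDAP messages are self-delimiting."""
    head = recv_exact(sock, 2)
    length = head[1]
    if length & 0x80:
        extra = recv_exact(sock, length & 0x7F)
        head, length = head + extra, int.from_bytes(extra, "big")
    return head + recv_exact(sock, length)

def negotiate_starttls(sock, msg_id=1):
    """Request StartTLS and fail closed unless the server answers success for our messageID.
    Staying in cleartext on refusal is the StartTLS stripping hole (ldapsearch -Z versus -ZZ)."""
    sock.sendall(starttls_request(msg_id))
    rid, code, diag = parse_starttls_response(read_ldap_message(sock))
    if rid != msg_id:
        raise ValueError(f"response carries messageID {rid}, expected {msg_id}")
    if code != 0:
        raise ConnectionError(f"server refused StartTLS (resultCode {code}): {diag}")

def connect_starttls(host, port=389, cafile=None):
    """Cleartext connect, StartTLS upgrade, then chain and host name verification by ssl."""
    ctx = ssl.create_default_context(cafile=cafile)
    raw = socket.create_connection((host, port))
    negotiate_starttls(raw)
    return ctx.wrap_socket(raw, server_hostname=host)

def demo_negotiation(result_code=0, diag=b""):
    """Replay the exchange over a socketpair with a scripted server answer (constructed
    sample traffic, no network). Returns (outcome, whether the server saw our request)."""
    client, server = socket.socketpair()
    try:
        server.sendall(starttls_response(1, result_code, diag))
        try:
            negotiate_starttls(client)
            outcome = "upgrade"
        except ConnectionError as exc:
            outcome = f"refused: {exc}"
        return outcome, read_ldap_message(server) == starttls_request(1)
    finally:
        client.close()
        server.close()

if __name__ == "__main__":
    print(demo_negotiation())  # ('upgrade', True)
    print(demo_negotiation(52, b"TLS not available"))
    # live outpost (host name is an assumption): connect_starttls("ldap.authentik.example.com")
```

The security point is the fail-closed branch in negotiate_starttls: a client that silently carries on in cleartext when the server declines, or when something on the path strips the response, gets no protection from StartTLS at all. ldapsearch behaves that way with -Z and fails closed with -ZZ, so use -ZZ when testing the outpost. LDAPS skips the negotiation but needs its own port, which is why the outpost keeps offering both.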
- LDAP Schema improvements
In addition to the StartTLS support, the schema support in the LDAP provider has been drastically overhauled. This improves compatibility with applications and clients that rely on the schema to parse the data they receive. Additionally, the base DN no longer needs to be set when binding, as the outpost now finds the correct provider from the bind DN.
- Event matcher policy can now match on individual models
Previously, the Event matcher policy could only match on event actions, client IPs and apps, so restricting a match to actions on a particular model required an expression policy. The policy now has a model filter as well, so those matches no longer need an expression policy.
Upgrading
This release does not introduce any new requirements.
docker-compose
To upgrade, download the new docker-compose file and update the Docker stack with the new version, using these commands:
wget -O docker-compose.yml https://goauthentik.io/version/2023.6/docker-compose.yml
docker-compose up -d
The -O flag writes the download to docker-compose.yml, overwriting any existing local file with that name.
Kubernetes
Upgrade the Helm Chart to the new version using the following commands:
helm repo update
helm upgrade authentik authentik/authentik -f values.yaml --version ^2023.6
Minor changes/fixes
- *: use dataclass slots wherever applicable (#6005)
- blueprints: allow setting user's passwords from blueprints (#5797)
- blueprints: fix API validation with OCI blueprint path (#5822)
- blueprints: fix check for file path not being run on worker (#5703)
- blueprints: support custom ports for OCI blueprints (#5727)
- core: make groups field for user optional (#5702)
- core: prevent selecting a group as a parent of itself (#6016)
- events: fix ak_create_event using wrong request for event creation (#5731)
- lifecycle: Add depends_on for worker and server container (#5634)
- outposts/ldap: fix race condition when refreshing the provider
- outposts: fix missing radius outpost controller (#5730)
- policies/event_matcher: add model filter (#5802)
- policies/event_matcher: change empty values to null (#6032)
- providers/ldap: add StartTLS support (#5861)
- providers/ldap: fix LDAP Outpost application selection (#5812)
- providers/ldap: fix Outpost provider listing excluding backchannel providers (#5933)
- providers/ldap: improve password totp detection (#6006)
- providers/ldap: rework Schema and DSE (#5838)
- providers/oauth2: correctly advertise code_challenge_methods_supported (#6007)
- providers/oauth2: launch url: if URL parsing fails, return no launch URL (#5918)
- providers/proxy: add support for traefik.io API and CRD (#5801)
- security: cure53 fix (#6039)
- sources/ldap: add support for cert based auth (#5850)
- sources/ldap: fix duplicate bind when authenticating user directly to… (#5927)
- sources/ldap: include UnwillingToPerformError as possible exception (#6031)
- sources/saml: separate verification cert (#5699)
- web/admin: fix codemirror not working on safari (#5943)
- web/admin: theme adjustments (#5944)
- web/flows: fix RedirectStage not detecting absolute URLs correctly (#5781)
- web/user: fix MFA enroll dropdown broken when password stage has no configuration flow (#5744)
- web/user: fix broken search on application library (#5743)
- web/user: fix search input styling (#5745)
- web/user: refactor LibraryPage for testing, add CTA (#5665)
- web: Replace lingui.js with lit-localize (#5761)
Fixed in 2023.6.1
- core: fix UUID filter field for users api (#6203)
- outposts/ldap: revert attribute filtering (#6188)
- outposts/ldap: add test for attribute filtering (#6189)
- sources/ldap: fix more errors (#6191)
- sources/ldap: fix page size (#6187)
Fixed in 2023.6.2
- *: fix CVE-2023-39522, Reported by @markrassamni