406 lines
14 KiB
INI
406 lines
14 KiB
INI
;==============================================================================
|
|
; LemonLDAP::NG local configuration parameters
|
|
;
|
|
; This file is dedicated to configuration parameters override
|
|
; You can set here configuration parameters that will be used only by
|
|
; local LemonLDAP::NG elements
|
|
;
|
|
; Section "all" is always read first before "portal", "handler"
|
|
; and "manager"
|
|
;
|
|
; Section "configuration" is used to load global configuration and set cache
|
|
; (replace old storage.conf file)
|
|
;
|
|
; Other section are only read by the specific LemonLDAP::NG component
|
|
;==============================================================================
|
|
|
|
[all]
|
|
|
|
; CUSTOM FUNCTION
|
|
; If you want to create customFunctions in rules, declare them here:
|
|
;customFunctions = function1 function2
|
|
;customFunctions = Package::func1 Package::func2
|
|
|
|
; CROSS-DOMAIN
|
|
; If you have some handlers that are not registered on the main domain,
|
|
; uncomment this
|
|
;cda = 1
|
|
|
|
; SAFE JAIL
|
|
; Uncomment this to disable Safe jail.
|
|
; Warning: this can allow malicious code in custom functions or rules
|
|
;useSafeJail = 0
|
|
|
|
; LOGGING
|
|
;
|
|
; 1 - Defined logging level
|
|
; Set here one of error, warn, notice, info or debug
|
|
logLevel = info
|
|
; Note that this has no effect for Apache2 logging: Apache LogLevel is used
|
|
; instead
|
|
;
|
|
; 2 - Change logger
|
|
;
|
|
; By default, logging is set to:
|
|
; - Lemonldap::NG::Common::Logger::Apache2 for ApacheMP2 handlers
|
|
; - Lemonldap::NG::Common::Logger::Syslog for FastCGI (Nginx)
|
|
; - Lemonldap::NG::Common::Logger::Std for PSGI applications (manager,
|
|
; portal,...) when they are not
|
|
; launched by FastCGI server
|
|
; Other loggers availables:
|
|
; - Lemonldap::NG::Common::Logger::Log4perl to use Log4perl
|
|
;
|
|
; "Std" is redirected to the web server logs for Apache. For Nginx, only if
|
|
; request failed
|
|
;
|
|
; You can overload this in this section (for all) or in another section if
|
|
; you want to change logger for a specified app.
|
|
;
|
|
; LLNG uses 2 loggers: 1 for technical logs (logger), 1 for user actions
|
|
; (userLogger). "userLogger" uses the same class as "logger" if not set.
|
|
;logger = Lemonldap::NG::Common::Logger::Syslog
|
|
;userLogger = Lemonldap::NG::Common::Logger::Std
|
|
;
|
|
; 2.1 - Using Syslog
|
|
;
|
|
; For Syslog logging, you can also overwrite facilities. Default values:
|
|
logger = Lemonldap::NG::Common::Logger::Syslog
|
|
syslogFacility = daemon
|
|
userSyslogFacility = auth
|
|
;
|
|
; 2.2 - Using Log4perl
|
|
;
|
|
; If you want to use Log4perl, you can set these parameters. Here are default
|
|
; values:
|
|
;logger = Lemonldap::NG::Common::Logger::Log4perl
|
|
;log4perlConfFile = /etc/lemonldap-ng/log4perl.conf
|
|
;log4perlLogger = LLNG
|
|
;log4perlUserLogger = LLNG.user
|
|
;
|
|
; Here, Log4perl configuration is read from /etc/log4perl.conf. The "LLNG"
|
|
; value points to the logger class. Example:
|
|
; log4perl.logger.LLNG = WARN, File1
|
|
; log4perl.logger.LLNG.user = INFO, File2
|
|
; ...
|
|
|
|
; CONFIGURATION CHECK
|
|
;
|
|
; LLNG verify configuration at server start. If you use "reload" mechanism,
|
|
; local cache will be updated. Configuration is checked locally every
|
|
; 10 minutes by each LLNG component. You can change this value using
|
|
; `checkTime` (time in seconds).
|
|
; To increase performances, you should comment this parameter and rely on cache.
|
|
checkTime = 1
|
|
|
|
[configuration]
|
|
|
|
; confTimeout: maximum time to get configuration (default 10)
|
|
;confTimeout = 5
|
|
|
|
; GLOBAL CONFIGURATION ACCESS TYPE
|
|
; (File, REST, SOAP, RDBI/CDBI, LDAP, YAMLFile)
|
|
; Set here the parameters needed to access to LemonLDAP::NG configuration.
|
|
; You have to set "type" to one of the followings :
|
|
;
|
|
; * File/YAMLFile: you have to set 'dirName' parameter. Example:
|
|
;
|
|
; type = File ; or type = YAMLFile
|
|
; dirName = /var/lib/lemonldap-ng/conf
|
|
;
|
|
; * RDBI/CDBI : you have to set 'dbiChain' (required) and 'dbiUser' and 'dbiPassword'
|
|
; if needed. Example:
|
|
;
|
|
; type = RDBI
|
|
; ;type = CDBI
|
|
; dbiChain = DBI:MariaDB:database=lemonldap-ng;host=1.2.3.4
|
|
; dbiUser = lemonldap
|
|
; dbiPassword = password
|
|
;
|
|
; * REST: REST configuration access is a sort of proxy: the portal is
|
|
; configured to use the real session storage type (DBI or File for
|
|
; example).
|
|
; You have to set 'baseUrl' parameter. Example:
|
|
;
|
|
; type = REST
|
|
; baseUrl = https://auth.example.com/config
|
|
; proxyOptions = { timeout => 5 }
|
|
; User = lemonldap
|
|
; Password = mypassword
|
|
;
|
|
; * SOAP: SOAP configuration access is a sort of proxy: the portal is
|
|
; configured to use the real session storage type (DBI or File for
|
|
; example).
|
|
; You have to set 'proxy' parameter. Example:
|
|
;
|
|
; type = SOAP
|
|
; proxy = https://auth.example.com/config
|
|
; proxyOptions = { timeout => 5 }
|
|
; User = lemonldap
|
|
; Password = mypassword
|
|
;
|
|
; * LDAP: you have to set ldapServer, ldapConfBase, ldapBindDN and ldapBindPassword.
|
|
;
|
|
; type = LDAP
|
|
; ldapServer = ldap://localhost
|
|
; ldapConfBase = ou=conf,ou=applications,dc=example,dc=com
|
|
; ldapBindDN = cn=manager,dc=example,dc=com
|
|
; ldapBindPassword = secret
|
|
; ldapObjectClass = applicationProcess
|
|
; ldapAttributeId = cn
|
|
; ldapAttributeContent = description
|
|
|
|
type=File
|
|
dirName = /var/lib/lemonldap-ng/conf
|
|
|
|
; LOCAL CACHE CONFIGURATION
|
|
;
|
|
; To increase performances, use a local cache for the configuration. You have
|
|
; to choose a Cache::Cache module and set its parameters. Example:
|
|
;
|
|
; localStorage = Cache::FileCache
|
|
; localStorageOptions={ \
|
|
; 'namespace' => 'lemonldap-ng-config',\
|
|
; 'default_expires_in' => 600, \
|
|
; 'directory_umask' => '007', \
|
|
; 'cache_root' => '/tmp', \
|
|
; 'cache_depth' => 3, \
|
|
; }
|
|
localStorage=Cache::FileCache
|
|
localStorageOptions={ \
|
|
'namespace' => 'lemonldap-ng-config',\
|
|
'default_expires_in' => 600, \
|
|
'directory_umask' => '007', \
|
|
'cache_root' => '/tmp', \
|
|
'cache_depth' => 3, \
|
|
}
|
|
|
|
[portal]
|
|
|
|
; PORTAL CUSTOMIZATION
|
|
|
|
; I - Required parameters
|
|
|
|
; staticPrefix: relative (or URL) location of static HTML components
|
|
staticPrefix = /static
|
|
|
|
; location of HTML templates directory
|
|
templateDir = /usr/share/lemonldap-ng/portal/templates
|
|
|
|
; languages: available languages for portal interface
|
|
# GNUNUX languages = fr, en, vi, it, ar, de, fi, tr
|
|
#>GNUNUX
|
|
languages = fr
|
|
#<GNUNUX
|
|
|
|
; II - Optional parameters (overwrite configuration)
|
|
|
|
; Name of the skin
|
|
portalSkin = bootstrap
|
|
; Modules displayed
|
|
;portalDisplayLogout = 1
|
|
;portalDisplayResetPassword = 1
|
|
portalDisplayChangePassword = 1
|
|
;portalDisplayAppslist = 1
|
|
;portalDisplayLoginHistory = 1
|
|
; Require the old password when changing password
|
|
portalRequireOldPassword = 1
|
|
; Attribute displayed as connected user
|
|
;portalUserAttr = mail
|
|
; Old menu HTML code
|
|
; Enable it if you use old templates
|
|
;useOldMenuItems=1
|
|
; Override error codes
|
|
;error_0 = You are well authenticated!
|
|
; Custom template parameters
|
|
; For example to use <TMPL_VAR NAME="myparam">
|
|
;tpl_myparam = test
|
|
|
|
; COMBINATION FORMS
|
|
; If you want to fix forms to display, you can use this;
|
|
;combinationForms = standardform, yubikeyform
|
|
|
|
;syslog = auth
|
|
; SOAP FUNCTIONS
|
|
; Remove comment to activate SOAP Functions getCookies(user,pwd) and
|
|
; error(language, code)
|
|
;Soap = 1
|
|
; Note that getAttibutes() will be activated but on a different URI
|
|
; (http://auth.example.com/sessions)
|
|
; You can also restrict attributes and macros exported by getAttributes
|
|
;exportedAttr = uid mail
|
|
|
|
; PASSWORD POLICY
|
|
; Remove comment to use LDAP Password Policy
|
|
;ldapPpolicyControl = 1
|
|
; Remove comment to store password in session (use with caution)
|
|
;storePassword = 1
|
|
; Remove comment to use LDAP modify password extension
|
|
; (beware of compatibility with LDAP Password Policy)
|
|
;ldapSetPassword = 1
|
|
; RESET PASSWORD BY MAIL
|
|
; SMTP server (default to localhost), set to '' to use default mail service
|
|
;SMTPServer = localhost
|
|
; SMTP auth user
|
|
;SMTPAuthUser = toto
|
|
; SMTP auth password
|
|
;SMTPAuthPass = secret
|
|
; Mail From address
|
|
;mailFrom = noreply@example.com
|
|
; Reply To
|
|
;mailReplyTo = noreply@example.com
|
|
; Mail confirmation URL
|
|
;mailUrl = http://reset.example.com
|
|
; Mail subject for confirmation message
|
|
;mailConfirmSubject = [LemonLDAP::NG] Password reset confirmation
|
|
; Mail body for confiramtion (can use $url for confirmation URL, and other session
|
|
; infos, like $cn). Keep comment to use HTML templates
|
|
;mailConfirmBody = Hello $cn,\n\nClick here to receive your new password: $url
|
|
; Mail subject for new password message
|
|
;mailSubject = [LemonLDAP::NG] Your new password
|
|
; Mail body for new password (can use $password for generated password, and other session
|
|
; infos, like $cn). Keep comment to use HTML templates
|
|
;mailBody = Hello $cn,\n\nYour new password is $password
|
|
; LDAP filter to use
|
|
;mailLDAPFilter = '(&(mail=$mail)(objectClass=inetOrgPerson))'
|
|
; Random regexp for password generation
|
|
;randomPasswordRegexp = [A-Z]{3}[a-z]{5}.\d{2}
|
|
; LDAP GROUPS
|
|
; Set the base DN of your groups branch
|
|
;ldapGroupBase = ou=groups,dc=example,dc=com
|
|
; Objectclass used by groups
|
|
;ldapGroupObjectClass = groupOfUniqueNames
|
|
; Attribute used by groups to store member
|
|
;ldapGroupAttributeName = uniqueMember
|
|
; Attribute used by user to link to groups
|
|
;ldapGroupAttributeNameUser = dn
|
|
; Attribute used to identify a group. The group will be displayed as
|
|
; cn|mail|status, where cn, mail and status will be replaced by their
|
|
; values.
|
|
;ldapGroupAttributeNameSearch = cn mail
|
|
|
|
; NOTIFICATIONS SERVICE
|
|
; Use it to be able to notify messages during authentication
|
|
;notification = 1
|
|
; Note that the SOAP function newNotification will be activated on
|
|
; http://auth.example.com/notification
|
|
; If you want to hide this, just protect "/index.fcgi/notification" in
|
|
; your Apache configuration file
|
|
; XSS protection bypass
|
|
; By default, the portal refuse redirections that comes from sites not
|
|
; registered in the configuration (manager) except for those coming
|
|
; from trusted domains. By default, trustedDomains contains the domain
|
|
; declared in the manager. You can set trustedDomains to empty value so
|
|
; that, undeclared sites will be rejected. You can also set here a list
|
|
; of trusted domains or hosts separated by spaces. This is usefull if
|
|
; your website use LemonLDAP::NG without handler with SOAP functions.
|
|
;trustedDomains = my.trusted.host example2.com
|
|
|
|
; Check XSS
|
|
; Set to 0 to disable error on XSS attack detection
|
|
;checkXSS = 0
|
|
|
|
; pdata cookie domain
|
|
; pdata cookie could not be sent with cross domains AJAX request
|
|
; Null is default value
|
|
;pdataDomain = example.com
|
|
|
|
; CUSTOM PLUGINS
|
|
; If you want to add custom plugins, set list here (comma separated)
|
|
; Read Lemonldap::NG::Portal::Main::Plugin(3pm) man page.
|
|
;customPlugins = ::My::Package1, ::My::Package2
|
|
|
|
; To avoid bad/expired OTT if "authssl" and "auth" are served by different Load Balancers
|
|
; you can override OTT configuration to store Upgrade or Issuer OTT into global storage
|
|
;forceGlobalStorageUpgradeOTT = 1
|
|
;forceGlobalStorageIssuerOTT = 1
|
|
|
|
[handler]
|
|
|
|
; Handler cache configuration
|
|
; You can overwrite here local session cache settings in manager:
|
|
; localSessionStorage=Cache::FileCache
|
|
; localSessionStorageOptions={ \
|
|
; 'namespace' => 'lemonldap-ng-sessions', \
|
|
; 'default_expires_in' => 600, \
|
|
; 'directory_umask' => '007', \
|
|
; 'cache_root' => '/tmp', \
|
|
; 'cache_depth' => 3, \
|
|
; }
|
|
|
|
; Set https to 1 if your handler protect a https website (used only for
|
|
; redirections to the portal)
|
|
https = 1
|
|
; Set port if your your hanlder protect a website on a non standard port
|
|
; - 80 for http, 443 for https (used only for redirections to the portal)
|
|
;port = 8080
|
|
; Set status to 1 if you want to have the report of activity (used for
|
|
; example to inform MRTG)
|
|
status = 0
|
|
; Set useRedirectOnForbidden to 1 if you want to use REDIRECT and not FORBIDDEN
|
|
; when a user is not allowed by Handler
|
|
;useRedirectOnForbidden = 1
|
|
; Hide LemonLDAP::NG Handler in Apache Server Signature
|
|
;hideSignature = 1
|
|
; Set ServiceToken timeout
|
|
;handlerServiceTokenTTL = 30
|
|
; Set Impersonation/ContextSwitching prefix
|
|
; impersonationPrefix = real_
|
|
useRedirectOnError = 1
|
|
|
|
; Zimbra Handler parameters
|
|
;zimbraPreAuthKey = XXXX
|
|
;zimbraAccountKey = uid
|
|
;zimbraBy =id
|
|
;zimbraUrl = /service/preauth
|
|
;zimbraSsoUrl = ^/zimbrasso$
|
|
|
|
[manager]
|
|
|
|
; Manager protection: by default, the manager is protected by a demo account.
|
|
; You can protect it :
|
|
; * by Apache itself,
|
|
; * by the parameter 'protection' which can take one of the following
|
|
; values :
|
|
; * authenticate : all authenticated users can access
|
|
; * manager : manager is protected like other virtual hosts: you
|
|
; have to set rules in the corresponding virtual host
|
|
; * <rule> : you can set here directly the rule to apply
|
|
; * none : no protection
|
|
protection = manager
|
|
|
|
; staticPrefix: relative (or URL) location of static HTML components
|
|
staticPrefix = /static
|
|
;
|
|
; location of HTML templates directory
|
|
templateDir = /usr/share/lemonldap-ng/manager/htdocs/templates
|
|
|
|
; languages: available languages for manager interface
|
|
# GNUNUX languages = fr, en, it, vi, ar, tr
|
|
#>GNUNUX
|
|
languages = fr
|
|
#<GNUNUX
|
|
|
|
; Manager modules enabled
|
|
; Set here the list of modules you want to see in manager interface
|
|
; The first will be used as default module displayed
|
|
;enabledModules = conf, sessions, notifications, 2ndFA, viewer
|
|
enabledModules = conf, sessions, notifications, 2ndFA
|
|
|
|
; To avoid restricted users to edit configuration, defaulModule MUST be different than 'conf'
|
|
; 'conf' is set by default
|
|
;defaultModule = viewer
|
|
|
|
; Viewer module allows us to edit configuration in read-only mode
|
|
; Options can be set with specific rules like this :
|
|
;viewerAllowBrowser = $uid eq 'dwho'
|
|
;viewerAllowDiff = $uid ne 'dwho'
|
|
;
|
|
; Viewer options - Default values
|
|
;viewerHiddenKeys = samlIDPMetaDataNodes samlSPMetaDataNodes managerPassword ManagerDn globalStorageOptions persistentStorageOptions
|
|
;viewerAllowBrowser = 0
|
|
;viewerAllowDiff = 0
|
|
|
|
;[node-handler]
|
|
;
|
|
;This section is for node-lemonldap-ng-handler
|
|
;nodeVhosts = test3.example.com, test4.example.com
|