2021-12-03 17:37:25 +00:00
Configuration
#############
Here are the different options you can have in your configuration file.
.. contents ::
:local:
Sections
========
Miscellaneous
-------------
Canaille is based on Flask, so any `flask configuration <https://flask.palletsprojects.com/en/1.1.x/config/#builtin-configuration-values> `_ option will be usable with canaille:
:SECRET_KEY:
**Required.** The Flask secret key. You should set a random string here.
:NAME:
*Optional.* The name of your organization. If not set `Canaille`
:LOGO:
*Optional.* The URL ot the logo of your organization. The default is the canaille logo.
:FAVICON:
*Optional.* An URL to a favicon. The default is the value of `` LOGO `` .
:THEME:
*Optional.* The name or the path to a canaille theme.
If the value is just a name, the theme should be in a directory with that namein the *themes* directory.
:LANGUAGE:
*Optional.* The locale code of the language to use. If not set, the language of the browser will be used.
:SENTRY_DSN:
*Optional.* A DSN to a sentry instance.
This needs the `` sentry_sdk `` python package to be installed.
This is useful if you want to collect the canaille exceptions in a production environment.
:HIDE_INVALID_LOGINS:
*Optional.* Wether to tell the users if a username exists during failing login attempts.
2022-04-05 07:49:45 +00:00
Defaults to `` True `` . This may be a security issue to disable this, as this give a way to malicious people to if an account exists on this canaille instance.
:ENABLE_PASSWORD_RECOVERY:
*Optional* Wether the password recovery feature is enabled or not.
Defaults to `` True `` .
2021-12-03 17:37:25 +00:00
2022-01-01 10:56:48 +00:00
:INVITATION_EXPIRATION:
*Optional* The validity duration of registration invitations, in seconds.
Defaults to 2 days.
2021-12-03 17:37:25 +00:00
LOGGING
-------
:LEVEL:
*Optional.* The logging level. Must be an either *DEBUG* , *INFO* , *WARNING* , *ERROR* or *CRITICAL* . Defults to *WARNING* .
:PATH:
*Optional.* The log file path. If not set, logs are written in the standard error output.
LDAP
----
:URI:
**Required.** The URI to the LDAP server.
e.g. `` ldaps://ldad.mydomain.tld ``
:ROOT_DN:
**Required.** The root DN of your LDAP server.
e.g. `` dc=mydomain,dc=tld ``
:BIND_DN:
**Required.** The LDAP DN to bind with.
e.g. `` cn=admin,dc=mydomain,dc=tld ``
:BIND_PW:
**Required.** The LDAP user associated with `` BIND_DN `` .
:TIMEOUT:
*Optional.* The time to wait for the LDAP server to respond before considering it is not functional.
:USER_BASE:
**Required.** The DN of the node in which users will be searched for, and created.
e.g. `` ou=users,dc=mydomain,dc=tld ``
:USER_CLASS:
*Optional.* The LDAP object class to filter existing users, and create new users.
Defaults to `` inetOrgPerson `` .
:USER_ID_ATTRIBUTE:
*Optional.* The attribute to identify an object in the User DN.
For example, if it has the value `` uid `` , users DN will be in the form `` uid=foobar,ou=users,dc=mydomain,dc=tld `` .
Defaults to `` cn `` .
:USER_FILTER:
*Optional.* The filter to match users on sign in.
Supports a variable {login} that can be used to compare against several LDAP attributes.
Defaults to `` (|(uid={login})(mail={login})) ``
:GROUP_BASE:
**Required.** The DN where of the node in which LDAP groups will be created and searched for.
e.g. `` ou=groups,dc=mydomain,dc=tld ``
:GROUP_CLASS:
*Optional.* The LDAP object class to filter existing groups, and create new groups.
Defaults to `` groupOfNames ``
:GROUP_ID_ATTRIBUTE:
*Optional.* The attribute to identify an object in a group DN.
For example, if it has the value `` cn `` , groups DN will be in the form `` cn=foobar,ou=users,dc=mydomain,dc=tld `` .
Defaults to `` cn ``
:GROUP_NAME_ATTRIBUTE:
*Optional.* The attribute to identify a group in the web interface.
Defaults to `` cn ``
:GROUP_USER_FILTER:
*Optional.* A filter to check if a user belongs to a group. A 'user' variable is available.
Defaults to `` member={user.dn} ``
ACL
---
You can define access controls that define what users can do on canaille
An access control consists in a `` FILTER `` to match users, a list of `` PERMISSIONS `` that users will be able to perform, and fields users will be able
to `` READ `` and `` WRITE `` . Users matching several filters will cumulate permissions.
The 'READ' and 'WRITE' attributes are the LDAP attributes of the user
object that users will be able to read and/or write.
:FILTER:
*Optional.* A filter to test on the users to test if they belong to this ACL.
If absent, all the users will have the permissions in this ACL.
e.g. `` uid=admin `` or `` memberof=cn=admin,ou=groups,dc=mydomain,dc=tld ``
:PERMISSIONS:
*Optional.* A list of items the users in the access control will be able to manage. Values can be:
2022-04-05 15:16:09 +00:00
- **edit_self** to allow users to edit their own profile
2021-12-03 17:37:25 +00:00
- **use_oidc** to allow OpenID Connect authentication
- **manage_oidc** to allow OpenID Connect client managements
- **manage_users** to allow other users management
- **manage_groups** to allow group edition and creation
- **delete_account** allows a user to delete his own account. If used with *manage_users* , the user can delete any account
- **impersonate_users** to allow a user to take the identity of another user
:READ:
*Optional.* A list of attributes of `` USER_CLASS `` the user will be able to see, but not edit.
2022-04-05 15:16:09 +00:00
If the users has the `` edit_self `` permission, they will be able to see those fields on their own account.
If the users has the `` manage_users `` permission, the user will be able to see this fields on other users profile.
2021-12-03 17:37:25 +00:00
If the list containts the special `` groups `` field, the user will be able to see the groups he belongs to.
:WRITE:
*Optional.* A list of attributes of `` USER_CLASS `` the user will be able to edit.
2022-04-05 15:16:09 +00:00
If the users has the `` edit_self `` permission, they will be able to edit those fields on their own account.
If the users has the `` manage_users `` permission, they will be able to edit those fields on other users profile.
2021-12-03 17:37:25 +00:00
If the list containts the special `` groups `` field, the user will be able to edit the groups he belongs to.
JWT
---
Canaille needs a key pair to sign the JWT. The installation command will generate a key pair for you, but you can also do it manually.
:PRIVATE_KEY:
**Required.** The path to the private key.
e.g. `` /path/to/canaille/conf/private.pem ``
:PUBLIC_KEY:
**Required.** The path to the public key.
e.g. `` /path/to/canaille/conf/private.pem ``
2022-04-10 14:00:51 +00:00
:ISS:
2022-11-17 16:44:54 +00:00
*Optional.* The URI of the identity provider.
Defaults to `` SERVER_NAME `` if set, else the current domain will be used.
2022-04-10 14:00:51 +00:00
e.g. `` https://auth.mydomain.tld ``
2021-12-03 17:37:25 +00:00
:KTY:
*Optional.* The key type parameter.
Defaults to `` RSA `` .
:ALG:
*Optional.* The key algorithm.
Defaults to `` RS256 `` .
:EXP:
*Optional.* The time the JWT will be valid, in seconds.
Defaults to `` 3600 ``
JWT.MAPPINGS
------------
A mapping where keys are JWT claims, and values are LDAP user object attributes.
2021-12-12 15:15:06 +00:00
Attributes are rendered using jinja2, and can use a `` user `` variable.
2021-12-03 17:37:25 +00:00
:SUB:
2021-12-12 15:15:06 +00:00
*Optional.* Defaults to `` {{ user.uid[0] }} ``
2021-12-03 17:37:25 +00:00
:NAME:
2021-12-12 15:15:06 +00:00
*Optional.* Defaults to `` {{ user.cn[0] }} ``
2021-12-03 17:37:25 +00:00
:PHONE_NUMBER:
2021-12-12 15:15:06 +00:00
*Optional.* Defaults to `` {{ user.telephoneNumber[0] }} ``
2021-12-03 17:37:25 +00:00
:EMAIL:
2021-12-12 15:15:06 +00:00
*Optional.* Defaults to `` {{ user.mail[0] }} ``
2021-12-03 17:37:25 +00:00
:GIVEN_NAME:
2021-12-12 15:15:06 +00:00
*Optional.* Defaults to `` {{ user.givenName[0] }} ``
2021-12-03 17:37:25 +00:00
:FAMILY_NAME:
2021-12-12 15:15:06 +00:00
*Optional.* Defaults to `` {{ user.sn[0] }} ``
2021-12-03 17:37:25 +00:00
:PREFERRED_USERNAME:
2021-12-12 15:15:06 +00:00
*Optional.* Defaults to `` {{ user.displayName[0] }} ``
2021-12-03 17:37:25 +00:00
:LOCALE:
2023-01-24 17:15:26 +00:00
*Optional.* Defaults to `` {{ user.preferredLanguage }} ``
2021-12-03 17:37:25 +00:00
:ADDRESS:
2021-12-12 15:15:06 +00:00
*Optional.* Defaults to `` {{ user.postalAddress[0] }} ``
2021-12-03 17:37:25 +00:00
2021-12-13 21:50:53 +00:00
:PICTURE:
*Optional.* Defaults to `` {% if user.jpegPhoto %}{{ url_for('account.photo', uid=user.uid[0], field='jpegPhoto', _external=True) }}{% endif %} ``
2021-12-13 22:04:34 +00:00
:WEBSITE:
*Optional.* Defaults to `` {{ user.labeledURI[0] }} ``
2021-12-13 21:50:53 +00:00
2021-12-03 17:37:25 +00:00
SMTP
----
Canaille needs you to configure a SMTP server to send some mails, including the *I forgot my password* and the *invitation* mails.
Without this section Canaille will still be usable, but all the features related to mail will be disabled.
:HOST:
The SMTP server to connect to.
Defaults to `` localhost ``
:PORT:
The port to use with the SMTP connection.
Defaults to `` 25 ``
:TLS:
Whether the SMTP connection use TLS.
Default to `` False ``
:LOGIN:
The SMTP server authentication login.
*Optional.*
:PASSWORD:
The SMTP server authentication password.
*Optional.*
:FROM_ADDR:
2022-11-14 17:59:07 +00:00
*Optional.* The mail address to use as the sender for Canaille emails.
Defaults to `admin@<HOSTNAME>` `HOSTNAME`
