canaille-globuzma/canaille/conf/config.sample.toml

# All the Flask configuration values can be used:
# https://flask.palletsprojects.com/en/1.1.x/config/#builtin-configuration-values

# The flask secret key for cookies. You MUST change this.
SECRET_KEY = "change me before you go in production"

# Your organization name.
# NAME = "Canaille"

# The interface on which canaille will be served
# SERVER_NAME = "auth.mydomain.tld"
# PREFERRED_URL_SCHEME = "https"

# You can display a logo to be recognized on login screens
# LOGO = "/static/img/canaille-head.png"

# Your favicon. If unset the LOGO will be used.
# FAVICON = "/static/img/canaille-c.png"

# The name of a theme in the 'theme' directory, or an absolute path
# to a theme. Defaults to 'default'. Theming is done with
# https://github.com/tktech/flask-themer
# THEME = "default"

# If unset, language is detected
# LANGUAGE = "en"

# Wether a token is needed for the RFC7591 dynamical client registration.
# If true, no token is needed to register a client.
# If false, dynamical client registration needs a token defined
# in OIDC_DYNAMIC_CLIENT_REGISTRATION_TOKENS
# OIDC_DYNAMIC_CLIENT_REGISTRATION_OPEN = false

# A list of tokens that can be used for dynamic client registration
# OIDC_DYNAMIC_CLIENT_REGISTRATION_TOKENS = [
#     "xxxxxxx-yyyyyyy-zzzzzz",
# ]

# If you have a sentry instance, you can set its dsn here:
# SENTRY_DSN = "https://examplePublicKey@o0.ingest.sentry.io/0"

# If HIDE_INVALID_LOGINS is set to true (the default), when a user
# tries to sign in with an invalid login, a message is shown indicating
# that the password is wrong, but does not give a clue wether the login
# exists or not.
# If HIDE_INVALID_LOGINS is set to false, when a user tries to sign in with
# an invalid login, a message is shown indicating that the login does not
# exist.
# HIDE_INVALID_LOGINS = true

# If ENABLE_PASSWORD_RECOVERY is false, then users cannot ask for a password
# recovery link by email. This option is true by default.
# ENABLE_PASSWORD_RECOVERY = true

# The validity duration of registration invitations, in seconds.
# Defaults to 2 days
# INVITATION_EXPIRATION = 172800

[LOGGING]
# LEVEL can be one value among:
# DEBUG, INFO, WARNING, ERROR, CRITICAL
# Defaults to WARNING
# LEVEL = "WARNING"

# The path of the log file. If not set (the default) logs are
# written in the standard error output.
# PATH = ""

[LDAP]
URI = "ldap://ldap"
ROOT_DN = "dc=mydomain,dc=tld"
BIND_DN = "cn=admin,dc=mydomain,dc=tld"
BIND_PW = "admin"
# TIMEOUT =

# Where to search for users?
USER_BASE = "ou=users,dc=mydomain,dc=tld"

# The object class to use for creating new users
# USER_CLASS = "inetOrgPerson"

# The attribute to identify an object in the User dn.
# USER_ID_ATTRIBUTE = "cn"

# Filter to match users on sign in. Supports a variable
# {login} that can be used to compare against several fields:
# USER_FILTER = "(|(uid={login})(mail={login}))"

# Where to search for groups?
GROUP_BASE = "ou=groups,dc=mydomain,dc=tld"

# The object class to use for creating new groups
# GROUP_CLASS = "groupOfNames"

# The attribute to identify an object in the User dn.
# GROUP_ID_ATTRIBUTE = "cn"

# The attribute to use to identify a group
# GROUP_NAME_ATTRIBUTE = "cn"

# A filter to check if a user belongs to a group
# A 'user' variable is available.
# GROUP_USER_FILTER = "member={user.dn}"

# You can define access controls that define what users can do on canaille
# An access control consists in a FILTER to match users, a list of PERMISSIONS
# matched users will be able to perform, and fields users will be able
# to READ and WRITE. Users matching several filters will cumulate permissions.
#
# A 'FILTER' parameter that is a LDAP filter used to determine if a user
# belongs to an access control. If absent, all the users will match this
# access control. If your LDAP server has the 'memberof' overlay, you can
# filter against group membership.
# Here are some examples
#     FILTER = 'uid=admin'
#     FILTER = 'memberof=cn=admins,ou=groups,dc=mydomain,dc=tld'
#
# The 'PERMISSIONS' parameter that is an list of items the users in the access
# control will be able to manage. 'PERMISSIONS' is optionnal. Values can be:
# - "edit_self" to allow users to edit their own profile
# - "use_oidc" to allow OpenID Connect authentication
# - "manage_oidc" to allow OpenID Connect client managements
# - "manage_users" to allow other users management
# - "manage_groups" to allow group edition and creation
# - "delete_account" allows a user to delete his own account. If used with
#                    manage_users, the user can delete any account
# - "impersonate_users" to allow a user to take the identity of another user
#
# The 'READ' and 'WRITE' attributes are the LDAP attributes of the user
# object that users will be able to read and/or write.
[ACL.DEFAULT]
PERMISSIONS = ["edit_self", "use_oidc"]
READ = ["uid", "groups"]
WRITE = [
    "givenName",
    "sn",
    "displayName",
    "userPassword",
    "telephoneNumber",
    "jpegPhoto",
    "mail",
    "labeledURI",
    "preferredLanguage",
    "employeeNumber",
    "departmentNumber",
]

[ACL.ADMIN]
FILTER = "memberof=cn=moderators,ou=groups,dc=mydomain,dc=tld"
PERMISSIONS = [
    "manage_users",
    "manage_groups",
    "manage_oidc",
    "delete_account",
    "impersonate_users",
]
WRITE = ["groups"]

# The jwt configuration. You can generate a RSA keypair with:
# openssl genrsa -out private.pem 4096
# openssl rsa -in private.pem -pubout -outform PEM -out public.pem
[JWT]
# The path to the private key.
PRIVATE_KEY = "canaille/conf/private.pem"
# The path to the public key.
PUBLIC_KEY = "canaille/conf/public.pem"
# The URI of the identity provider
# ISS = "https://auth.mydomain.tld"
# The key type parameter
# KTY = "RSA"
# The key algorithm
# ALG = "RS256"
# The time the JWT will be valid, in seconds
# EXP = 3600

[JWT.MAPPING]
# Mapping between JWT fields and LDAP attributes from your
# User objectClass.
# {attribute} will be replaced by the user ldap attribute value.
# Default values fits inetOrgPerson.
SUB = "{{ user.uid[0] }}"
NAME = "{{ user.cn[0] }}"
PHONE_NUMBER = "{{ user.telephoneNumber[0] }}"
EMAIL = "{{ user.mail[0] }}"
GIVEN_NAME = "{{ user.givenName[0] }}"
FAMILY_NAME = "{{ user.sn[0] }}"
PREFERRED_USERNAME = "{{ user.displayName }}"
LOCALE = "{{ user.preferredLanguage }}"
ADDRESS = "{{ user.postalAddress[0] }}"
PICTURE = "{% if user.jpegPhoto %}{{ url_for('account.photo', uid=user.uid[0], field='jpegPhoto', _external=True) }}{% endif %}"
WEBSITE = "{{ user.labeledURI[0] }}"

# The SMTP server options. If not set, mail related features such as
# user invitations, and password reset emails, will be disabled.
[SMTP]
# HOST = "localhost"
# PORT = 25
# TLS = false
# SSL = false
# LOGIN = ""
# PASSWORD = ""
# FROM_ADDR = "admin@mydomain.tld"
Configuration header 2020-12-31 11:41:01 +00:00			`# All the Flask configuration values can be used:`
			`# https://flask.palletsprojects.com/en/1.1.x/config/#builtin-configuration-values`

Configuration comments 2020-08-31 12:09:28 +00:00			`# The flask secret key for cookies. You MUST change this.`
Configuration file 2020-08-17 09:05:01 +00:00			`SECRET_KEY = "change me before you go in production"`
Configuration comments 2020-08-31 12:09:28 +00:00
			`# Your organization name.`
Documentation improvements 2021-12-03 17:37:25 +00:00			`# NAME = "Canaille"`
Configuration comments 2020-08-31 12:09:28 +00:00
Password mechanism recovery. Fixes #3 2020-10-22 15:37:01 +00:00			`# The interface on which canaille will be served`
Minor fixes 2020-10-29 12:43:53 +00:00			`# SERVER_NAME = "auth.mydomain.tld"`
Use SERVER_NAME instead of URL. Fixes #24 2020-10-29 12:20:27 +00:00			`# PREFERRED_URL_SCHEME = "https"`
Password mechanism recovery. Fixes #3 2020-10-22 15:37:01 +00:00
Configuration comments 2020-08-31 12:09:28 +00:00			`# You can display a logo to be recognized on login screens`
Issuer 'ISS' configuration option is not mandatory anymore 2022-11-17 16:44:54 +00:00			`# LOGO = "/static/img/canaille-head.png"`
Canaille logo. Fixes #29 2020-11-05 11:18:17 +00:00
			`# Your favicon. If unset the LOGO will be used.`
Issuer 'ISS' configuration option is not mandatory anymore 2022-11-17 16:44:54 +00:00			`# FAVICON = "/static/img/canaille-c.png"`
Configuration file 2020-08-17 09:05:01 +00:00
use flask-themer to allow theme customization 2021-10-28 13:24:34 +00:00			`# The name of a theme in the 'theme' directory, or an absolute path`
			`# to a theme. Defaults to 'default'. Theming is done with`
			`# https://github.com/tktech/flask-themer`
			`# THEME = "default"`

i18n 2020-08-17 09:38:25 +00:00			`# If unset, language is detected`
Configuration comments 2020-08-31 12:09:28 +00:00			`# LANGUAGE = "en"`
i18n 2020-08-17 09:38:25 +00:00
Implemented dynamic client registration 2022-10-19 19:57:25 +00:00			`# Wether a token is needed for the RFC7591 dynamical client registration.`
			`# If true, no token is needed to register a client.`
			`# If false, dynamical client registration needs a token defined`
			`# in OIDC_DYNAMIC_CLIENT_REGISTRATION_TOKENS`
			`# OIDC_DYNAMIC_CLIENT_REGISTRATION_OPEN = false`

			`# A list of tokens that can be used for dynamic client registration`
			`# OIDC_DYNAMIC_CLIENT_REGISTRATION_TOKENS = [`
			`# "xxxxxxx-yyyyyyy-zzzzzz",`
			`# ]`

Sentry support 2020-09-01 15:27:56 +00:00			`# If you have a sentry instance, you can set its dsn here:`
			`# SENTRY_DSN = "https://examplePublicKey@o0.ingest.sentry.io/0"`

Fix typos and grammar errors. 2023-01-14 19:16:01 +00:00			`# If HIDE_INVALID_LOGINS is set to true (the default), when a user`
Fixed documentation about HIDE_INVALID_LOGINS 2022-04-06 15:32:11 +00:00			`# tries to sign in with an invalid login, a message is shown indicating`
			`# that the password is wrong, but does not give a clue wether the login`
			`# exists or not.`
Fix typos and grammar errors. 2023-01-14 19:16:01 +00:00			`# If HIDE_INVALID_LOGINS is set to false, when a user tries to sign in with`
Fixed documentation about HIDE_INVALID_LOGINS 2022-04-06 15:32:11 +00:00			`# an invalid login, a message is shown indicating that the login does not`
			`# exist.`
			`# HIDE_INVALID_LOGINS = true`
Customizable error message for invalid login. Fixes #48 2020-12-31 18:55:30 +00:00
Added an option to disable password recovery 2022-04-05 07:49:45 +00:00			`# If ENABLE_PASSWORD_RECOVERY is false, then users cannot ask for a password`
			`# recovery link by email. This option is true by default.`
			`# ENABLE_PASSWORD_RECOVERY = true`

invitations expire after 48h 2022-01-01 10:56:48 +00:00			`# The validity duration of registration invitations, in seconds.`
			`# Defaults to 2 days`
			`# INVITATION_EXPIRATION = 172800`

Logging is configurable 2021-10-31 13:40:12 +00:00			`[LOGGING]`
			`# LEVEL can be one value among:`
			`# DEBUG, INFO, WARNING, ERROR, CRITICAL`
Documentation improvements 2021-12-03 17:37:25 +00:00			`# Defaults to WARNING`
Logging is configurable 2021-10-31 13:40:12 +00:00			`# LEVEL = "WARNING"`

			`# The path of the log file. If not set (the default) logs are`
			`# written in the standard error output.`
			`# PATH = ""`

Configuration file 2020-08-17 09:05:01 +00:00			`[LDAP]`
tests workflow 2020-08-18 15:39:34 +00:00			`URI = "ldap://ldap"`
			`ROOT_DN = "dc=mydomain,dc=tld"`
			`BIND_DN = "cn=admin,dc=mydomain,dc=tld"`
Configuration file 2020-08-17 09:05:01 +00:00			`BIND_PW = "admin"`
Documentation improvements 2021-12-03 17:37:25 +00:00			`# TIMEOUT =`
Admin login 2020-08-19 14:20:57 +00:00
USER_BASE configuration parameter 2020-09-01 15:11:30 +00:00			`# Where to search for users?`
			`USER_BASE = "ou=users,dc=mydomain,dc=tld"`

Added configuration options to tune object IDs 2021-12-08 08:39:58 +00:00			`# The object class to use for creating new users`
Documentation improvements 2021-12-03 17:37:25 +00:00			`# USER_CLASS = "inetOrgPerson"`
Added configuration options to tune object IDs 2021-12-08 08:39:58 +00:00
			`# The attribute to identify an object in the User dn.`
Documentation improvements 2021-12-03 17:37:25 +00:00			`# USER_ID_ATTRIBUTE = "cn"`
Added configuration options to tune object IDs 2021-12-08 08:39:58 +00:00
Alternate login filters 2020-08-20 08:45:33 +00:00			`# Filter to match users on sign in. Supports a variable`
Login placeholder depends on the USER_FILTER configuration attribute 2021-12-07 18:30:13 +00:00			`# {login} that can be used to compare against several fields:`
Documentation improvements 2021-12-03 17:37:25 +00:00			`# USER_FILTER = "(\|(uid={login})(mail={login}))"`
Alternate login filters 2020-08-20 08:45:33 +00:00
Permissions overhaul 2021-12-02 17:23:14 +00:00			`# Where to search for groups?`
Documentation improvements 2021-12-03 17:37:25 +00:00			`GROUP_BASE = "ou=groups,dc=mydomain,dc=tld"`
Permissions overhaul 2021-12-02 17:23:14 +00:00
			`# The object class to use for creating new groups`
Documentation improvements 2021-12-03 17:37:25 +00:00			`# GROUP_CLASS = "groupOfNames"`
Permissions overhaul 2021-12-02 17:23:14 +00:00
Added configuration options to tune object IDs 2021-12-08 08:39:58 +00:00			`# The attribute to identify an object in the User dn.`
Documentation improvements 2021-12-03 17:37:25 +00:00			`# GROUP_ID_ATTRIBUTE = "cn"`
Added configuration options to tune object IDs 2021-12-08 08:39:58 +00:00
Permissions overhaul 2021-12-02 17:23:14 +00:00			`# The attribute to use to identify a group`
Documentation improvements 2021-12-03 17:37:25 +00:00			`# GROUP_NAME_ATTRIBUTE = "cn"`
Permissions overhaul 2021-12-02 17:23:14 +00:00
			`# A filter to check if a user belongs to a group`
Added configuration options to tune object IDs 2021-12-08 08:39:58 +00:00			`# A 'user' variable is available.`
Documentation improvements 2021-12-03 17:37:25 +00:00			`# GROUP_USER_FILTER = "member={user.dn}"`
Issue 12 groups 2021-06-03 13:00:11 +00:00
Permissions overhaul 2021-12-02 17:23:14 +00:00			`# You can define access controls that define what users can do on canaille`
			`# An access control consists in a FILTER to match users, a list of PERMISSIONS`
			`# matched users will be able to perform, and fields users will be able`
Option to not use OIDC 2021-12-06 23:07:32 +00:00			`# to READ and WRITE. Users matching several filters will cumulate permissions.`
Permissions overhaul 2021-12-02 17:23:14 +00:00			`#`
			`# A 'FILTER' parameter that is a LDAP filter used to determine if a user`
			`# belongs to an access control. If absent, all the users will match this`
			`# access control. If your LDAP server has the 'memberof' overlay, you can`
			`# filter against group membership.`
			`# Here are some examples`
			`# FILTER = 'uid=admin'`
			`# FILTER = 'memberof=cn=admins,ou=groups,dc=mydomain,dc=tld'`
			`#`
			`# The 'PERMISSIONS' parameter that is an list of items the users in the access`
			`# control will be able to manage. 'PERMISSIONS' is optionnal. Values can be:`
Added an option to disable self edition 2022-04-05 15:16:09 +00:00			`# - "edit_self" to allow users to edit their own profile`
Option to not use OIDC 2021-12-06 23:07:32 +00:00			`# - "use_oidc" to allow OpenID Connect authentication`
			`# - "manage_oidc" to allow OpenID Connect client managements`
Permissions overhaul 2021-12-02 17:23:14 +00:00			`# - "manage_users" to allow other users management`
			`# - "manage_groups" to allow group edition and creation`
			`# - "delete_account" allows a user to delete his own account. If used with`
Option to not use OIDC 2021-12-06 23:07:32 +00:00			`# manage_users, the user can delete any account`
Permissions overhaul 2021-12-02 17:23:14 +00:00			`# - "impersonate_users" to allow a user to take the identity of another user`
			`#`
			`# The 'READ' and 'WRITE' attributes are the LDAP attributes of the user`
			`# object that users will be able to read and/or write.`
			`[ACL.DEFAULT]`
Added an option to disable self edition 2022-04-05 15:16:09 +00:00			`PERMISSIONS = ["edit_self", "use_oidc"]`
jpegPhoto profile form 2021-12-08 17:06:50 +00:00			`READ = ["uid", "groups"]`
Users can choose their favourite display name 2022-12-02 17:47:16 +00:00			`WRITE = [`
			`"givenName",`
			`"sn",`
			`"displayName",`
			`"userPassword",`
			`"telephoneNumber",`
			`"jpegPhoto",`
			`"mail",`
			`"labeledURI",`
			`"preferredLanguage",`
departmentNumber edition support #129 2023-03-11 11:52:36 +00:00			`"employeeNumber",`
			`"departmentNumber",`
Users can choose their favourite display name 2022-12-02 17:47:16 +00:00			`]`
Permissions overhaul 2021-12-02 17:23:14 +00:00
			`[ACL.ADMIN]`
			`FILTER = "memberof=cn=moderators,ou=groups,dc=mydomain,dc=tld"`
			`PERMISSIONS = [`
			`"manage_users",`
			`"manage_groups",`
			`"manage_oidc",`
			`"delete_account",`
			`"impersonate_users",`
Profile editable fields are configurable 2020-11-26 14:29:14 +00:00			`]`
Option to not use OIDC 2021-12-06 23:07:32 +00:00			`WRITE = ["groups"]`
Profile editable fields are configurable 2020-11-26 14:29:14 +00:00
Configuration comments 2020-08-31 12:09:28 +00:00			`# The jwt configuration. You can generate a RSA keypair with:`
doc: installation improvements 2021-10-12 16:14:09 +00:00			`# openssl genrsa -out private.pem 4096`
Configuration comments 2020-08-31 12:09:28 +00:00			`# openssl rsa -in private.pem -pubout -outform PEM -out public.pem`
Claims are configurable 2020-08-24 08:03:48 +00:00			`[JWT]`
Documentation improvements 2021-12-03 17:37:25 +00:00			`# The path to the private key.`
Renamed the project 'canaille' 2020-10-21 12:04:40 +00:00			`PRIVATE_KEY = "canaille/conf/private.pem"`
Documentation improvements 2021-12-03 17:37:25 +00:00			`# The path to the public key.`
doc: installation improvements 2021-10-12 16:14:09 +00:00			`PUBLIC_KEY = "canaille/conf/public.pem"`
Bumped to authlib 1 2022-04-10 14:00:51 +00:00			`# The URI of the identity provider`
Issuer 'ISS' configuration option is not mandatory anymore 2022-11-17 16:44:54 +00:00			`# ISS = "https://auth.mydomain.tld"`
Documentation improvements 2021-12-03 17:37:25 +00:00			`# The key type parameter`
			`# KTY = "RSA"`
			`# The key algorithm`
			`# ALG = "RS256"`
			`# The time the JWT will be valid, in seconds`
			`# EXP = 3600`
Only commit changed fields 2020-08-24 09:28:15 +00:00
			`[JWT.MAPPING]`
TODO.md 2020-08-26 10:03:06 +00:00			`# Mapping between JWT fields and LDAP attributes from your`
customize jwt claims with format string in config file 2021-12-10 14:56:43 +00:00			`# User objectClass.`
			`# {attribute} will be replaced by the user ldap attribute value.`
			`# Default values fits inetOrgPerson.`
JWT mapping use jinja 2021-12-12 15:15:06 +00:00			`SUB = "{{ user.uid[0] }}"`
			`NAME = "{{ user.cn[0] }}"`
			`PHONE_NUMBER = "{{ user.telephoneNumber[0] }}"`
			`EMAIL = "{{ user.mail[0] }}"`
			`GIVEN_NAME = "{{ user.givenName[0] }}"`
			`FAMILY_NAME = "{{ user.sn[0] }}"`
Users can choose their favourite display name 2022-12-02 17:47:16 +00:00			`PREFERRED_USERNAME = "{{ user.displayName }}"`
Demo displays user preferred locale 2022-12-04 10:53:37 +00:00			`LOCALE = "{{ user.preferredLanguage }}"`
JWT mapping use jinja 2021-12-12 15:15:06 +00:00			`ADDRESS = "{{ user.postalAddress[0] }}"`
Default configuration and test client use user avatars 2021-12-13 21:50:53 +00:00			`PICTURE = "{% if user.jpegPhoto %}{{ url_for('account.photo', uid=user.uid[0], field='jpegPhoto', _external=True) }}{% endif %}"`
Manage user websites 2021-12-13 22:04:34 +00:00			`WEBSITE = "{{ user.labeledURI[0] }}"`
Password mechanism recovery. Fixes #3 2020-10-22 15:37:01 +00:00
The default configuration has no SMTP server defined 2021-12-07 16:18:41 +00:00			`# The SMTP server options. If not set, mail related features such as`
			`# user invitations, and password reset emails, will be disabled.`
Documentation improvements 2021-12-03 17:37:25 +00:00			`[SMTP]`
The default configuration has no SMTP server defined 2021-12-07 16:18:41 +00:00			`# HOST = "localhost"`
			`# PORT = 25`
			`# TLS = false`
Enable SSL SMTP 2023-02-28 08:53:47 +00:00			`# SSL = false`
The default configuration has no SMTP server defined 2021-12-07 16:18:41 +00:00			`# LOGIN = ""`
			`# PASSWORD = ""`
FROM_ADDR configuration option is not mandatory anymore 2022-11-14 17:59:07 +00:00			`# FROM_ADDR = "admin@mydomain.tld"`