canaille-globuzma/canaille/conf/config.sample.toml

# All the Flask configuration values can be used:
# https://flask.palletsprojects.com/en/1.1.x/config/#builtin-configuration-values

# The flask secret key for cookies. You MUST change this.
SECRET_KEY = "change me before you go in production"

# Your organization name.
NAME = "Canaille"

# The interface on which canaille will be served
# SERVER_NAME = "auth.mydomain.tld"
# PREFERRED_URL_SCHEME = "https"

# You can display a logo to be recognized on login screens
LOGO = "/static/img/canaille-head.png"

# Your favicon. If unset the LOGO will be used.
FAVICON = "/static/img/canaille-c.png"

# If unset, language is detected
# LANGUAGE = "en"

# Path to the RFC8414 metadata file. You should update those files
# with your production URLs.
OAUTH2_METADATA_FILE = "canaille/conf/oauth-authorization-server.json"
OIDC_METADATA_FILE = "canaille/conf/openid-configuration.json"

# If you have a sentry instance, you can set its dsn here:
# SENTRY_DSN = "https://examplePublicKey@o0.ingest.sentry.io/0"

# If this option is set to true, when a user tries to sign in with
# an invalid login, a message is shown saying that the login does not
# exist. If this option is set to false (the default) a message is
# shown saying that the password is wrong, but does not give a clue
# wether the login exists or not.
# HIDE_INVALID_LOGINS = false

# SELF_DELETION controls the ability for a user to delete his own
# account. The default value is true.
# SELF_DELETION = true

[LDAP]
URI = "ldap://ldap"
ROOT_DN = "dc=mydomain,dc=tld"
BIND_DN = "cn=admin,dc=mydomain,dc=tld"
BIND_PW = "admin"
TIMEOUT =

# Where to search for users?
USER_BASE = "ou=users,dc=mydomain,dc=tld"

# Filter to match users on sign in. Supports a variable
# {login}. For sigin against either uid or mail use:
# USER_FILTER = "(|(uid={login})(mail={login}))"
USER_FILTER = "(|(uid={login})(cn={login}))"

# A class to use for creating new users
USER_CLASS = "inetOrgPerson"

# Filter to match super admin users. Super admins can manage
# OAuth clients, tokens and authorizations. If your LDAP server has
# the 'memberof' overlay, you can filter against group membership.
# ADMIN_FILTER = "uid=admin"
ADMIN_FILTER = "memberof=cn=admins,ou=groups,dc=mydomain,dc=tld"

# Filter to match super admin users. User admins can edit, create
# and delete user accounts. If your LDAP server has the 'memberof'
# overlay, you can filter against group membership.
# USER_ADMIN_FILTER = "uid=moderator"
USER_ADMIN_FILTER = "memberof=cn=moderators,ou=groups,dc=mydomain,dc=tld"

GROUP_BASE = "ou=groups"
GROUP_CLASS = "groupOfNames"
GROUP_NAME_ATTRIBUTE = "cn"
GROUP_USER_FILTER = "(member={user.dn})"

# The list of ldap fields you want to be editable by the
# users.
FIELDS = [
  "uid",
  "mail",
  "givenName",
  "sn",
  "userPassword",
  "telephoneNumber",
  "employeeNumber",
# "jpegPhoto",
  "groups",
]

# The jwt configuration. You can generate a RSA keypair with:
# ssh-keygen -t rsa -b 4096 -m PEM -f private.pem
# openssl rsa -in private.pem -pubout -outform PEM -out public.pem
[JWT]
PUBLIC_KEY = "canaille/conf/public.pem"
PRIVATE_KEY = "canaille/conf/private.pem"
KTY = "RSA"
ALG = "RS256"
EXP = 3600

[JWT.MAPPING]
# Mapping between JWT fields and LDAP attributes from your
# User objectClass. Default values fits inetOrgPerson.
SUB = "uid"
NAME = "cn"
PHONE_NUMBER = "telephoneNumber"
EMAIL = "mail"
GIVEN_NAME = "givenName"
FAMILY_NAME = "sn"
PREFERRED_USERNAME = "displayName"
LOCALE = "preferredLanguage"
PICTURE = "jpegPhoto"
ADDRESS = "postalAddress"

[SMTP]
HOST = "localhost"
PORT = 25
TLS = false
LOGIN = ""
PASSWORD = ""
FROM_ADDR = "admin@mydomain.tld"
Configuration header 2020-12-31 11:41:01 +00:00			`# All the Flask configuration values can be used:`
			`# https://flask.palletsprojects.com/en/1.1.x/config/#builtin-configuration-values`

Configuration comments 2020-08-31 12:09:28 +00:00			`# The flask secret key for cookies. You MUST change this.`
Configuration file 2020-08-17 09:05:01 +00:00			`SECRET_KEY = "change me before you go in production"`
Configuration comments 2020-08-31 12:09:28 +00:00
			`# Your organization name.`
Canaille logo. Fixes #29 2020-11-05 11:18:17 +00:00			`NAME = "Canaille"`
Configuration comments 2020-08-31 12:09:28 +00:00
Password mechanism recovery. Fixes #3 2020-10-22 15:37:01 +00:00			`# The interface on which canaille will be served`
Minor fixes 2020-10-29 12:43:53 +00:00			`# SERVER_NAME = "auth.mydomain.tld"`
Use SERVER_NAME instead of URL. Fixes #24 2020-10-29 12:20:27 +00:00			`# PREFERRED_URL_SCHEME = "https"`
Password mechanism recovery. Fixes #3 2020-10-22 15:37:01 +00:00
Configuration comments 2020-08-31 12:09:28 +00:00			`# You can display a logo to be recognized on login screens`
Canaille logo. Fixes #29 2020-11-05 11:18:17 +00:00			`LOGO = "/static/img/canaille-head.png"`

			`# Your favicon. If unset the LOGO will be used.`
			`FAVICON = "/static/img/canaille-c.png"`
Configuration file 2020-08-17 09:05:01 +00:00
i18n 2020-08-17 09:38:25 +00:00			`# If unset, language is detected`
Configuration comments 2020-08-31 12:09:28 +00:00			`# LANGUAGE = "en"`
i18n 2020-08-17 09:38:25 +00:00
Configuration comments 2020-08-31 12:09:28 +00:00			`# Path to the RFC8414 metadata file. You should update those files`
			`# with your production URLs.`
Renamed the project 'canaille' 2020-10-21 12:04:40 +00:00			`OAUTH2_METADATA_FILE = "canaille/conf/oauth-authorization-server.json"`
			`OIDC_METADATA_FILE = "canaille/conf/openid-configuration.json"`
Server metadata file 2020-08-25 09:15:38 +00:00
Sentry support 2020-09-01 15:27:56 +00:00			`# If you have a sentry instance, you can set its dsn here:`
			`# SENTRY_DSN = "https://examplePublicKey@o0.ingest.sentry.io/0"`

Customizable error message for invalid login. Fixes #48 2020-12-31 18:55:30 +00:00			`# If this option is set to true, when a user tries to sign in with`
			`# an invalid login, a message is shown saying that the login does not`
			`# exist. If this option is set to false (the default) a message is`
			`# shown saying that the password is wrong, but does not give a clue`
			`# wether the login exists or not.`
			`# HIDE_INVALID_LOGINS = false`

Demo configuration 2021-01-01 15:44:57 +00:00			`# SELF_DELETION controls the ability for a user to delete his own`
			`# account. The default value is true.`
			`# SELF_DELETION = true`

Configuration file 2020-08-17 09:05:01 +00:00			`[LDAP]`
tests workflow 2020-08-18 15:39:34 +00:00			`URI = "ldap://ldap"`
			`ROOT_DN = "dc=mydomain,dc=tld"`
			`BIND_DN = "cn=admin,dc=mydomain,dc=tld"`
Configuration file 2020-08-17 09:05:01 +00:00			`BIND_PW = "admin"`
configuration: dummy timeout entry 2021-08-31 13:49:59 +00:00			`TIMEOUT =`
Admin login 2020-08-19 14:20:57 +00:00
USER_BASE configuration parameter 2020-09-01 15:11:30 +00:00			`# Where to search for users?`
			`USER_BASE = "ou=users,dc=mydomain,dc=tld"`

Alternate login filters 2020-08-20 08:45:33 +00:00			`# Filter to match users on sign in. Supports a variable`
Configuration comments 2020-08-31 12:09:28 +00:00			`# {login}. For sigin against either uid or mail use:`
Alternate login filters 2020-08-20 08:45:33 +00:00			`# USER_FILTER = "(\|(uid={login})(mail={login}))"`
Better user objectClasses 2020-08-19 14:56:04 +00:00			`USER_FILTER = "(\|(uid={login})(cn={login}))"`
Alternate login filters 2020-08-20 08:45:33 +00:00
User admin page. Fixes #8 2020-11-01 10:33:56 +00:00			`# A class to use for creating new users`
			`USER_CLASS = "inetOrgPerson"`

Moderators group. #12 2020-11-02 11:13:03 +00:00			`# Filter to match super admin users. Super admins can manage`
			`# OAuth clients, tokens and authorizations. If your LDAP server has`
			`# the 'memberof' overlay, you can filter against group membership.`
Admin filters with memberof 2020-08-31 11:54:33 +00:00			`# ADMIN_FILTER = "uid=admin"`
Minor bootstrap fix 2020-09-17 07:44:45 +00:00			`ADMIN_FILTER = "memberof=cn=admins,ou=groups,dc=mydomain,dc=tld"`
Claims are configurable 2020-08-24 08:03:48 +00:00
Moderators group. #12 2020-11-02 11:13:03 +00:00			`# Filter to match super admin users. User admins can edit, create`
			`# and delete user accounts. If your LDAP server has the 'memberof'`
			`# overlay, you can filter against group membership.`
			`# USER_ADMIN_FILTER = "uid=moderator"`
			`USER_ADMIN_FILTER = "memberof=cn=moderators,ou=groups,dc=mydomain,dc=tld"`

Issue 12 groups 2021-06-03 13:00:11 +00:00			`GROUP_BASE = "ou=groups"`
			`GROUP_CLASS = "groupOfNames"`
			`GROUP_NAME_ATTRIBUTE = "cn"`
			`GROUP_USER_FILTER = "(member={user.dn})"`

Profile editable fields are configurable 2020-11-26 14:29:14 +00:00			`# The list of ldap fields you want to be editable by the`
			`# users.`
			`FIELDS = [`
			`"uid",`
			`"mail",`
			`"givenName",`
			`"sn",`
			`"userPassword",`
			`"telephoneNumber",`
			`"employeeNumber",`
jpegPhoto may be better than photo 2020-12-31 17:10:54 +00:00			`# "jpegPhoto",`
Issue 12 groups 2021-06-03 13:00:11 +00:00			`"groups",`
Profile editable fields are configurable 2020-11-26 14:29:14 +00:00			`]`

Configuration comments 2020-08-31 12:09:28 +00:00			`# The jwt configuration. You can generate a RSA keypair with:`
			`# ssh-keygen -t rsa -b 4096 -m PEM -f private.pem`
			`# openssl rsa -in private.pem -pubout -outform PEM -out public.pem`
Claims are configurable 2020-08-24 08:03:48 +00:00			`[JWT]`
Renamed the project 'canaille' 2020-10-21 12:04:40 +00:00			`PUBLIC_KEY = "canaille/conf/public.pem"`
			`PRIVATE_KEY = "canaille/conf/private.pem"`
Use private/public keys to sign JWTs 2020-08-28 14:07:39 +00:00			`KTY = "RSA"`
			`ALG = "RS256"`
Claims are configurable 2020-08-24 08:03:48 +00:00			`EXP = 3600`
Only commit changed fields 2020-08-24 09:28:15 +00:00
			`[JWT.MAPPING]`
TODO.md 2020-08-26 10:03:06 +00:00			`# Mapping between JWT fields and LDAP attributes from your`
More fields by default in userinfo 2020-09-25 12:20:09 +00:00			`# User objectClass. Default values fits inetOrgPerson.`
Only commit changed fields 2020-08-24 09:28:15 +00:00			`SUB = "uid"`
			`NAME = "cn"`
			`PHONE_NUMBER = "telephoneNumber"`
More fields by default in userinfo 2020-09-25 12:20:09 +00:00			`EMAIL = "mail"`
			`GIVEN_NAME = "givenName"`
Fixed typo 2020-10-19 15:15:09 +00:00			`FAMILY_NAME = "sn"`
More fields by default in userinfo 2020-09-25 12:20:09 +00:00			`PREFERRED_USERNAME = "displayName"`
			`LOCALE = "preferredLanguage"`
jpegPhoto may be better than photo 2020-12-31 17:10:54 +00:00			`PICTURE = "jpegPhoto"`
Minor fixes 2020-10-29 12:43:53 +00:00			`ADDRESS = "postalAddress"`
Password mechanism recovery. Fixes #3 2020-10-22 15:37:01 +00:00
			`[SMTP]`
			`HOST = "localhost"`
			`PORT = 25`
			`TLS = false`
Password initialization mail button. Fixes #51 2021-01-06 16:19:44 +00:00			`LOGIN = ""`
			`PASSWORD = ""`
Password mechanism recovery. Fixes #3 2020-10-22 15:37:01 +00:00			`FROM_ADDR = "admin@mydomain.tld"`