2024-03-28 13:57:29 +00:00
Databases
#########
Canaille can read and save data in different databases.
This page presents the different database backends and their specificities:
.. contents ::
:local:
Memory
======
Canaille comes with a lightweight inmemory backend by default.
2023-12-18 17:06:03 +00:00
It is used when no other backend has been configured.
2024-03-28 13:57:29 +00:00
This backend is only for test purpose and should not be used in production environments.
SQL
===
Canaille can use any database supported by `SQLAlchemy <https://www.sqlalchemy.org/> `_ , such as
sqlite, postgresql or mariadb.
2023-12-18 17:06:03 +00:00
It is used when the `` CANAILLE_SQL `` configuration parameter is defined. For instance::
2024-03-28 13:57:29 +00:00
2023-12-18 17:06:03 +00:00
[CANAILLE_SQL]
2024-03-28 13:57:29 +00:00
SQL_DATABASE_URI = "postgresql://user:password@localhost/database"
2024-03-29 08:35:29 +00:00
You can find more details on the SQL configuration in the :class: `dedicated section <canaille.backends.sql.configuration.SQLSettings>` .
2023-12-18 17:06:03 +00:00
2024-03-28 13:57:29 +00:00
LDAP
====
Canaille can use OpenLDAP as its main database.
2023-12-18 17:06:03 +00:00
It is used when the `` CANAILLE_LDAP `` configuration parameter is defined. For instance::
2024-03-28 13:57:29 +00:00
2023-12-18 17:06:03 +00:00
[CANAILLE_LDAP]
2024-03-28 13:57:29 +00:00
URI = "ldap://ldap"
ROOT_DN = "dc=mydomain,dc=tld"
BIND_DN = "cn=admin,dc=mydomain,dc=tld"
BIND_PW = "very-secret-password"
USER_BASE = "ou=users,dc=mydomain,dc=tld"
USER_CLASS = "inetOrgPerson"
USER_FILTER = "(|(uid={{ login }})(mail={{ login }}))"
GROUP_BASE = "ou=groups,dc=mydomain,dc=tld"
2024-03-29 08:35:29 +00:00
You can find more details on the LDAP configuration in the :class: `dedicated section <canaille.backends.ldap.configuration.LDAPSettings>` .
2023-12-18 17:06:03 +00:00
2024-03-28 13:57:29 +00:00
.. note ::
Currently, only the `` inetOrgPerson `` and `` groupOfNames `` schemas have been tested.
If you want to use different schemas or LDAP servers, adaptations may be needed.
Patches are welcome.
OpenLDAP overlays integration
-----------------------------
Canaille can integrate with several OpenLDAP overlays:
memberof / refint
~~~~~~~~~~~~~~~~~
2024-03-29 08:35:29 +00:00
`memberof <https://www.openldap.org/doc/admin26/overlays.html#Reverse%20Group%20Membership%20Maintenance> `_
and `refint <https://www.openldap.org/doc/admin26/overlays.html#Referential%20Integrity> `_
2024-03-28 13:57:29 +00:00
overlays are needed for the Canaille group membership to work correctly.
Here is a configuration example compatible with canaille:
.. literalinclude :: ../demo/ldif/memberof-config.ldif
:language: ldif
:caption: memberof-config.ldif
.. literalinclude :: ../demo/ldif/refint-config.ldif
:language: ldif
:caption: refint-config.ldif
You can adapt and load those configuration files with:
.. code-block :: bash
# Adapt those commands according to your setup
sudo ldapadd -Q -H ldapi:/// -Y EXTERNAL -f memberof-config.ldif
sudo ldapadd -Q -H ldapi:/// -Y EXTERNAL -f refint-config.ldif
ppolicy
~~~~~~~
2024-03-29 08:35:29 +00:00
If the `ppolicy <https://www.ietf.org/archive/id/draft-behera-ldap-password-policy-11.html> `_ overlay is configured and the `` pwdEndTime `` attribute is available (since OpenLDAP 2.6), then account locking support will be enabled in canaille. To allow users to manage account expiration, they need to have a *write* permission on the :attr: `~canaille.core.models.User.lock_date` attribute.
2024-03-28 13:57:29 +00:00
Here is a configuration example compatible with canaille:
.. literalinclude :: ../demo/ldif/ppolicy-config.ldif
:language: ldif
:caption: ppolicy-config.ldif
.. literalinclude :: ../demo/ldif/ppolicy.ldif
:language: ldif
:caption: ppolicy.ldif
You can adapt and load those configuration files with:
.. code-block :: bash
# Adapt those commands according to your setup
sudo ldapadd -Q -H ldapi:/// -Y EXTERNAL -f ppolicy-config.ldif
sudo ldapadd -Q -H ldapi:/// -Y EXTERNAL -f ppolicy.ldif
