forked from Github-Mirrors/canaille
103 lines
3 KiB
TOML
103 lines
3 KiB
TOML
# All the Flask configuration values can be used:
|
|
# https://flask.palletsprojects.com/en/1.1.x/config/#builtin-configuration-values
|
|
|
|
# The flask secret key for cookies. You MUST change this.
|
|
SECRET_KEY = "change me before you go in production"
|
|
|
|
# Your organization name.
|
|
NAME = "Canaille"
|
|
|
|
# The interface on which canaille will be served
|
|
# SERVER_NAME = "auth.mydomain.tld"
|
|
# PREFERRED_URL_SCHEME = "https"
|
|
|
|
# You can display a logo to be recognized on login screens
|
|
LOGO = "/static/img/canaille-head.png"
|
|
|
|
# Your favicon. If unset the LOGO will be used.
|
|
FAVICON = "/static/img/canaille-c.png"
|
|
|
|
# If unset, language is detected
|
|
# LANGUAGE = "en"
|
|
|
|
# Path to the RFC8414 metadata file. You should update those files
|
|
# with your production URLs.
|
|
OAUTH2_METADATA_FILE = "canaille/conf/oauth-authorization-server.json"
|
|
OIDC_METADATA_FILE = "canaille/conf/openid-configuration.json"
|
|
|
|
# If you have a sentry instance, you can set its dsn here:
|
|
# SENTRY_DSN = "https://examplePublicKey@o0.ingest.sentry.io/0"
|
|
|
|
[LDAP]
|
|
URI = "ldap://ldap"
|
|
ROOT_DN = "dc=mydomain,dc=tld"
|
|
BIND_DN = "cn=admin,dc=mydomain,dc=tld"
|
|
BIND_PW = "admin"
|
|
|
|
# Where to search for users?
|
|
USER_BASE = "ou=users,dc=mydomain,dc=tld"
|
|
|
|
# Filter to match users on sign in. Supports a variable
|
|
# {login}. For sigin against either uid or mail use:
|
|
# USER_FILTER = "(|(uid={login})(mail={login}))"
|
|
USER_FILTER = "(|(uid={login})(cn={login}))"
|
|
|
|
# A class to use for creating new users
|
|
USER_CLASS = "inetOrgPerson"
|
|
|
|
# Filter to match super admin users. Super admins can manage
|
|
# OAuth clients, tokens and authorizations. If your LDAP server has
|
|
# the 'memberof' overlay, you can filter against group membership.
|
|
# ADMIN_FILTER = "uid=admin"
|
|
ADMIN_FILTER = "memberof=cn=admins,ou=groups,dc=mydomain,dc=tld"
|
|
|
|
# Filter to match super admin users. User admins can edit, create
|
|
# and delete user accounts. If your LDAP server has the 'memberof'
|
|
# overlay, you can filter against group membership.
|
|
# USER_ADMIN_FILTER = "uid=moderator"
|
|
USER_ADMIN_FILTER = "memberof=cn=moderators,ou=groups,dc=mydomain,dc=tld"
|
|
|
|
# The list of ldap fields you want to be editable by the
|
|
# users.
|
|
FIELDS = [
|
|
"uid",
|
|
"mail",
|
|
"givenName",
|
|
"sn",
|
|
"userPassword",
|
|
"telephoneNumber",
|
|
"employeeNumber",
|
|
# "jpegPhoto",
|
|
]
|
|
|
|
# The jwt configuration. You can generate a RSA keypair with:
|
|
# ssh-keygen -t rsa -b 4096 -m PEM -f private.pem
|
|
# openssl rsa -in private.pem -pubout -outform PEM -out public.pem
|
|
[JWT]
|
|
PUBLIC_KEY = "canaille/conf/public.pem"
|
|
PRIVATE_KEY = "canaille/conf/private.pem"
|
|
KTY = "RSA"
|
|
ALG = "RS256"
|
|
EXP = 3600
|
|
|
|
[JWT.MAPPING]
|
|
# Mapping between JWT fields and LDAP attributes from your
|
|
# User objectClass. Default values fits inetOrgPerson.
|
|
SUB = "uid"
|
|
NAME = "cn"
|
|
PHONE_NUMBER = "telephoneNumber"
|
|
EMAIL = "mail"
|
|
GIVEN_NAME = "givenName"
|
|
FAMILY_NAME = "sn"
|
|
PREFERRED_USERNAME = "displayName"
|
|
LOCALE = "preferredLanguage"
|
|
PICTURE = "jpegPhoto"
|
|
ADDRESS = "postalAddress"
|
|
|
|
[SMTP]
|
|
HOST = "localhost"
|
|
PORT = 25
|
|
TLS = false
|
|
LOGIN = "smtp_user"
|
|
PASSWORD = "smtp_password"
|
|
FROM_ADDR = "admin@mydomain.tld"
|