%set %%boolean = {'oui': 1, 'non': 0} ;============================================================================== ; LemonLDAP::NG local configuration parameters ; ; This file is dedicated to configuration parameters override ; You can set here configuration parameters that will be used only by ; local LemonLDAP::NG elements ; ; Section "all" is always read first before "portal", "handler" ; and "manager" ; ; Section "configuration" is used to load global configuration and set cache ; (replace old storage.conf file) ; ; Other section are only read by the specific LemonLDAP::NG component ;============================================================================== [all] ; CUSTOM FUNCTION ; If you want to create customFunctions in rules, declare them here: ;customFunctions = function1 function2 ;customFunctions = Package::func1 Package::func2 ; CROSS-DOMAIN ; If you have some handlers that are not registered on the main domain, ; uncomment this ;cda = 1 ; SAFE JAIL ; Uncomment this to disable Safe jail. ; Warning: this can allow malicious code in custom functions or rules ;useSafeJail = 0 ; LOGGING ; ; 1 - Defined logging level ; Set here one of error, warn, notice, info or debug logLevel = %%lm_loglevel ; Note that this has no effect for Apache2 logging: Apache LogLevel is used ; instead ; ; 2 - Change logger ; ; By default, logging is set to: ; - Lemonldap::NG::Common::Logger::Apache2 for ApacheMP2 handlers ; - Lemonldap::NG::Common::Logger::Syslog for FastCGI (Nginx) ; - Lemonldap::NG::Common::Logger::Std for PSGI applications (manager, ; portal,...) when they are not ; launched by FastCGI server ; Other loggers availables: ; - Lemonldap::NG::Common::Logger::Log4perl to use Log4perl ; ; "Std" is redirected to the web server logs for Apache. For Nginx, only if ; request failed ; ; You can overload this in this section (for all) or in another section if ; you want to change logger for a specified app. ; ; LLNG uses 2 loggers: 1 for technical logs (logger), 1 for user actions ; (userLogger). "userLogger" uses the same class as "logger" if not set. ;logger = Lemonldap::NG::Common::Logger::Syslog ;userLogger = Lemonldap::NG::Common::Logger::Std ; ; 2.1 - Using Syslog ; ; For Syslog logging, you can also overwrite facilities. Default values: logger = Lemonldap::NG::Common::Logger::Syslog syslogFacility = daemon userSyslogFacility = auth ; ; 2.2 - Using Log4perl ; ; If you want to use Log4perl, you can set these parameters. Here are default ; values: ;logger = Lemonldap::NG::Common::Logger::Log4perl ;log4perlConfFile = /etc/lemonldap-ng/log4perl.conf ;log4perlLogger = LLNG ;log4perlUserLogger = LLNG.user ; ; Here, Log4perl configuration is read from /etc/log4perl.conf. The "LLNG" ; value points to the logger class. Example: ; log4perl.logger.LLNG = WARN, File1 ; log4perl.logger.LLNG.user = INFO, File2 ; ... ; CONFIGURATION CHECK ; ; LLNG verify configuration at server start. If you use "reload" mechanism, ; local cache will be updated. Configuration is checked locally every ; 10 minutes by each LLNG component. You can change this value using ; `checkTime` (time in seconds). ; To increase performances, you should comment this parameter and rely on cache. checkTime = 1 [configuration] ; confTimeout: maximum time to get configuration (default 10) ;confTimeout = 5 ; GLOBAL CONFIGURATION ACCESS TYPE ; (File, REST, SOAP, RDBI/CDBI, LDAP, YAMLFile) ; Set here the parameters needed to access to LemonLDAP::NG configuration. ; You have to set "type" to one of the followings : ; ; * File/YAMLFile: you have to set 'dirName' parameter. Example: ; ; type = File ; or type = YAMLFile ; dirName = /var/lib/lemonldap-ng/conf ; ; * RDBI/CDBI : you have to set 'dbiChain' (required) and 'dbiUser' and 'dbiPassword' ; if needed. Example: ; ; type = RDBI ; ;type = CDBI ; dbiChain = DBI:MariaDB:database=lemonldap-ng;host=1.2.3.4 ; dbiUser = lemonldap ; dbiPassword = password ; ; * REST: REST configuration access is a sort of proxy: the portal is ; configured to use the real session storage type (DBI or File for ; example). ; You have to set 'baseUrl' parameter. Example: ; ; type = REST ; baseUrl = https://auth.example.com/config ; proxyOptions = { timeout => 5 } ; User = lemonldap ; Password = mypassword ; ; * SOAP: SOAP configuration access is a sort of proxy: the portal is ; configured to use the real session storage type (DBI or File for ; example). ; You have to set 'proxy' parameter. Example: ; ; type = SOAP ; proxy = https://auth.example.com/config ; proxyOptions = { timeout => 5 } ; User = lemonldap ; Password = mypassword ; ; * LDAP: you have to set ldapServer, ldapConfBase, ldapBindDN and ldapBindPassword. ; ; type = LDAP ; ldapServer = ldap://localhost ; ldapConfBase = ou=conf,ou=applications,dc=example,dc=com ; ldapBindDN = cn=manager,dc=example,dc=com ; ldapBindPassword = secret ; ldapObjectClass = applicationProcess ; ldapAttributeId = cn ; ldapAttributeContent = description type=File dirName = /var/lib/lemonldap-ng/conf ; LOCAL CACHE CONFIGURATION ; ; To increase performances, use a local cache for the configuration. You have ; to choose a Cache::Cache module and set its parameters. Example: ; ; localStorage = Cache::FileCache ; localStorageOptions={ \ ; 'namespace' => 'lemonldap-ng-config',\ ; 'default_expires_in' => 600, \ ; 'directory_umask' => '007', \ ; 'cache_root' => '/tmp', \ ; 'cache_depth' => 3, \ ; } localStorage=Cache::FileCache localStorageOptions={ \ 'namespace' => 'lemonldap-ng-config',\ 'default_expires_in' => 600, \ 'directory_umask' => '007', \ 'cache_root' => '/tmp', \ 'cache_depth' => 3, \ } [portal] ; PORTAL CUSTOMIZATION ; I - Required parameters ; staticPrefix: relative (or URL) location of static HTML components staticPrefix = /static ; location of HTML templates directory templateDir = /usr/share/lemonldap-ng/portal/templates ; languages: available languages for portal interface languages = fr, en, vi, it, ar, de, fi, tr ; II - Optional parameters (overwrite configuration) ; Name of the skin portalSkin = %%llSkin ; Modules displayed ;portalDisplayLogout = 1 portalDisplayResetPassword = %%boolean[%%llResetPassword] ;portalDisplayChangePassword = 1 ;portalDisplayAppslist = 1 ;portalDisplayLoginHistory = 1 ; Require the old password when changing password ;portalRequireOldPassword = 1 ; Attribute displayed as connected user ;portalUserAttr = mail ; Old menu HTML code ; Enable it if you use old templates ;useOldMenuItems=1 ; Override error codes ;error_0 = You are well authenticated! ; Custom template parameters ; For example to use ;tpl_myparam = test ; COMBINATION FORMS ; If you want to fix forms to display, you can use this; ;combinationForms = standardform, yubikeyform ;syslog = auth ; SOAP FUNCTIONS ; Remove comment to activate SOAP Functions getCookies(user,pwd) and ; error(language, code) ;Soap = 1 ; Note that getAttibutes() will be activated but on a different URI ; (http://auth.example.com/sessions) ; You can also restrict attributes and macros exported by getAttributes ;exportedAttr = uid mail ; PASSWORD POLICY ; Remove comment to use LDAP Password Policy ;ldapPpolicyControl = 1 ; Remove comment to store password in session (use with caution) ;storePassword = 1 ; Remove comment to use LDAP modify password extension ; (beware of compatibility with LDAP Password Policy) ;ldapSetPassword = 1 ; RESET PASSWORD BY MAIL ; SMTP server (default to localhost), set to '' to use default mail service ;SMTPServer = localhost ; SMTP auth user ;SMTPAuthUser = toto ; SMTP auth password ;SMTPAuthPass = secret ; Mail From address ;mailFrom = noreply@example.com ; Reply To ;mailReplyTo = noreply@example.com ; Mail confirmation URL ;mailUrl = http://reset.example.com ; Mail subject for confirmation message ;mailConfirmSubject = [LemonLDAP::NG] Password reset confirmation ; Mail body for confiramtion (can use $url for confirmation URL, and other session ; infos, like $cn). Keep comment to use HTML templates ;mailConfirmBody = Hello $cn,\n\nClick here to receive your new password: $url ; Mail subject for new password message ;mailSubject = [LemonLDAP::NG] Your new password ; Mail body for new password (can use $password for generated password, and other session ; infos, like $cn). Keep comment to use HTML templates ;mailBody = Hello $cn,\n\nYour new password is $password ; LDAP filter to use ;mailLDAPFilter = '(&(mail=$mail)(objectClass=inetOrgPerson))' ; Random regexp for password generation ;randomPasswordRegexp = [A-Z]{3}[a-z]{5}.\d{2} ; LDAP GROUPS ; Set the base DN of your groups branch ;ldapGroupBase = ou=groups,dc=example,dc=com ; Objectclass used by groups ;ldapGroupObjectClass = groupOfUniqueNames ; Attribute used by groups to store member ;ldapGroupAttributeName = uniqueMember ; Attribute used by user to link to groups ;ldapGroupAttributeNameUser = dn ; Attribute used to identify a group. The group will be displayed as ; cn|mail|status, where cn, mail and status will be replaced by their ; values. ;ldapGroupAttributeNameSearch = cn mail ; NOTIFICATIONS SERVICE ; Use it to be able to notify messages during authentication ;notification = 1 ; Note that the SOAP function newNotification will be activated on ; http://auth.example.com/notification ; If you want to hide this, just protect "/index.fcgi/notification" in ; your Apache configuration file ; XSS protection bypass ; By default, the portal refuse redirections that comes from sites not ; registered in the configuration (manager) except for those coming ; from trusted domains. By default, trustedDomains contains the domain ; declared in the manager. You can set trustedDomains to empty value so ; that, undeclared sites will be rejected. You can also set here a list ; of trusted domains or hosts separated by spaces. This is usefull if ; your website use LemonLDAP::NG without handler with SOAP functions. ;trustedDomains = my.trusted.host example2.com ; Check XSS ; Set to 0 to disable error on XSS attack detection ;checkXSS = 0 ; pdata cookie domain ; pdata cookie could not be sent with cross domains AJAX request ; Null is default value ;pdataDomain = example.com ; CUSTOM PLUGINS ; If you want to add custom plugins, set list here (comma separated) ; Read Lemonldap::NG::Portal::Main::Plugin(3pm) man page. ;customPlugins = ::My::Package1, ::My::Package2 ; To avoid bad/expired OTT if "authssl" and "auth" are served by different Load Balancers ; you can override OTT configuration to store Upgrade or Issuer OTT into global storage ;forceGlobalStorageUpgradeOTT = 1 ;forceGlobalStorageIssuerOTT = 1 [handler] ; Handler cache configuration ; You can overwrite here local session cache settings in manager: ; localSessionStorage=Cache::FileCache ; localSessionStorageOptions={ \ ; 'namespace' => 'lemonldap-ng-sessions', \ ; 'default_expires_in' => 600, \ ; 'directory_umask' => '007', \ ; 'cache_root' => '/tmp', \ ; 'cache_depth' => 3, \ ; } ; Set https to 1 if your handler protect a https website (used only for ; redirections to the portal) https = 1 ; Set port if your your hanlder protect a website on a non standard port ; - 80 for http, 443 for https (used only for redirections to the portal) ;port = 8080 ; Set status to 1 if you want to have the report of activity (used for ; example to inform MRTG) status = 0 ; Set useRedirectOnForbidden to 1 if you want to use REDIRECT and not FORBIDDEN ; when a user is not allowed by Handler ;useRedirectOnForbidden = 1 ; Hide LemonLDAP::NG Handler in Apache Server Signature ;hideSignature = 1 ; Set ServiceToken timeout ;handlerServiceTokenTTL = 30 ; Set Impersonation/ContextSwitching prefix ; impersonationPrefix = real_ useRedirectOnError = 1 ; Zimbra Handler parameters ;zimbraPreAuthKey = XXXX ;zimbraAccountKey = uid ;zimbraBy =id ;zimbraUrl = /service/preauth ;zimbraSsoUrl = ^/zimbrasso$ [manager] ; Manager protection: by default, the manager is protected by a demo account. ; You can protect it : ; * by Apache itself, ; * by the parameter 'protection' which can take one of the following ; values : ; * authenticate : all authenticated users can access ; * manager : manager is protected like other virtual hosts: you ; have to set rules in the corresponding virtual host ; * : you can set here directly the rule to apply ; * none : no protection protection = manager ; staticPrefix: relative (or URL) location of static HTML components staticPrefix = /static ; ; location of HTML templates directory templateDir = /usr/share/lemonldap-ng/manager/htdocs/templates ; languages: available languages for manager interface languages = fr, en, it, vi, ar, tr ; Manager modules enabled ; Set here the list of modules you want to see in manager interface ; The first will be used as default module displayed ;enabledModules = conf, sessions, notifications, 2ndFA, viewer enabledModules = conf, sessions, notifications, 2ndFA ; To avoid restricted users to edit configuration, defaulModule MUST be different than 'conf' ; 'conf' is set by default ;defaultModule = viewer ; Viewer module allows us to edit configuration in read-only mode ; Options can be set with specific rules like this : ;viewerAllowBrowser = $uid eq 'dwho' ;viewerAllowDiff = $uid ne 'dwho' ; ; Viewer options - Default values ;viewerHiddenKeys = samlIDPMetaDataNodes samlSPMetaDataNodes managerPassword ManagerDn globalStorageOptions persistentStorageOptions ;viewerAllowBrowser = 0 ;viewerAllowDiff = 0 ;[node-handler] ; ;This section is for node-lemonldap-ng-handler ;nodeVhosts = test3.example.com, test4.example.com