authelia/config.template.yml

###############################################################
#                   Authelia configuration                    #
###############################################################

# The port to listen on
port: 80

# Log level
#
# Level of verbosity for logs
logs_level: debug

# LDAP configuration
#
# Example: for user john, the DN will be cn=john,ou=users,dc=example,dc=com
ldap:
  # The url of the ldap server
  url: ldap://openldap

  # The base dn for every entries
  base_dn: dc=example,dc=com

  # An additional dn to define the scope to all users
  additional_users_dn: ou=users

  # The users filter used to find the user DN
  # {0} is a matcher replaced by username.
  # 'cn={0}' by default.
  users_filter: cn={0}

  # An additional dn to define the scope of groups
  additional_groups_dn: ou=groups

  # The groups filter used for retrieving groups of a given user.
  # {0} is a matcher replaced by username.
  # {dn} is a matcher replaced by user DN.
  # 'member={dn}' by default.
  groups_filter: (&(member={dn})(objectclass=groupOfNames))

  # The attribute holding the name of the group
  group_name_attribute: cn

  # The attribute holding the mail address of the user
  mail_attribute: mail

  # The username and password of the admin user.
  user: cn=admin,dc=example,dc=com
  password: password


# Authentication methods
#
# Authentication methods can be defined per subdomain.
# There are currently two available methods: "basic_auth" and "two_factor"
#
# Note: by default a domain uses "two_factor" method.
#
# Note: 'per_subdomain_methods' is a dictionary where keys must be subdomains and
# values must be one of the two possible methods.
#
# Note: 'per_subdomain_methods' is optional.
authentication_methods:
  default_method: two_factor
  per_subdomain_methods:
    basicauth.test.local: basic_auth

# Access Control
#
# Access control is a set of rules you can use to restrict user access to certain 
# resources.
# Any (apply to anyone), per-user or per-group rules can be defined.
#
# If 'access_control' is not defined, ACL rules are disabled and the `allow` default 
# policy is applied, i.e., access is allowed to anyone. Otherwise restrictions follow 
# the rules defined.
# 
# Note: One can use the wildcard * to match any subdomain. 
# It must stand at the beginning of the pattern. (example: *.mydomain.com)
# 
# Note: You must put the pattern in simple quotes when using the wildcard for the YAML
# to be syntaxically correct.
#
# Definition: A `rule` is an object with the following keys: `domain`, `policy` 
# and `resources`.
# - `domain` defines which domain or set of domains the rule applies to.
# - `policy` is the policy to apply to resources. It must be either `allow` or `deny`.
# - `resources` is a list of regular expressions that matches a set of resources to 
# apply the policy to.
#
# Note: Rules follow an order of priority defined as follows:
# In each category (`any`, `groups`, `users`), the latest rules have the highest 
# priority. In other words, it means that if a given resource matches two rules in the
# same category, the latest one overrides the first one.
# Each category has also its own priority. That is, `users` has the highest priority, then
# `groups` and `any` has the lowest priority. It means if two rules in different categories
# match a given resource, the one in the category with the highest priority overrides the
# other one.
#
access_control:
  # Default policy can either be `allow` or `deny`.
  # It is the policy applied to any resource if it has not been overriden
  # in the `any`, `groups` or `users` category.
  default_policy: deny

  # The rules that apply to anyone.
  # The value is a list of rules.
  any:
    - domain: public.test.local
      policy: allow
  
  # Group-based rules. The key is a group name and the value
  # is a list of rules.
  groups:
    admin:
      # All resources in all domains
      - domain: '*.test.local'
        policy: allow
      # Except mx2.mail.test.local (it restricts the first rule)
      - domain: 'mx2.mail.test.local'
        policy: deny
    dev:
      - domain: dev.test.local
        policy: allow
        resources:
          - '^/groups/dev/.*$'
  
  # User-based rules. The key is a user name and the value
  # is a list of rules.
  users:
    john:
      - domain: dev.test.local
        policy: allow
        resources:
          - '^/users/john/.*$' 
    harry:
      - domain: dev.test.local
        policy: allow
        resources:
          - '^/users/harry/.*$'
    bob:
      - domain: '*.mail.test.local'
        policy: allow
      - domain: 'dev.test.local'
        policy: allow
        resources:
          - '^/users/bob/.*$'


# Configuration of session cookies
# 
# The session cookies identify the user once logged in.
session:
  # The secret to encrypt the session cookie.
  secret: unsecure_session_secret
  
  # The time before the cookie expires.
  expiration: 3600000

  # The domain to protect.
  # Note: the authenticator must also be in that domain. If empty, the cookie
  # is restricted to the subdomain of the issuer. 
  domain: test.local
  
  # The redis connection details
  redis:
    host: redis
    port: 6379

# Configuration of the authentication regulation mechanism.
#
# This mechanism prevents attackers from brute forcing the first factor.
# It bans the user if too many attempts are done in a short period of
# time.
regulation:
  # The number of failed login attempts before user is banned. 
  # Set it to 0 for disabling regulation.
  max_retries: 3

  # The length of time between login attempts before user is banned.
  find_time: 120

  # The length of time before a banned user can login again.
  ban_time: 300

# Configuration of the storage backend used to store data and secrets.
#
# You must use only an available configuration: local, mongo
storage:
  # The directory where the DB files will be saved
  # local: /var/lib/authelia/store
  
  # Settings to connect to mongo server
  mongo:
    url: mongodb://mongo/authelia

# Configuration of the notification system.
#
# Notifications are sent to users when they require a password reset, a u2f
# registration or a TOTP registration.
# Use only an available configuration: filesystem, gmail
notifier:
  # For testing purpose, notifications can be sent in a file
  # filesystem:
  #   filename: /tmp/authelia/notification.txt

  # Use your email account to send the notifications. You can use an app password.
  # List of valid services can be found here: https://nodemailer.com/smtp/well-known/  
  # email:
  #   username: user@example.com
  #   password: yourpassword
  #   sender: admin@example.com
  #   service: gmail
  
  # Use a SMTP server for sending notifications
  smtp:
    username: test
    password: password
    secure: false
    host: 'smtp'
    port: 1025
    sender: admin@example.com