authelia/internal/suites/LDAP/configuration.yml

79 lines
1.9 KiB
YAML
Raw Normal View History

---
###############################################################
# Authelia minimal configuration #
###############################################################
theme: dark
jwt_secret: very_important_secret
default_redirection_url: https://home.example.com:8080/
server:
address: 'tcp://:9091'
tls:
certificate: /pki/public.backend.crt
key: /pki/private.backend.pem
log:
level: debug
authentication_backend:
ldap:
address: 'ldaps://openldap'
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
tls:
skip_verify: true
base_dn: dc=example,dc=com
additional_users_dn: ou=users
users_filter: (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person)(objectClass=inetOrgPerson)) # yamllint disable-line rule:line-length
additional_groups_dn: ou=groups
groups_filter: (&(member={dn})(objectClass=groupOfNames))
user: cn=pwmanager,dc=example,dc=com
password: password
attributes:
distinguished_name: ''
username: 'uid'
display_name: 'displayName'
mail: 'mail'
member_of: 'memberOf'
group_name: 'cn'
session:
secret: unsecure_session_secret
expiration: 3600 # 1 hour
inactivity: 300 # 5 minutes
remember_me: 1y
cookies:
- domain: 'example.com'
authelia_url: 'https://login.example.com:8080'
storage:
encryption_key: a_not_so_secure_encryption_key
local:
path: /config/db.sqlite3
totp:
issuer: example.com
access_control:
default_policy: deny
rules:
- domain: "public.example.com"
policy: bypass
- domain: "admin.example.com"
policy: two_factor
- domain: "secure.example.com"
policy: two_factor
- domain: "singlefactor.example.com"
policy: one_factor
regulation:
max_retries: 3
find_time: 300
ban_time: 900
notifier:
smtp:
address: 'smtp://smtp:1025'
sender: admin@example.com
disable_require_tls: true
...