############################################################### # Authelia configuration # ############################################################### # The port to listen on port: 80 # Log level # # Level of verbosity for logs logs_level: debug # LDAP configuration # # Example: for user john, the DN will be cn=john,ou=users,dc=example,dc=com ldap: # The url of the ldap server url: ldap://openldap # The base dn for every entries base_dn: dc=example,dc=com # An additional dn to define the scope to all users additional_users_dn: ou=users # The users filter. # {0} is the matcher replaced by username. # 'cn={0}' by default. users_filter: cn={0} # An additional dn to define the scope of groups additional_groups_dn: ou=groups # The groups filter. # {0} is the matcher replaced by user dn. # 'member={0}' by default. groups_filter: (&(member={0})(objectclass=groupOfNames)) # The attribute holding the name of the group group_name_attribute: cn # The attribute holding the mail address of the user mail_attribute: mail # The username and password of the admin user. user: cn=admin,dc=example,dc=com password: password # Access Control # # Access control is a set of rules you can use to restrict the user access. # Default (anyone), per-user or per-group rules can be defined. # # If 'access_control' is not defined, ACL rules are disabled and a default policy # is applied, i.e., access is allowed to anyone. Otherwise restrictions follow # the rules defined below. # If no rule is provided, all domains are denied. # # One can use the wildcard * to match any subdomain. # Note 1: It must stand at the beginning of the pattern. (example: *.mydomain.com) # Note 2: You must put the pattern in simple quotes when using the wildcard. access_control: # The default policy. Applies to any user default: - public.test.local # Group based policies. The key is a group name and the value # is the domain to allow access to. groups: admin: - '*.test.local' dev: - secret.test.local - secret2.test.local # Group based policies. The key is a group name and the value # is the domain to allow access to. users: harry: - secret1.test.local bob: - '*.mail.test.local' # Configuration of session cookies # # The session cookies identify the user once logged in. session: # The secret to encrypt the session cookie. secret: unsecure_secret # The time before the cookie expires. expiration: 3600000 # The domain to protect. # Note: the authenticator must also be in that domain. If empty, the cookie # is restricted to the subdomain of the issuer. domain: test.local # The redis connection details redis: host: redis port: 6379 # Configuration of the authentication regulation mechanism. # # This mechanism prevents attackers from brute forcing the first factor. # It bans the user if too many attempts are done in a short period of # time. regulation: # The number of failed login attempts before user is banned. # Set it to 0 for disabling regulation. max_retries: 3 # The length of time between login attempts before user is banned. find_time: 15 # The length of time before a banned user can login again. ban_time: 4 # Configuration of the storage backend used to store data and secrets. # # You must use only an available configuration: local, mongo storage: # The directory where the DB files will be saved # local: /var/lib/authelia/store # Settings to connect to mongo server mongo: url: mongodb://mongo/authelia # Configuration of the notification system. # # Notifications are sent to users when they require a password reset, a u2f # registration or a TOTP registration. # Use only an available configuration: filesystem, gmail notifier: # For testing purpose, notifications can be sent in a file filesystem: filename: /var/lib/authelia/notifications/notification.txt # Use your gmail account to send the notifications. You can use an app password. # gmail: # username: user@example.com # password: yourpassword