mirror of
https://github.com/0rangebananaspy/authelia.git
synced 2024-09-14 22:47:21 +07:00
66449eedb0
Previously, string "{0}" was replaced by the user dn in the groups_filter attributes of the LDAP configuration. However, if the groups children only have a memberUid attribute, one would like to use the username instead of the user dn. Since the user dn can be built from the username, "{0}" is now replaced by the username instead of the user dn so that an LDAP relying on attribute 'memberUid' can be used.
178 lines
5.0 KiB
YAML
178 lines
5.0 KiB
YAML
###############################################################
|
||
# Authelia configuration #
|
||
###############################################################
|
||
|
||
# The port to listen on
|
||
port: 80
|
||
|
||
# Log level
|
||
#
|
||
# Level of verbosity for logs
|
||
logs_level: debug
|
||
|
||
# LDAP configuration
|
||
#
|
||
# Example: for user john, the DN will be cn=john,ou=users,dc=example,dc=com
|
||
ldap:
|
||
# The url of the ldap server
|
||
url: ldap://openldap
|
||
|
||
# The base dn for every entries
|
||
base_dn: dc=example,dc=com
|
||
|
||
# An additional dn to define the scope to all users
|
||
additional_users_dn: ou=users
|
||
|
||
# The users filter.
|
||
# {0} is the matcher replaced by username.
|
||
# 'cn={0}' by default.
|
||
users_filter: cn={0}
|
||
|
||
# An additional dn to define the scope of groups
|
||
additional_groups_dn: ou=groups
|
||
|
||
# The groups filter used for retrieving groups of a given user.
|
||
# {0} is a matcher replaced by username.
|
||
# 'member=cn={0},<additional_users_dn>,<base_dn>' by default.
|
||
groups_filter: (&(member=cn={0},ou=users,dc=example,dc=com)(objectclass=groupOfNames))
|
||
|
||
# The attribute holding the name of the group
|
||
group_name_attribute: cn
|
||
|
||
# The attribute holding the mail address of the user
|
||
mail_attribute: mail
|
||
|
||
# The username and password of the admin user.
|
||
user: cn=admin,dc=example,dc=com
|
||
password: password
|
||
|
||
|
||
# Access Control
|
||
#
|
||
# Access control is a set of rules you can use to restrict the user access.
|
||
# Default (anyone), per-user or per-group rules can be defined.
|
||
#
|
||
# If 'access_control' is not defined, ACL rules are disabled and a default policy
|
||
# is applied, i.e., access is allowed to anyone. Otherwise restrictions follow
|
||
# the rules defined below.
|
||
# If no rule is provided, all domains are denied.
|
||
#
|
||
# One can use the wildcard * to match any subdomain.
|
||
# Note 1: It must stand at the beginning of the pattern. (example: *.mydomain.com)
|
||
# Note 2: You must put the pattern in simple quotes when using the wildcard.
|
||
access_control:
|
||
# Default policy can either be `allow` or `deny`.
|
||
# It is the policy applied to any resource if it has not been overriden
|
||
# in the `any`, `groups` or `users` category.
|
||
default_policy: deny
|
||
|
||
# The rules that apply to anyone.
|
||
# The value is a list of rules.
|
||
any:
|
||
- domain: public.test.local
|
||
policy: allow
|
||
|
||
# Group-based rules. The key is a group name and the value
|
||
# is a list of rules.
|
||
groups:
|
||
admin:
|
||
# All resources in all domains
|
||
- domain: '*.test.local'
|
||
policy: allow
|
||
# Except mx2.mail.test.local (it restricts the first rule)
|
||
- domain: 'mx2.mail.test.local'
|
||
policy: deny
|
||
dev:
|
||
- domain: dev.test.local
|
||
policy: allow
|
||
resources:
|
||
- '^/groups/dev/.*$'
|
||
|
||
# User-based rules. The key is a user name and the value
|
||
# is a list of rules.
|
||
users:
|
||
john:
|
||
- domain: dev.test.local
|
||
policy: allow
|
||
resources:
|
||
- '^/users/john/.*$'
|
||
harry:
|
||
- domain: dev.test.local
|
||
policy: allow
|
||
resources:
|
||
- '^/users/harry/.*$'
|
||
bob:
|
||
- domain: '*.mail.test.local'
|
||
policy: allow
|
||
- domain: 'dev.test.local'
|
||
policy: allow
|
||
resources:
|
||
- '^/users/bob/.*$'
|
||
|
||
# Configuration of session cookies
|
||
#
|
||
# The session cookies identify the user once logged in.
|
||
session:
|
||
# The secret to encrypt the session cookie.
|
||
secret: unsecure_secret
|
||
|
||
# The time before the cookie expires.
|
||
expiration: 3600000
|
||
|
||
# The domain to protect.
|
||
# Note: the authenticator must also be in that domain. If empty, the cookie
|
||
# is restricted to the subdomain of the issuer.
|
||
domain: test.local
|
||
|
||
# The redis connection details
|
||
redis:
|
||
host: redis
|
||
port: 6379
|
||
|
||
# Configuration of the authentication regulation mechanism.
|
||
#
|
||
# This mechanism prevents attackers from brute forcing the first factor.
|
||
# It bans the user if too many attempts are done in a short period of
|
||
# time.
|
||
regulation:
|
||
# The number of failed login attempts before user is banned.
|
||
# Set it to 0 for disabling regulation.
|
||
max_retries: 3
|
||
|
||
# The length of time between login attempts before user is banned.
|
||
find_time: 15
|
||
|
||
# The length of time before a banned user can login again.
|
||
ban_time: 4
|
||
|
||
# Configuration of the storage backend used to store data and secrets.
|
||
#
|
||
# You must use only an available configuration: local, mongo
|
||
storage:
|
||
# The directory where the DB files will be saved
|
||
# local: /var/lib/authelia/store
|
||
|
||
# Settings to connect to mongo server
|
||
mongo:
|
||
url: mongodb://mongo/authelia
|
||
|
||
# Configuration of the notification system.
|
||
#
|
||
# Notifications are sent to users when they require a password reset, a u2f
|
||
# registration or a TOTP registration.
|
||
# Use only an available configuration: filesystem, gmail
|
||
notifier:
|
||
# Use your gmail account to send the notifications. You can use an app password.
|
||
# gmail:
|
||
# username: user@example.com
|
||
# password: yourpassword
|
||
|
||
# Use a SMTP server for sending notifications
|
||
smtp:
|
||
username: test
|
||
password: test
|
||
secure: false
|
||
host: 'smtp'
|
||
port: 1025
|
||
|