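; LIAM - Linux Account Manager - config file
;
; One `key = value` pair per line; comments are full-line `;` only (text after
; a value is part of the value). Flags use 1 (on) / 0 (off). Keys written as
; name[index] or name[] build lists (see [defaults] and [ldap] below).

[web]
; 1 enables the web interface, 0 disables it
enabled = 1
; Base URL at which this LIAM instance is reached (the example uses https)
baseurl = https://liam.example.com
; Path of the logo image used by the web interface
logo = /logo-header.png
; footer may contain HTML. Literal & " < and > should be escaped as &amp;
; &quot; &lt; and &gt;
footer = 'Linux Account Manager - <a href="https://code.michu-it.com/michael/liam-linux-account-manager">LIAM</a>.'
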
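[general]
; Which implementation of the `timeout` command is installed on the servers;
; run `timeout --version` to find out.
; used on e.g. debian
timeout_util = GNU coreutils
; used on e.g. alpine
; timeout_util = BusyBox
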
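[security]
; It is important that LIAM is able to verify that it has connected to the
; server that it expected to connect to (otherwise it could be tricked into
; syncing the wrong keys to a server). The simplest way to accomplish this is
; through SSH host key verification. Setting either of the 2 options below to
; '0' weakens the protection that SSH host key verification provides.

; Determine who can reset a server's SSH host key in LIAM:
; 0: Allow server admins to reset the SSH host key for servers that they
;    administer
; 1: Full LIAM admin access is required to reset a server's host key
host_key_reset_restriction = 1

; Determine what happens if multiple servers have the same SSH host key:
; 0: Allow sync to proceed
; 1: Abort sync of affected servers and report an error
; It is not recommended to leave this set to '0' indefinitely
host_key_collision_protection = 1


; Hostname verification is a supplement to SSH host key verification for
; making sure that the sync process has connected to the server that it
; expected to.

; Determine how hostname verification is performed:
; 0: Do not perform hostname verification
; 1: Compare with the result of `hostname -f`
; 2: Compare with /var/local/keys-sync/.hostnames, fall back to `hostname -f`
;    if the file does not exist
; 3: Compare with /var/local/keys-sync/.hostnames, abort sync if the file
;    does not exist
; The last option provides the most solid verification, as a server will only
; be synced to if it has been explicitly allowed on the server itself.
; Note that the shipped value below (0) disables this check entirely; raise it
; once /var/local/keys-sync/.hostnames is in place on the managed servers.
hostname_verification = 0
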
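[defaults]
; This setting will cause new servers to always have a managed account called
; "root" and for that account to be automatically added into the
; "root-accounts" group:
;
; account_groups[root] = "root-accounts"
;
; Any number of these can be specified: one `account_groups[<account>]` line
; per account, where the bracketed index is the account name and the value is
; the group it is added to.
account_groups[root] = "root-accounts"
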
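[email]
; 1 enables outgoing mail, 0 disables it
enabled = 1
; The mail address that outgoing mails will be sent from
from_address = liam@example.com
from_name = "SSH Key Authority system"
; Where to mail security notifications to
report_address = reports@example.com
report_name = "SSH Key Authority reports"
; Where users should contact for help
admin_address = admin@example.com
admin_name = "SSH Key Authority administrators"
; You can use the reroute directive to redirect all outgoing mail to a single
; mail address - typically for temporary testing purposes. While it is set,
; security notifications addressed to report_address are diverted as well, so
; do not leave it enabled in production.
;reroute = test@example.com
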
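[database]
; Connection details to the MySQL database
hostname = localhost
port = 3306
username = liam-user
; The credential is stored in plain text: replace the placeholder below with
; a dedicated database password before deployment and restrict read access
; to this file to the account that runs LIAM.
password = password
database = liam-db
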
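[ldap]
; Address to connect to LDAP server
host = ldaps://ldap.example.com:636
; Use StartTLS for connection security (recommended if using ldap:// instead
; of ldaps:// above). With ldap:// and starttls = 0 the bind credentials and
; directory data travel unencrypted.
starttls = 0
; LDAP subtree containing USER entries
dn_user = "ou=users,dc=example,dc=com"
; LDAP subtree containing GROUP entries
dn_group = "ou=groups,dc=example,dc=com"
; (Optional) filter for matching user objects
;user_filter = "(objectClass=inetOrgPerson)"
; (Optional) filter for matching group objects
;group_filter = "(objectClass=posixGroup)"

; Set to 1 if the LDAP library should process referrals. In most cases this
; is not needed, and for AD servers it can cause errors when querying the
; whole tree.
follow_referrals = 0

; Leave bind_dn empty if binding is not required. bind_password is stored in
; plain text; use a read-only directory account and keep this file's
; permissions tight.
bind_dn =
bind_password =

; User attributes
user_id = uid
user_name = cn
user_email = mail
;user_superior = superioremployee

; If inactive users exist in your LDAP directory, filter with the following
; settings:
; Field to filter on:
;user_active = organizationalstatus
; Use *one* of user_active_true or user_active_false
; user_active_true means user is active if the user_active field equals its
; value
;user_active_true = 'current'
; user_active_false means user is active if the user_active field does not
; equal its value
;user_active_false = 'former'

; Group membership attributes. Examples below are for typical setups:
;
; POSIX groups
; group_member = memberUid
; group_member_value = uid
;
; Group-of-names groups
; group_member = member
; group_member_value = dn
;
; Attribute of group where members are stored
group_member = memberUid
; User attribute to compare with
group_member_value = uid

; Members of the group named by admin_group_cn are given full admin access to
; the SSH Key Authority web interface
admin_group_cn = liam-administrators

; Other LDAP groups that should have their memberships synced; one
; `sync_groups[] = <name>` line per group
;sync_groups[] = ldap_group_name
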
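[inventory]
; SSH Key Authority will read the contents of the file /etc/uuid (if it
; exists) when syncing with a server. If a value is found, it can be used as a
; link to an inventory system.
; %s in the url directive will be replaced with the value found in /etc/uuid
; (the file content is supplied by the managed server, so treat the resulting
; link as untrusted input when rendering it).
;url = "https://inventory.example.com/device/%s"
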
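[gpg]
; SSH Key Authority can GPG sign outgoing emails sent from the
; email.from_address. To do this it needs to know an appropriate key ID to use.
; The example uses the full 40-hex-character fingerprint form; prefer that
; over a short key ID, which is ambiguous.
;key_id = 0123456789ABCDEF0123456789ABCDEF01234567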