michael
/
liam-linux-account-manager
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '30b5d7c51b'
${ noResults }
liam-linux-account-manager/config/config-sample.ini

160 lines
5.4 KiB
INI
Raw Blame History

; LIAM - Linux Account Manager - config file
[web]
enabled = 1
baseurl = https://liam.example.com
logo = /logo-header.png
; footer may contain HTML. Literal & " < and > should be escaped as &amp;
; &quot; &lt; $gt;
footer = 'Linux Account Manager - <a href="https://code.michu-it.com/michael/liam-linux-account-manager">LIAM</a>.'
[general]
; Use timeout --version to find out the current version
; used on e.g. debian
timeout_util = GNU coreutils
; used on e.g. alpine
; timeout_util = BusyBox
[security]
; It is important that LIAM is able to verify that it has connected to the
; server that it expected to connect to (otherwise it could be tricked into
; syncing the wrong keys to a server). The simplest way to accomplish this is
; through SSH host key verification. Setting either of the 2 options below to
; '0' can weaken the protection that SSH host key verification provides.
; Determine who can reset a server's SSH host key in LIAM:
; 0: Allow server admins to reset the SSH host key for servers that they
; administer
; 1: Full LIAM admin access is required to reset a server's host key
host_key_reset_restriction = 1
; Determine what happens if multiple servers have the same SSH host key:
; 0: Allow sync to proceed
; 1: Abort sync of affected servers and report an error
; It is not recommended to leave this set to '0' indefinitely
host_key_collision_protection = 1
; Hostname verification is a supplement to SSH host key verification for
; making sure that the sync process has connected to the server that it
; expected to.
; Determine how hostname verification is performed:
; 0: Do not perform hostname verification
; 1: Compare with the result of `hostname -f`
; 2: Compare with /var/local/keys-sync/.hostnames, fall back to `hostname -f`
; if the file does not exist
; 3: Compare with /var/local/keys-sync/.hostnames, abort sync if the file
; does not exist
; The last option provides the most solid verification, as a server will only
; be synced to if it has been explicitly allowed on the server itself.
hostname_verification = 0
[defaults]
; This setting will cause new servers to always have a managed account called
; "root" and for that account to be automatically added into the
; "root-accounts" group:
;
; account_groups[root] = "root-accounts"
;
; Any number of these can be specified
account_groups[root] = "root-accounts"
[email]
enabled = 1
; The mail address that outgoing mails will be sent from
from_address = liam@example.com
from_name = "SSH Key Authority system"
; Where to mail security notifications to
report_address = reports@example.com
report_name = "SSH Key Authority reports"
; Where users should contact for help
admin_address = admin@example.com
admin_name = "SSH Key Authority administrators"
; You can use the reroute directive to redirect all outgoing mail to a single
; mail address - typically for temporary testing purposes
;reroute = test@example.com
[database]
; Connection details to the MySQL database
hostname = localhost
port = 3306
username = liam-user
password = password
database = liam-db
[ldap]
; Address to connect to LDAP server
host = ldaps://ldap.example.com:636
; Use StartTLS for connection security (recommended if using ldap:// instead
; of ldaps:// above)
starttls = 0
; LDAP subtree containing USER entries
dn_user = "ou=users,dc=example,dc=com"
; LDAP subtree containing GROUP entries
dn_group = "ou=groups,dc=example,dc=com"
; (Optional) filter for matching user objects
;user_filter = "(objectClass=inetOrgPerson)"
; (Optional) filter for matching group objects
;group_filter = "(objectClass=posixGroup)"
; Set to 1 if the LDAP library should process referrals. In most cases this
; is not needed, and for AD servers it can cause errors when querying the
; whole tree.
follow_referrals = 0
; Leave bind_dn empty if binding is not required
bind_dn =
bind_password =
; User attributes
user_id = uid
user_name = cn
user_email = mail
;user_superior = superioremployee
; If inactive users exist in your LDAP directory, filter with the following
; settings:
; Field to filter on:
;user_active = organizationalstatus
; Use *one* of user_active_true or user_active_false
; user_active_true means user is active if the user_active field equals its
; value
;user_active_true = 'current'
; user_active_false means user is active if the user_active field does not
; equal its value
;user_active_false = 'former'
; Group membership attributes. Examples below are for typical setups:
;
; POSIX groups
; group_member = memberUid
; group_member_value = uid
;
; Group-of-names groups
; group_member = member
; group_member_value = dn
;
; Attribute of group where members are stored
group_member = memberUid
; User attribute to compare with
group_member_value = uid
; Members of admin_group are given full admin access to SSH Key Authority web
; interface
admin_group_cn = liam-administrators
; Other LDAP groups that should have their memberships synced
;sync_groups[] = ldap_group_name
[inventory]
; SSH Key Authority will read the contents of the file /etc/uuid (if it
; exists) when syncing with a server. If a value is found, it can be used as a
; link to an inventory system.
; %s in the url directive will be replaced with the value found in /etc/uuid
;url = "https://inventory.example.com/device/%s"
[gpg]
; SSH Key Authority can GPG sign outgoing emails sent from the
; email.from_address. To do this it needs to know an appropriate key ID to use
;key_id = 0123456789ABCDEF0123456789ABCDEF01234567
Reference in New Issue View Git Blame Copy Permalink