Rev | Author | Line No. | Line |
---|---|---|---|
261 | daniel-mar | 1 | |
2 | OVERVIEW OF ALL CONFIG.INC.PHP SETTINGS |
||
3 | ======================================= |
||
4 | |||
294 | daniel-mar | 5 | The file userdata/baseconfig/config.inc.php contains various settings |
261 | daniel-mar | 6 | which are essential to connect to your database and other |
7 | things that should be known before the database connection |
||
8 | is opened. |
||
294 | daniel-mar | 9 | Other settings are stored in the database (table "config") |
261 | daniel-mar | 10 | and can be accessed using the admin login area. |
11 | |||
294 | daniel-mar | 12 | The setup assistant (/setup/) will lead you through |
13 | the creation of the most important settings of config.inc.php. |
||
261 | daniel-mar | 14 | |
294 | daniel-mar | 15 | Below you will find a list of all possible config settings |
16 | of the default OIDplus installation/plugins. |
||
17 | Please note that a plugin can define any key. |
||
18 | |||
19 | |||
261 | daniel-mar | 20 | ------------------------------------- |
21 | (1) CONFIG SETTINGS PROVIDED BY SETUP |
||
22 | ------------------------------------- |
||
23 | |||
24 | OIDplus::baseConfig()->setValue('CONFIG_VERSION', 2.1); |
||
25 | |||
471 | daniel-mar | 26 | OIDplus::baseConfig()->setValue('ADMIN_PASSWORD', '<BCrypt hash, or base64 encoded SHA3-512 hash>'); |
609 | daniel-mar | 27 | If you want to have multiple valid administrator passwords |
28 | (e.g. if you want multiple users), then this value can |
||
29 | also be an array containing hashes. |
||
261 | daniel-mar | 30 | |
31 | OIDplus::baseConfig()->setValue('DATABASE_PLUGIN', ''); |
||
786 | daniel-mar | 32 | Valid values: see plugins (setup/) |
261 | daniel-mar | 33 | |
786 | daniel-mar | 34 | OIDplus::baseConfig()->setValue('OCI_CONN_STR', 'localhost/orcl'); |
35 | Can be an Oracle connection string/TNS or a hostname like |
||
36 | |||
37 | OIDplus::baseConfig()->setValue('OCI_USERNAME', 'hr'); |
||
38 | |||
39 | OIDplus::baseConfig()->setValue('OCI_PASSWORD', 'oracle'); |
||
40 | |||
261 | daniel-mar | 41 | OIDplus::baseConfig()->setValue('ODBC_DSN', 'DRIVER={SQL Server};SERVER=localhost;DATABASE=oidplus;CHARSET=UTF8'); |
42 | |||
43 | OIDplus::baseConfig()->setValue('ODBC_USERNAME', 'sa'); |
||
44 | |||
45 | OIDplus::baseConfig()->setValue('ODBC_PASSWORD', base64_decode('<base64_encoded_password>')); // alternatively as plaintext |
||
844 | daniel-mar | 46 | The base64 encoding protects your password from being read if someone |
47 | "looks over your shoulder" at your display while you have the configuration file opened. |
||
48 | (Obviously, it doesn't protect you if they can make a photo or screenshot) |
||
261 | daniel-mar | 49 | |
50 | OIDplus::baseConfig()->setValue('PDO_DSN', 'pgsql:host=localhost;dbname=oidplus'); |
||
51 | |||
52 | OIDplus::baseConfig()->setValue('PDO_USERNAME', 'postgres'); |
||
53 | |||
54 | OIDplus::baseConfig()->setValue('PDO_PASSWORD', base64_decode('<base64_encoded_password>')); // alternatively as plaintext |
||
844 | daniel-mar | 55 | The base64 encoding protects your password from being read if someone |
56 | "looks over your shoulder" at your display while you have the configuration file opened. |
||
57 | (Obviously, it doesn't protect you if they can make a photo or screenshot) |
||
261 | daniel-mar | 58 | |
59 | OIDplus::baseConfig()->setValue('MYSQL_HOST', 'localhost:3306'); |
||
814 | daniel-mar | 60 | The hostname to connect to. Port (:3306) is optional. |
261 | daniel-mar | 61 | |
813 | daniel-mar | 62 | OIDplus::baseConfig()->setValue('MYSQL_SOCKET', ''); |
63 | In case you connect via MySQL through a socket, use this setting. |
||
64 | (It is currently not included in setup/ and needs to be set manually). |
||
65 | |||
261 | daniel-mar | 66 | OIDplus::baseConfig()->setValue('MYSQL_USERNAME', 'root'); |
67 | |||
68 | OIDplus::baseConfig()->setValue('MYSQL_PASSWORD', base64_decode('<base64_encoded_password>')); // alternatively as plaintext |
||
844 | daniel-mar | 69 | The base64 encoding protects your password from being read if someone |
70 | "looks over your shoulder" at your display while you have the configuration file opened. |
||
71 | (Obviously, it doesn't protect you if they can make a photo or screenshot) |
||
261 | daniel-mar | 72 | |
73 | OIDplus::baseConfig()->setValue('MYSQL_DATABASE', 'oidplus'); |
||
74 | |||
75 | OIDplus::baseConfig()->setValue('PGSQL_HOST', 'localhost:5432'); |
||
814 | daniel-mar | 76 | The hostname to connect to. Port (:5432) is optional. |
261 | daniel-mar | 77 | |
814 | daniel-mar | 78 | OIDplus::baseConfig()->setValue('PGSQL_SOCKET', ''); |
79 | In case you connect via PostgreSQL through a socket, use this setting. |
||
80 | (It is currently not included in setup/ and needs to be set manually). |
||
81 | |||
261 | daniel-mar | 82 | OIDplus::baseConfig()->setValue('PGSQL_USERNAME', 'postgres'); |
83 | |||
84 | OIDplus::baseConfig()->setValue('PGSQL_PASSWORD', base64_decode('<base64_encoded_password>')); // alternatively as plaintext |
||
844 | daniel-mar | 85 | The base64 encoding protects your password from being read if someone |
86 | "looks over your shoulder" at your display while you have the configuration file opened. |
||
87 | (Obviously, it doesn't protect you if they can make a photo or screenshot) |
||
261 | daniel-mar | 88 | |
89 | OIDplus::baseConfig()->setValue('PGSQL_DATABASE', 'oidplus'); |
||
90 | |||
264 | daniel-mar | 91 | |
713 | daniel-mar | 92 | OIDplus::baseConfig()->setValue('SQLITE3_FILE', 'userdata/database/oidplus.db'); |
93 | Attention: This file must be located in a location that is not world-readable/downloadable! |
||
264 | daniel-mar | 94 | |
713 | daniel-mar | 95 | OIDplus::baseConfig()->setValue('SQLITE3_ENCRYPTION', ''); |
96 | Optional encryption |
||
264 | daniel-mar | 97 | |
261 | daniel-mar | 98 | OIDplus::baseConfig()->setValue('TABLENAME_PREFIX', 'oidplus_'); |
99 | |||
100 | OIDplus::baseConfig()->setValue('SERVER_SECRET', 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'); |
||
713 | daniel-mar | 101 | It is very very important that you choose a long sequence of |
261 | daniel-mar | 102 | random characters. OIDplus uses this secret for various |
103 | security-related purposes. If someone accidentally received this secret, |
||
104 | please change the sequence. |
||
105 | |||
713 | daniel-mar | 106 | OIDplus::baseConfig()->setValue('CAPTCHA_PLUGIN', 'None'); |
1027 | daniel-mar | 107 | Alternative Values (installed plugins) |
108 | - reCAPTCHA |
||
109 | - hCaptcha |
||
110 | - ViaThinkSoft Client Challenge |
||
713 | daniel-mar | 111 | |
1050 | daniel-mar | 112 | OIDplus::baseConfig()->setValue('RECAPTCHA_VERSION', \ViaThinkSoft\OIDplus\OIDplusCaptchaPluginRecaptcha::RECAPTCHA_V2_CHECKBOX); |
1016 | daniel-mar | 113 | Possible values: |
1050 | daniel-mar | 114 | \ViaThinkSoft\OIDplus\OIDplusCaptchaPluginRecaptcha::RECAPTCHA_V2_CHECKBOX |
115 | \ViaThinkSoft\OIDplus\OIDplusCaptchaPluginRecaptcha::RECAPTCHA_V2_INVISIBLE |
||
116 | \ViaThinkSoft\OIDplus\OIDplusCaptchaPluginRecaptcha::RECAPTCHA_V3 |
||
1016 | daniel-mar | 117 | |
261 | daniel-mar | 118 | OIDplus::baseConfig()->setValue('RECAPTCHA_ENABLED', true); |
702 | daniel-mar | 119 | Deprecated! |
1027 | daniel-mar | 120 | RECAPTCHA_ENABLED=true becomes CAPTCHA_PLUGIN=reCAPTCHA |
702 | daniel-mar | 121 | RECAPTCHA_ENABLED=false becomes CAPTCHA_PLUGIN=None |
261 | daniel-mar | 122 | |
123 | OIDplus::baseConfig()->setValue('RECAPTCHA_PUBLIC', ''); |
||
713 | daniel-mar | 124 | Only used if CAPTCHA_PLUGIN=reCAPTCHA |
261 | daniel-mar | 125 | |
126 | OIDplus::baseConfig()->setValue('RECAPTCHA_PRIVATE', ''); |
||
713 | daniel-mar | 127 | Only used if CAPTCHA_PLUGIN=reCAPTCHA |
261 | daniel-mar | 128 | |
1001 | daniel-mar | 129 | OIDplus::baseConfig()->setValue('HCAPTCHA_SITEKEY', ''); |
130 | Only used if CAPTCHA_PLUGIN=hCaptcha |
||
131 | |||
132 | OIDplus::baseConfig()->setValue('HCAPTCHA_SECRET', ''); |
||
133 | Only used if CAPTCHA_PLUGIN=hCaptcha |
||
134 | |||
974 | daniel-mar | 135 | OIDplus::baseConfig()->setValue('ENFORCE_SSL', OIDplus::ENFORCE_SSL_AUTO); |
136 | Values OIDplus::ENFORCE_SSL_NO (0) = (off) |
||
137 | OIDplus::ENFORCE_SSL_YES (1) = (on) |
||
138 | OIDplus::ENFORCE_SSL_AUTO (2) = (auto detect SSL) |
||
261 | daniel-mar | 139 | |
1036 | daniel-mar | 140 | OIDplus::baseConfig()->setValue('VTS_CAPTCHA_COMPLEXITY', 50000); |
141 | Only used if CAPTCHA_PLUGIN=ViaThinkSoft Client Challenge |
||
261 | daniel-mar | 142 | |
1036 | daniel-mar | 143 | OIDplus::baseConfig()->setValue('VTS_CAPTCHA_AUTOSOLVE', true); |
144 | Only used if CAPTCHA_PLUGIN=ViaThinkSoft Client Challenge |
||
145 | |||
146 | OIDplus::baseConfig()->setValue('VTS_CAPTCHA_MAXTIME', 10*60/*10 minutes*/); |
||
147 | Only used if CAPTCHA_PLUGIN=ViaThinkSoft Client Challenge |
||
148 | |||
261 | daniel-mar | 149 | ---------------------- |
374 | daniel-mar | 150 | (2) SYSTEM LIMITATIONS (defined and documented in includes/oidplus_limits.inc.php , can be overwritten by config.inc.php) |
261 | daniel-mar | 151 | ---------------------- |
152 | |||
153 | OIDplus::baseConfig()->setValue('LIMITS_MAX_OID_DEPTH', 30); |
||
713 | daniel-mar | 154 | Please read the documentation in the file includes/oidplus_limits.inc.php |
261 | daniel-mar | 155 | |
156 | OIDplus::baseConfig()->setValue('LIMITS_MAX_ID_LENGTH', 255); |
||
713 | daniel-mar | 157 | Please read the documentation in the file includes/oidplus_limits.inc.php |
261 | daniel-mar | 158 | |
159 | OIDplus::baseConfig()->setValue('LIMITS_MAX_OID_ARC_SIZE', 50); |
||
713 | daniel-mar | 160 | Please read the documentation in the file includes/oidplus_limits.inc.php |
261 | daniel-mar | 161 | |
162 | OIDplus::baseConfig()->setValue('LIMITS_MAX_OID_ASN1_ID_LEN', 255); |
||
713 | daniel-mar | 163 | Please read the documentation in the file includes/oidplus_limits.inc.php |
261 | daniel-mar | 164 | |
165 | OIDplus::baseConfig()->setValue('LIMITS_MAX_OID_UNICODE_LABEL_LEN', 255); |
||
713 | daniel-mar | 166 | Please read the documentation in the file includes/oidplus_limits.inc.php |
261 | daniel-mar | 167 | |
168 | |||
169 | ----------------------------------------- |
||
170 | (3) "HIDDEN"/UNDOCUMENTED CONFIG SETTINGS |
||
171 | ----------------------------------------- |
||
172 | |||
173 | OIDplus::baseConfig()->setValue('OIDINFO_API_URL', '<url>'); |
||
713 | daniel-mar | 174 | Currently only internal use for development utilities (dev/). |
502 | daniel-mar | 175 | The API to oid-info.com is currently not public. |
261 | daniel-mar | 176 | |
177 | OIDplus::baseConfig()->setValue('REGISTRATION_HIDE_SYSTEM', true); |
||
713 | daniel-mar | 178 | Set this if you have a clone of a production system and you want |
261 | daniel-mar | 179 | to prevent the clone from registering at the ViaThinkSoft directory |
180 | (which would overwrite the URL of the production system and reveal |
||
181 | the URL of your testing system) |
||
182 | |||
183 | OIDplus::baseConfig()->setValue('MYSQL_FORCE_MYSQLND_SUPPLEMENT', false); |
||
713 | daniel-mar | 184 | The MySQLi plugin contains supplement code to handle |
261 | daniel-mar | 185 | prepared statements on servers which do not have the MySQLnd extension |
186 | installed. Set this flag to force the supplement to be used, |
||
187 | even if MySQLnd is available. (For testing purposes only) |
||
188 | |||
189 | OIDplus::baseConfig()->setValue('QUERY_LOGFILE', ''); |
||
713 | daniel-mar | 190 | Set this setting to a filename where all queries including timestamps would be written. |
261 | daniel-mar | 191 | This is used for performance analysis. |
192 | Please choose a directory that is not world-accessible. |
||
193 | |||
194 | OIDplus::baseConfig()->setValue('SESSION_LIFETIME', 30*60); |
||
713 | daniel-mar | 195 | Session lifetime in seconds. |
261 | daniel-mar | 196 | |
197 | OIDplus::baseConfig()->setValue('OBJECT_CACHING', true); |
||
198 | |||
199 | OIDplus::baseConfig()->setValue('FORCE_DBMS_SLANG', ''); |
||
1036 | daniel-mar | 200 | Currently valid values: access, mssql, mysql, oracle, pgsql, sqlite |
261 | daniel-mar | 201 | |
502 | daniel-mar | 202 | OIDplus::baseConfig()->setValue('PREPARED_STATEMENTS_EMULATION', 'auto'); |
713 | daniel-mar | 203 | Currently only for ODBC database plugin. |
502 | daniel-mar | 204 | 'auto' = Auto detect if prepared statements should be emulated |
205 | 'on' = Always emulate prepared statements |
||
206 | 'off' = Never emulate prepared statements |
||
207 | |||
261 | daniel-mar | 208 | OIDplus::baseConfig()->setValue('MINIFY_CSS', true); |
417 | daniel-mar | 209 | This enables the compression of CSS definitions. |
210 | Compressed approx: 220 KB |
||
211 | Uncompressed approx: 224 KB |
||
261 | daniel-mar | 212 | |
213 | OIDplus::baseConfig()->setValue('MINIFY_JS', true); |
||
417 | daniel-mar | 214 | This enables the compression of JavaScript code. |
215 | Please disable this only if you want to debug |
||
216 | the code! You should not disable it on a production |
||
217 | system, because otherwise the JavaScript code |
||
218 | would be several Megabytes large. |
||
219 | Compressed approx: 1133 KB |
||
220 | Uncompressed approx: 2761 KB |
||
261 | daniel-mar | 221 | |
297 | daniel-mar | 222 | OIDplus::baseConfig()->setValue('DISABLE_PLUGIN_...', true); |
713 | daniel-mar | 223 | This gives you the possibility to disable a plugin without |
297 | daniel-mar | 224 | requiring it to be removed from the file system. |
225 | (Removing a plugin from the file system can result in various |
||
226 | problems, e.g. they can be re-added during a SVN/software update.) |
||
1050 | daniel-mar | 227 | Replace "..." with the main PHP class of the plugin you want to disable. |
228 | The namespace must be included. |
||
297 | daniel-mar | 229 | Example: |
1050 | daniel-mar | 230 | "DISABLE_PLUGIN_ViaThinkSoft\OIDplus\OIDplusLoggerPluginUserdataLogfile" |
297 | daniel-mar | 231 | disables the plugin "logger/300_userdata_logfile". |
316 | daniel-mar | 232 | |
233 | OIDplus::baseConfig()->setValue('DISABLE_AJAX_TRANSACTIONS', false); |
||
234 | This will disable the usage of database transactions in ajax.php |
||
235 | Only use this if you have severe problems with the system running. |
||
236 | It might result in inconsistent data e.g. if you update an OID |
||
237 | and an error occurs in the middle of that process. |
||
326 | daniel-mar | 238 | |
806 | daniel-mar | 239 | OIDplus::baseConfig()->setValue('CANONICAL_SYSTEM_URL', ''); |
240 | Setting this value to a system URL will override the absolute system URL detection. |
||
241 | It has the following effects: |
||
242 | 1. The "canonical" metatag will use this explicit system URL |
||
243 | instead of the one the PHP script is detecting. |
||
244 | (This is important to avoid duplicate content at search indexes) |
||
245 | 2. CLI WHOIS and other CLI (Command-line-interface) tools |
||
246 | will use this address when they need to output a URL. |
||
247 | Otherwise, the CLI tools would need to use the last known |
||
248 | URL that was detected when a webpage visitor has last visited the |
||
249 | page. |
||
250 | 3. While most resources (images, CSS files, scripts, etc.) are loaded |
||
251 | via relative URLs, sometimes an absolute URL is required |
||
252 | (e.g., if an email is sent with an activation link). |
||
253 | The explicit absolute system URL will then be used rather |
||
254 | than the automatically detected one. |
||
255 | Note that setting an absolute system URL can be very useful if |
||
256 | OIDplus runs on a system (which detects itself as "X"), |
||
807 | daniel-mar | 257 | while the canonical URL "Y" is a reverse-proxy. |
778 | daniel-mar | 258 | |
456 | daniel-mar | 259 | OIDplus::baseConfig()->setValue('DEBUG', false); |
260 | Enables some special checks for plugins (e.g. a self-test for auth plugins). |
||
261 | It is highly recommended that you enable DEBUG if you are developing |
||
262 | plugins! |
||
470 | daniel-mar | 263 | It is recommended to disable this switch in production systems, |
264 | because the self-tests decrease the performance. |
||
265 | However, after installing a new plugin, you might want to enable |
||
266 | it for a few minutes, to make sure the plugin is working correctly. |
||
430 | daniel-mar | 267 | |
557 | daniel-mar | 268 | OIDplus::baseConfig()->setValue('COOKIE_SAMESITE_POLICY', 'Strict'); |
269 | Defines which "SameSite" policy should be used for the cookies OIDplus uses. |
||
270 | Can be "None", "Lax" or "Strict". |
||
271 | "Strict" is the most secure setting. |
||
272 | "Lax" lets people stay logged in if they follow a link pointing |
||
273 | to your OIDplus installation. |
||
274 | "None" is not recommended and is deprecated by modern web browsers. |
||
275 | However, OIDplus itself provides an Anti-CSRF mechanism, so you should |
||
276 | still be safe. |
||
456 | daniel-mar | 277 | |
812 | daniel-mar | 278 | OIDplus::baseConfig()->setValue('COOKIE_DOMAIN', ''); |
279 | Can be used to increase security by setting an explicit domain-name in the cookies. |
||
280 | Set to '' (empty string) to allow all (sub)domains. |
||
281 | Set to '(auto)' to automatically detect the domain based on the absolute canonical path. |
||
282 | |||
283 | OIDplus::baseConfig()->setValue('COOKIE_PATH', '/'); |
||
284 | Can be used to increase security by setting an explicit pathname in the cookies. |
||
285 | Set to '/' to allow all paths. |
||
286 | Set to '(auto)' to automatically detect the path based on the absolute canonical path. |
||
287 | Note: If supported, you can use Apache's "ProxyPassReverseCookiePath" to translate |
||
288 | the cookie path in a reverse-proxy setting. |
||
289 | |||
713 | daniel-mar | 290 | OIDplus::baseConfig()->setValue('RA_PASSWORD_PEPPER', ''); |
617 | daniel-mar | 291 | The pepper is stored inside the base configuration file. |
292 | It prevents an attacker with SQL write rights from |
||
293 | creating accounts. |
||
294 | ATTENTION!!! If a pepper is used, then the |
||
295 | hashes are bound to that pepper. If you change the pepper, |
||
296 | then ALL passwords of RAs become INVALID! |
||
557 | daniel-mar | 297 | |
713 | daniel-mar | 298 | OIDplus::baseConfig()->setValue('RA_PASSWORD_PEPPER_ALGO', 'sha512'); |
711 | daniel-mar | 299 | The pepper is stored inside the base configuration file. |
300 | It prevents an attacker with SQL write rights from |
||
301 | creating accounts. |
||
302 | ATTENTION!!! If a pepper is used, then the |
||
303 | hashes are bound to that pepper. If you change the pepper, |
||
304 | then ALL passwords of RAs become INVALID! |
||
617 | daniel-mar | 305 | |
1041 | daniel-mar | 306 | OIDplus::baseConfig()->setValue('DEFAULT_LANGUAGE', 'enus'); |
307 | Default language of the system. This is the language |
||
308 | a new visitor will see if no "lang=" parameter is used |
||
309 | and no cookie is set. |
||
310 | Must be a valid language in the plugins directory. |
||
311 | Currently available: |
||
312 | enus = English USA (default) |
||
313 | dede = German Germany |
||
711 | daniel-mar | 314 | |
430 | daniel-mar | 315 | ---------------------------------------------------- |
316 | (4) LDAP FIELDS (see document ldap_installation.txt) |
||
317 | ---------------------------------------------------- |
||
318 | |||
620 | daniel-mar | 319 | OIDplus::baseConfig()->setValue('LDAP_ENABLED', true); |
320 | Set to true if you want to allow users to log in using LDAP / ActiveDirectory. |
||
432 | daniel-mar | 321 | |
625 | daniel-mar | 322 | OIDplus::baseConfig()->setValue('LDAP_NUM_DOMAINS', 1); |
323 | Contains the number of domains/servers which are used. |
||
324 | For 2nd, 3rd, 4th, ... domain use the fields LDAP_xxx__2, LDAP_xxx__3, ... |
||
325 | e.g. LDAP_SERVER__2 |
||
326 | LDAP_PORT__2 |
||
327 | LDAP_BASE_DN__2 |
||
328 | ... |
||
329 | |||
620 | daniel-mar | 330 | OIDplus::baseConfig()->setValue('LDAP_SERVER', 'ldap://server1.contoso.local'); |
331 | The LDAP server of your company. |
||
432 | daniel-mar | 332 | |
620 | daniel-mar | 333 | OIDplus::baseConfig()->setValue('LDAP_PORT', 389); |
334 | The port of the LDAP server |
||
335 | |||
336 | OIDplus::baseConfig()->setValue('LDAP_BASE_DN', 'DC=CONTOSO,DC=local'); |
||
337 | The base Distinguished Name (DN) of your directory. |
||
338 | |||
625 | daniel-mar | 339 | OIDplus::baseConfig()->setValue('LDAP_UPN_SUFFIX', '@contoso.local'); |
340 | The UPN suffix of this domain. |
||
341 | |||
342 | OIDplus::baseConfig()->setValue('LDAP_AUTHENTICATE_UPN', true); |
||
620 | daniel-mar | 343 | In the login mask, the users will log in using the UPN ("principal name") e.g. username@contoso.local, |
344 | and in OIDplus, an RA account with an email equal to the UPN will be created. |
||
345 | |||
346 | OIDplus::baseConfig()->setValue('LDAP_AUTHENTICATE_EMAIL', false); |
||
347 | In the login mask, the users will log in using the UPN ("principal name") e.g. username@contoso.local, |
||
348 | and in OIDplus, an RA account with an email equal to the "E-Mail-Address" field of the user in the directory will be created. |
||
349 | Note: If you did not set an email address to the user in the LDAP/ActiveDirectory, then the login will not be possible, |
||
350 | except if LDAP_AUTHENTICATE_UPN is additionally enabled. |
||
351 | Attention: Depending on your domain configuration, users might be able to change their own data, |
||
352 | e.g. email address. If this is the case, you must not enable this setting, otherwise, |
||
353 | users could authenticate with any address! |
||
354 | |||
623 | daniel-mar | 355 | OIDplus::baseConfig()->setValue('LDAP_ADMIN_GROUP', ''); |
356 | If set to an empty string, the OIDplus administrator account cannot be accessed using LDAP authentication. |
||
357 | Otherwise, the user will be authenticated as administrator, if the LDAP user is a |
||
624 | daniel-mar | 358 | member of the group specified in this setting. |
623 | daniel-mar | 359 | Example values: CN=Administrators,CN=Builtin,DC=CONTOSO,DC=local |
360 | makes every domain administrator also an OIDplus administrator |
||
361 | CN=OIDplus Administrators,CN=Users,DC=CONTOSO,DC=local |
||
362 | makes every member of the group (OIDplus Administrators) an OIDplus administrator |
||
363 | |||
364 | OIDplus::baseConfig()->setValue('LDAP_RA_GROUP', ''); |
||
365 | If set to an empty string, every LDAP user can authenticate as RA, depending |
||
366 | on whether LDAP_AUTHENTICATE_UPN and/or LDAP_AUTHENTICATE_EMAIL is set. |
||
624 | daniel-mar | 367 | Otherwise, the LDAP users must be a member of the group specified in this setting. |
620 | daniel-mar | 368 | |
369 | |||
432 | daniel-mar | 370 | ---------------------------------------------------------------------- |
371 | (5) GOOGLE OAUTH2 FIELDS (see document google_oauth2_installation.txt) |
||
372 | ---------------------------------------------------------------------- |
||
373 | |||
374 | OIDplus::baseConfig()->setValue('GOOGLE_OAUTH2_ENABLED', true); |
||
375 | OIDplus::baseConfig()->setValue('GOOGLE_OAUTH2_CLIENT_ID', '..............apps.googleusercontent.com'); |
||
376 | OIDplus::baseConfig()->setValue('GOOGLE_OAUTH2_CLIENT_SECRET', '.............'); |
||
436 | daniel-mar | 377 | |
378 | |||
1036 | daniel-mar | 379 | -------------------------------------------------------------------------- |
436 | daniel-mar | 380 | (6) FACEBOOK OAUTH2 FIELDS (see document facebook_oauth2_installation.txt) |
1036 | daniel-mar | 381 | -------------------------------------------------------------------------- |
436 | daniel-mar | 382 | |
383 | OIDplus::baseConfig()->setValue('FACEBOOK_OAUTH2_ENABLED', true); |
||
384 | OIDplus::baseConfig()->setValue('FACEBOOK_OAUTH2_CLIENT_ID', '.............'); // Your App ID |
||
385 | OIDplus::baseConfig()->setValue('FACEBOOK_OAUTH2_CLIENT_SECRET', '.............'); // Your App Secret |
||
572 | daniel-mar | 386 | |
387 | |||
388 | ---------------------------------------------------- |
||
389 | (7) JWT AUTHENTICATION FIELDS |
||
390 | ---------------------------------------------------- |
||
391 | |||
392 | If a web request contains the field "OIDPLUS_AUTH_JWT" containing a signed JWT token, |
||
393 | an automatic one-time login is performed in order to execute commands. |
||
394 | This feature is used in the plugins "Automated AJAX calls" for admins and RAs. |
||
395 | With these switches you can disable this feature. |
||
396 | |||
397 | OIDplus::baseConfig()->setValue('JWT_ALLOW_AJAX_ADMIN', true); |
||
398 | Allow JWT tokens that were created using the admin-plugin |
||
399 | "Automated AJAX calls". |
||
400 | |||
401 | OIDplus::baseConfig()->setValue('JWT_ALLOW_AJAX_USER', true); |
||
402 | Allow JWT tokens that were created using the RA-plugin |
||
403 | "Automated AJAX calls". |
||
404 | |||
405 | OIDplus::baseConfig()->setValue('JWT_ALLOW_LOGIN_ADMIN', true); |
||
579 | daniel-mar | 406 | Allow "Remember me" logins for the administrator account. |
572 | daniel-mar | 407 | |
408 | OIDplus::baseConfig()->setValue('JWT_ALLOW_LOGIN_USER', true); |
||
579 | daniel-mar | 409 | Allow "Remember me" logins for an RA. |
572 | daniel-mar | 410 | |
585 | daniel-mar | 411 | OIDplus::baseConfig()->setValue('JWT_ALLOW_MANUAL', false); |
572 | daniel-mar | 412 | Allow JWT tokens which were manually created "by hand". |
413 | These can have any content you like, but they must |
||
414 | contain the claim "oidplus_generator" with value "2". |
||
583 | daniel-mar | 415 | |
416 | OIDplus::baseConfig()->setValue('JWT_TTL_LOGIN_USER', 10*365*24*60*60); |
||
417 | How many seconds will a "remember me" login JWT token be valid? |
||
418 | (RA login) |
||
419 | |||
420 | OIDplus::baseConfig()->setValue('JWT_TTL_LOGIN_ADMIN', 10*365*24*60*60); |
||
421 | How many seconds will a "remember me" login JWT token be valid? |
||
422 | (Administrator login) |
||
1036 | daniel-mar | 423 | |
424 | |||
425 | ---------------------------------------------------- |
||
426 | (8) THIRD-PARTY PLUGINS |
||
427 | ---------------------------------------------------- |
||
428 | |||
429 | OIDplus::baseConfig()->setValue('RDAP_CACHE_ENABLED', false ); |
||
430 | OIDplus::baseConfig()->setValue('RDAP_CACHE_DIRECTORY', OIDplus::localpath().'userdata/cache/' ); |
||
431 | OIDplus::baseConfig()->setValue('RDAP_BASE_URI', OIDplus::webpath() ); |
||
432 | OIDplus::baseConfig()->setValue('RDAP_CACHE_EXPIRES', 60 * 3 ); |
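
Added example (not part of OIDplus or of the original document): a small Python check that reads the setValue() lines of a config.inc.php and reports the values this overview itself warns about. The function names, the sample config and the two thresholds (32 characters for SERVER_SECRET, 30 days for "remember me" tokens) are assumptions; apart from SERVER_SECRET, only keys present in the file are evaluated.

```python
import re

# One setValue() call per line, as documented above; the value stays raw PHP text.
SETVALUE = re.compile(
    r"OIDplus::baseConfig\(\)->setValue\(\s*'([^']+)'\s*,\s*(.+?)\s*\)\s*;")

MIN_SECRET_LEN = 32          # assumption: length of the placeholder shown above
MAX_TTL = 30 * 24 * 60 * 60  # assumption: review threshold of 30 days

# Constructed sample config, not taken from a real installation.
SAMPLE = """<?php
OIDplus::baseConfig()->setValue('SERVER_SECRET', 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx');
OIDplus::baseConfig()->setValue('PDO_PASSWORD', base64_decode('Y29uc3RydWN0ZWQ='));
OIDplus::baseConfig()->setValue('ENFORCE_SSL', OIDplus::ENFORCE_SSL_NO);
OIDplus::baseConfig()->setValue('COOKIE_SAMESITE_POLICY', 'Strict');
OIDplus::baseConfig()->setValue('DEBUG', false);
OIDplus::baseConfig()->setValue('JWT_ALLOW_MANUAL', true);
OIDplus::baseConfig()->setValue('JWT_TTL_LOGIN_ADMIN', 10*365*24*60*60);
OIDplus::baseConfig()->setValue('JWT_TTL_LOGIN_USER', 7*24*60*60);
OIDplus::baseConfig()->setValue('LDAP_AUTHENTICATE_EMAIL', true);
"""


def parse_config(text):
    """Return {key: raw PHP value expression} for every setValue() call."""
    return dict(SETVALUE.findall(text))


def php_string(raw):
    """Content of a single-quoted PHP literal, or None if raw is something else."""
    m = re.fullmatch(r"'([^'\\]*)'", raw)
    return m.group(1) if m else None


def php_int(raw):
    """Evaluate integer products such as 10*60/*10 minutes*/; None otherwise."""
    expr = re.sub(r"/\*.*?\*/|\s", "", raw)
    if not re.fullmatch(r"\d+(\*\d+)*", expr):
        return None
    result = 1
    for factor in expr.split("*"):
        result *= int(factor)
    return result


def audit(cfg):
    """Return [(key, message)] for values the documentation above warns about."""
    findings = []
    secret = php_string(cfg.get("SERVER_SECRET", "''"))
    # Heuristic: too short, or so few distinct characters that it is a placeholder.
    if secret is None or len(secret) < MIN_SECRET_LEN or len(set(secret)) < 8:
        findings.append(("SERVER_SECRET", "not a long random sequence"))
    if cfg.get("ENFORCE_SSL") in ("OIDplus::ENFORCE_SSL_NO", "0"):
        findings.append(("ENFORCE_SSL", "SSL enforcement is off"))
    if php_string(cfg.get("COOKIE_SAMESITE_POLICY", "")) == "None":
        findings.append(("COOKIE_SAMESITE_POLICY", "'None' is not recommended"))
    warn_if_true = {
        "DEBUG": "self-tests should be off in production",
        "JWT_ALLOW_MANUAL": "hand-made JWT tokens are accepted",
        "LDAP_AUTHENTICATE_EMAIL": "unsafe if users can edit their own email",
    }
    for key, msg in warn_if_true.items():
        if cfg.get(key, "").lower() == "true":
            findings.append((key, msg))
    for key in ("JWT_TTL_LOGIN_ADMIN", "JWT_TTL_LOGIN_USER"):
        ttl = php_int(cfg.get(key, ""))
        if ttl is not None and ttl > MAX_TTL:
            findings.append((key, f"'remember me' token valid for {ttl // 86400} days"))
    for key, raw in cfg.items():
        # base64_decode() only hides the password from a glance at the screen.
        if key.endswith("_PASSWORD") and raw.startswith("base64_decode("):
            findings.append((key, "base64 is encoding only; restrict file access"))
    return findings


if __name__ == "__main__":
    for key, msg in audit(parse_config(SAMPLE)):
        print(f"{key}: {msg}")
```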