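###############################################################
# Kopano Konnect SETTINGS
#
# Every setting below is shown with its default value and commented out.
# To change a setting, remove the leading `#` from its line and edit the
# value. Lines use the form `key = value` throughout this file.
###############################################################

# OpenID Connect Issuer Identifier.
# This setting defines the OpenID Connect Issuer Identifier to be provided by
# this Konnect server. Setting this is mandatory and the setting must be a
# https URL which can be accessed by all applications and users which are to
# use this Konnect for sign-in or validation. Defaults to "https://localhost" to
# allow unconfigured startup; that default is only suitable for local testing.
#oidc_issuer_identifier = https://localhost

# Address:port specifier for where konnectd should listen for
# incoming connections. Defaults to `127.0.0.1:8777`, which only accepts
# connections from the local host. Binding any other address exposes the
# service to the network that address belongs to.
#listen = 127.0.0.1:8777

# Disable TLS validation for all client requests.
# When set to yes, TLS certificate validation is turned off, so an intercepted
# connection can no longer be detected. This is insecure and should not be
# used in production setups. Defaults to `no`.
#insecure = no

# Identity manager which provides the user backend Konnect should use. This is
# one of `kc` or `ldap`. Defaults to `kc`, which means Konnect will use a
# Kopano Groupware Storage server as backend.
#identity_manager = kc

# Full file path to a PEM encoded PKCS#1 or PKCS#5 private key which is used to
# sign tokens. This file must exist and be valid to be able to start the
# service. A suitable key can be generated with:
#   openssl genpkey -algorithm RSA \
#     -out konnectd-signing-private-key.pem \
#     -pkeyopt rsa_keygen_bits:4096
# If this is not set, Konnect will try to load
# /etc/kopano/konnectd-signing-private-key.pem
# and if not found, fall back to a random key on every startup. Not set by
# default. If set, the file must be there.
# With a random per-startup key, tokens signed before a restart can no longer
# be validated, so production and multi-instance setups need a persistent key.
# Keep the key file readable only by the user konnectd runs as.
#signing_private_key = /etc/kopano/konnectd-signing-private-key.pem

# Key ID to use in created JWT. This setting is useful once private keys need
# to be changed because they expire. It should be a unique value identifying
# the signing_private_key. Example: `k20180912-1`. Not set by default, which
# means that Konnect uses the file name of the key file (dereferencing symlinks)
# without extension.
#signing_kid =

# JWT signing method. This must match the private key type as defined in
# signing_private_key and defaults to `PS256`.
#signing_method = PS256

# Full path to a directory containing pem encoded keys for validation. Konnect
# loads all `*.pem` files in that directory and adds the public key parts (if
# found) to the validator for received tokens using the file name without
# extension as key ID. Every key placed in this directory is trusted to sign
# tokens that Konnect accepts, so only put keys there that should have that
# trust.
#validation_keys_path =

# Full file path to an encryption secret key file containing random bytes. This
# file must exist to be able to start the service. A suitable file can be
# generated with:
#   openssl rand -out konnectd-encryption-secret.key 32
# If this is not set, Konnect will try to load
# /etc/kopano/konnectd-encryption-secret.key
# and if not found, fall back to a random key on every startup. Not set by
# default. If set, the file must be there.
# Data encrypted with a random per-startup key is presumably unreadable after a
# restart, so use a persistent file outside of local testing and keep it
# readable only by the user konnectd runs as.
#encryption_secret_key = /etc/kopano/konnectd-encryption-secret.key

# Full file path to the identifier registration configuration file. This file
# must exist to be able to start the service. An example file is shipped with
# the documentation / sources. If not set, Konnect will try to load
# /etc/kopano/konnectd-identifier-registration.yaml
# without failing when the file is not there. If set, the file must be there.
#identifier_registration_conf = /etc/kopano/konnectd-identifier-registration.yaml

# Full file path to the identifier scopes configuration file. An example file is
# shipped with the documentation / sources. If not set, Konnect will try to
# load /etc/kopano/konnectd-identifier-scopes.yaml without failing if the file
# is not there. If set, the file must be there.
#identifier_scopes_conf = /etc/kopano/konnectd-identifier-scopes.yaml

# Path to the location of konnectd web resources. This is a mandatory setting
# since Konnect needs to find its web resources to start.
#web_resources_path = /usr/share/kopano-konnect

# Custom base path for URI endpoints for Konnect API and the identifier web
# application. This needs to be changed when Konnect is served from a path
# instead of the root of the domain.
#uri_base_path = /

# Space separated list of scopes to be accepted by this Konnect server. By
# default this is not set, which means that all scopes which are known by the
# Konnect server and its configured identifier backend are allowed. Listing
# only the scopes that are actually needed limits what clients can request.
#allowed_scopes =

# Space separated list of IP address or CIDR network ranges of remote addresses
# which are to be trusted. This is used to allow special behavior if Konnect
# runs behind a trusted proxy which injects authentication credentials into
# HTTP requests. Not set by default.
# Requests from the listed addresses are allowed to supply authentication
# credentials, so list only proxies under your own control and keep the
# ranges as narrow as possible.
#trusted_proxies =

# Flag to enable client controlled guest support. When set to `yes`, a registered
# client can authorize guests by sending signed requests. Defaults to `no`.
#allow_client_guests = no

# Flag to enable dynamic client registration API. When set to `yes`, clients
# can register themselves and make authorized calls to the token endpoint.
# Leave this disabled unless self-registration of clients is required.
# Defaults to `no`.
#allow_dynamic_client_registration = no

# Additional arguments to be passed to the identity manager.
#identity_manager_args =

###############################################################
# Log settings
###############################################################

# Log level controls the verbosity of the output log. It can be one of
# `panic`, `fatal`, `error`, `warn`, `info` or `debug`. Defaults to `info`.
#log_level = info

###############################################################
# Kopano Groupware Storage Server Identity Manager (kc)
###############################################################

# URI for connecting to the Kopano Groupware Storage server. This can either be
# a http(s):// URL for remote systems or a file:// URI to a socket for local
# connection. Defaults to `file:///run/kopano/server.sock` and is only used
# when the identity_manager is `kc`.
#kc_server_uri = file:///run/kopano/server.sock

# Session timeout for sessions of the Kopano Groupware Storage server in
# seconds. Access token valid duration is limited to this value and Konnect
# will expire sessions if they are inactive for the timeout duration. This value
# needs to be lower or same as the corresponding value used in the Kopano
# Groupware Storage server's configuration to avoid constant session expiration
# and recreation.
#kc_session_timeout = 300

###############################################################
# LDAP Identity Manager (ldap)
###############################################################

# Below are the settings for the LDAP identity manager. They are only used when
# the identity_manager is `ldap`.

# URI of the LDAP server. Prefer a TLS protected connection (for example an
# ldaps:// URI, if the server offers it) so the bind password does not cross
# the network in clear text.
#ldap_uri =

# DN and password used to bind to the LDAP server. The password is stored in
# clear text in this file, so restrict read access to this file to the user
# konnectd runs as.
#ldap_binddn =
#ldap_bindpw =

# Base DN and search scope for user lookups.
#ldap_basedn =
#ldap_scope = sub

# Attribute users log in with and attribute used as the stable user ID.
#ldap_login_attribute = uid
#ldap_uuid_attribute = uidNumber

# Filter applied to user searches.
#ldap_filter = (objectClass=inetOrgPerson)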