~fkooman/vpn-user-portal

ref: 2.3.10 vpn-user-portal/config/config.php.example -rw-r--r-- 6.9 KiB
e0bd9cc0François Kooman prepare for release 1 year, 13 days ago
                                                                                
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
<?php

return [
    // override default branding style (templates/CSS) with custom style.
    // NOTE: the styling/branding MUST be installed for this to work!
    //'styleName' => 'eduVPN',
    //'styleName' => 'LC',

    'authMethod' => 'FormPdoAuthentication',        // PDO (database)
    //'authMethod' => 'FormLdapAuthentication',     // LDAP
    //'authMethod' => 'FormRadiusAuthentication',   // RADIUS
    //'authMethod' => 'SamlAuthentication',         // SAML (php-saml-sp)
    //'authMethod' => 'MellonAuthentication',       // SAML (mod_auth_mellon)
    //'authMethod' => 'ShibAuthentication',         // SAML (Shibboleth)

    // Default Session Expiry
    // The session expiry will be used to determine the "Not After" of the
    // issued X.509 certificates and the moment at which to start rejecting
    // the OAuth tokens.
    'sessionExpiry' => 'P90D',      // 90 days
    //'sessionExpiry' => 'PT12H',   // 12 hours
    //'sessionExpiry' => 'P1D',     // 1 day

    // LDAP
    'FormLdapAuthentication' => [
        // *** OpenLDAP / FreeIPA ***
        'ldapUri' => 'ldaps://ipa.example.org',
        'bindDnTemplate' => 'uid={{UID}},cn=users,cn=accounts,dc=example,dc=org',
        //'permissionAttribute' => 'eduPersonEntitlement',
        //'permissionAttribute' => 'memberOf',

        // *** Active Directory ***
        //'ldapUri' => 'ldap://ad.example.org',
        //'bindDnTemplate' => 'DOMAIN\{{UID}}',
        //'baseDn' => 'dc=example,dc=org',
        //'userFilterTemplate' => '(sAMAccountName={{UID}})',
        //'permissionAttribute' => 'memberOf',
    ],

    // RADIUS
    'FormRadiusAuthentication' => [
        'serverList' => [
            [
                'host' => 'radius.example.org',
                'secret' => 'testing123',
                //'port' => 1812,
            ],
        ],
        //'addRealm' => 'example.org',
        //'nasIdentifier' => 'vpn.example.org',
    ],

    // SAML (php-saml-sp)
    'SamlAuthentication' => [
        // 'OID for eduPersonTargetedID
        'userIdAttribute' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.10',
        // OID for eduPersonPrincipalName
        //'userIdAttribute' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.6',

        // ** AUTHORIZATION | PERMISSIONS **
        // OID for eduPersonEntitlement
        //'permissionAttribute' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.7',
        // OID for eduPersonAffiliation
        //'permissionAttribute' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.1',

        // override the SP entityId, the default is:
        // https://vpn.example.org/vpn-user-portal/_saml/metadata
        //'spEntityId' => 'https://vpn.example.org/saml',

        // (Aggregate) SAML metadata file containing the IdP metadata of IdPs
        // that are allowed to access this service
        'idpMetadata' => '/path/to/idp/metadata.xml',

        // set a fixed IdP for use with this service, it MUST be available in
        // the IdP metadata file
        'idpEntityId' => 'https://idp.example.org/saml',

        // set a URL that performs IdP discovery, all IdPs listed in the
        // discovery service MUST also be available in the IdP metadata file,
        // NOTE: do NOT enable idpEntityId as it will take precedence over
        // using discovery...
        //'discoUrl' => 'http://vpn.example.org/php-saml-ds/index.php',

        // AuthnContext required for *all* users
        //'authnContext' => ['urn:oasis:names:tc:SAML:2.0:ac:classes:TimesyncToken'],

        // Users with certain permissions obtained through
        // "permissionAttribute" MUST also have ANY of the listed
        // AuthnContexts. If they currently don't, a new authentication is
        // triggered to obtain it
        //'permissionAuthnContext' => [
        //    'urn:example:LC-admin' => ['urn:oasis:names:tc:SAML:2.0:ac:classes:TimesyncToken'],
        //],

        // Allow for overriding global sessionExpiry based on SAML
        // "permissionAttribute" value(s)
        //'permissionSessionExpiry' => [
        //    'urn:example:LC-admin' => 'PT12H',
        //],
    ],

    // SAML (mod_auth_mellon)
    'MellonAuthentication' => [
        // OID for eduPersonTargetedId
        'userIdAttribute' => 'MELLON_urn:oid:1_3_6_1_4_1_5923_1_1_1_10',
        // OID for eduPersonPrincipalName
        //'userIdAttribute' => 'MELLON_urn:oid:1_3_6_1_4_1_5923_1_1_1_6',

        // ** AUTHORIZATION | PERMISSIONS **
        // OID for eduPersonEntitlement
        //'permissionAttribute' => 'MELLON_urn:oid:1_3_6_1_4_1_5923_1_1_1_7',
        // OID for eduPersonAffiliation
        //'permissionAttribute' => 'MELLON_urn:oid:1_3_6_1_4_1_5923_1_1_1_1',
    ],

    // SAML (Shibboleth)
    'ShibAuthentication' => [
        'userIdAttribute' => 'persistent-id',
        //'userIdAttribute' => 'eppn',

        // ** AUTHORIZATION | PERMISSIONS **
        //'permissionAttribute' => 'entitlement',
        //'permissionAttribute' => 'affiliation',
    ],

    // the permission required to be able to access the "admin" portion of
    // the portal, see "permissionAttribute" in the authentication
    // configuration sections
    //'adminPermissionList' => ['urn:example:LC-admin'],

    // list of userIds that have access to the admin
    'adminUserIdList' => ['admin'],

    // Require Users to use 2FA
    'requireTwoFactor' => false,
    //'requireTwoFactor' => true,

    // Available 2FA methods
    //'twoFactorMethods' => ['totp'],         // TOTP
    'twoFactorMethods' => [],                 // 2FA disabled

    // supported languages in the UI, the first one mentioned is the default
    'supportedLanguages' => [
        'en_US' => 'English',
        //'nl_NL' => 'Nederlands',
        //'nb_NO' => 'norsk bokmål',
        //'da_DK' => 'Dansk',
        //'fr_FR' => 'Français',
    ],

    'Api' => [
        'consumerList' => [
            //'_CLIENT_ID_' => [
            //    'redirect_uri_list' => [
            //        '_REDIRECT_URI_1_',
            //        '_REDIRECT_URI_2_',
            //    ],
            //    'display_name' => '_DISPLAY_NAME_',
            //    'require_approval' => true,
            //    'client_secret' => '_SECRET_',
            //],
        ],

        // Enable Remote Access, i.e. users from other VPN servers listed in
        // the below remoteAccessList files to access this VPN server through
        // the OAuth API
        'remoteAccess' => false,
        'remoteAccessList' => [
            'production' => [
                'discovery_url' => 'https://static.eduvpn.nl/disco/secure_internet.json',
                'public_key' => 'E5On0JTtyUVZmcWd+I/FXRm32nSq8R2ioyW7dcu/U88=',
            ],
            //'development' => [
            //    'discovery_url' => 'https://static.eduvpn.nl/disco/secure_internet_dev.json',
            //    'public_key' => 'zzls4TZTXHEyV3yxaxag1DZw3tSpIdBoaaOjUGH/Rwg=',
            //],
        ],
    ],

    // Connection to vpn-server-api
    'apiUser' => 'vpn-user-portal',
    'apiPass' => 'XXX-vpn-user-portal/vpn-server-api-XXX',
    'apiUri' => 'http://localhost/vpn-server-api/api.php',
];