| 110 | You can replace the default logo with your own: |
| 111 | |
| 112 | {{{$logo = "images/ltb-logo.png";}}} |
| 113 | |
| 114 | You can replace the background image with your own: |
| 115 | |
| 116 | {{{$background_image = "images/unsplash-space.jpeg";}}} |
| 117 | |
| 118 | To easily customize the CSS: |
| 119 | |
| 120 | {{{$custom_css = "css/custom.css";}}} |
| 121 | |
| 122 | You can hide the footer bar |
| 123 | |
| 124 | {{{$display_footer = false;}}} |
| 125 | |
| 126 | '''Debug''' |
| 127 | |
| 128 | {{{$debug = true;}}} |
| 129 | |
| 130 | {{{$smarty_debug = true;}}} |
| 131 | |
| 132 | '''Security''' |
| 133 | |
| 134 | You need a key phrase if you use ciphered tokens. Replace the example value with your own long, random phrase: |
| 135 | |
| 136 | {{{$keyphrase = "secret";}}} |
| 137 | |
| 138 | The login field is also protected against LDAP injection: some characters are forbidden in the login. You can change the list of forbidden characters: |
| 139 | |
| 140 | {{{$login_forbidden_chars = "*()&|";}}} |
| 141 | |
| 142 | For the reset process via mail token and SMS token, errors are hidden by default to avoid account disclosure (revealing whether an account exists): |
| 143 | |
| 144 | {{{ |
| 145 | $obscure_usernotfound_sendtoken = true; |
| 146 | $obscure_notfound_sendsms = true; |
| 147 | }}} |
| 148 | |
| 149 | '''LDAP Connection''' |
| 150 | |
| 151 | Server address |
| 152 | |
| 153 | Use an LDAP URI to configure the location of your LDAP server |
| 154 | |
| 155 | {{{$ldap_url = "ldap://localhost:389";}}} |
| 156 | |
| 157 | To use SSL |
| 158 | |
| 159 | {{{$ldap_url = "ldaps://localhost";}}} |
| 160 | |
| 161 | To use StartTLS, set $ldap_starttls to true: |
| 162 | |
| 163 | {{{$ldap_starttls = true;}}} |
| 164 | |
| 165 | //Note:// |
| 166 | //LDAP certificate management in PHP relies on the system LDAP libraries. Their configuration file is /etc/ldap.conf under Linux (/etc/ldap/ldap.conf on Debian or Ubuntu) or C:\OpenLDAP\sysconf\ldap.conf under Windows.// |
| 167 | |
| 168 | - Provide the certificate from the certificate authority that issued your LDAP server’s certificate |
| 169 | {{{TLS_CACERT /etc/ssl/ca.crt}}} |
| 170 | |
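| 171 | Or, disable server certificate checking. With this setting the connection continues even if the server certificate is missing or invalid, so the server's identity is not verified: |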
| 172 | |
| 173 | {{{TLS_REQCERT allow}}} |
| 174 | |
| 175 | If you face issues with non-matching TLS versions between SSP and your LDAP server, try modifying TLS_CIPHER_SUITE to match the requirements of your server. For example: |
| 176 | |
| 177 | {{{TLS_CIPHER_SUITE TLSv1+RSA}}} |
| 178 | |
| 179 | You can also define the LDAP connection timeout, in seconds: |
| 180 | |
| 181 | {{{$ldap_network_timeout = 10;}}} |
| 182 | |
| 183 | '''Credentials''' |
| 184 | |
| 185 | Configure the DN and password in $ldap_binddn and $ldap_bindpw, for example those of a service account: |
| 186 | |
| 187 | {{{ |
| 188 | $ldap_binddn = "cn=ssp,ou=dsa,dc=example,dc=com"; |
| 189 | |
| 190 | $ldap_bindpw = "secret"; |
| 191 | }}} |
| 192 | |
| 193 | To use the user’s own credentials instead when writing to the LDAP directory, replace manager with user in $who_change_password: |
| 194 | |
| 195 | {{{ |
| 196 | $who_change_password = "user"; |
| 197 | }}} |
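
The forbidden-character protection on login described under Security, shown as an added example (this is not Self Service Password's own code). The function names, the filter template and the sample logins are constructed for illustration, and the PHP ldap extension is assumed to be loaded for ldap_escape().

```php
<?php
// Added example: only $login_forbidden_chars comes from the page;
// every other name and value below is hypothetical.
$login_forbidden_chars = "*()&|";

/**
 * Return true when $login is non-empty and contains none of the
 * forbidden characters.
 */
function login_is_allowed(string $login, string $forbidden): bool
{
    if ($login === '') {
        return false;
    }
    // An empty list means "no restriction"; strpbrk() does not accept one.
    return $forbidden === '' || strpbrk($login, $forbidden) === false;
}

/**
 * Build the search filter. The login is escaped for filter context as
 * well, because the forbidden list above does not contain the backslash
 * or NUL, and because an administrator may shorten the list.
 */
function build_user_filter(string $login, string $template): string
{
    $escaped = ldap_escape($login, '', LDAP_ESCAPE_FILTER);
    return str_replace('{login}', $escaped, $template);
}

// Constructed filter template and sample logins.
$template = '(&(objectClass=person)(uid={login}))';
$samples  = ['jdoe', 'j.doe@example.com', '*', 'jdoe)(uid=*', 'j\\doe'];

foreach ($samples as $login) {
    if (!login_is_allowed($login, $login_forbidden_chars)) {
        printf("%-20s rejected before any LDAP search\n", $login);
        continue;
    }
    printf("%-20s %s\n", $login, build_user_filter($login, $template));
}
```

The last sample passes the character check but is still escaped in the resulting filter, which is why the two checks are kept together.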