#
# WebADM Server Configuration
#
# NOTE(review): this copy holds live secrets (proxy_password, encrypt_key) and the
# admin / super-admin trust settings; keep it readable only by the WebADM service
# account.
#

# Administrator Portal's authentication method.
# - PKI: Requires client certificate and login password.
# - UID: Requires domain name, login name and password.
# - DN: Requires login DN and password.
# - OTP: Like UID with an OTP challenge.
# - U2F: Like UID with a FIDO-U2F challenge.
# - MFA: Like UID with both OTP and FIDO-U2F challenge.
# Using certificates is the most secure login method. To use certificate login,
# you must log in WebADM and create a login certificate for your administrators.
# The UID mode requires a WebADM domain to exist and have its User Search Base
# set to the subtree where the administrator users are located. When using UID
# and if there is no domain existing in WebADM, the login mode is automatically
# forced to DN. You will also need to log in with the full user DN and set up
# a WebADM domain to be able to use the UID login mode.
# NOTE(review): UID is a password-only login for the Admin Portal; the list above
# names OTP, U2F, MFA and PKI as the stronger options available for admin_auth.
# NOTE(review): 'admin_auth' is declared twice on the next two lines; remove one so
# the effective value does not depend on how the parser treats duplicate keys.
admin_auth UID
admin_auth UID
# NOTE(review): admin_clients is commented out, so the Admin Portal is not limited
# by source address; presumably this is the allow-list counterpart of
# manager_clients below — confirm, and populate it while admin_auth is password-only.
#admin_clients "192.168.0.10","192.168.0.11"

# Show the registered domain list when admin_auth is set to UID, OTP or U2F.
# And set a default admin login domain when auth_mode is set to these methods.
list_domains Yes
#default_domain "Default"

# Manager API's authentication method. Only UID, PKI and DN are supported here.
# If you set the admin_auth with multi-factor (PKI, OTP or U2F), then you must
# either use manager_auth PKI or UID with a list of allowed client IPs.
#manager_auth UID
#manager_clients "192.168.0.10","192.168.0.11"

# User level changes the level of feature and configuration for all applications.
# WebADM proposes three levels: Beginner, Intermediate and Expert. The default
# level (Expert) is recommended as it provides access to all the RCDevs features.
#user_level Expert

# If your LDAP directory is setup with a base DN (ex. dc=mydomain,dc=com on AD),
# you can optionally set the ldap_treebase suffix and omit the suffix in other
# LDAP configurations like proxy_user, super_admins and containers.
ldap_treebase "dc=ad,dc=supdeco,dc=local"

# The proxy user is used by WebADM for accessing LDAP objects over which the
# admin user does not have read permissions or out of an admin session.
# The proxy user should have read permissions on the whole LDAP tree,
# and write permissions on the users/groups used by the WebApps and WebSrvs.
# The use of a proxy user is required for WebApps and WebSrvs.
# With ActiveDirectory, you can use any Domain Administrator DN as a proxy user,
# which should look like cn=Administrator,cn=Users,dc=mydomain,dc=com.
# NOTE(review): the rights listed above (tree-wide read, write on the managed
# users/groups) are all the proxy user needs; a dedicated account granted just
# those rights is preferable to a Domain Administrator, because this credential
# sits in clear text in this file.
proxy_user "cn=support,cn=users"
# NOTE(review): clear-text LDAP bind password. Restrict this file to the WebADM
# service user and rotate the password if the file has been copied or shared.
proxy_password "Prince@2024"

# Super administrators have extended WebADM privileges such as setup permissions,
# additional operations and unlimited access to any LDAP encrypted data. Access
# restriction configured in the WebADM OptionSets do not apply to super admins.
# You can set a list of individual LDAP users or LDAP groups here.
# With ActiveDirectory, your administrator account should be something like
# cn=Administrator,cn=Users,dc=mydomain,dc=com. And you can replace the sample
# super_admins group on the second line with an existing security group.
# NOTE(review): per the comment above, every member of these groups gets
# unrestricted access to any LDAP encrypted data; 'Domain Admins' is a broad
# group — confirm that its whole membership is meant to hold WebADM super-admin
# rights, or use a narrower dedicated group.
super_admins "cn=groupe_support,cn=users", \
             "cn=Domain Admins,cn=Users"

# LDAP objectclasses
container_oclasses "container", "organizationalUnit", "organization", "domain", "locality", "country", \
                   "openldaprootdse", "treeroot"
# user_oclasses is used to build the LDAP search filter with 'Domain' auth_mode.
# If your super admin user does not have one of the following objectclasses,
# add one of its objectclasses to the list.
user_oclasses "user", "person", "inetOrgPerson", "account", "posixAccount"
group_oclasses "group", "groupOfNames", "groupOfUniqueNames", "dynamicGroup", "posixGroup"
# With ActiveDirectory 2003 only, you need to add the 'user' objectclass to the
# webadm_account_oclasses and the 'group' objectclass to the webadm_group_oclasses.
webadm_account_oclasses "webadmAccount"
webadm_group_oclasses "webadmGroup"
webadm_config_oclasses "webadmConfig"

# LDAP attributes
certificate_attrs "userCertificate"
# attributes WebADM treats as password holders (AD 'unicodePwd' included)
password_attrs "userPassword", "unicodePwd", "sambaNTPassword"
uid_attrs "uid", "samAccountName", "userPrincipalName"
member_attrs "member", "uniqueMember"
memberof_attrs "memberOf", "groupMembership"
memberuid_attrs "memberUid"
language_attrs "preferredLanguage"
mobile_attrs "mobile"
mail_attrs "mail"
webadm_data_attrs "webadmData"
webadm_settings_attrs "webadmSettings"
webadm_type_attrs "webadmType"
webadm_voice_attrs "webadmVoice"

# Set the LDAP container required by WebADM to store its configuration objects.
config_container "ou=webadms"
# You can alternatively configure each configuration container independently.
#domains_container "cn=Domains,cn=WebADM"
#clients_container "cn=Clients,cn=WebADM"
#devices_container "cn=Devices,cn=WebADM"
#webapps_container "cn=WebApps,cn=WebADM"
#websrvs_container "cn=WebSrvs,cn=WebADM"
#adminroles_container "cn=AdminRoles,cn=WebADM"
#optionsets_container "cn=OptionSets,cn=WebADM"
#mountpoints_container "cn=MountPoints,cn=WebADM"

# You can set here the timeout (in seconds) of a WebADM session.
# Web sessions will be closed after this period of inactivity.
# The Manager Interface cookie-based sessions are disabled by default.
# admin_session and manager_session can be set in the form 'shared:900'
# in order to force sessions to be stored in the Session Servers instead of SHM.
# seconds of Admin Portal inactivity before the session is closed
admin_session 900
# presumably 0 keeps Manager cookie sessions disabled, matching the default
# noted above — confirm
manager_session 0
webapps_session 600

# You can set here the WebADM internal cache timeout. A normal value is one hour.
cache_timeout 3600

# Application languages
languages "EN","FR","DE","ES","IT","FI"

# WebADM encrypts LDAP user data, sensitive configurations and user sessions with
# AES-256. The encryption key(s) must be 256bit base64-encoded random binary data.
# Use the command 'openssl rand -base64 32' to generate a new encryption key.
# Warning: If you change the encryption key, any encrypted data will become invalid!
# You can set several encryption keys for key rollout. All the defined keys are used
# for decrypting data. And the first defined key is used to (re-)encrypt data.
# Two encryption modes are supported:
#   Standard: AES-256-CBC (default)
#   Advanced: AES-256-CBC with per-object encryption (stronger)
encrypt_data Yes
encrypt_mode Standard
encrypt_hsm No
# NOTE(review): live AES-256 key protecting the LDAP user data, sensitive
# configurations and sessions described above. Anyone who can read this file can
# decrypt that data, so file permissions are the control here. Keep a secured
# backup of the key (losing it invalidates all encrypted data, per the warning
# above). If the key is ever exposed, use the rollout mechanism described above:
# put a fresh key first and keep this one listed so existing data still decrypts.
encrypt_key "CaGU87M7L8v6WUxAICU2c5kkArQwit+CYWTt6tZoSyA="

# Hardware Cryptographic Module
#hsm_driver "/usr/local/lib/libsofthsm2.so"
#hsm_slot 274906134
#hsm_key "TestKey"
#hsm_pin 12345678

# The data store defines which back-end is used for storing user data and settings.
# By default WebADM stores any user and group metadata in the LDAP objects. By setting
# the data_store to SQL, these metadata are stored in a dedicated SQL table.
# LDAP remains the preferred option because it maximizes the system consistency.
# SQL should be used only if you need read-only LDAP access for the proxy_user.
data_store LDAP

# The record store defines which back-end is used to store SpanKey records.
# Choose SQL to store records in the database and NAS to store on a shared NAS folder.
# With NAS, the store_path must be configured and accessible from all cluster nodes.
record_store SQL

# Directory where WebADM can store record files and tenant data files permanently.
# With WebADM SP Edition, this is required to store tenant data files such as DKIM
# private keys and organization logos. In a clustered environment, prefer a NAS mount.
# NOTE(review): /var/tmp is a world-writable temporary directory that is normally
# subject to periodic cleanup, while the comment above says this path holds DKIM
# private keys and records permanently. A dedicated directory owned by the WebADM
# user with restrictive permissions is the safer choice — confirm before relying on it.
storage_path "/var/tmp"

# The group mode defines how WebADM will handle LDAP groups.
# - Direct mode: WebADM finds user groups using the memberof_attrs defined above.
#   In this case, the group membership is defined in the LDAP user objects.
# - Indirect mode: WebADM finds user groups by searching group objects which contain
#   the user DN as part of the member_attrs.
# - Auto: Both direct and indirect groups are used.
# - Disabled: All LDAP group features are disabled in WebADM.
# By default (when group_mode is not specified) WebADM handles both group modes.
group_mode Auto

# LDAP cache greatly improves performance under high server loads. The cache limits
# the number of LDAP requests by storing resolved user DN and group settings. When
# enabled, results are cached for 300 secs.
# NOTE(review): because resolved DNs and group settings are cached, a directory-side
# change (e.g. removing a user from a group) presumably takes up to the 300 s noted
# above to be reflected in WebADM — confirm if faster revocation is required.
ldap_cache Yes

# LDAP routing enables LDAP request load-balancing when multiple LDAP servers are
# configured in servers.xml. You should enable this feature only if the LDAP server
# load becomes a bottleneck due to a big amount of users (ex. more than 10000 users).
#ldap_routing No

# You can optionally disable some features if you run multiple WebADM servers with
# different purposes. For example, if you don't want to provide admin portal on an
# Internet-exposed WebApps and WebSrvs server.
# By default, all the functionalities are enabled.
# NOTE(review): all four roles are enabled on this node; following the guidance
# above, consider enable_admin No if this server is the one published through
# reverse_proxies / waproxy_proxies (see below).
enable_admin Yes
enable_manager Yes
enable_webapps Yes
enable_websrvs Yes

# Enable syslog reporting (disabled by default). When enabled, system logs are sent
# to both the WebADM log files and syslog.
# NOTE(review): with log_syslog left at its default, events exist only in the local
# log files; forwarding to syslog gives a central copy that survives a host
# compromise and can feed detection rules.
#log_debug No
#log_mixsql No
#log_syslog No
#syslog_facility LOG_USER
#syslog_format CEF

# Alerts are always recorded to the SQL Alert log. Additionally, when alert_email
# or alert_mobile is defined, the alerts are also sent by email/SMS.
# NOTE(review): neither alert_email nor alert_mobile is set, so alerts are only
# visible to someone who reads the SQL Alert log — nobody is notified.
#alert_email "me@mydomain.com"
#alert_mobile "+33 12345678"

# Protect WebADM against bruteforce attacks on the WebApps by blacklisting source IPs
# for 20 seconds after 5 failed login attempts.
# NOTE(review): ip_blacklist is commented out, so whether blacklisting is active
# depends on the product default; set it explicitly rather than inheriting.
#ip_blacklist Yes

# You can publish WebADM applications and OpenOTP mobile endpoint over Internet using
# a reverse proxy (WAF) or RCDevs WebADM Publishing Server (WAProxy).
# Set the IP address(es) of your reverse-proxy or WAProxy server(s). WebADM expects
# the HTTP_X_FORWARDED_FOR and HTTP_X_FORWARDED_HOST headers from reverse proxies!
# Use 'waproxy_proxies' ONLY if you are using RCDevs WAProxy as reverse-proxy!
# NOTE(review): with no proxies listed here, WebADM presumably uses the direct peer
# address as the client IP. If a reverse proxy is later placed in front, list it
# here so the X-Forwarded-For header is trusted only from that address; otherwise
# IP-based controls (admin_clients, manager_clients, ip_blacklist) would act on the
# proxy's address instead of the real client's — confirm against the product docs.
#reverse_proxies "192.168.0.100", "192.168.0.101"
#waproxy_proxies "192.168.0.102"

# The 'public_hostname' is mandatory to let WebADM know your public endpoints' URLs.
# Use the public DNS name of your reverse proxy or WAProxy server without a scheme.
# The setting used to be named 'waproxy_pubaddr' in WebADM versions before v2.3.12.
#public_hostname "www.myproxy.com"

# Check for new product versions and license updates on RCDevs' website.
# These features require outbound Internet access from the server.
# NOTE(review): this is the one setting here that needs an outbound Internet path;
# scope any egress rule to it rather than opening general outbound access.
cloud_services Yes

# WebApps theme (default or flat)
# Comment the following line to disable the default theme.
webapps_theme "default"

# End-user message templates
# The following variables are available: %USERNAME%, %USERDN%, %USERID%, %DOMAIN%, %APPNAME%
# Additional variables are available depending on the context: %APPNAME%, %APPID%, %TIMEOUT%, %EXPIRES%
# NOTE(review): the templates below also use %CLIENT%, which the list above does not
# mention — presumably a context variable like %EXPIRES%; confirm it is expanded.
# The quoted values appear to rely on the parser turning "\n" into a line break.
app_unlock_subject "Unlocked access to %APPNAME%"
app_unlock_message "Hello %USERNAME%,\n\nYou have temporary access to the %APPNAME%.\nYour access will automatically expire %EXPIRES%."
ldap_expire_subject "Login password near expiration"
ldap_expire_message "Hello %USERNAME%,\n\nYour login password will expire %EXPIRES%.\nPlease reset your password before expiration!\n\nRegards"
cert_expire_subject "Login certificate near expiration"
cert_expire_message "Hello %USERNAME%,\n\nYour login certificate will expire %EXPIRES%.\nPlease renew your certificate before expiration!\n\nRegards"
access_sign_subject "Agreement signature required for %CLIENT%"
access_sign_message "Hello %USERNAME%,\n\nPlease sign the agreement in order to access %CLIENT%.\nThe signature request expire %EXPIRES%."
# Badging (attendance) notification templates; same variable set as the templates above.
no_badgeout_subject "Forgot badge-out %EXPIRES%"
no_badgeout_message "Hello %USERNAME%,\n\nYou did not badge-out since %EXPIRES%.\nPlease do not forget to badge out today!\n\nRegards"
no_badgein_subject "Badging required for %CLIENT%"
no_badgein_message "Hello %USERNAME%,\n\nYou tried to login to %CLIENT% without badging.\nPlease badge-in and retry!\n\nRegards"

# Personalization options
# You can customize your organization name, logo file and website URL.
# The logo file must be a PNG image with size 100x50 pixels.
#org_name "My Company"
#org_logo "mycompany.png"
#org_from "noreply@mycompany.com"
#org_site "http://www.mycompany.com/"

# Misc options
#treeview_width 300
#treeview_items 1500
#default_portal Admin
# NOTE(review): log_retention is left at the product default; set it explicitly
# (days, per the sample value) so logs are kept long enough for investigations.
#log_retention 365
#ldap_uidcase No
# NOTE(review): ntp_server is unset; if OTP login methods are used, reliable host
# time synchronisation matters — confirm the OS-level time source instead.
#ntp_server "myserver.local"
#custom_css "style.css"