Backends
Canaille can read and save data in different databases:
Memory
Canaille ships with a lightweight in-memory backend by default. This backend exists for testing only and must not be used in production: nothing is persisted, and everything is lost when the process stops.
It is used when the BACKENDS configuration parameter is unset or empty.
SQL
Canaille can use any database supported by SQLAlchemy, such as SQLite, PostgreSQL or MariaDB.
It is used when the BACKENDS.SQL configuration parameter is defined.
LDAP
Canaille can use OpenLDAP as its main database.
It is used when the BACKENDS.LDAP configuration parameter is defined.
Note
Currently, only the inetOrgPerson and groupOfNames schemas have been tested.
If you want to use different schemas or LDAP servers, adaptations may be needed. Patches are welcome.
Canaille can integrate with several OpenLDAP overlays:
memberof / refint
The memberof and refint overlays are needed for Canaille group membership to work correctly: memberof maintains the memberOf attribute on user entries whenever a group's member attribute changes, and refint removes dangling member and memberOf references when an entry is deleted or renamed. Without refint, deleting a user would leave stale DNs in the groups that referenced it.
Here is a configuration example compatible with Canaille:
dn: cn=module,cn=config
cn: module
objectClass: olcModuleList
olcModuleLoad: memberof

dn: olcOverlay=memberof,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf

dn: cn=module,cn=config
cn: module
objectClass: olcModuleList
olcModuleLoad: refint

dn: olcOverlay=refint,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
objectClass: top
olcOverlay: refint
olcRefintAttribute: memberof
olcRefintAttribute: member
olcRefintAttribute: manager
olcRefintAttribute: owner
ppolicy
If the ppolicy overlay is configured and the pwdEndTime attribute is available (OpenLDAP 2.6 and later), account locking support is enabled in Canaille. To let users manage account expiration, they need write permission on the lock_date attribute.
Note that olcPPolicyUseLockout: TRUE makes the server answer a bind against a locked account with an explicit "account locked" error instead of the generic invalid-credentials response. Anyone able to attempt a bind can then distinguish a locked account from a wrong password; keep it enabled only if that disclosure is acceptable in your deployment.
Here is a configuration example compatible with Canaille:
dn: cn=module,cn=config
cn: module
objectClass: olcModuleList
olcModuleLoad: ppolicy

dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=passwordDefault,dc=mydomain,dc=tld
olcPPolicyUseLockout: TRUE

dn: cn=passwordDefault,dc=mydomain,dc=tld
objectClass: person
objectClass: top
objectClass: pwdPolicy
sn: passwordDefault
cn: passwordDefault
pwdAttribute: userPassword
pwdMustChange: TRUE
pwdLockout: TRUE
pwdAllowUserChange: TRUE
pwdGraceAuthNLimit: 1
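The memberof/refint and ppolicy examples above fix the attribute names and values Canaille depends on. The following stand-alone Python script is an added example, not code from the Canaille project or its documentation: it parses a cn=config LDIF dump (the kind slapcat -n 0 produces) and reports every deviation from those settings, so a deployment can be checked before Canaille is pointed at it. The input is a constructed sample built from the entries on this page, plus a deliberately weakened variant (wrong group object class, refint not tracking member); the parser covers only the LDIF subset slapcat emits (folded lines, base64 values, {n} ordering prefixes) and is not a general LDIF implementation.

```python
"""Offline check that an OpenLDAP cn=config LDIF dump carries the memberof,
refint and ppolicy settings Canaille relies on (added example)."""
import base64
import re
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]  # lowercased attribute name -> values

# Constructed sample: the overlay entries from this page as slapcat would dump
# them, including the {n} ordering prefixes cn=config adds on read-back.
SAMPLE_LDIF = """\
dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
objectClass: olcMemberOf
olcOverlay: {0}memberof
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf

dn: olcOverlay={1}refint,olcDatabase={1}mdb,cn=config
objectClass: olcRefintConfig
olcOverlay: {1}refint
olcRefintAttribute: memberof
olcRefintAttribute: member

dn: olcOverlay={2}ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcPPolicyConfig
olcOverlay: {2}ppolicy
olcPPolicyDefault: cn=passwordDefault,dc=mydomain,dc=tld
olcPPolicyUseLockout: TRUE

dn: cn=passwordDefault,dc=mydomain,dc=tld
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdLockout: TRUE
"""

# Constructed weak variant: posixGroup instead of groupOfNames, and refint no
# longer tracking "member", so deleting a user leaves dangling group references.
WEAK_LDIF = (SAMPLE_LDIF
             .replace("olcMemberOfGroupOC: groupOfNames", "olcMemberOfGroupOC: posixGroup")
             .replace("olcRefintAttribute: member\n", ""))


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: unfold continuation lines (newline + space), split
    records on blank lines, decode base64 ('::') values, lowercase names."""
    entries: List[Entry] = []
    current: Entry = {}
    for line in re.sub(r"\n ", "", text).splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        value = value.strip()
        if value.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(name.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def _values(entry: Entry, attr: str) -> List[str]:
    """Values of attr, lowercased, with cn=config's {n} ordering prefix removed."""
    return [re.sub(r"^\{\d+\}", "", v).lower() for v in entry.get(attr.lower(), [])]


def find_overlay(entries: List[Entry], name: str) -> Optional[Entry]:
    return next((e for e in entries if _values(e, "olcOverlay") == [name]), None)


def check_canaille_overlays(entries: List[Entry]) -> List[str]:
    """Return the deviations from the settings this page requires; empty means OK."""
    problems: List[str] = []
    memberof = find_overlay(entries, "memberof")
    if memberof is None:
        problems.append("memberof overlay is not configured")
    else:
        expected = {"olcMemberOfGroupOC": "groupofnames", "olcMemberOfMemberAD": "member",
                    "olcMemberOfMemberOfAD": "memberof", "olcMemberOfRefInt": "true"}
        for attr, want in expected.items():
            got = _values(memberof, attr)
            if got != [want]:
                problems.append(f"memberof: {attr} should be {want}, got {got or 'unset'}")
    refint = find_overlay(entries, "refint")
    if refint is None:
        problems.append("refint overlay is not configured")
    else:
        tracked = set(_values(refint, "olcRefintAttribute"))
        for attr in ("member", "memberof"):
            if attr not in tracked:
                problems.append(f"refint: {attr} is not listed in olcRefintAttribute")
    ppolicy = find_overlay(entries, "ppolicy")
    if ppolicy is None:
        problems.append("ppolicy overlay is not configured; account locking unavailable")
    else:
        default_dn = _values(ppolicy, "olcPPolicyDefault")
        policy = next((e for e in entries if _values(e, "dn") == default_dn), None)
        if policy is None:
            problems.append(f"ppolicy: default policy {default_dn} not present in dump")
        elif _values(policy, "pwdLockout") != ["true"]:
            problems.append("ppolicy: pwdLockout is not TRUE in the default policy")
    return problems


if __name__ == "__main__":
    for label, ldif in (("sample", SAMPLE_LDIF), ("weak", WEAK_LDIF)):
        print(label, check_canaille_overlays(parse_ldif(ldif)) or "OK")
```

Against a real server, feed the script the output of slapcat -n 0 (or an ldapsearch of cn=config as the config root DN) instead of the constructed sample; the {n} prefix stripping in _values is what makes dumped entries compare equal to the bare names used on this page.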