23. The linotp.ini file

The linotp.ini file contains basic configuration of LinOTP.

The linotp.ini file can only be changed by the user root of your operating system but not by the token administrator! So the linotp.ini file contains configuration settings that are not to be changed by a token administrator.

Each time you made any changes to the linotp.ini you need to restart the server.

23.1. Auditing

23.1.1. linotpAudit.type

Set this to a module that takes care of doing the audit:

linotpAudit.type = linotp.lib.audit.SQLAudit

23.1.2. linotpAudit.key.private

The private RSA key used to sign the audit log:

linotpAudit.key.private = %(here)s/private.pem

23.1.3. linotpAudit.key.public

The public RSA key used to verify the audit log:

linotpAudit.key.public = %(here)s/public.pem

23.1.4. linotpAudit.sql.url

The SQLalchemy connect string to the database where the audit is written:

linotpAudit.sql.url = mysql://linotp2:test123!@localhost/LinOTP2

23.1.5. linotpAudit.sql.table_prefix

The audit table gets the name “audit”. This name can lead to problems with certain databases. On Oracle “audit” is a reserved word. So you can define a prefix for the table name:

linotpAudit.sql.table_prefix = linotp

23.1.6. linotpAudit.sql.highwatermark

You can define at which number of audit entries old audit entries should be deleted:

linotpAudit.sql.highwatermark = 10000

23.1.7. linotpAudit.sql.lowwatermark

When highwaremark is reached and old audit entries are deleted only lowwatermark audit entries are kept in the audit log:

linotpAudit.sql.lowwatermark = 5000

23.2. Misc

23.2.1. linotpHelp.url

The Management Web UI contains a help button to a help system. Using the entry linotpHelp.url you can specify where LinOTP should look for the help.

23.2.2. profile

Setting this to “true” LinOTP will create a bunch of performance profiling.

23.2.3. linotpGetotp.active

If set to true you can retrieve OTP values from LinOTP. See Retrieving OTP values for more information:

linotpGetotp.active = False

23.2.4. linotpNoSessionCheck

You can define, which clients do not need to pass the session to the admin interface:

linotpNoSessionCheck =

For more information see Disabling the session parameter.

23.2.5. linotpSecretFile

This is the encryption key. Usually it is located at:

linotpSecretFile = %(here)s/encKey

Instead of using the encryption key, you can use the PKCS11 Security Provider. See Defining Security Modules.

23.2.6. linotpSQL.implicit_returning

An SQL setting that needs to be set to “True” under certain conditions like MS SQL replication. For more information see the SQLAlchemy homepage:


use RETURNING or equivalent during INSERT execution in order to load newly generated primary keys and other column defaults in one execution, which are then available via inserted_primary_key. If an insert statement has returning() specified explicitly, the “implicit” functionality is not used and inserted_primary_key will not be available.”

23.2.7. linotpPolicy.pin_c, linotpPolicy.pin_n, linotpPolicy.pin_s

You can use these entries to define the sets of characters for PIN generation or PIN reset.

C is the list or characters, N the list of digits and S the list of special characters.

The default setting is:

linotpPolicy.pin_c = [a-zA-Z]
linotpPolicy.pin_n = [0-9]
linotpPolicy.pin_s = [.:,;-_<>+*!/()=?$§%&#~\^]

23.2.8. openid_sql

This is the SQL connect string for the OpenID database.

23.2.9. linotpOpenID.CookieExpire

This is the expiry time for OpenID cookies.

23.2.10. linotp.imprint_directory

The imprint directory can hold the imprint which is displayed in the Selfservice Portal. The imprint is just the contents of the file <realm>.imprint in this directory. For more information see Selfservice Portal Imprint.

23.2.11. linotpTokenModules

This is a list of Python token modules, which provide the tokentypes available to LinOTP. For more information see Tokens.

23.3. RADIUS settings

These are special settings for the RADIUS token type.

23.3.1. radius.dictfile

is the location of the RADIUS dictionary file:

radius.dictfile= %(here)s/dictionary

23.3.2. radius.nas_identifier

This is the NAS Identifier the LinOTP server would send as a RADIUS client when contacting another RADIUS server:

radius.nas_identifier = LinOTP

23.4. Default Values

There are several values that are read as default token values:

linotp.DefaultSyncWindow = 1000
linotp.DefaultOtpLen = 6
linotp.DefaultCountWindow = 50
linotp.DefaultMaxFailCount = 15
linotp.FailCounterIncOnFalsePin = True
linotp.PrependPin = True
linotp.DefaultResetFailCount = True
linotp.splitAtSign = True


All entries starting with “linotp.” are read from the linotp.ini file and written to the Config Table in the LinOTP database. So changing these values afterwards will have no effect, since after once written to the database these values always are read from the database.