.. _linotp.ini:

The linotp.ini file
===================

The linotp.ini file contains the basic configuration of LinOTP.
The linotp.ini file can only be changed by the root user of your operating system, not by the token administrator!
It therefore contains the configuration settings that are not to be changed by a token administrator.

Each time you change linotp.ini you need to restart the server.

Auditing
~~~~~~~~

linotpAudit.type
----------------

Set this to a module that takes care of doing the audit::

    linotpAudit.type = linotp.lib.audit.SQLAudit

linotpAudit.key.private
-----------------------

The private RSA key used to sign the audit log::

    linotpAudit.key.private = %(here)s/private.pem

linotpAudit.key.public
----------------------

The public RSA key used to verify the audit log::

    linotpAudit.key.public = %(here)s/public.pem

linotpAudit.sql.url
-------------------

The SQLAlchemy connect string to the database where the audit is written::

    linotpAudit.sql.url = mysql://linotp2:test123!@localhost/LinOTP2

linotpAudit.sql.table_prefix
----------------------------

The audit table gets the name "audit". This name can lead to problems with certain databases:
on Oracle, "audit" is a reserved word. You can therefore define a prefix for the table name::

    linotpAudit.sql.table_prefix = linotp

linotpAudit.sql.highwatermark
-----------------------------

You can define the number of audit entries at which old audit entries should be deleted::

    linotpAudit.sql.highwatermark = 10000

linotpAudit.sql.lowwatermark
----------------------------

When highwatermark is reached and old audit entries are deleted, only lowwatermark audit entries
are kept in the audit log::

    linotpAudit.sql.lowwatermark = 5000

Misc
~~~~

linotpHelp.url
--------------

The Management Web UI contains a help button that links to a help system.
Using the entry ``linotpHelp.url`` you can specify where LinOTP should look for the help.

profile
-------

If this is set to "true", LinOTP will create performance profiling output.

linotpGetotp.active
-------------------

If set to true you can retrieve OTP values from LinOTP.
See :ref:`retrievingotpvalues` for more information::

    linotpGetotp.active = False

linotpNoSessionCheck
--------------------

You can define which clients do not need to pass the session to the admin interface::

    linotpNoSessionCheck = 127.0.0.1

For more information see :ref:`disable_session_protection`.

linotpSecretFile
----------------

This is the file containing the encryption key. Usually it is located at::

    linotpSecretFile = %(here)s/encKey

Instead of using the encryption key, you can use the PKCS11 Security Provider.
See :ref:`defining_security_modules`.

linotpSQL.implicit_returning
----------------------------

An SQL setting that needs to be set to "True" under certain conditions like MS SQL replication.
For more information see the SQLAlchemy homepage:

"**implicit_returning** use RETURNING or equivalent during INSERT execution in order to load newly
generated primary keys and other column defaults in one execution, which are then available via
inserted_primary_key. If an insert statement has returning() specified explicitly, the “implicit”
functionality is not used and inserted_primary_key will not be available."

linotpPolicy.pin_c, linotpPolicy.pin_n, linotpPolicy.pin_s
----------------------------------------------------------

You can use these entries to define the sets of characters for PIN generation or PIN reset.
C is the list of characters, N the list of digits and S the list of special characters.
The default setting is::

    linotpPolicy.pin_c = [a-zA-Z]
    linotpPolicy.pin_n = [0-9]
    linotpPolicy.pin_s = [.:,;-_<>+*!/()=?$§%&#~\^]

openid_sql
----------

This is the SQL connect string for the OpenID database.

linotpOpenID.CookieExpire
-------------------------

This is the expiry time for OpenID cookies.

linotp.imprint_directory
------------------------

The imprint directory can hold the imprint which is displayed in the Selfservice Portal.
The imprint is just the contents of the file .imprint in this directory.
For more information see :ref:`selfservice_imprint`.

linotpTokenModules
------------------

This is a list of Python token modules, which provide the token types available to LinOTP.
For more information see :ref:`token_development`.

RADIUS settings
~~~~~~~~~~~~~~~

These are special settings for the RADIUS token type.

radius.dictfile
---------------

This is the location of the RADIUS dictionary file::

    radius.dictfile= %(here)s/dictionary

radius.nas_identifier
---------------------

This is the NAS Identifier the LinOTP server would send as a RADIUS client when
contacting another RADIUS server::

    radius.nas_identifier = LinOTP

Default Values
~~~~~~~~~~~~~~

There are several values that are read as default token values::

    linotp.DefaultSyncWindow = 1000
    linotp.DefaultOtpLen = 6
    linotp.DefaultCountWindow = 50
    linotp.DefaultMaxFailCount = 15
    linotp.FailCounterIncOnFalsePin = True
    linotp.PrependPin = True
    linotp.DefaultResetFailCount = True
    linotp.splitAtSign = True

.. note:: All entries starting with "linotp." are read from the linotp.ini file and
   written to the Config Table in the LinOTP database. Changing these values
   afterwards therefore has no effect: once written to the database, these
   values are always read from the database.
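
A review script for the settings documented on this page, added here as an example (it is not LinOTP's own code): it flags a database password in a file that other users can access, watermarks that cannot prune, enabled OTP retrieval, and session-check exemptions beyond loopback. The ``[app:main]`` section name, the comma-separated form of ``linotpNoSessionCheck``, the function name ``review`` and the sample values are assumptions.

```python
import configparser
import ipaddress
from urllib.parse import urlsplit

# Constructed sample; the [app:main] section name is an assumption.
SAMPLE_INI = r"""
[app:main]
linotpAudit.sql.url = mysql://linotp2:test123!@localhost/LinOTP2
linotpAudit.sql.highwatermark = 10000
linotpAudit.sql.lowwatermark = 20000
linotpGetotp.active = True
linotpNoSessionCheck = 127.0.0.1, 192.168.0.0/24
linotpPolicy.pin_s = [.:,;-_<>+*!/()=?$%&#~\^]
"""

def review(ini_text, file_mode):
    """Return the sorted names of settings that deserve a second look."""
    cp = configparser.ConfigParser(interpolation=None)  # values hold raw '%'
    cp.optionxform = str                                # keep key case
    cp.read_string(ini_text)
    cfg = {k: v for s in cp.sections() for k, v in cp[s].items()}
    hits = set()
    # A connect string with a password makes the whole file a secret.
    for key in ("linotpAudit.sql.url", "openid_sql"):
        if urlsplit(cfg.get(key, "")).password and file_mode & 0o007:
            hits.add(key)
    # lowwatermark is what remains after pruning, so it must be below highwatermark.
    high = int(cfg.get("linotpAudit.sql.highwatermark", 0))
    low = int(cfg.get("linotpAudit.sql.lowwatermark", 0))
    if high and low >= high:
        hits.add("linotpAudit.sql.lowwatermark")
    # OTP retrieval is off in the documented example.
    if cfg.get("linotpGetotp.active", "False").strip().lower() == "true":
        hits.add("linotpGetotp.active")
    # Session-check exemptions beyond loopback widen access to the admin interface.
    for entry in filter(None, map(str.strip, cfg.get("linotpNoSessionCheck", "").split(","))):
        try:
            local = ipaddress.ip_network(entry, strict=False).is_loopback
        except ValueError:  # not an address or network
            local = False
        if not local:
            hits.add("linotpNoSessionCheck")
    return sorted(hits)

if __name__ == "__main__":
    print(review(SAMPLE_INI, 0o644))
```

For a real file, pass its contents together with ``os.stat(path).st_mode``.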