24. The linotp.ini file¶
The linotp.ini file contains basic configuration of LinOTP.
The linotp.ini file can only be changed by the user root of your operating system but not by the token administrator! So the linotp.ini file contains configuration settings that are not to be changed by a token administrator.
Each time you made any changes to the linotp.ini you need to restart the server.
24.1. Auditing¶
24.1.1. linotpAudit.type¶
Set this to a module that takes care of doing the audit:
linotpAudit.type = linotp.lib.audit.SQLAudit
24.1.2. linotpAudit.key.private¶
The private RSA key used to sign the audit log:
linotpAudit.key.private = %(here)s/private.pem
24.1.3. linotpAudit.key.public¶
The public RSA key used to verify the audit log:
linotpAudit.key.public = %(here)s/public.pem
24.1.4. linotpAudit.sql.url¶
The SQLalchemy connect string to the database where the audit is written:
linotpAudit.sql.url = mysql://linotp2:test123!@localhost/LinOTP2
24.1.5. linotpAudit.sql.table_prefix¶
The audit table gets the name “audit”. This name can lead to problems with certain databases. On Oracle “audit” is a reserved word. So you can define a prefix for the table name:
linotpAudit.sql.table_prefix = linotp
24.1.6. linotpAudit.sql.highwatermark¶
You can define at which number of audit entries old audit entries should be deleted:
linotpAudit.sql.highwatermark = 10000
24.1.7. linotpAudit.sql.lowwatermark¶
When highwaremark is reached and old audit entries are deleted only lowwatermark audit entries are kept in the audit log:
linotpAudit.sql.lowwatermark = 5000
24.2. Misc¶
24.2.1. linotpHelp.url¶
The Management Web UI contains a help button to a help system. Using the entry linotpHelp.url you can specify where
LinOTP should look for the help.
24.2.2. profile¶
Setting this to “true” LinOTP will create a bunch of performance profiling.
24.2.3. linotpGetotp.active¶
If set to true you can retrieve OTP values from LinOTP. See Retrieving OTP values for more information:
linotpGetotp.active = False
24.2.4. linotpNoSessionCheck¶
You can define, which clients do not need to pass the session to the admin interface:
linotpNoSessionCheck = 127.0.0.1
For more information see Disabling the session parameter.
24.2.5. linotpSecretFile¶
This is the encryption key. Usually it is located at:
linotpSecretFile = %(here)s/encKey
Instead of using the encryption key, you can use the PKCS11 Security Provider. See Defining Security Modules.
24.2.6. linotpSQL.implicit_returning¶
An SQL setting that needs to be set to “True” under certain conditions like MS SQL replication. For more information see the SQLAlchemy homepage:
“implicit_returning
use RETURNING or equivalent during INSERT execution in order to load newly generated primary keys and other column defaults in one execution, which are then available via inserted_primary_key. If an insert statement has returning() specified explicitly, the “implicit” functionality is not used and inserted_primary_key will not be available.”
24.2.7. linotpPolicy.pin_c, linotpPolicy.pin_n, linotpPolicy.pin_s¶
You can use these entries to define the sets of characters for PIN generation or PIN reset.
C is the list or characters, N the list of digits and S the list of special characters.
The default setting is:
linotpPolicy.pin_c = [a-zA-Z]
linotpPolicy.pin_n = [0-9]
linotpPolicy.pin_s = [.:,;-_<>+*!/()=?$§%&#~\^]
24.2.8. openid_sql¶
This is the SQL connect string for the OpenID database.
24.2.9. linotpOpenID.CookieExpire¶
This is the expiry time for OpenID cookies.
24.2.10. linotp.imprint_directory¶
The imprint directory can hold the imprint which is displayed in the Selfservice Portal. The imprint is just the contents of the file <realm>.imprint in this directory. For more information see Selfservice Portal Imprint.
24.3. RADIUS settings¶
These are special settings for the RADIUS token type.
24.3.1. radius.dictfile¶
is the location of the RADIUS dictionary file:
radius.dictfile= %(here)s/dictionary
24.3.2. radius.nas_identifier¶
This is the NAS Identifier the LinOTP server would send as a RADIUS client when contacting another RADIUS server:
radius.nas_identifier = LinOTP
24.4. Default Values¶
There are several values that are read as default token values:
linotp.DefaultSyncWindow = 1000
linotp.DefaultOtpLen = 6
linotp.DefaultCountWindow = 50
linotp.DefaultMaxFailCount = 15
linotp.FailCounterIncOnFalsePin = True
linotp.PrependPin = True
linotp.DefaultResetFailCount = True
linotp.splitAtSign = True
Note
All entries starting with “linotp.” are read from the linotp.ini file and written to the Config Table in the LinOTP database. So changing these values afterwards will have no effect, since after once written to the database these values always are read from the database.