TODO: explain the lookup protocol.
# Configuration
The *keystored* daemon loads its configuration from a YAML-encoded
file, */etc/keystore/config.yml* by default. It can contain the
following attributes:
* `sso_public_key_file`: path to the SSO Ed25519 public key
* `sso_service`: SSO service for this application
* `sso_domain`: SSO domain
* `ldap`: LDAP backend configuration
* `uri`: LDAP server URI
* `bind_dn`: bind DN (for simple bind, SASL is not supported)
* `bind_pw`: bind password
* `bind_pw_file`: bind password, loaded from this file; an alternative to
*bind_pw* that keeps the secret out of the configuration file itself
* `query`: Parameters for the LDAP search query
* `search_base`: base DN for the search
* `search_filter`: search filter. The filter string may contain a
literal `%s` token, which will be replaced with the username
(escaped for safe use inside an LDAP filter).
* `scope`: search scope, one of *sub* (default), *one* or *base*
* `public_key_attr`: attribute that contains the user's public key
* `private_key_attr`: attribute that contains the user's encrypted private key
* `http_server`: HTTP server configuration
* `tls`: contains the server-side TLS configuration:
* `cert`: path to the server certificate
* `key`: path to the server's private key
* `ca`: path to the CA used to validate client certificates
* `acl`: TLS-based access controls, given as a list of entries
with the following attributes:
* `path`: regular expression to match the request URL path
* `cn`: regular expression that must match the CommonName (CN) of the
client certificate's subject
* `max_inflight_requests`: maximum number of in-flight requests to
allow before server-side throttling kicks in
The *dovecot-keylookupd* daemon uses a similar configuration, read by
default from */etc/keystore/dovecot.yml*:
* `ldap`: LDAP backend configuration, see above
* `keystore`: configures the connection to the keystore service
* `url`: URL for the keystore service
* `tls_config`: client TLS configuration
* `cert`: path to the client certificate
* `key`: path to the private key
* `ca`: path to the CA used to validate the server certificate
......@@ -20,7 +20,7 @@ var (
configFile = flag.String("config", "/etc/keystore/dovecot.yml", "path of config file")
socketPath = flag.String("socket", "/run/dovecot-keystored/socket", "`path` to the UNIX socket to listen on")
systemdSocketActivation = flag.Bool("systemd-socket", false, "use SystemD socket activation")
requestTimeout = flag.Duration("timeout", 5*time.Second, "timeout for incoming requests")
requestTimeout = flag.Duration("timeout", 10*time.Second, "timeout for incoming requests")
// Read YAML config.
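Review bot: The default for `-timeout` is doubled to 10 seconds with nothing beside the flag recording why, so a later reader cannot tell whether 5 seconds was observed to be too short or 10 is a guess. A one-line comment above the declaration, such as `// 10s default: <rationale — TODO record the measurement or incident behind it>`, would keep the reasoning next to the value it justifies. The enclosing `var (` block begins before this hunk, so its other declarations are not visible here.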
......@@ -23,11 +23,11 @@ var (
configFile = flag.String("config", "/etc/keystore/config.yml", "path of config file")
// Config wraps the keystore.Config together with the server setup in
// a single configuration object.
// Config wraps the keystore server.Config together with the HTTP
// server config in a single object for YAML deserialization.
type Config struct {
KeyStoreConfig *server.Config `yaml:"keystore"`
ServerConfig *serverutil.ServerConfig `yaml:"http_server"`
server.Config `yaml:",inline"`
ServerConfig *serverutil.ServerConfig `yaml:"http_server"`
func loadConfig() (*Config, error) {
......@@ -52,7 +52,7 @@ func main() {
ks, err := server.NewKeyStore(config.KeyStoreConfig)
ks, err := server.NewKeyStore(&config.Config)
if err != nil {
