diff --git a/master.html b/master.html index 36b5d2b6..842021d4 100644 --- a/master.html +++ b/master.html @@ -373,6 +373,7 @@ file.
without supporting SHA-256 or SHA-512 (e.g. Ubuntu LTS 22), in this case use '-B' for "bcrypt" hash method or stay with insecure MD5 (default) or SHA-1 ('-s'). +Note that support of SHA-256 or SHA-512 was introduced with 3.1.9
# Create a new htpasswd file with the user "user1" using SHA-512 as hash method
$ htpasswd -5 -c /path/to/users user1
New password:
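Review bot: the added sentence "Note that support of SHA-256 or SHA-512 was introduced with 3.1.9" does not say which program's version is meant, and the surrounding paragraph is about the distribution's htpasswd tool (Ubuntu LTS 22) rather than Radicale, so a reader can take 3.1.9 as an htpasswd version; write "Radicale 3.1.9" explicitly, or use the "(>= 3.1.9)" marker this patch adopts everywhere else, and end the sentence with a period.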
@@ -900,10 +901,11 @@ can be used to secure TCP traffic between Radicale and a reverse proxy.
If you want to authenticate users with client-side certificates, you
also have to write an authentication plugin that extracts the username
from the certificate.
-Default:
+Default: (unset)
protocol ¶
+(>= 3.3.1)
Accepted SSL protocol (maybe not all supported by underlying OpenSSL
version) Example for secure configuration: ALL -SSLv3 -TLSv1 -TLSv1.1
Format: Apache SSLProtocol list (from "mod_ssl")
@@ -911,6 +913,7 @@ Format: Apache SSLProtocol list (from "mod_ssl")
ciphersuite ¶
+(>= 3.3.1)
Accepted SSL ciphersuite (maybe not all supported by underlying
OpenSSL version) Example for secure configuration: DHE:ECDHE:-NULL:-SHA
Format: OpenSSL cipher list (see also "man openssl-ciphers")
@@ -918,6 +921,7 @@ Format: OpenSSL cipher list (see also "man openssl-ciphers")
script_name ¶
+(>= 3.5.0)
Strip script name from URI if called by reverse proxy
Default: (taken from HTTP_X_SCRIPT_NAME or SCRIPT_NAME)
@@ -942,6 +946,8 @@ Format: OpenSSL cipher list (see also "man openssl-ciphers")
The method to verify usernames and passwords.
Available backends:
none
: Just allows all usernames and passwords.
+denyall
(>= 3.2.2) : Just denies all
+usernames and passwords.
htpasswd
: Use an Apache
htpasswd file to store usernames and passwords.
remote_user
: Takes the username from the
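Review bot: the new "denyall" entry says only "Just denies all usernames and passwords"; one more clause on when it is useful (for example as the safe setting while a backend is still being configured) would tell readers why they would ever select it, especially since this patch later makes it the default for 3.5.0.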
@@ -951,28 +957,35 @@ server.
http_x_remote_user
: Takes the username from the
X-Remote-User
HTTP header and disables HTTP authentication.
This can be used to provide the username from a reverse proxy.
-ldap
: Use a LDAP or AD server to authenticate
-users.
-dovecot
: Use a Dovecot server to authenticate
-users.
-imap
: Use an IMAP server to authenticate users.
-oauth2
: Use an OAuth2 server to authenticate users.
-pam
: Use local PAM to authenticate users.
-Default: none
+ldap
(>= 3.3.0) : Use a LDAP or AD server to
+authenticate users.
+dovecot
(>= 3.3.1) : Use a Dovecot server to
+authenticate users.
+imap
(>= 3.4.1) : Use an IMAP server to
+authenticate users.
+oauth2
(>= 3.5.0) : Use an OAuth2 server to
+authenticate users.
+pam
(>= 3.5.0) : Use local PAM to
+authenticate users.
+Default: none
(< 3.5.0) denyall
+(>= 3.5.0)
cache_logins ¶
+(>= 3.4.0)
Cache successful/failed logins until expiration time. Enable this to
avoid overload of authentication backends.
Default: false
cache_successful_logins_expiry ¶
+(>= 3.4.0)
Expiration time of caching successful logins in seconds
Default: 15
cache_failed_logins_expiry ¶
+(>= 3.4.0)
Expiration time of caching failed logins in seconds
Default: 90
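Review bot: the changed default line "Default: none (< 3.5.0) denyall (>= 3.5.0)" encodes a behaviour change with security impact only in the version markers: an installation that relies on the default accepted every login before 3.5.0 and refuses every login after upgrading. That deserves an explicit sentence in the prose. Also separate the two alternatives with a comma or a line break; as written, "none (< 3.5.0) denyall" can be read as one value.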
@@ -996,16 +1009,18 @@ stream cipher. It's very secure. The installation of
bcrypt is required for this.
md5
: This uses an iterated MD5 digest of the password
with a salt (nowadays insecure).
-sha256
: This uses an iterated SHA-256 digest of the
-password with a salt.
-sha512
: This uses an iterated SHA-512 digest of the
-password with a salt.
-autodetect
: This selects autodetection of method per
-entry.
-Default: autodetect
+sha256
(>= 3.1.9) : This uses an iterated
+SHA-256 digest of the password with a salt.
+sha512
(>= 3.1.9) : This uses an iterated
+SHA-512 digest of the password with a salt.
+autodetect
(>= 3.1.9) : This selects
+autodetection of method per entry.
+Default: md5
(< 3.3.0)
+autodetect
(>= 3.3.0)
htpasswd_cache ¶
+(>= 3.4.0)
Enable caching of htpasswd file based on size and mtime_ns
Default: False
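Review bot: "Default: md5 (< 3.3.0) autodetect (>= 3.3.0)" has the same readability problem; separate the alternatives. Since the context just above calls md5 "nowadays insecure" and "autodetect" is described as selecting the method per entry, state whether autodetect keeps accepting existing MD5 entries unchanged (the per-entry wording suggests it does): if so, changing the default does not by itself retire weak hashes, and operators have to regenerate the file with a stronger method such as the "-B" or "-5" options shown at the top of this document. Minor: "Default: False" here versus "Default: false" for cache_logins in the previous hunk; pick one spelling.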
@@ -1021,29 +1036,34 @@ entry.
ldap_uri ¶
+(>= 3.3.0)
The URI to the ldap server
Default: ldap://localhost
ldap_base ¶
+(>= 3.3.0)
LDAP base DN of the ldap server. This parameter must be provided if
auth type is ldap.
Default:
ldap_reader_dn ¶
+(>= 3.3.0)
The DN of a ldap user with read access to get the user accounts. This
parameter must be provided if auth type is ldap.
Default:
ldap_secret ¶
+(>= 3.3.0)
The password of the ldap_reader_dn. Either this parameter or
ldap_secret_file
must be provided if auth type is ldap.
Default:
ldap_secret_file ¶
+(>= 3.3.0)
Path of the file containing the password of the ldap_reader_dn.
Either this parameter or ldap_secret
must be provided if
auth type is ldap.
@@ -1051,18 +1071,21 @@ auth type is ldap.
ldap_filter ¶
+(>= 3.3.0)
The search filter to find the user DN to authenticate by the
username. User '{0}' as placeholder for the user name.
Default: (cn={0})
ldap_user_attribute ¶
+(>= 3.4.0)
The LDAP attribute whose value shall be used as the user name after
successful authentication
Default: not set, i.e. the login name given is used directly.
ldap_groups_attribute ¶
+(>= 3.4.0)
The LDAP attribute to read the group memberships from in the
authenticated user's LDAP entry.
If set, load the LDAP group memberships from the attribute given
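Review bot: typo in the ldap_filter context line "User '{0}' as placeholder for the user name": it should read "Use '{0}' as placeholder", worth fixing while the marker is added. For ldap_user_attribute, "Default: not set, i.e. the login name given is used directly." uses a different convention from the "(unset)" form this patch introduces elsewhere; "Default: (unset), the login name given is used directly" would be consistent.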
@@ -1080,26 +1103,30 @@ calendar.
Use 'memberOf' if you want to load groups on Active Directory and
alikes, 'groupMembership' on Novell eDirectory, ...
-Default: unset
+Default: (unset)
ldap_use_ssl ¶
+(>= 3.3.0)
Use ssl on the ldap connection
Default: False
ldap_ssl_verify_mode ¶
+(>= 3.3.0)
The certificate verification mode. NONE, OPTIONAL or REQUIRED
Default: REQUIRED
ldap_ssl_ca_file ¶
+(>= 3.3.0)
The path to the CA file in pem format which is used to certificate
the server certificate
Default:
dovecot_connection_type = AF_UNIX ¶
+(>= 3.4.1)
Connection type for dovecot authentication
(AF_UNIX|AF_INET|AF_INET6)
Note: credentials are transmitted in cleartext
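Review bot: the ldap_ssl_ca_file description "which is used to certificate the server certificate" should read "which is used to verify the server certificate". The ldap_ssl_verify_mode entry lists "NONE, OPTIONAL or REQUIRED" without saying that NONE disables certificate verification, so the ldap_reader_dn credentials would be sent to whichever server answers; a one-line caveat, in the style of the "Note: credentials are transmitted in cleartext" line added for dovecot_connection_type, would fit here.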
@@ -1107,6 +1134,7 @@ the server certificate
dovecot_socket ¶
+(>= 3.3.1)
The path to the Dovecot client authentication socket (eg.
/run/dovecot/auth-client on Fedora). Radicale must have read / write
access to the socket.
@@ -1114,37 +1142,44 @@ access to the socket.
dovecot_host ¶
+(>= 3.4.1)
Host of via network exposed dovecot socket
Default: localhost
dovecot_port ¶
+(>= 3.4.1)
Port of via network exposed dovecot socket
Default: 12345
imap_host ¶
+(>= 3.4.1)
IMAP server hostname: address | address:port | [address]:port |
imap.server.tld
Default: localhost
imap_security ¶
+(>= 3.4.1)
Secure the IMAP connection: tls | starttls | none
Default: tls
oauth2_token_endpoint ¶
+(>= 3.5.0)
OAuth2 token endpoint URL
Default:
pam_service ¶
+(>= 3.5.0)
PAM service
Default: radicale
pam_group_membership ¶
+(>= 3.5.0)
PAM group user should be member of
Default:
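Review bot: grammar in the two Dovecot context descriptions "Host of via network exposed dovecot socket" and "Port of via network exposed dovecot socket"; suggest "Host of the Dovecot authentication socket exposed over the network" and "Port of the Dovecot authentication socket exposed over the network". These are the settings the cleartext note in the previous hunk applies to, so a cross-reference to that note would help readers who land on dovecot_host directly.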
@@ -1157,6 +1192,7 @@ providers like ldap, kerberos
uc_username ¶
+(>= 3.3.2)
Сonvert username to uppercase, must be true for case-insensitive auth
providers like ldap, kerberos
Default: False
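Review bot: the first character of the context line "Сonvert username to uppercase" appears to be a Cyrillic capital Es rather than the Latin letter "C" (the word renders oddly and will not match a text search for "Convert"); replace it with the ASCII letter while this section is being touched.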
@@ -1164,6 +1200,7 @@ providers like ldap, kerberos
strip_domain ¶
+(>= 3.2.3)
Strip domain from username
Default: False
@@ -1196,7 +1233,7 @@ and write their own collections under the path /USERNAME/.
permit_delete_collection ¶
-(New since 3.1.9)
+(>= 3.1.9)
Global control of permission to delete complete collection (default:
True)
If False it can be permitted by permissions per section with: D If
@@ -1204,7 +1241,7 @@ True it can be forbidden by permissions per section with: d
permit_overwrite_collection ¶
-(New since 3.3.0)
+(>= 3.3.0)
Global control of permission to overwrite complete collection
(default: True)
If False it can be permitted by permissions per section with: O If
@@ -1230,6 +1267,7 @@ only be used with a single process.
filesystem_cache_folder ¶
+(>= 3.3.2)
Folder for storing cache of local collections, created if not
present
Default: (filesystem_folder)
@@ -1240,6 +1278,7 @@ node (see below)
use_cache_subfolder_for_item ¶
+(>= 3.3.2)
Use subfolder collection-cache
for cache file structure
of 'item' instead of inside collection folders, created if not
present
@@ -1249,6 +1288,7 @@ node
use_cache_subfolder_for_history ¶
+(>= 3.3.2)
Use subfolder collection-cache
for cache file structure
of 'history' instead of inside collection folders, created if not
present
@@ -1258,6 +1298,7 @@ client in multi-instance setup
use_cache_subfolder_for_synctoken ¶
+(>= 3.3.2)
Use subfolder collection-cache
for cache file structure
of 'sync-token' instead of inside collection folders, created if not
present
@@ -1267,6 +1308,7 @@ client in multi-instance setup
use_mtime_and_size_for_item_cache ¶
+(>= 3.3.2)
Use last modifiction time (nanoseconds) and size (bytes) for 'item'
cache instead of SHA256 (improves speed)
Default: False
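Review bot: typo "modifiction" in "Use last modifiction time (nanoseconds) and size (bytes)"; it should be "modification". Since this option replaces SHA256 content hashing with an mtime-plus-size check, the description should name the trade-off next to "(improves speed)": an item rewritten with the same size within the timestamp resolution would be served from the stale cache entry, which is the information an operator needs to weigh before enabling it.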
@@ -1277,6 +1319,7 @@ offline using storage verification option
folder_umask ¶
+(>= 3.3.2)
Use configured umask for folder creation (not applicable for OS
Windows)
Default: (system-default, usual 0022
)
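Review bot: the default line "Default: (system-default, usual 0022" breaks before its closing ")" and "usual" should be "usually"; suggest a single line "Default: (system default, usually 0022)".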
@@ -1293,6 +1336,7 @@ other:r)
skip_broken_item ¶
+(>= 3.2.2)
Skip broken item instead of triggering an exception
Default: True
@@ -1346,7 +1390,8 @@ books and calendars.
Available levels: debug, info,
warning, error,
critical
-Default: warning
+Default: warning
(< 3.2.0) info
+(>= 3.2.0)
mask_passwords ¶
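Review bot: "Default: warning (< 3.2.0) info (>= 3.2.0)" has the same readability problem as the other multi-version defaults in this patch; separate the two values with a comma or put each on its own line so "warning (< 3.2.0) info" is not read as one value.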
@@ -1355,26 +1400,31 @@ books and calendars.
bad_put_request_content ¶
+(>= 3.2.1)
Log bad PUT request content (for further diagnostics)
Default: False
backtrace_on_debug ¶
+(>= 3.2.2)
Log backtrace on level=debug
Default: False
request_header_on_debug ¶
+(>= 3.2.2)
Log request on level=debug
Default: False
request_content_on_debug ¶
+(>= 3.2.2)
Log request on level=debug
Default: False
response_content_on_debug ¶
+(>= 3.2.2)
Log response on level=debug
Default: False
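Review bot: request_header_on_debug and request_content_on_debug carry the identical description "Log request on level=debug"; the first should say "Log request headers on level=debug" and the second "Log request content on level=debug" so readers can tell them apart. Because these options (and bad_put_request_content) write client-supplied data to the log, the section should also point to the mask_passwords option visible in the hunk header context, so operators enabling them know which credentials are and are not masked.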
@@ -1385,6 +1435,7 @@ books and calendars.
storage_cache_actions_on_debug ¶
+(>= 3.3.2)
Log storage cache actions on level=debug
Default: False
@@ -1403,22 +1454,26 @@ be specified.
Hook binding for event changes and deletion notifications.
Available types:
none
: Disabled. Nothing will be notified.
-rabbitmq
: Push the message to the rabbitmq server.
+rabbitmq
(>= 3.2.0) : Push the message to
+the rabbitmq server.
Default: none
rabbitmq_endpoint ¶
+(>= 3.2.0)
End-point address for rabbitmq server. Ex:
amqp://user:password@localhost:5672/
Default:
rabbitmq_topic ¶
+(>= 3.2.0)
RabbitMQ topic to publish message.
Default:
rabbitmq_queue_type ¶
+(>= 3.2.0)
RabbitMQ queue type for the topic.
Default: classic
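Review bot: the rabbitmq_endpoint example "amqp://user:password@localhost:5672/" embeds credentials in the URL, and the hunk adds only version markers; the description should say that the broker password then lives in the Radicale configuration file and that the file's permissions must reflect that. Minor: "RabbitMQ topic to publish message." should read "RabbitMQ topic to publish messages to."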
@@ -1427,6 +1482,7 @@ amqp://user:password@localhost:5672/
reporting ¶
max_freebusy_occurrence ¶
+(>= 3.2.3)
When returning a free-busy report, a list of busy time occurrences
are generated based on a given time frame. Large time frames could
generate a lot of occurrences based on the time frame supplied. This
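Review bot: subject-verb agreement in the context sentence "a list of busy time occurrences are generated"; it should be "a list of busy time occurrences is generated".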
@@ -1631,9 +1687,9 @@ expensive search requests)
calendars)
w: write address book and calendar collections
D: permit delete of collection in case
-permit_delete_collection=False
+permit_delete_collection=False (>= 3.3.0)
d: forbid delete of collection in case
-permit_delete_collection=True
+permit_delete_collection=True (>= 3.3.0)
O: permit overwrite of collection in case
permit_overwrite_collection=False
o: forbid overwrite of collection in case
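Review bot: the "(>= 3.3.0)" markers added to the D and d flags conflict with permit_delete_collection being marked "(>= 3.1.9)" earlier in this patch; if the per-section flags really arrived later than the global option, say so in that option's description, otherwise align the two. The O and o flags directly below, which belong to permit_overwrite_collection "(>= 3.3.0)", get no marker at all. Placing the marker after "permit_delete_collection=False" also reads as part of the setting's value; attach it to the flag letter instead, e.g. "D (>= 3.3.0): permit delete of collection in case permit_delete_collection=False".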