702 lines
24 KiB
Plaintext
702 lines
24 KiB
Plaintext
|
<!-- c2s configuration -->
|
||
|
<c2s>
|
||
|
<!-- Our ID on the network (default: c2s) -->
|
||
|
<id>c2s</id>
|
||
|
|
||
|
<!-- The process ID file. Comment this out if you don't need to know
|
||
|
the process ID from outside the process (eg for control scripts) -->
|
||
|
<pidfile>/var/run/jabber/jabberd2-c2s.pid</pidfile>
|
||
|
|
||
|
<!-- Router connection configuration -->
|
||
|
<router>
|
||
|
<!-- IP/port the router is waiting for connections on -->
|
||
|
<ip>127.0.0.1</ip> <!-- default: 127.0.0.1 -->
|
||
|
<port>5347</port> <!-- default: 5347 -->
|
||
|
|
||
|
<!-- Username/password to authenticate as -->
|
||
|
<user>jabberd</user> <!-- default: jabberd -->
|
||
|
<pass>secret</pass> <!-- default: secret -->
|
||
|
|
||
|
<!-- File containing an SSL certificate and private key to use when
|
||
|
setting up an encrypted channel with the router. From
|
||
|
SSL_CTX_use_certificate_chain_file(3): "The certificates must be
|
||
|
in PEM format and must be sorted starting with the subject's
|
||
|
certificate (actual client or server certificate), followed
|
||
|
by intermediate CA certificates if applicable, and ending
|
||
|
at the highest level (root) CA" (the latter one being optional).
|
||
|
If this is commented out, or the file can't be read, no attempt
|
||
|
will be made to establish an encrypted channel with the router. -->
|
||
|
<!--
|
||
|
<pemfile>/etc/jabber/server.pem</pemfile>
|
||
|
-->
|
||
|
|
||
|
<!-- Router connection retry -->
|
||
|
<retry>
|
||
|
<!-- If the connection to the router can't be established at
|
||
|
startup, we should try again this many times before exiting.
|
||
|
Use -1 to retry indefinitely. [default: 3] -->
|
||
|
<init>3</init>
|
||
|
|
||
|
<!-- If we lost the connection to the router during normal
|
||
|
operation (ie we've successfully connected to the router in
|
||
|
the past), we should try to reconnect this many times before
|
||
|
exiting. Use -1 to retry indefinitely. [default: 3] -->
|
||
|
<lost>3</lost>
|
||
|
|
||
|
<!-- Sleep for this many seconds before trying attempting a
|
||
|
reconnect. [default: 2] -->
|
||
|
<sleep>2</sleep>
|
||
|
</retry>
|
||
|
</router>
|
||
|
|
||
|
<!-- Log configuration - type is "syslog", "file" or "stdout" -->
|
||
|
<log type='syslog'>
|
||
|
<!-- If logging to syslog, this is the log ident -->
|
||
|
<ident>jabberd/c2s</ident>
|
||
|
|
||
|
<!-- If logging to syslog, this is the log facility
|
||
|
(local0 - local7) [default: local3] -->
|
||
|
<facility>local3</facility>
|
||
|
|
||
|
<!-- If logging to file, this is the filename of the logfile -->
|
||
|
<!--
|
||
|
<file>/var/log/jabber/c2s.log</file>
|
||
|
-->
|
||
|
|
||
|
<!-- Filename of the debug logfile -->
|
||
|
<!--
|
||
|
<debug>/var/log/jabber/debug-${id}.log</debug>
|
||
|
-->
|
||
|
</log>
|
||
|
|
||
|
<!-- Local network configuration -->
|
||
|
<local>
|
||
|
<!-- Who we identify ourselves as. This should correspond to the
|
||
|
ID (host) that the session manager thinks it is. You can
|
||
|
specify more than one to support virtual hosts, as long as you
|
||
|
have additional session manager instances on the network to
|
||
|
handle those hosts.
|
||
|
|
||
|
You may leave the content of the <id/> empty to setup default
|
||
|
virtual host setup, that will be used for all present but not
|
||
|
configured otherwise SM domains.
|
||
|
|
||
|
realm
|
||
|
attribute specifies the auth/reg or SASL authentication realm
|
||
|
for the host. If the attribute is not specified, the realm will
|
||
|
be selected by the SASL mechanism, or will be the same as the ID
|
||
|
itself. Be aware that users are assigned to a realm, not a host,
|
||
|
so two hosts in the same realm will have the same users. If no
|
||
|
realm is specified, it will be set to be the same as the ID.
|
||
|
If empty "" realm is specified, the PAM backend wil authenticate
|
||
|
using plain usernames, not JIDs.
|
||
|
|
||
|
pemfile
|
||
|
attribute specifies the file containing a SSL certificate and
|
||
|
private key for client connections. If this is non existant,
|
||
|
clients will not be offered the STARTTLS stream extension
|
||
|
From SSL_CTX_use_certificate_chain_file(3):
|
||
|
"The certificates must be in PEM format and must be sorted
|
||
|
starting with the subject's certificate (actual client or server
|
||
|
certificate), followed by intermediate CA certificates if
|
||
|
applicable, and ending at the highest level (root) CA"
|
||
|
(the latter one being optional).
|
||
|
|
||
|
verify-mode
|
||
|
SSL verify mode - see SSL_CTX_set_verify(3), mode parameter.
|
||
|
Sum of the following options:
|
||
|
SSL_VERIFY_NONE 0x00
|
||
|
SSL_VERIFY_PEER 0x01
|
||
|
SSL_VERIFY_FAIL_IF_NO_PEER_CERT 0x02
|
||
|
SSL_VERIFY_CLIENT_ONCE 0x04
|
||
|
Use 7 to require all clients to present _valid_ certificates.
|
||
|
|
||
|
|
||
|
cachain
|
||
|
SSL CA chain. Used to verify client certificates.
|
||
|
CA names published to client upon connection.
|
||
|
|
||
|
require-starttls
|
||
|
If this attribute is set to any value, clients must do STARTTLS
|
||
|
before they can authenticate. Until the stream is encrypted,
|
||
|
all packets will be dropped.
|
||
|
|
||
|
register-enable
|
||
|
Remove this attribute to disable account registrations.
|
||
|
|
||
|
instructions
|
||
|
Human-readable instructions to be returned to client when
|
||
|
registration is requested.
|
||
|
|
||
|
register-oob
|
||
|
URL to be attached as an alternative, out-of-band registration
|
||
|
method. Usually web-based http:// URL.
|
||
|
|
||
|
password-change
|
||
|
Password change only. When registration is disabled, it may
|
||
|
still be useful to allow clients to change their password. If
|
||
|
you want this, add this attribute with any value, when you need
|
||
|
registration disabled.
|
||
|
-->
|
||
|
<id register-enable='mu'>localhost.localdomain</id>
|
||
|
<!-- or
|
||
|
<id realm='company.int'
|
||
|
pemfile='/etc/jabber/server.pem'
|
||
|
verify-mode='7'
|
||
|
cachain='/etc/jabber/client_ca_certs.pem'
|
||
|
require-starttls='mu'
|
||
|
register-enable='mu'
|
||
|
instructions='Enter a username and password to register with this server.'
|
||
|
register-oob='http://example.org/register'
|
||
|
password-change='mu'
|
||
|
>example.net</id> -->
|
||
|
<!-- or the default host
|
||
|
<id password-change='mu' /> -->
|
||
|
|
||
|
<!-- IP address to bind to (default: 0.0.0.0) -->
|
||
|
<ip>0.0.0.0</ip>
|
||
|
|
||
|
<!-- Port to bind to, or 0 to disable unencrypted access to the
|
||
|
server (default: 5222) -->
|
||
|
<port>5222</port>
|
||
|
|
||
|
<!-- Older versions of jabberd support encrypted client connections
|
||
|
via an additional listening socket on port 5223. If you want
|
||
|
this (required to allow pre-STARTTLS clients to do SSL),
|
||
|
uncomment this -->
|
||
|
<!--
|
||
|
<ssl-port>5223</ssl-port>
|
||
|
-->
|
||
|
|
||
|
<!-- File containing an SSL certificate and private key for client
|
||
|
connections. From SSL_CTX_use_certificate_chain_file(3):
|
||
|
"The certificates must be in PEM format and must be sorted
|
||
|
starting with the subject's certificate (actual client or server
|
||
|
certificate), followed by intermediate CA certificates if
|
||
|
applicable, and ending at the highest level (root) CA"
|
||
|
(the latter one being optional).
|
||
|
|
||
|
Note: This certificate is ONLY used for old style SSL
|
||
|
connections on port 5223 (pre-STARTTLS). If you want to
|
||
|
use STARTTLS over the standard XMPP port 5222 then you
|
||
|
MUST specify the pemfile in the 'id' tag above. -->
|
||
|
<!--
|
||
|
<pemfile>/etc/jabber/server.pem</pemfile>
|
||
|
-->
|
||
|
|
||
|
<!-- SSL verify mode - see SSL_CTX_set_verify(3), mode parameter -->
|
||
|
<!--
|
||
|
<verify-mode>7</verify-mode>
|
||
|
-->
|
||
|
|
||
|
<!-- SSL CA chain. Used to verify client certificates. CA names published to client upon connection -->
|
||
|
<!--
|
||
|
<cachain>/etc/jabber/client_ca_certs.pem</cachain>
|
||
|
-->
|
||
|
|
||
|
<!-- Forward incoming HTTP clients to a real HTTP server -->
|
||
|
<!--
|
||
|
<httpforward>http://www.jabber.org/</httpforward>
|
||
|
-->
|
||
|
</local>
|
||
|
|
||
|
<!-- Input/output settings -->
|
||
|
<io>
|
||
|
<!-- Maximum number of file descriptors. This value sets an upper
|
||
|
limit on the number of users who may be logged in to this
|
||
|
server at a given time. Each user consumers one file
|
||
|
descriptor.
|
||
|
|
||
|
Note that the number of possible connections will be slightly
|
||
|
less than this, because c2s itself can use up five on its own,
|
||
|
and auth/reg modules may need a few also. If the supply of
|
||
|
file descriptors is exhausted, new incoming connections will
|
||
|
be denied.
|
||
|
|
||
|
Also note that this value only affects how many file descriptors
|
||
|
jabberd is able to handle internally. You may also need to
|
||
|
tell your operating system to allow jabberd to use more file
|
||
|
descriptors. On Linux this can be done using ulimit -n or by
|
||
|
changing the value of /proc/sys/fd/file-max.
|
||
|
|
||
|
(default: 1024) -->
|
||
|
<max_fds>1024</max_fds>
|
||
|
|
||
|
<!-- Rate limiting -->
|
||
|
<limits>
|
||
|
<!-- Maximum bytes per second - if more than X bytes are sent in Y
|
||
|
seconds, connection is throttled for Z seconds. The format
|
||
|
is:
|
||
|
|
||
|
<bytes seconds='Y' throttle='Z'>X</bytes>
|
||
|
|
||
|
Default Y is 1, default Z is 5. set X to 0 to disable. -->
|
||
|
<bytes>0</bytes>
|
||
|
|
||
|
<!-- Maximum number of stanzas per second - if more than X stanzas
|
||
|
are sent in Y seconds, connection is throttled for Z seconds.
|
||
|
The format is:
|
||
|
|
||
|
<stanzas seconds='Y' throttle='Z'>X</stanzas>
|
||
|
|
||
|
Default Y 1, default Z is 5. Set X to 0 to disable -->
|
||
|
<stanzas>1000</stanzas>
|
||
|
|
||
|
<!-- Maximum connects per second - if more than X connects are
|
||
|
attempted from a single IP in Y seconds, that IP is throttled
|
||
|
for Z seconds. The format is:
|
||
|
|
||
|
<connects seconds='Y' throttle='Z'>X</connects>
|
||
|
|
||
|
Default Y is 5, default Z is 5. set X to 0 to disable. -->
|
||
|
<connects>0</connects>
|
||
|
|
||
|
<!-- Maximum stanza size - if more than given number of bytes
|
||
|
are read in one incoming stanza, the stream is closed
|
||
|
with policy-violation error.
|
||
|
|
||
|
Set to 0 to disable.
|
||
|
Values less than 16384 might not work. -->
|
||
|
<stanzasize>65535</stanzasize>
|
||
|
</limits>
|
||
|
|
||
|
<!-- Enable XEP-0138: Stream Compression -->
|
||
|
<!--
|
||
|
<compression/>
|
||
|
-->
|
||
|
|
||
|
<!-- IP-based access controls. If a connection IP matches an allow
|
||
|
rule, the connection will be accepted. If a connecting IP
|
||
|
matches a deny rule, the connection will be refused. If the
|
||
|
connecting IP does not match any rules, or it matches both an
|
||
|
allow and a deny rule, the contents of the <order/> option
|
||
|
determines what happens. -->
|
||
|
<access>
|
||
|
<!-- Rule check order (default: allow,deny)
|
||
|
|
||
|
allow,deny - Check allow rules, then check deny rules.
|
||
|
Allow by default.
|
||
|
deny,allow - Check deny rules, then check allow rules.
|
||
|
Deny by default. -->
|
||
|
<order>allow,deny</order>
|
||
|
|
||
|
<!-- Allow a network. If the mask isn't specified, it defaults to
|
||
|
255.255.255.255 (ie allow onle the specified IP) -->
|
||
|
<!--
|
||
|
<allow ip='127.0.0.0' mask='255.0.0.0'/>
|
||
|
-->
|
||
|
|
||
|
<!-- Allow a single host -->
|
||
|
<!--
|
||
|
<allow ip='12.34.56.78'/>
|
||
|
-->
|
||
|
|
||
|
<!-- Deny a network or a host -->
|
||
|
<!--
|
||
|
<deny ip='127.0.0.1' mask='255.0.0.0'/>
|
||
|
<deny ip='87.65.43.21'/>
|
||
|
-->
|
||
|
</access>
|
||
|
|
||
|
<!-- Timed checks -->
|
||
|
<check>
|
||
|
<!-- Interval between checks.
|
||
|
|
||
|
Open client connections will be checked every n seconds, and
|
||
|
the following checks applied.
|
||
|
|
||
|
0 disables all checks. (default: 0) -->
|
||
|
<interval>0</interval>
|
||
|
|
||
|
<!-- Idle connection checks.
|
||
|
|
||
|
Connections that have not sent data for longer than this many
|
||
|
seconds will be dropped.
|
||
|
|
||
|
0 disables idle timeouts. (default: 0) -->
|
||
|
<idle>0</idle>
|
||
|
|
||
|
<!-- Keepalives.
|
||
|
|
||
|
Connections that have not sent data for longer than this many
|
||
|
seconds will have a single whitespace character sent to them.
|
||
|
This will force the TCP connection to be closed if they have
|
||
|
disconnected without us knowing about it.
|
||
|
|
||
|
0 disables keepalives. (default: 0) -->
|
||
|
<keepalive>0</keepalive>
|
||
|
|
||
|
</check>
|
||
|
|
||
|
</io>
|
||
|
|
||
|
<!-- Statistics -->
|
||
|
<stats>
|
||
|
<!-- file containing count of packets that went through -->
|
||
|
<!--
|
||
|
<packet>/var/spool/jabber/stats/c2s.packets</packet>
|
||
|
-->
|
||
|
</stats>
|
||
|
|
||
|
<!-- PBX integration -->
|
||
|
<pbx>
|
||
|
<!-- Commands named pipe path. Allows creating "fake" sessions
|
||
|
with given resource and status -->
|
||
|
<!--
|
||
|
<pipe>/var/run/jabber/pbx</pipe>
|
||
|
-->
|
||
|
<!-- Available commands:
|
||
|
START jid/resource [[priority ]status] [description]
|
||
|
STOP jid/resource [description]
|
||
|
where priority is integer between -128 and +127
|
||
|
and status is one of: CHAT, ONLINE, DND, AWAY, XA
|
||
|
-->
|
||
|
</pbx>
|
||
|
|
||
|
<!-- see-other-host error stream redirection support
|
||
|
This will redirect connections to specified domains to other host:port
|
||
|
Usefull when migrating service and DNS change did not propagate yet.
|
||
|
Note that to_address should be RFC 3986 compliant. -->
|
||
|
<stream_redirect>
|
||
|
<!--
|
||
|
<redirect requested_domain="some.domain" to_address="other.hostname" to_port="5269" />
|
||
|
<redirect requested_domain="other.domain" to_address="other.host" to_port="1234" />
|
||
|
-->
|
||
|
</stream_redirect>
|
||
|
|
||
|
<!-- Authentication/registration database configuration -->
|
||
|
<authreg>
|
||
|
<!-- Dynamic authreg modules path -->
|
||
|
<path>/usr/lib64/jabberd</path>
|
||
|
|
||
|
<!-- Backend module to use -->
|
||
|
<module>db</module>
|
||
|
|
||
|
<!-- Available authentication mechanisms -->
|
||
|
<mechanisms>
|
||
|
|
||
|
<!-- These are the traditional Jabber authentication mechanisms.
|
||
|
Comment out any that you don't want to be offered to clients.
|
||
|
Note that if the auth/reg module does not support one of
|
||
|
these mechanisms, then it will not be offered regardless of
|
||
|
whether or not it is enabled here. -->
|
||
|
<traditional>
|
||
|
<plain/>
|
||
|
<digest/>
|
||
|
</traditional>
|
||
|
|
||
|
<!-- SASL authentication mechanisms. Comment out any that you
|
||
|
don't want to be offered to clients. Again, if the auth/reg
|
||
|
module does not support one of these mechanisms, then it will
|
||
|
not be offered. -->
|
||
|
<sasl>
|
||
|
<plain/>
|
||
|
<digest-md5/>
|
||
|
<!--
|
||
|
<anonymous/>
|
||
|
<gssapi/>
|
||
|
-->
|
||
|
</sasl>
|
||
|
|
||
|
</mechanisms>
|
||
|
|
||
|
<!-- Additional mechanisms that are also available when the
|
||
|
connection is encrypted. Ie. when START-TLS had been
|
||
|
negotiated, or user connected on SSL-wrapped port. -->
|
||
|
<ssl-mechanisms>
|
||
|
|
||
|
<!-- it's advisable that you disable plain in the above
|
||
|
<mechanisms/> section -->
|
||
|
<traditional>
|
||
|
<plain/>
|
||
|
</traditional>
|
||
|
|
||
|
<sasl>
|
||
|
<plain/>
|
||
|
<external/>
|
||
|
</sasl>
|
||
|
|
||
|
</ssl-mechanisms>
|
||
|
|
||
|
<!-- SQLite driver configuration -->
|
||
|
<sqlite>
|
||
|
<!-- Database name -->
|
||
|
<dbname>/var/spool/jabber/db/sqlite.db</dbname>
|
||
|
|
||
|
<!-- Transacation support. If this is commented out, transactions
|
||
|
will be disabled. This might make database accesses faster,
|
||
|
but data may be lost if jabberd crashes. -->
|
||
|
<transactions/>
|
||
|
|
||
|
<!-- SQLite busy-timeout in milliseconds. -->
|
||
|
<busy-timeout>2000</busy-timeout>
|
||
|
|
||
|
<!-- Passwords in DB may be stored in plain or hashed format -->
|
||
|
<!-- NOTE: If you are using hashed passwords, the only auth
|
||
|
method that will work is PLAIN.
|
||
|
Make sure that you disabled others in 'mechanisms'
|
||
|
sections of the config file. -->
|
||
|
<password_type>
|
||
|
<!-- only one may be enabled here -->
|
||
|
<plaintext/>
|
||
|
<!-- use crypt(3)ed passwords
|
||
|
<crypt/>
|
||
|
-->
|
||
|
<!-- use A1HASH passwords
|
||
|
This stores the MD5 digest of user:realm:password in the database
|
||
|
<a1hash/>
|
||
|
-->
|
||
|
</password_type>
|
||
|
</sqlite>
|
||
|
|
||
|
<!-- MySQL module configuration -->
|
||
|
<mysql>
|
||
|
<!-- Database server host and port -->
|
||
|
<host>localhost</host>
|
||
|
<port>3306</port>
|
||
|
|
||
|
<!-- Database name -->
|
||
|
<dbname>jabberd2</dbname>
|
||
|
|
||
|
<!-- Database username and password -->
|
||
|
<user>jabberd2</user>
|
||
|
<pass>secret</pass>
|
||
|
|
||
|
<!-- Passwords in DB may be stored in plain or hashed format -->
|
||
|
<!-- NOTE: If you are using hashed passwords, the only auth
|
||
|
method that will work is PLAIN.
|
||
|
Make sure that you disabled others in 'mechanisms'
|
||
|
sections of the config file. -->
|
||
|
<password_type>
|
||
|
<!-- only one may be enabled here -->
|
||
|
<plaintext/>
|
||
|
<!-- use crypt(3)ed passwords
|
||
|
<crypt/>
|
||
|
-->
|
||
|
<!-- use A1HASH passwords
|
||
|
This stores the MD5 digest of user:realm:password in the database
|
||
|
<a1hash/>
|
||
|
-->
|
||
|
</password_type>
|
||
|
</mysql>
|
||
|
|
||
|
<!-- PostgreSQL module configuration -->
|
||
|
<pgsql>
|
||
|
<!-- PostgreSQL connection info.
|
||
|
For the rest of the options see
|
||
|
http://www.postgresql.org/docs/8.0/interactive/libpq.html -->
|
||
|
<conninfo>dbname=jabberd2 user=jabberd2 password=secret</conninfo>
|
||
|
|
||
|
<!-- Alternatively you may set connection settings separately.
|
||
|
These are used only in absence of 'conninfo' -->
|
||
|
|
||
|
<!-- Database server host and port -->
|
||
|
<host>localhost</host>
|
||
|
<port>5432</port>
|
||
|
|
||
|
<!-- Database name -->
|
||
|
<dbname>jabberd2</dbname>
|
||
|
|
||
|
<!-- Database schema -->
|
||
|
<schema>public</schema>
|
||
|
|
||
|
<!-- Database username and password -->
|
||
|
<user>jabberd2</user>
|
||
|
<pass>secret</pass>
|
||
|
|
||
|
<!-- Passwords in DB may be stored in plain or hashed format -->
|
||
|
<!-- NOTE: If you are using hashed passwords, the only auth
|
||
|
method that will work is PLAIN.
|
||
|
Make sure that you disabled others in 'mechanisms'
|
||
|
sections of the config file. -->
|
||
|
<password_type>
|
||
|
<!-- only one may be enabled here -->
|
||
|
<plaintext/>
|
||
|
<!-- use crypt(3)ed passwords
|
||
|
<crypt/>
|
||
|
-->
|
||
|
<!-- use A1HASH passwords
|
||
|
This stores the MD5 digest of user:realm:password in the database
|
||
|
<a1hash/>
|
||
|
-->
|
||
|
</password_type>
|
||
|
</pgsql>
|
||
|
|
||
|
<!-- Oracle driver configuration -->
|
||
|
<oracle>
|
||
|
<!-- Database server host and port. -->
|
||
|
<host>localhost</host>
|
||
|
<port>1521</port>
|
||
|
|
||
|
<!-- Database name -->
|
||
|
<dbname>jabberd2</dbname>
|
||
|
|
||
|
<!-- Database username and password -->
|
||
|
<user>jabberd2</user>
|
||
|
<pass>secret</pass>
|
||
|
</oracle>
|
||
|
|
||
|
<!-- Berkeley DB module configuration -->
|
||
|
<db>
|
||
|
<!-- Directory to store database files under -->
|
||
|
<path>/var/spool/jabber/db</path>
|
||
|
|
||
|
<!-- Synchronize the database to disk after each write. If you
|
||
|
disable this, database accesses may be faster, but data may
|
||
|
be lost if jabberd crashes. -->
|
||
|
<sync/>
|
||
|
</db>
|
||
|
|
||
|
<!-- LDAPFULL module configuration -->
|
||
|
<ldapfull>
|
||
|
<!-- LDAP server host and port (default: 389) -->
|
||
|
<uri>ldap://localhost/ ldaps://ldap.example.com/</uri>
|
||
|
|
||
|
<!-- DN to bind as for searches. If unspecified, the searches
|
||
|
will be done anonymously. -->
|
||
|
<!--
|
||
|
<binddn>cn=Directory Manager</binddn>
|
||
|
<bindpw>secret</bindpw>
|
||
|
-->
|
||
|
|
||
|
<!-- Type of LDAP server. Currently "ad" for active directory and "ldap"
|
||
|
for other ldap servers. If not specified, then it is ldap. -->
|
||
|
<!--
|
||
|
<type>ad</type>
|
||
|
-->
|
||
|
|
||
|
<!-- LDAP attribute that holds the user ID (default: uid) -->
|
||
|
<uidattr>uid</uidattr>
|
||
|
<objectclass>posixAccount</objectclass>
|
||
|
<!-- LDAP attribute that holds the cleartext or hashed password
|
||
|
(not needed when pwscheme is set to 'bind') -->
|
||
|
<pwattr>userPassword</pwattr>
|
||
|
<!-- if you use included jabberd.schema use this:
|
||
|
<uidattr>jid</uidattr>
|
||
|
<objectclass>jabberUser</objectclass>
|
||
|
<pwattr>jabberPassword</pwattr>
|
||
|
-->
|
||
|
|
||
|
<!-- Attribute that holds jabber account status. Must be TRUE for AD,
|
||
|
and 1 for other LDAP server.
|
||
|
If not specified, then it will not be used. -->
|
||
|
<!--
|
||
|
<validattr>valid</validattr>
|
||
|
-->
|
||
|
|
||
|
<!-- Group that users must be members of
|
||
|
If this is set, only user that are members of the specified LDAP
|
||
|
group can log in. The group must be specified with its full
|
||
|
distinguished name -->
|
||
|
<!--
|
||
|
<group_dn>cn=jabberdusers,ou=servicegroups,dc=example,dc=com</group_dn>
|
||
|
-->
|
||
|
|
||
|
<fulluid/>
|
||
|
<!-- If pwscheme is not defined, then passwords are stored in clear
|
||
|
text and digest authentication may be done.
|
||
|
If passwords are hashed, then you cannot use digest authentication
|
||
|
and should use plain text authentication.
|
||
|
Any of sha, ssha, crypt, bind and clear may be specified.
|
||
|
'sha' specifies that the attribute in pwattr holds a base-64
|
||
|
encoded SHA-1 hashed password beginning with the string {SHA}.
|
||
|
'ssha' specifies that the attribute in pwattr holds a base-64
|
||
|
SHA-1 hashed password appended with 32 bits of salt and beginning
|
||
|
with the string {SSHA}.
|
||
|
'crypt' specifies that the attribute in pwattr holds a UNIX-style
|
||
|
crypt(3) hashed password.
|
||
|
'bind' specifies that the password is not stored in an attribute
|
||
|
but is authenticated directly by the LDAP server by binding
|
||
|
using the user's DN. This should be compatible with the
|
||
|
widest variety of LDAP servers.
|
||
|
-->
|
||
|
<!-- <pwscheme>bind</pwscheme> -->
|
||
|
|
||
|
<!-- base DN of the tree. You should specify a DN for each
|
||
|
authentication realm declared in the <local/> section above,
|
||
|
by using the realm attribute. -->
|
||
|
<basedn realm='company'>o=Company.com</basedn>
|
||
|
<basedn>o=Example Corp.</basedn>
|
||
|
</ldapfull>
|
||
|
|
||
|
<!-- LDAP module configuration -->
|
||
|
<!-- Remember that you need to use PLAIN auth with LDAP backend -->
|
||
|
<ldap>
|
||
|
<!-- LDAP server host and port (default: 389) -->
|
||
|
<host>ldap.example.com</host>
|
||
|
<port>389</port>
|
||
|
|
||
|
<!-- Use LDAP v3 if possible. If disabled, v2 will be used.
|
||
|
Encryption options are only available if v3 is enabled. -->
|
||
|
<!--
|
||
|
<v3/>
|
||
|
-->
|
||
|
|
||
|
<!-- Encryption. If enabled, this will create an encrypted channel
|
||
|
to the LDAP server using the LDAP STARTTLS mechanism. -->
|
||
|
<!--
|
||
|
<starttls/>
|
||
|
-->
|
||
|
|
||
|
<!-- Encryption. If enabled, this will create an encrypted channel
|
||
|
to the server using the old-style "ldaps://" mechanism. It is
|
||
|
recommended that you use <starttls/> instead of this. -->
|
||
|
<!--
|
||
|
<ssl/>
|
||
|
-->
|
||
|
|
||
|
<!-- DN to bind as for searches. If unspecified, the searches
|
||
|
will be done anonymously. -->
|
||
|
<!--
|
||
|
<binddn>cn=Directory Manager</binddn>
|
||
|
<bindpw>secret</bindpw>
|
||
|
-->
|
||
|
|
||
|
<!-- LDAP attribute that holds the user ID (default: uid) -->
|
||
|
<uidattr>uid</uidattr>
|
||
|
|
||
|
<!-- Enable the append-realm element if you want to append
|
||
|
realm value (usernam@realm) to the uidattr value
|
||
|
<append-realm/>
|
||
|
-->
|
||
|
|
||
|
<!-- Alternatively to <uidattr/> and <append-realm/> you may
|
||
|
specify full LDAP search <query/> that will be used to
|
||
|
get user objects from directory.
|
||
|
|
||
|
The following replacements take place:
|
||
|
%u is replaced by user login name
|
||
|
%r is replaced by user login realm
|
||
|
|
||
|
When <query/> is specified, <uidattr/> and <append-realm/>
|
||
|
are unused and take no effect. -->
|
||
|
<!--
|
||
|
<query>(&(mail=%u@%r)(objectClass=inetOrgPerson))</query>
|
||
|
-->
|
||
|
|
||
|
<!-- base DN of the tree. You should specify a DN for each
|
||
|
authentication realm declared in the <local/> section above,
|
||
|
by using the realm attribute. -->
|
||
|
<basedn realm='company'>o=Company.com</basedn>
|
||
|
<basedn>o=Example Corp.</basedn>
|
||
|
</ldap>
|
||
|
<!-- if you want to configure more than one LDAP server
|
||
|
create ldap1, ldap2 etc. sections
|
||
|
<ldap1>
|
||
|
|
||
|
</ldap1>
|
||
|
-->
|
||
|
|
||
|
<!-- Pipe module configuration -->
|
||
|
<pipe>
|
||
|
<!-- Program to execute -->
|
||
|
<exec>/usr/bin/pipe-auth.pl</exec>
|
||
|
</pipe>
|
||
|
|
||
|
</authreg>
|
||
|
|
||
|
</c2s>
|
||
|
<!--
|
||
|
vim: syntax=xml
|
||
|
-->
|