saving uncommitted changes in /etc prior to emerge run
This commit is contained in:
parent
972fad2017
commit
202d0eef70
97
init.d/jabberd
Executable file
97
init.d/jabberd
Executable file
@ -0,0 +1,97 @@
|
||||
#!/sbin/runscript
|
||||
# Copyright 1999-2014 Gentoo Foundation
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
# $Header: /var/cvsroot/gentoo-x86/net-im/jabberd2/files/jabberd2-2.3.2.init,v 1.1 2014/06/01 20:09:54 hasufell Exp $
|
||||
|
||||
extra_commands="reload"
|
||||
|
||||
depend() {
|
||||
need net
|
||||
use mysql postgresql slapd
|
||||
provide jabber-server
|
||||
}
|
||||
|
||||
stopJabberServices() {
|
||||
|
||||
eindent
|
||||
for pidfile in /var/run/jabber/*.pid; do
|
||||
if [ -f "${pidfile}" ]; then
|
||||
service=$(basename ${pidfile} .pid)
|
||||
ebegin "Stopping ${service}"
|
||||
start-stop-daemon \
|
||||
--stop \
|
||||
--pidfile ${pidfile}
|
||||
eend $?
|
||||
fi
|
||||
done
|
||||
eoutdent
|
||||
|
||||
}
|
||||
|
||||
start_pre() {
|
||||
checkpath -d -o jabber /var/run/jabber
|
||||
}
|
||||
|
||||
start() {
|
||||
|
||||
einfo "Starting Jabber Server ..."
|
||||
local services executable cfgfile pidfile
|
||||
services=$(grep -v ^# /etc/jabber/jabberd.cfg | grep '..*' | awk '{print $1 ":" $2}')
|
||||
eindent
|
||||
for service in ${services}; do
|
||||
|
||||
cfgfile=$(echo ${service} | cut -d ':' -f 2)
|
||||
service=$(echo ${service} | cut -d ':' -f 1)
|
||||
if [ ! -f "${cfgfile}" ]; then
|
||||
if [ -f "/etc/jabber/${service}.xml" ]; then
|
||||
cfgfile="/etc/jabber/${service}.xml"
|
||||
else
|
||||
eerror "Can't find: ${cfgfile} or default /etc/jabber/${service}.xml"
|
||||
stopJabberServices
|
||||
return 1
|
||||
fi
|
||||
fi
|
||||
|
||||
executable=/usr/bin/${service}
|
||||
|
||||
if [ ! -f "${executable}" ]; then
|
||||
eerror "Can't find executable: ${executable}"
|
||||
stopJabberServices
|
||||
return 1
|
||||
fi
|
||||
|
||||
ebegin "Starting ${service} (${cfgfile})"
|
||||
pidfile="$(grep -v ^# ${cfgfile} | grep '<pidfile>' | sed 's#<.\?pidfile>##g')"
|
||||
start-stop-daemon \
|
||||
--background \
|
||||
--start \
|
||||
--user jabber:jabber \
|
||||
--exec /usr/bin/${service} \
|
||||
--pid ${pidfile} \
|
||||
-- -c ${cfgfile}
|
||||
eend $?
|
||||
|
||||
done
|
||||
eoutdent
|
||||
|
||||
}
|
||||
|
||||
reload() {
|
||||
eindent
|
||||
for pidfile in /var/run/jabber/*.pid; do
|
||||
if [ -f "${pidfile}" ]; then
|
||||
service=$(basename ${pidfile} .pid)
|
||||
ebegin "Reloading ${service}"
|
||||
kill -HUP $(cat ${pidfile})
|
||||
eend $?
|
||||
fi
|
||||
done
|
||||
eoutdent
|
||||
}
|
||||
|
||||
stop() {
|
||||
|
||||
einfo "Stopping Jabber Server"
|
||||
stopJabberServices
|
||||
|
||||
}
|
701
jabber/c2s.xml
Normal file
701
jabber/c2s.xml
Normal file
@ -0,0 +1,701 @@
|
||||
<!-- c2s configuration -->
|
||||
<c2s>
|
||||
<!-- Our ID on the network (default: c2s) -->
|
||||
<id>c2s</id>
|
||||
|
||||
<!-- The process ID file. Comment this out if you don't need to know
|
||||
the process ID from outside the process (eg for control scripts) -->
|
||||
<pidfile>/var/run/jabber/jabberd2-c2s.pid</pidfile>
|
||||
|
||||
<!-- Router connection configuration -->
|
||||
<router>
|
||||
<!-- IP/port the router is waiting for connections on -->
|
||||
<ip>127.0.0.1</ip> <!-- default: 127.0.0.1 -->
|
||||
<port>5347</port> <!-- default: 5347 -->
|
||||
|
||||
<!-- Username/password to authenticate as -->
|
||||
<user>jabberd</user> <!-- default: jabberd -->
|
||||
<pass>secret</pass> <!-- default: secret -->
|
||||
|
||||
<!-- File containing an SSL certificate and private key to use when
|
||||
setting up an encrypted channel with the router. From
|
||||
SSL_CTX_use_certificate_chain_file(3): "The certificates must be
|
||||
in PEM format and must be sorted starting with the subject's
|
||||
certificate (actual client or server certificate), followed
|
||||
by intermediate CA certificates if applicable, and ending
|
||||
at the highest level (root) CA" (the latter one being optional).
|
||||
If this is commented out, or the file can't be read, no attempt
|
||||
will be made to establish an encrypted channel with the router. -->
|
||||
<!--
|
||||
<pemfile>/etc/jabber/server.pem</pemfile>
|
||||
-->
|
||||
|
||||
<!-- Router connection retry -->
|
||||
<retry>
|
||||
<!-- If the connection to the router can't be established at
|
||||
startup, we should try again this many times before exiting.
|
||||
Use -1 to retry indefinitely. [default: 3] -->
|
||||
<init>3</init>
|
||||
|
||||
<!-- If we lost the connection to the router during normal
|
||||
operation (ie we've successfully connected to the router in
|
||||
the past), we should try to reconnect this many times before
|
||||
exiting. Use -1 to retry indefinitely. [default: 3] -->
|
||||
<lost>3</lost>
|
||||
|
||||
<!-- Sleep for this many seconds before trying attempting a
|
||||
reconnect. [default: 2] -->
|
||||
<sleep>2</sleep>
|
||||
</retry>
|
||||
</router>
|
||||
|
||||
<!-- Log configuration - type is "syslog", "file" or "stdout" -->
|
||||
<log type='syslog'>
|
||||
<!-- If logging to syslog, this is the log ident -->
|
||||
<ident>jabberd/c2s</ident>
|
||||
|
||||
<!-- If logging to syslog, this is the log facility
|
||||
(local0 - local7) [default: local3] -->
|
||||
<facility>local3</facility>
|
||||
|
||||
<!-- If logging to file, this is the filename of the logfile -->
|
||||
<!--
|
||||
<file>/var/log/jabber/c2s.log</file>
|
||||
-->
|
||||
|
||||
<!-- Filename of the debug logfile -->
|
||||
<!--
|
||||
<debug>/var/log/jabber/debug-${id}.log</debug>
|
||||
-->
|
||||
</log>
|
||||
|
||||
<!-- Local network configuration -->
|
||||
<local>
|
||||
<!-- Who we identify ourselves as. This should correspond to the
|
||||
ID (host) that the session manager thinks it is. You can
|
||||
specify more than one to support virtual hosts, as long as you
|
||||
have additional session manager instances on the network to
|
||||
handle those hosts.
|
||||
|
||||
You may leave the content of the <id/> empty to setup default
|
||||
virtual host setup, that will be used for all present but not
|
||||
configured otherwise SM domains.
|
||||
|
||||
realm
|
||||
attribute specifies the auth/reg or SASL authentication realm
|
||||
for the host. If the attribute is not specified, the realm will
|
||||
be selected by the SASL mechanism, or will be the same as the ID
|
||||
itself. Be aware that users are assigned to a realm, not a host,
|
||||
so two hosts in the same realm will have the same users. If no
|
||||
realm is specified, it will be set to be the same as the ID.
|
||||
If empty "" realm is specified, the PAM backend wil authenticate
|
||||
using plain usernames, not JIDs.
|
||||
|
||||
pemfile
|
||||
attribute specifies the file containing a SSL certificate and
|
||||
private key for client connections. If this is non existant,
|
||||
clients will not be offered the STARTTLS stream extension
|
||||
From SSL_CTX_use_certificate_chain_file(3):
|
||||
"The certificates must be in PEM format and must be sorted
|
||||
starting with the subject's certificate (actual client or server
|
||||
certificate), followed by intermediate CA certificates if
|
||||
applicable, and ending at the highest level (root) CA"
|
||||
(the latter one being optional).
|
||||
|
||||
verify-mode
|
||||
SSL verify mode - see SSL_CTX_set_verify(3), mode parameter.
|
||||
Sum of the following options:
|
||||
SSL_VERIFY_NONE 0x00
|
||||
SSL_VERIFY_PEER 0x01
|
||||
SSL_VERIFY_FAIL_IF_NO_PEER_CERT 0x02
|
||||
SSL_VERIFY_CLIENT_ONCE 0x04
|
||||
Use 7 to require all clients to present _valid_ certificates.
|
||||
|
||||
|
||||
cachain
|
||||
SSL CA chain. Used to verify client certificates.
|
||||
CA names published to client upon connection.
|
||||
|
||||
require-starttls
|
||||
If this attribute is set to any value, clients must do STARTTLS
|
||||
before they can authenticate. Until the stream is encrypted,
|
||||
all packets will be dropped.
|
||||
|
||||
register-enable
|
||||
Remove this attribute to disable account registrations.
|
||||
|
||||
instructions
|
||||
Human-readable instructions to be returned to client when
|
||||
registration is requested.
|
||||
|
||||
register-oob
|
||||
URL to be attached as an alternative, out-of-band registration
|
||||
method. Usually web-based http:// URL.
|
||||
|
||||
password-change
|
||||
Password change only. When registration is disabled, it may
|
||||
still be useful to allow clients to change their password. If
|
||||
you want this, add this attribute with any value, when you need
|
||||
registration disabled.
|
||||
-->
|
||||
<id register-enable='mu'>localhost.localdomain</id>
|
||||
<!-- or
|
||||
<id realm='company.int'
|
||||
pemfile='/etc/jabber/server.pem'
|
||||
verify-mode='7'
|
||||
cachain='/etc/jabber/client_ca_certs.pem'
|
||||
require-starttls='mu'
|
||||
register-enable='mu'
|
||||
instructions='Enter a username and password to register with this server.'
|
||||
register-oob='http://example.org/register'
|
||||
password-change='mu'
|
||||
>example.net</id> -->
|
||||
<!-- or the default host
|
||||
<id password-change='mu' /> -->
|
||||
|
||||
<!-- IP address to bind to (default: 0.0.0.0) -->
|
||||
<ip>0.0.0.0</ip>
|
||||
|
||||
<!-- Port to bind to, or 0 to disable unencrypted access to the
|
||||
server (default: 5222) -->
|
||||
<port>5222</port>
|
||||
|
||||
<!-- Older versions of jabberd support encrypted client connections
|
||||
via an additional listening socket on port 5223. If you want
|
||||
this (required to allow pre-STARTTLS clients to do SSL),
|
||||
uncomment this -->
|
||||
<!--
|
||||
<ssl-port>5223</ssl-port>
|
||||
-->
|
||||
|
||||
<!-- File containing an SSL certificate and private key for client
|
||||
connections. From SSL_CTX_use_certificate_chain_file(3):
|
||||
"The certificates must be in PEM format and must be sorted
|
||||
starting with the subject's certificate (actual client or server
|
||||
certificate), followed by intermediate CA certificates if
|
||||
applicable, and ending at the highest level (root) CA"
|
||||
(the latter one being optional).
|
||||
|
||||
Note: This certificate is ONLY used for old style SSL
|
||||
connections on port 5223 (pre-STARTTLS). If you want to
|
||||
use STARTTLS over the standard XMPP port 5222 then you
|
||||
MUST specify the pemfile in the 'id' tag above. -->
|
||||
<!--
|
||||
<pemfile>/etc/jabber/server.pem</pemfile>
|
||||
-->
|
||||
|
||||
<!-- SSL verify mode - see SSL_CTX_set_verify(3), mode parameter -->
|
||||
<!--
|
||||
<verify-mode>7</verify-mode>
|
||||
-->
|
||||
|
||||
<!-- SSL CA chain. Used to verify client certificates. CA names published to client upon connection -->
|
||||
<!--
|
||||
<cachain>/etc/jabber/client_ca_certs.pem</cachain>
|
||||
-->
|
||||
|
||||
<!-- Forward incoming HTTP clients to a real HTTP server -->
|
||||
<!--
|
||||
<httpforward>http://www.jabber.org/</httpforward>
|
||||
-->
|
||||
</local>
|
||||
|
||||
<!-- Input/output settings -->
|
||||
<io>
|
||||
<!-- Maximum number of file descriptors. This value sets an upper
|
||||
limit on the number of users who may be logged in to this
|
||||
server at a given time. Each user consumers one file
|
||||
descriptor.
|
||||
|
||||
Note that the number of possible connections will be slightly
|
||||
less than this, because c2s itself can use up five on its own,
|
||||
and auth/reg modules may need a few also. If the supply of
|
||||
file descriptors is exhausted, new incoming connections will
|
||||
be denied.
|
||||
|
||||
Also note that this value only affects how many file descriptors
|
||||
jabberd is able to handle internally. You may also need to
|
||||
tell your operating system to allow jabberd to use more file
|
||||
descriptors. On Linux this can be done using ulimit -n or by
|
||||
changing the value of /proc/sys/fd/file-max.
|
||||
|
||||
(default: 1024) -->
|
||||
<max_fds>1024</max_fds>
|
||||
|
||||
<!-- Rate limiting -->
|
||||
<limits>
|
||||
<!-- Maximum bytes per second - if more than X bytes are sent in Y
|
||||
seconds, connection is throttled for Z seconds. The format
|
||||
is:
|
||||
|
||||
<bytes seconds='Y' throttle='Z'>X</bytes>
|
||||
|
||||
Default Y is 1, default Z is 5. set X to 0 to disable. -->
|
||||
<bytes>0</bytes>
|
||||
|
||||
<!-- Maximum number of stanzas per second - if more than X stanzas
|
||||
are sent in Y seconds, connection is throttled for Z seconds.
|
||||
The format is:
|
||||
|
||||
<stanzas seconds='Y' throttle='Z'>X</stanzas>
|
||||
|
||||
Default Y 1, default Z is 5. Set X to 0 to disable -->
|
||||
<stanzas>1000</stanzas>
|
||||
|
||||
<!-- Maximum connects per second - if more than X connects are
|
||||
attempted from a single IP in Y seconds, that IP is throttled
|
||||
for Z seconds. The format is:
|
||||
|
||||
<connects seconds='Y' throttle='Z'>X</connects>
|
||||
|
||||
Default Y is 5, default Z is 5. set X to 0 to disable. -->
|
||||
<connects>0</connects>
|
||||
|
||||
<!-- Maximum stanza size - if more than given number of bytes
|
||||
are read in one incoming stanza, the stream is closed
|
||||
with policy-violation error.
|
||||
|
||||
Set to 0 to disable.
|
||||
Values less than 16384 might not work. -->
|
||||
<stanzasize>65535</stanzasize>
|
||||
</limits>
|
||||
|
||||
<!-- Enable XEP-0138: Stream Compression -->
|
||||
<!--
|
||||
<compression/>
|
||||
-->
|
||||
|
||||
<!-- IP-based access controls. If a connection IP matches an allow
|
||||
rule, the connection will be accepted. If a connecting IP
|
||||
matches a deny rule, the connection will be refused. If the
|
||||
connecting IP does not match any rules, or it matches both an
|
||||
allow and a deny rule, the contents of the <order/> option
|
||||
determines what happens. -->
|
||||
<access>
|
||||
<!-- Rule check order (default: allow,deny)
|
||||
|
||||
allow,deny - Check allow rules, then check deny rules.
|
||||
Allow by default.
|
||||
deny,allow - Check deny rules, then check allow rules.
|
||||
Deny by default. -->
|
||||
<order>allow,deny</order>
|
||||
|
||||
<!-- Allow a network. If the mask isn't specified, it defaults to
|
||||
255.255.255.255 (ie allow onle the specified IP) -->
|
||||
<!--
|
||||
<allow ip='127.0.0.0' mask='255.0.0.0'/>
|
||||
-->
|
||||
|
||||
<!-- Allow a single host -->
|
||||
<!--
|
||||
<allow ip='12.34.56.78'/>
|
||||
-->
|
||||
|
||||
<!-- Deny a network or a host -->
|
||||
<!--
|
||||
<deny ip='127.0.0.1' mask='255.0.0.0'/>
|
||||
<deny ip='87.65.43.21'/>
|
||||
-->
|
||||
</access>
|
||||
|
||||
<!-- Timed checks -->
|
||||
<check>
|
||||
<!-- Interval between checks.
|
||||
|
||||
Open client connections will be checked every n seconds, and
|
||||
the following checks applied.
|
||||
|
||||
0 disables all checks. (default: 0) -->
|
||||
<interval>0</interval>
|
||||
|
||||
<!-- Idle connection checks.
|
||||
|
||||
Connections that have not sent data for longer than this many
|
||||
seconds will be dropped.
|
||||
|
||||
0 disables idle timeouts. (default: 0) -->
|
||||
<idle>0</idle>
|
||||
|
||||
<!-- Keepalives.
|
||||
|
||||
Connections that have not sent data for longer than this many
|
||||
seconds will have a single whitespace character sent to them.
|
||||
This will force the TCP connection to be closed if they have
|
||||
disconnected without us knowing about it.
|
||||
|
||||
0 disables keepalives. (default: 0) -->
|
||||
<keepalive>0</keepalive>
|
||||
|
||||
</check>
|
||||
|
||||
</io>
|
||||
|
||||
<!-- Statistics -->
|
||||
<stats>
|
||||
<!-- file containing count of packets that went through -->
|
||||
<!--
|
||||
<packet>/var/spool/jabber/stats/c2s.packets</packet>
|
||||
-->
|
||||
</stats>
|
||||
|
||||
<!-- PBX integration -->
|
||||
<pbx>
|
||||
<!-- Commands named pipe path. Allows creating "fake" sessions
|
||||
with given resource and status -->
|
||||
<!--
|
||||
<pipe>/var/run/jabber/pbx</pipe>
|
||||
-->
|
||||
<!-- Available commands:
|
||||
START jid/resource [[priority ]status] [description]
|
||||
STOP jid/resource [description]
|
||||
where priority is integer between -128 and +127
|
||||
and status is one of: CHAT, ONLINE, DND, AWAY, XA
|
||||
-->
|
||||
</pbx>
|
||||
|
||||
<!-- see-other-host error stream redirection support
|
||||
This will redirect connections to specified domains to other host:port
|
||||
Usefull when migrating service and DNS change did not propagate yet.
|
||||
Note that to_address should be RFC 3986 compliant. -->
|
||||
<stream_redirect>
|
||||
<!--
|
||||
<redirect requested_domain="some.domain" to_address="other.hostname" to_port="5269" />
|
||||
<redirect requested_domain="other.domain" to_address="other.host" to_port="1234" />
|
||||
-->
|
||||
</stream_redirect>
|
||||
|
||||
<!-- Authentication/registration database configuration -->
|
||||
<authreg>
|
||||
<!-- Dynamic authreg modules path -->
|
||||
<path>/usr/lib64/jabberd</path>
|
||||
|
||||
<!-- Backend module to use -->
|
||||
<module>db</module>
|
||||
|
||||
<!-- Available authentication mechanisms -->
|
||||
<mechanisms>
|
||||
|
||||
<!-- These are the traditional Jabber authentication mechanisms.
|
||||
Comment out any that you don't want to be offered to clients.
|
||||
Note that if the auth/reg module does not support one of
|
||||
these mechanisms, then it will not be offered regardless of
|
||||
whether or not it is enabled here. -->
|
||||
<traditional>
|
||||
<plain/>
|
||||
<digest/>
|
||||
</traditional>
|
||||
|
||||
<!-- SASL authentication mechanisms. Comment out any that you
|
||||
don't want to be offered to clients. Again, if the auth/reg
|
||||
module does not support one of these mechanisms, then it will
|
||||
not be offered. -->
|
||||
<sasl>
|
||||
<plain/>
|
||||
<digest-md5/>
|
||||
<!--
|
||||
<anonymous/>
|
||||
<gssapi/>
|
||||
-->
|
||||
</sasl>
|
||||
|
||||
</mechanisms>
|
||||
|
||||
<!-- Additional mechanisms that are also available when the
|
||||
connection is encrypted. Ie. when START-TLS had been
|
||||
negotiated, or user connected on SSL-wrapped port. -->
|
||||
<ssl-mechanisms>
|
||||
|
||||
<!-- it's advisable that you disable plain in the above
|
||||
<mechanisms/> section -->
|
||||
<traditional>
|
||||
<plain/>
|
||||
</traditional>
|
||||
|
||||
<sasl>
|
||||
<plain/>
|
||||
<external/>
|
||||
</sasl>
|
||||
|
||||
</ssl-mechanisms>
|
||||
|
||||
<!-- SQLite driver configuration -->
|
||||
<sqlite>
|
||||
<!-- Database name -->
|
||||
<dbname>/var/spool/jabber/db/sqlite.db</dbname>
|
||||
|
||||
<!-- Transacation support. If this is commented out, transactions
|
||||
will be disabled. This might make database accesses faster,
|
||||
but data may be lost if jabberd crashes. -->
|
||||
<transactions/>
|
||||
|
||||
<!-- SQLite busy-timeout in milliseconds. -->
|
||||
<busy-timeout>2000</busy-timeout>
|
||||
|
||||
<!-- Passwords in DB may be stored in plain or hashed format -->
|
||||
<!-- NOTE: If you are using hashed passwords, the only auth
|
||||
method that will work is PLAIN.
|
||||
Make sure that you disabled others in 'mechanisms'
|
||||
sections of the config file. -->
|
||||
<password_type>
|
||||
<!-- only one may be enabled here -->
|
||||
<plaintext/>
|
||||
<!-- use crypt(3)ed passwords
|
||||
<crypt/>
|
||||
-->
|
||||
<!-- use A1HASH passwords
|
||||
This stores the MD5 digest of user:realm:password in the database
|
||||
<a1hash/>
|
||||
-->
|
||||
</password_type>
|
||||
</sqlite>
|
||||
|
||||
<!-- MySQL module configuration -->
|
||||
<mysql>
|
||||
<!-- Database server host and port -->
|
||||
<host>localhost</host>
|
||||
<port>3306</port>
|
||||
|
||||
<!-- Database name -->
|
||||
<dbname>jabberd2</dbname>
|
||||
|
||||
<!-- Database username and password -->
|
||||
<user>jabberd2</user>
|
||||
<pass>secret</pass>
|
||||
|
||||
<!-- Passwords in DB may be stored in plain or hashed format -->
|
||||
<!-- NOTE: If you are using hashed passwords, the only auth
|
||||
method that will work is PLAIN.
|
||||
Make sure that you disabled others in 'mechanisms'
|
||||
sections of the config file. -->
|
||||
<password_type>
|
||||
<!-- only one may be enabled here -->
|
||||
<plaintext/>
|
||||
<!-- use crypt(3)ed passwords
|
||||
<crypt/>
|
||||
-->
|
||||
<!-- use A1HASH passwords
|
||||
This stores the MD5 digest of user:realm:password in the database
|
||||
<a1hash/>
|
||||
-->
|
||||
</password_type>
|
||||
</mysql>
|
||||
|
||||
<!-- PostgreSQL module configuration -->
|
||||
<pgsql>
|
||||
<!-- PostgreSQL connection info.
|
||||
For the rest of the options see
|
||||
http://www.postgresql.org/docs/8.0/interactive/libpq.html -->
|
||||
<conninfo>dbname=jabberd2 user=jabberd2 password=secret</conninfo>
|
||||
|
||||
<!-- Alternatively you may set connection settings separately.
|
||||
These are used only in absence of 'conninfo' -->
|
||||
|
||||
<!-- Database server host and port -->
|
||||
<host>localhost</host>
|
||||
<port>5432</port>
|
||||
|
||||
<!-- Database name -->
|
||||
<dbname>jabberd2</dbname>
|
||||
|
||||
<!-- Database schema -->
|
||||
<schema>public</schema>
|
||||
|
||||
<!-- Database username and password -->
|
||||
<user>jabberd2</user>
|
||||
<pass>secret</pass>
|
||||
|
||||
<!-- Passwords in DB may be stored in plain or hashed format -->
|
||||
<!-- NOTE: If you are using hashed passwords, the only auth
|
||||
method that will work is PLAIN.
|
||||
Make sure that you disabled others in 'mechanisms'
|
||||
sections of the config file. -->
|
||||
<password_type>
|
||||
<!-- only one may be enabled here -->
|
||||
<plaintext/>
|
||||
<!-- use crypt(3)ed passwords
|
||||
<crypt/>
|
||||
-->
|
||||
<!-- use A1HASH passwords
|
||||
This stores the MD5 digest of user:realm:password in the database
|
||||
<a1hash/>
|
||||
-->
|
||||
</password_type>
|
||||
</pgsql>
|
||||
|
||||
<!-- Oracle driver configuration -->
|
||||
<oracle>
|
||||
<!-- Database server host and port. -->
|
||||
<host>localhost</host>
|
||||
<port>1521</port>
|
||||
|
||||
<!-- Database name -->
|
||||
<dbname>jabberd2</dbname>
|
||||
|
||||
<!-- Database username and password -->
|
||||
<user>jabberd2</user>
|
||||
<pass>secret</pass>
|
||||
</oracle>
|
||||
|
||||
<!-- Berkeley DB module configuration -->
|
||||
<db>
|
||||
<!-- Directory to store database files under -->
|
||||
<path>/var/spool/jabber/db</path>
|
||||
|
||||
<!-- Synchronize the database to disk after each write. If you
|
||||
disable this, database accesses may be faster, but data may
|
||||
be lost if jabberd crashes. -->
|
||||
<sync/>
|
||||
</db>
|
||||
|
||||
<!-- LDAPFULL module configuration -->
|
||||
<ldapfull>
|
||||
<!-- LDAP server host and port (default: 389) -->
|
||||
<uri>ldap://localhost/ ldaps://ldap.example.com/</uri>
|
||||
|
||||
<!-- DN to bind as for searches. If unspecified, the searches
|
||||
will be done anonymously. -->
|
||||
<!--
|
||||
<binddn>cn=Directory Manager</binddn>
|
||||
<bindpw>secret</bindpw>
|
||||
-->
|
||||
|
||||
<!-- Type of LDAP server. Currently "ad" for active directory and "ldap"
|
||||
for other ldap servers. If not specified, then it is ldap. -->
|
||||
<!--
|
||||
<type>ad</type>
|
||||
-->
|
||||
|
||||
<!-- LDAP attribute that holds the user ID (default: uid) -->
|
||||
<uidattr>uid</uidattr>
|
||||
<objectclass>posixAccount</objectclass>
|
||||
<!-- LDAP attribute that holds the cleartext or hashed password
|
||||
(not needed when pwscheme is set to 'bind') -->
|
||||
<pwattr>userPassword</pwattr>
|
||||
<!-- if you use included jabberd.schema use this:
|
||||
<uidattr>jid</uidattr>
|
||||
<objectclass>jabberUser</objectclass>
|
||||
<pwattr>jabberPassword</pwattr>
|
||||
-->
|
||||
|
||||
<!-- Attribute that holds jabber account status. Must be TRUE for AD,
|
||||
and 1 for other LDAP server.
|
||||
If not specified, then it will not be used. -->
|
||||
<!--
|
||||
<validattr>valid</validattr>
|
||||
-->
|
||||
|
||||
<!-- Group that users must be members of
|
||||
If this is set, only user that are members of the specified LDAP
|
||||
group can log in. The group must be specified with its full
|
||||
distinguished name -->
|
||||
<!--
|
||||
<group_dn>cn=jabberdusers,ou=servicegroups,dc=example,dc=com</group_dn>
|
||||
-->
|
||||
|
||||
<fulluid/>
|
||||
<!-- If pwscheme is not defined, then passwords are stored in clear
|
||||
text and digest authentication may be done.
|
||||
If passwords are hashed, then you cannot use digest authentication
|
||||
and should use plain text authentication.
|
||||
Any of sha, ssha, crypt, bind and clear may be specified.
|
||||
'sha' specifies that the attribute in pwattr holds a base-64
|
||||
encoded SHA-1 hashed password beginning with the string {SHA}.
|
||||
'ssha' specifies that the attribute in pwattr holds a base-64
|
||||
SHA-1 hashed password appended with 32 bits of salt and beginning
|
||||
with the string {SSHA}.
|
||||
'crypt' specifies that the attribute in pwattr holds a UNIX-style
|
||||
crypt(3) hashed password.
|
||||
'bind' specifies that the password is not stored in an attribute
|
||||
but is authenticated directly by the LDAP server by binding
|
||||
using the user's DN. This should be compatible with the
|
||||
widest variety of LDAP servers.
|
||||
-->
|
||||
<!-- <pwscheme>bind</pwscheme> -->
|
||||
|
||||
<!-- base DN of the tree. You should specify a DN for each
|
||||
authentication realm declared in the <local/> section above,
|
||||
by using the realm attribute. -->
|
||||
<basedn realm='company'>o=Company.com</basedn>
|
||||
<basedn>o=Example Corp.</basedn>
|
||||
</ldapfull>
|
||||
|
||||
<!-- LDAP module configuration -->
|
||||
<!-- Remember that you need to use PLAIN auth with LDAP backend -->
|
||||
<ldap>
|
||||
<!-- LDAP server host and port (default: 389) -->
|
||||
<host>ldap.example.com</host>
|
||||
<port>389</port>
|
||||
|
||||
<!-- Use LDAP v3 if possible. If disabled, v2 will be used.
|
||||
Encryption options are only available if v3 is enabled. -->
|
||||
<!--
|
||||
<v3/>
|
||||
-->
|
||||
|
||||
<!-- Encryption. If enabled, this will create an encrypted channel
|
||||
to the LDAP server using the LDAP STARTTLS mechanism. -->
|
||||
<!--
|
||||
<starttls/>
|
||||
-->
|
||||
|
||||
<!-- Encryption. If enabled, this will create an encrypted channel
|
||||
to the server using the old-style "ldaps://" mechanism. It is
|
||||
recommended that you use <starttls/> instead of this. -->
|
||||
<!--
|
||||
<ssl/>
|
||||
-->
|
||||
|
||||
<!-- DN to bind as for searches. If unspecified, the searches
|
||||
will be done anonymously. -->
|
||||
<!--
|
||||
<binddn>cn=Directory Manager</binddn>
|
||||
<bindpw>secret</bindpw>
|
||||
-->
|
||||
|
||||
<!-- LDAP attribute that holds the user ID (default: uid) -->
|
||||
<uidattr>uid</uidattr>
|
||||
|
||||
<!-- Enable the append-realm element if you want to append
|
||||
realm value (usernam@realm) to the uidattr value
|
||||
<append-realm/>
|
||||
-->
|
||||
|
||||
<!-- Alternatively to <uidattr/> and <append-realm/> you may
|
||||
specify full LDAP search <query/> that will be used to
|
||||
get user objects from directory.
|
||||
|
||||
The following replacements take place:
|
||||
%u is replaced by user login name
|
||||
%r is replaced by user login realm
|
||||
|
||||
When <query/> is specified, <uidattr/> and <append-realm/>
|
||||
are unused and take no effect. -->
|
||||
<!--
|
||||
<query>(&(mail=%u@%r)(objectClass=inetOrgPerson))</query>
|
||||
-->
|
||||
|
||||
<!-- base DN of the tree. You should specify a DN for each
|
||||
authentication realm declared in the <local/> section above,
|
||||
by using the realm attribute. -->
|
||||
<basedn realm='company'>o=Company.com</basedn>
|
||||
<basedn>o=Example Corp.</basedn>
|
||||
</ldap>
|
||||
<!-- if you want to configure more than one LDAP server
|
||||
create ldap1, ldap2 etc. sections
|
||||
<ldap1>
|
||||
|
||||
</ldap1>
|
||||
-->
|
||||
|
||||
<!-- Pipe module configuration -->
|
||||
<pipe>
|
||||
<!-- Program to execute -->
|
||||
<exec>/usr/bin/pipe-auth.pl</exec>
|
||||
</pipe>
|
||||
|
||||
</authreg>
|
||||
|
||||
</c2s>
|
||||
<!--
|
||||
vim: syntax=xml
|
||||
-->
|
701
jabber/c2s.xml.dist
Normal file
701
jabber/c2s.xml.dist
Normal file
@ -0,0 +1,701 @@
|
||||
<!-- c2s configuration -->
|
||||
<c2s>
|
||||
<!-- Our ID on the network (default: c2s) -->
|
||||
<id>c2s</id>
|
||||
|
||||
<!-- The process ID file. Comment this out if you don't need to know
|
||||
the process ID from outside the process (eg for control scripts) -->
|
||||
<pidfile>/var/run/jabber/jabberd2-c2s.pid</pidfile>
|
||||
|
||||
<!-- Router connection configuration -->
|
||||
<router>
|
||||
<!-- IP/port the router is waiting for connections on -->
|
||||
<ip>127.0.0.1</ip> <!-- default: 127.0.0.1 -->
|
||||
<port>5347</port> <!-- default: 5347 -->
|
||||
|
||||
<!-- Username/password to authenticate as -->
|
||||
<user>jabberd</user> <!-- default: jabberd -->
|
||||
<pass>secret</pass> <!-- default: secret -->
|
||||
|
||||
<!-- File containing an SSL certificate and private key to use when
|
||||
setting up an encrypted channel with the router. From
|
||||
SSL_CTX_use_certificate_chain_file(3): "The certificates must be
|
||||
in PEM format and must be sorted starting with the subject's
|
||||
certificate (actual client or server certificate), followed
|
||||
by intermediate CA certificates if applicable, and ending
|
||||
at the highest level (root) CA" (the latter one being optional).
|
||||
If this is commented out, or the file can't be read, no attempt
|
||||
will be made to establish an encrypted channel with the router. -->
|
||||
<!--
|
||||
<pemfile>/etc/jabber/server.pem</pemfile>
|
||||
-->
|
||||
|
||||
<!-- Router connection retry -->
|
||||
<retry>
|
||||
<!-- If the connection to the router can't be established at
|
||||
startup, we should try again this many times before exiting.
|
||||
Use -1 to retry indefinitely. [default: 3] -->
|
||||
<init>3</init>
|
||||
|
||||
<!-- If we lost the connection to the router during normal
|
||||
operation (ie we've successfully connected to the router in
|
||||
the past), we should try to reconnect this many times before
|
||||
exiting. Use -1 to retry indefinitely. [default: 3] -->
|
||||
<lost>3</lost>
|
||||
|
||||
<!-- Sleep for this many seconds before trying attempting a
|
||||
reconnect. [default: 2] -->
|
||||
<sleep>2</sleep>
|
||||
</retry>
|
||||
</router>
|
||||
|
||||
<!-- Log configuration - type is "syslog", "file" or "stdout" -->
|
||||
<log type='syslog'>
|
||||
<!-- If logging to syslog, this is the log ident -->
|
||||
<ident>jabberd/c2s</ident>
|
||||
|
||||
<!-- If logging to syslog, this is the log facility
|
||||
(local0 - local7) [default: local3] -->
|
||||
<facility>local3</facility>
|
||||
|
||||
<!-- If logging to file, this is the filename of the logfile -->
|
||||
<!--
|
||||
<file>/var/log/jabber/c2s.log</file>
|
||||
-->
|
||||
|
||||
<!-- Filename of the debug logfile -->
|
||||
<!--
|
||||
<debug>/var/log/jabber/debug-${id}.log</debug>
|
||||
-->
|
||||
</log>
|
||||
|
||||
<!-- Local network configuration -->
|
||||
<local>
|
||||
<!-- Who we identify ourselves as. This should correspond to the
|
||||
ID (host) that the session manager thinks it is. You can
|
||||
specify more than one to support virtual hosts, as long as you
|
||||
have additional session manager instances on the network to
|
||||
handle those hosts.
|
||||
|
||||
You may leave the content of the <id/> empty to setup default
|
||||
virtual host setup, that will be used for all present but not
|
||||
configured otherwise SM domains.
|
||||
|
||||
realm
|
||||
attribute specifies the auth/reg or SASL authentication realm
|
||||
for the host. If the attribute is not specified, the realm will
|
||||
be selected by the SASL mechanism, or will be the same as the ID
|
||||
itself. Be aware that users are assigned to a realm, not a host,
|
||||
so two hosts in the same realm will have the same users. If no
|
||||
realm is specified, it will be set to be the same as the ID.
|
||||
If empty "" realm is specified, the PAM backend wil authenticate
|
||||
using plain usernames, not JIDs.
|
||||
|
||||
pemfile
|
||||
attribute specifies the file containing a SSL certificate and
|
||||
private key for client connections. If this is non existant,
|
||||
clients will not be offered the STARTTLS stream extension
|
||||
From SSL_CTX_use_certificate_chain_file(3):
|
||||
"The certificates must be in PEM format and must be sorted
|
||||
starting with the subject's certificate (actual client or server
|
||||
certificate), followed by intermediate CA certificates if
|
||||
applicable, and ending at the highest level (root) CA"
|
||||
(the latter one being optional).
|
||||
|
||||
verify-mode
|
||||
SSL verify mode - see SSL_CTX_set_verify(3), mode parameter.
|
||||
Sum of the following options:
|
||||
SSL_VERIFY_NONE 0x00
|
||||
SSL_VERIFY_PEER 0x01
|
||||
SSL_VERIFY_FAIL_IF_NO_PEER_CERT 0x02
|
||||
SSL_VERIFY_CLIENT_ONCE 0x04
|
||||
Use 7 to require all clients to present _valid_ certificates.
|
||||
|
||||
|
||||
cachain
|
||||
SSL CA chain. Used to verify client certificates.
|
||||
CA names published to client upon connection.
|
||||
|
||||
require-starttls
|
||||
If this attribute is set to any value, clients must do STARTTLS
|
||||
before they can authenticate. Until the stream is encrypted,
|
||||
all packets will be dropped.
|
||||
|
||||
register-enable
|
||||
Remove this attribute to disable account registrations.
|
||||
|
||||
instructions
|
||||
Human-readable instructions to be returned to client when
|
||||
registration is requested.
|
||||
|
||||
register-oob
|
||||
URL to be attached as an alternative, out-of-band registration
|
||||
method. Usually web-based http:// URL.
|
||||
|
||||
password-change
|
||||
Password change only. When registration is disabled, it may
|
||||
still be useful to allow clients to change their password. If
|
||||
you want this, add this attribute with any value, when you need
|
||||
registration disabled.
|
||||
-->
|
||||
<id register-enable='mu'>localhost.localdomain</id>
|
||||
<!-- or
|
||||
<id realm='company.int'
|
||||
pemfile='/etc/jabber/server.pem'
|
||||
verify-mode='7'
|
||||
cachain='/etc/jabber/client_ca_certs.pem'
|
||||
require-starttls='mu'
|
||||
register-enable='mu'
|
||||
instructions='Enter a username and password to register with this server.'
|
||||
register-oob='http://example.org/register'
|
||||
password-change='mu'
|
||||
>example.net</id> -->
|
||||
<!-- or the default host
|
||||
<id password-change='mu' /> -->
|
||||
|
||||
<!-- IP address to bind to (default: 0.0.0.0) -->
|
||||
<ip>0.0.0.0</ip>
|
||||
|
||||
<!-- Port to bind to, or 0 to disable unencrypted access to the
|
||||
server (default: 5222) -->
|
||||
<port>5222</port>
|
||||
|
||||
<!-- Older versions of jabberd support encrypted client connections
|
||||
via an additional listening socket on port 5223. If you want
|
||||
this (required to allow pre-STARTTLS clients to do SSL),
|
||||
uncomment this -->
|
||||
<!--
|
||||
<ssl-port>5223</ssl-port>
|
||||
-->
|
||||
|
||||
<!-- File containing an SSL certificate and private key for client
|
||||
connections. From SSL_CTX_use_certificate_chain_file(3):
|
||||
"The certificates must be in PEM format and must be sorted
|
||||
starting with the subject's certificate (actual client or server
|
||||
certificate), followed by intermediate CA certificates if
|
||||
applicable, and ending at the highest level (root) CA"
|
||||
(the latter one being optional).
|
||||
|
||||
Note: This certificate is ONLY used for old style SSL
|
||||
connections on port 5223 (pre-STARTTLS). If you want to
|
||||
use STARTTLS over the standard XMPP port 5222 then you
|
||||
MUST specify the pemfile in the 'id' tag above. -->
|
||||
<!--
|
||||
<pemfile>/etc/jabber/server.pem</pemfile>
|
||||
-->
|
||||
|
||||
<!-- SSL verify mode - see SSL_CTX_set_verify(3), mode parameter -->
|
||||
<!--
|
||||
<verify-mode>7</verify-mode>
|
||||
-->
|
||||
|
||||
<!-- SSL CA chain. Used to verify client certificates. CA names published to client upon connection -->
|
||||
<!--
|
||||
<cachain>/etc/jabber/client_ca_certs.pem</cachain>
|
||||
-->
|
||||
|
||||
<!-- Forward incoming HTTP clients to a real HTTP server -->
|
||||
<!--
|
||||
<httpforward>http://www.jabber.org/</httpforward>
|
||||
-->
|
||||
</local>
|
||||
|
||||
<!-- Input/output settings -->
|
||||
<io>
|
||||
<!-- Maximum number of file descriptors. This value sets an upper
|
||||
limit on the number of users who may be logged in to this
|
||||
server at a given time. Each user consumers one file
|
||||
descriptor.
|
||||
|
||||
Note that the number of possible connections will be slightly
|
||||
less than this, because c2s itself can use up five on its own,
|
||||
and auth/reg modules may need a few also. If the supply of
|
||||
file descriptors is exhausted, new incoming connections will
|
||||
be denied.
|
||||
|
||||
Also note that this value only affects how many file descriptors
|
||||
jabberd is able to handle internally. You may also need to
|
||||
tell your operating system to allow jabberd to use more file
|
||||
descriptors. On Linux this can be done using ulimit -n or by
|
||||
changing the value of /proc/sys/fd/file-max.
|
||||
|
||||
(default: 1024) -->
|
||||
<max_fds>1024</max_fds>
|
||||
|
||||
<!-- Rate limiting -->
|
||||
<limits>
|
||||
<!-- Maximum bytes per second - if more than X bytes are sent in Y
|
||||
seconds, connection is throttled for Z seconds. The format
|
||||
is:
|
||||
|
||||
<bytes seconds='Y' throttle='Z'>X</bytes>
|
||||
|
||||
Default Y is 1, default Z is 5. set X to 0 to disable. -->
|
||||
<bytes>0</bytes>
|
||||
|
||||
<!-- Maximum number of stanzas per second - if more than X stanzas
|
||||
are sent in Y seconds, connection is throttled for Z seconds.
|
||||
The format is:
|
||||
|
||||
<stanzas seconds='Y' throttle='Z'>X</stanzas>
|
||||
|
||||
Default Y 1, default Z is 5. Set X to 0 to disable -->
|
||||
<stanzas>1000</stanzas>
|
||||
|
||||
<!-- Maximum connects per second - if more than X connects are
|
||||
attempted from a single IP in Y seconds, that IP is throttled
|
||||
for Z seconds. The format is:
|
||||
|
||||
<connects seconds='Y' throttle='Z'>X</connects>
|
||||
|
||||
Default Y is 5, default Z is 5. set X to 0 to disable. -->
|
||||
<connects>0</connects>
|
||||
|
||||
<!-- Maximum stanza size - if more than given number of bytes
|
||||
are read in one incoming stanza, the stream is closed
|
||||
with policy-violation error.
|
||||
|
||||
Set to 0 to disable.
|
||||
Values less than 16384 might not work. -->
|
||||
<stanzasize>65535</stanzasize>
|
||||
</limits>
|
||||
|
||||
<!-- Enable XEP-0138: Stream Compression -->
|
||||
<!--
|
||||
<compression/>
|
||||
-->
|
||||
|
||||
<!-- IP-based access controls. If a connection IP matches an allow
|
||||
rule, the connection will be accepted. If a connecting IP
|
||||
matches a deny rule, the connection will be refused. If the
|
||||
connecting IP does not match any rules, or it matches both an
|
||||
allow and a deny rule, the contents of the <order/> option
|
||||
determines what happens. -->
|
||||
<access>
|
||||
<!-- Rule check order (default: allow,deny)
|
||||
|
||||
allow,deny - Check allow rules, then check deny rules.
|
||||
Allow by default.
|
||||
deny,allow - Check deny rules, then check allow rules.
|
||||
Deny by default. -->
|
||||
<order>allow,deny</order>
|
||||
|
||||
<!-- Allow a network. If the mask isn't specified, it defaults to
|
||||
255.255.255.255 (ie allow onle the specified IP) -->
|
||||
<!--
|
||||
<allow ip='127.0.0.0' mask='255.0.0.0'/>
|
||||
-->
|
||||
|
||||
<!-- Allow a single host -->
|
||||
<!--
|
||||
<allow ip='12.34.56.78'/>
|
||||
-->
|
||||
|
||||
<!-- Deny a network or a host -->
|
||||
<!--
|
||||
<deny ip='127.0.0.1' mask='255.0.0.0'/>
|
||||
<deny ip='87.65.43.21'/>
|
||||
-->
|
||||
</access>
|
||||
|
||||
<!-- Timed checks -->
|
||||
<check>
|
||||
<!-- Interval between checks.
|
||||
|
||||
Open client connections will be checked every n seconds, and
|
||||
the following checks applied.
|
||||
|
||||
0 disables all checks. (default: 0) -->
|
||||
<interval>0</interval>
|
||||
|
||||
<!-- Idle connection checks.
|
||||
|
||||
Connections that have not sent data for longer than this many
|
||||
seconds will be dropped.
|
||||
|
||||
0 disables idle timeouts. (default: 0) -->
|
||||
<idle>0</idle>
|
||||
|
||||
<!-- Keepalives.
|
||||
|
||||
Connections that have not sent data for longer than this many
|
||||
seconds will have a single whitespace character sent to them.
|
||||
This will force the TCP connection to be closed if they have
|
||||
disconnected without us knowing about it.
|
||||
|
||||
0 disables keepalives. (default: 0) -->
|
||||
<keepalive>0</keepalive>
|
||||
|
||||
</check>
|
||||
|
||||
</io>
|
||||
|
||||
<!-- Statistics -->
|
||||
<stats>
|
||||
<!-- file containing count of packets that went through -->
|
||||
<!--
|
||||
<packet>/var/spool/jabber/stats/c2s.packets</packet>
|
||||
-->
|
||||
</stats>
|
||||
|
||||
<!-- PBX integration -->
|
||||
<pbx>
|
||||
<!-- Commands named pipe path. Allows creating "fake" sessions
|
||||
with given resource and status -->
|
||||
<!--
|
||||
<pipe>/var/run/jabber/pbx</pipe>
|
||||
-->
|
||||
<!-- Available commands:
|
||||
START jid/resource [[priority ]status] [description]
|
||||
STOP jid/resource [description]
|
||||
where priority is integer between -128 and +127
|
||||
and status is one of: CHAT, ONLINE, DND, AWAY, XA
|
||||
-->
|
||||
</pbx>
|
||||
|
||||
<!-- see-other-host error stream redirection support
|
||||
This will redirect connections to specified domains to other host:port
|
||||
Usefull when migrating service and DNS change did not propagate yet.
|
||||
Note that to_address should be RFC 3986 compliant. -->
|
||||
<stream_redirect>
|
||||
<!--
|
||||
<redirect requested_domain="some.domain" to_address="other.hostname" to_port="5269" />
|
||||
<redirect requested_domain="other.domain" to_address="other.host" to_port="1234" />
|
||||
-->
|
||||
</stream_redirect>
|
||||
|
||||
<!-- Authentication/registration database configuration -->
|
||||
<authreg>
|
||||
<!-- Dynamic authreg modules path -->
|
||||
<path>/usr/lib64/jabberd</path>
|
||||
|
||||
<!-- Backend module to use -->
|
||||
<module>db</module>
|
||||
|
||||
<!-- Available authentication mechanisms -->
|
||||
<mechanisms>
|
||||
|
||||
<!-- These are the traditional Jabber authentication mechanisms.
|
||||
Comment out any that you don't want to be offered to clients.
|
||||
Note that if the auth/reg module does not support one of
|
||||
these mechanisms, then it will not be offered regardless of
|
||||
whether or not it is enabled here. -->
|
||||
<traditional>
|
||||
<plain/>
|
||||
<digest/>
|
||||
</traditional>
|
||||
|
||||
<!-- SASL authentication mechanisms. Comment out any that you
|
||||
don't want to be offered to clients. Again, if the auth/reg
|
||||
module does not support one of these mechanisms, then it will
|
||||
not be offered. -->
|
||||
<sasl>
|
||||
<plain/>
|
||||
<digest-md5/>
|
||||
<!--
|
||||
<anonymous/>
|
||||
<gssapi/>
|
||||
-->
|
||||
</sasl>
|
||||
|
||||
</mechanisms>
|
||||
|
||||
<!-- Additional mechanisms that are also available when the
|
||||
connection is encrypted. Ie. when START-TLS had been
|
||||
negotiated, or user connected on SSL-wrapped port. -->
|
||||
<ssl-mechanisms>
|
||||
|
||||
<!-- it's advisable that you disable plain in the above
|
||||
<mechanisms/> section -->
|
||||
<traditional>
|
||||
<plain/>
|
||||
</traditional>
|
||||
|
||||
<sasl>
|
||||
<plain/>
|
||||
<external/>
|
||||
</sasl>
|
||||
|
||||
</ssl-mechanisms>
|
||||
|
||||
<!-- SQLite driver configuration -->
|
||||
<sqlite>
|
||||
<!-- Database name -->
|
||||
<dbname>/var/spool/jabber/db/sqlite.db</dbname>
|
||||
|
||||
<!-- Transacation support. If this is commented out, transactions
|
||||
will be disabled. This might make database accesses faster,
|
||||
but data may be lost if jabberd crashes. -->
|
||||
<transactions/>
|
||||
|
||||
<!-- SQLite busy-timeout in milliseconds. -->
|
||||
<busy-timeout>2000</busy-timeout>
|
||||
|
||||
<!-- Passwords in DB may be stored in plain or hashed format -->
|
||||
<!-- NOTE: If you are using hashed passwords, the only auth
|
||||
method that will work is PLAIN.
|
||||
Make sure that you disabled others in 'mechanisms'
|
||||
sections of the config file. -->
|
||||
<password_type>
|
||||
<!-- only one may be enabled here -->
|
||||
<plaintext/>
|
||||
<!-- use crypt(3)ed passwords
|
||||
<crypt/>
|
||||
-->
|
||||
<!-- use A1HASH passwords
|
||||
This stores the MD5 digest of user:realm:password in the database
|
||||
<a1hash/>
|
||||
-->
|
||||
</password_type>
|
||||
</sqlite>
|
||||
|
||||
<!-- MySQL module configuration -->
|
||||
<mysql>
|
||||
<!-- Database server host and port -->
|
||||
<host>localhost</host>
|
||||
<port>3306</port>
|
||||
|
||||
<!-- Database name -->
|
||||
<dbname>jabberd2</dbname>
|
||||
|
||||
<!-- Database username and password -->
|
||||
<user>jabberd2</user>
|
||||
<pass>secret</pass>
|
||||
|
||||
<!-- Passwords in DB may be stored in plain or hashed format -->
|
||||
<!-- NOTE: If you are using hashed passwords, the only auth
|
||||
method that will work is PLAIN.
|
||||
Make sure that you disabled others in 'mechanisms'
|
||||
sections of the config file. -->
|
||||
<password_type>
|
||||
<!-- only one may be enabled here -->
|
||||
<plaintext/>
|
||||
<!-- use crypt(3)ed passwords
|
||||
<crypt/>
|
||||
-->
|
||||
<!-- use A1HASH passwords
|
||||
This stores the MD5 digest of user:realm:password in the database
|
||||
<a1hash/>
|
||||
-->
|
||||
</password_type>
|
||||
</mysql>
|
||||
|
||||
<!-- PostgreSQL module configuration -->
|
||||
<pgsql>
|
||||
<!-- PostgreSQL connection info.
|
||||
For the rest of the options see
|
||||
http://www.postgresql.org/docs/8.0/interactive/libpq.html -->
|
||||
<conninfo>dbname=jabberd2 user=jabberd2 password=secret</conninfo>
|
||||
|
||||
<!-- Alternatively you may set connection settings separately.
|
||||
These are used only in absence of 'conninfo' -->
|
||||
|
||||
<!-- Database server host and port -->
|
||||
<host>localhost</host>
|
||||
<port>5432</port>
|
||||
|
||||
<!-- Database name -->
|
||||
<dbname>jabberd2</dbname>
|
||||
|
||||
<!-- Database schema -->
|
||||
<schema>public</schema>
|
||||
|
||||
<!-- Database username and password -->
|
||||
<user>jabberd2</user>
|
||||
<pass>secret</pass>
|
||||
|
||||
<!-- Passwords in DB may be stored in plain or hashed format -->
|
||||
<!-- NOTE: If you are using hashed passwords, the only auth
|
||||
method that will work is PLAIN.
|
||||
Make sure that you disabled others in 'mechanisms'
|
||||
sections of the config file. -->
|
||||
<password_type>
|
||||
<!-- only one may be enabled here -->
|
||||
<plaintext/>
|
||||
<!-- use crypt(3)ed passwords
|
||||
<crypt/>
|
||||
-->
|
||||
<!-- use A1HASH passwords
|
||||
This stores the MD5 digest of user:realm:password in the database
|
||||
<a1hash/>
|
||||
-->
|
||||
</password_type>
|
||||
</pgsql>
|
||||
|
||||
<!-- Oracle driver configuration -->
|
||||
<oracle>
|
||||
<!-- Database server host and port. -->
|
||||
<host>localhost</host>
|
||||
<port>1521</port>
|
||||
|
||||
<!-- Database name -->
|
||||
<dbname>jabberd2</dbname>
|
||||
|
||||
<!-- Database username and password -->
|
||||
<user>jabberd2</user>
|
||||
<pass>secret</pass>
|
||||
</oracle>
|
||||
|
||||
<!-- Berkeley DB module configuration -->
|
||||
<db>
|
||||
<!-- Directory to store database files under -->
|
||||
<path>/var/spool/jabber/db</path>
|
||||
|
||||
<!-- Synchronize the database to disk after each write. If you
|
||||
disable this, database accesses may be faster, but data may
|
||||
be lost if jabberd crashes. -->
|
||||
<sync/>
|
||||
</db>
|
||||
|
||||
<!-- LDAPFULL module configuration -->
|
||||
<ldapfull>
|
||||
<!-- LDAP server host and port (default: 389) -->
|
||||
<uri>ldap://localhost/ ldaps://ldap.example.com/</uri>
|
||||
|
||||
<!-- DN to bind as for searches. If unspecified, the searches
|
||||
will be done anonymously. -->
|
||||
<!--
|
||||
<binddn>cn=Directory Manager</binddn>
|
||||
<bindpw>secret</bindpw>
|
||||
-->
|
||||
|
||||
<!-- Type of LDAP server. Currently "ad" for active directory and "ldap"
|
||||
for other ldap servers. If not specified, then it is ldap. -->
|
||||
<!--
|
||||
<type>ad</type>
|
||||
-->
|
||||
|
||||
<!-- LDAP attribute that holds the user ID (default: uid) -->
|
||||
<uidattr>uid</uidattr>
|
||||
<objectclass>posixAccount</objectclass>
|
||||
<!-- LDAP attribute that holds the cleartext or hashed password
|
||||
(not needed when pwscheme is set to 'bind') -->
|
||||
<pwattr>userPassword</pwattr>
|
||||
<!-- if you use included jabberd.schema use this:
|
||||
<uidattr>jid</uidattr>
|
||||
<objectclass>jabberUser</objectclass>
|
||||
<pwattr>jabberPassword</pwattr>
|
||||
-->
|
||||
|
||||
<!-- Attribute that holds jabber account status. Must be TRUE for AD,
|
||||
and 1 for other LDAP server.
|
||||
If not specified, then it will not be used. -->
|
||||
<!--
|
||||
<validattr>valid</validattr>
|
||||
-->
|
||||
|
||||
<!-- Group that users must be members of
|
||||
If this is set, only user that are members of the specified LDAP
|
||||
group can log in. The group must be specified with its full
|
||||
distinguished name -->
|
||||
<!--
|
||||
<group_dn>cn=jabberdusers,ou=servicegroups,dc=example,dc=com</group_dn>
|
||||
-->
|
||||
|
||||
<fulluid/>
|
||||
<!-- If pwscheme is not defined, then passwords are stored in clear
|
||||
text and digest authentication may be done.
|
||||
If passwords are hashed, then you cannot use digest authentication
|
||||
and should use plain text authentication.
|
||||
Any of sha, ssha, crypt, bind and clear may be specified.
|
||||
'sha' specifies that the attribute in pwattr holds a base-64
|
||||
encoded SHA-1 hashed password beginning with the string {SHA}.
|
||||
'ssha' specifies that the attribute in pwattr holds a base-64
|
||||
SHA-1 hashed password appended with 32 bits of salt and beginning
|
||||
with the string {SSHA}.
|
||||
'crypt' specifies that the attribute in pwattr holds a UNIX-style
|
||||
crypt(3) hashed password.
|
||||
'bind' specifies that the password is not stored in an attribute
|
||||
but is authenticated directly by the LDAP server by binding
|
||||
using the user's DN. This should be compatible with the
|
||||
widest variety of LDAP servers.
|
||||
-->
|
||||
<!-- <pwscheme>bind</pwscheme> -->
|
||||
|
||||
<!-- base DN of the tree. You should specify a DN for each
|
||||
authentication realm declared in the <local/> section above,
|
||||
by using the realm attribute. -->
|
||||
<basedn realm='company'>o=Company.com</basedn>
|
||||
<basedn>o=Example Corp.</basedn>
|
||||
</ldapfull>
|
||||
|
||||
<!-- LDAP module configuration -->
|
||||
<!-- Remember that you need to use PLAIN auth with LDAP backend -->
|
||||
<ldap>
|
||||
<!-- LDAP server host and port (default: 389) -->
|
||||
<host>ldap.example.com</host>
|
||||
<port>389</port>
|
||||
|
||||
<!-- Use LDAP v3 if possible. If disabled, v2 will be used.
|
||||
Encryption options are only available if v3 is enabled. -->
|
||||
<!--
|
||||
<v3/>
|
||||
-->
|
||||
|
||||
<!-- Encryption. If enabled, this will create an encrypted channel
|
||||
to the LDAP server using the LDAP STARTTLS mechanism. -->
|
||||
<!--
|
||||
<starttls/>
|
||||
-->
|
||||
|
||||
<!-- Encryption. If enabled, this will create an encrypted channel
|
||||
to the server using the old-style "ldaps://" mechanism. It is
|
||||
recommended that you use <starttls/> instead of this. -->
|
||||
<!--
|
||||
<ssl/>
|
||||
-->
|
||||
|
||||
<!-- DN to bind as for searches. If unspecified, the searches
|
||||
will be done anonymously. -->
|
||||
<!--
|
||||
<binddn>cn=Directory Manager</binddn>
|
||||
<bindpw>secret</bindpw>
|
||||
-->
|
||||
|
||||
<!-- LDAP attribute that holds the user ID (default: uid) -->
|
||||
<uidattr>uid</uidattr>
|
||||
|
||||
<!-- Enable the append-realm element if you want to append
|
||||
realm value (usernam@realm) to the uidattr value
|
||||
<append-realm/>
|
||||
-->
|
||||
|
||||
<!-- Alternatively to <uidattr/> and <append-realm/> you may
|
||||
specify full LDAP search <query/> that will be used to
|
||||
get user objects from directory.
|
||||
|
||||
The following replacements take place:
|
||||
%u is replaced by user login name
|
||||
%r is replaced by user login realm
|
||||
|
||||
When <query/> is specified, <uidattr/> and <append-realm/>
|
||||
are unused and take no effect. -->
|
||||
<!--
|
||||
<query>(&(mail=%u@%r)(objectClass=inetOrgPerson))</query>
|
||||
-->
|
||||
|
||||
<!-- base DN of the tree. You should specify a DN for each
|
||||
authentication realm declared in the <local/> section above,
|
||||
by using the realm attribute. -->
|
||||
<basedn realm='company'>o=Company.com</basedn>
|
||||
<basedn>o=Example Corp.</basedn>
|
||||
</ldap>
|
||||
<!-- if you want to configure more than one LDAP server
|
||||
create ldap1, ldap2 etc. sections
|
||||
<ldap1>
|
||||
|
||||
</ldap1>
|
||||
-->
|
||||
|
||||
<!-- Pipe module configuration -->
|
||||
<pipe>
|
||||
<!-- Program to execute -->
|
||||
<exec>/usr/bin/pipe-auth.pl</exec>
|
||||
</pipe>
|
||||
|
||||
</authreg>
|
||||
|
||||
</c2s>
|
||||
<!--
|
||||
vim: syntax=xml
|
||||
-->
|
18
jabber/jabberd.cfg
Normal file
18
jabber/jabberd.cfg
Normal file
@ -0,0 +1,18 @@
|
||||
#
|
||||
# jabberd config file
|
||||
#
|
||||
#
|
||||
# This file tells the jabberd wrapper what programs to launch,
|
||||
# and the config files to launch them with. If the config file
|
||||
# is left out, then the system default will be used.
|
||||
#
|
||||
# To run multiple Session Managers, just list them all seperatly
|
||||
# and provide the path to the appropriate config files.
|
||||
#
|
||||
# program [ path to config file ]
|
||||
#
|
||||
|
||||
jabberd2-router /etc/jabber/router.xml
|
||||
jabberd2-sm /etc/jabber/sm.xml
|
||||
jabberd2-s2s /etc/jabber/s2s.xml
|
||||
jabberd2-c2s /etc/jabber/c2s.xml
|
18
jabber/jabberd.cfg.dist
Normal file
18
jabber/jabberd.cfg.dist
Normal file
@ -0,0 +1,18 @@
|
||||
#
|
||||
# jabberd config file
|
||||
#
|
||||
#
|
||||
# This file tells the jabberd wrapper what programs to launch,
|
||||
# and the config files to launch them with. If the config file
|
||||
# is left out, then the system default will be used.
|
||||
#
|
||||
# To run multiple Session Managers, just list them all seperatly
|
||||
# and provide the path to the appropriate config files.
|
||||
#
|
||||
# program [ path to config file ]
|
||||
#
|
||||
|
||||
jabberd2-router /etc/jabber/router.xml
|
||||
jabberd2-sm /etc/jabber/sm.xml
|
||||
jabberd2-s2s /etc/jabber/s2s.xml
|
||||
jabberd2-c2s /etc/jabber/c2s.xml
|
47
jabber/router-filter.xml
Normal file
47
jabber/router-filter.xml
Normal file
@ -0,0 +1,47 @@
|
||||
<!-- This is the router filter ruleset.
|
||||
It allows for finegrained routing control.
|
||||
|
||||
to, from - wildmat patterns
|
||||
absent attribute matches absence of attribute
|
||||
"*" matches any value of attribute
|
||||
what - XPath like query
|
||||
redirect - send packet to given JID instead original recipient
|
||||
error - none given means allow, if given means deny
|
||||
this is an XMPP RFC defined error condition
|
||||
log - if set, the matched packets will be logged in router log
|
||||
|
||||
Rules are matched in order of apperance. First match is efffective.
|
||||
-->
|
||||
|
||||
<filter>
|
||||
<!-- first allow any routing without to or from - it's internal. -->
|
||||
<!--
|
||||
<rule/>
|
||||
<rule from="*"/>
|
||||
<rule to="*"/>
|
||||
-->
|
||||
|
||||
<!-- create simple alias -->
|
||||
<!-- <rule from="*" to="god@example.org" redirect="admin@example.org"/> -->
|
||||
|
||||
<!-- don't allow msn registrations, but... -->
|
||||
<!-- <rule from="dearhart@example.org" to="msn.example.org"/> -->
|
||||
<!-- <rule error="not-allowed" from="*" to="msn.example.org" what="iq/query?xmlns=jabber:iq:register" log="yes"/> -->
|
||||
|
||||
<!-- this user should not talk with evil -->
|
||||
<!-- <rule error="not-allowed" from="user@example.org" to="*@evil.gov" what="message"/> -->
|
||||
|
||||
<!-- I don't want evil to read my data -->
|
||||
<!-- <rule error="forbidden" from="*@evil.gov" to="admin@example.org" what="iq/vCard" log="on"/> -->
|
||||
|
||||
<!-- and finally, let's blind the world with some exceptions -->
|
||||
<!--
|
||||
<rule from="*@goodguys.org" to="*" what="presence"/>
|
||||
<rule from="admin@example.org" to="*" what="presence"/>
|
||||
<rule error="not-acceptable" from="*" to="*" what="presence"/>
|
||||
-->
|
||||
|
||||
</filter>
|
||||
<!--
|
||||
vim: syntax=xml
|
||||
-->
|
47
jabber/router-filter.xml.dist
Normal file
47
jabber/router-filter.xml.dist
Normal file
@ -0,0 +1,47 @@
|
||||
<!-- This is the router filter ruleset.
|
||||
It allows for finegrained routing control.
|
||||
|
||||
to, from - wildmat patterns
|
||||
absent attribute matches absence of attribute
|
||||
"*" matches any value of attribute
|
||||
what - XPath like query
|
||||
redirect - send packet to given JID instead original recipient
|
||||
error - none given means allow, if given means deny
|
||||
this is an XMPP RFC defined error condition
|
||||
log - if set, the matched packets will be logged in router log
|
||||
|
||||
Rules are matched in order of apperance. First match is efffective.
|
||||
-->
|
||||
|
||||
<filter>
|
||||
<!-- first allow any routing without to or from - it's internal. -->
|
||||
<!--
|
||||
<rule/>
|
||||
<rule from="*"/>
|
||||
<rule to="*"/>
|
||||
-->
|
||||
|
||||
<!-- create simple alias -->
|
||||
<!-- <rule from="*" to="god@example.org" redirect="admin@example.org"/> -->
|
||||
|
||||
<!-- don't allow msn registrations, but... -->
|
||||
<!-- <rule from="dearhart@example.org" to="msn.example.org"/> -->
|
||||
<!-- <rule error="not-allowed" from="*" to="msn.example.org" what="iq/query?xmlns=jabber:iq:register" log="yes"/> -->
|
||||
|
||||
<!-- this user should not talk with evil -->
|
||||
<!-- <rule error="not-allowed" from="user@example.org" to="*@evil.gov" what="message"/> -->
|
||||
|
||||
<!-- I don't want evil to read my data -->
|
||||
<!-- <rule error="forbidden" from="*@evil.gov" to="admin@example.org" what="iq/vCard" log="on"/> -->
|
||||
|
||||
<!-- and finally, let's blind the world with some exceptions -->
|
||||
<!--
|
||||
<rule from="*@goodguys.org" to="*" what="presence"/>
|
||||
<rule from="admin@example.org" to="*" what="presence"/>
|
||||
<rule error="not-acceptable" from="*" to="*" what="presence"/>
|
||||
-->
|
||||
|
||||
</filter>
|
||||
<!--
|
||||
vim: syntax=xml
|
||||
-->
|
11
jabber/router-users.xml
Normal file
11
jabber/router-users.xml
Normal file
@ -0,0 +1,11 @@
|
||||
<!-- This is the list of known router users, and their authentication
|
||||
secrets. Access control is done via the settings in router.xml -->
|
||||
<users>
|
||||
<user>
|
||||
<name>jabberd</name>
|
||||
<secret>secret</secret>
|
||||
</user>
|
||||
</users>
|
||||
<!--
|
||||
vim: syntax=xml
|
||||
-->
|
11
jabber/router-users.xml.dist
Normal file
11
jabber/router-users.xml.dist
Normal file
@ -0,0 +1,11 @@
|
||||
<!-- This is the list of known router users, and their authentication
|
||||
secrets. Access control is done via the settings in router.xml -->
|
||||
<users>
|
||||
<user>
|
||||
<name>jabberd</name>
|
||||
<secret>secret</secret>
|
||||
</user>
|
||||
</users>
|
||||
<!--
|
||||
vim: syntax=xml
|
||||
-->
|
215
jabber/router.xml
Normal file
215
jabber/router.xml
Normal file
@ -0,0 +1,215 @@
|
||||
<!-- Router configuration -->
|
||||
<router>
|
||||
<!-- ID of the router on the network (default: router) -->
|
||||
<id>router</id>
|
||||
|
||||
<!-- The process ID file. Comment this out if you don't need to know
|
||||
the process ID from outside the process (eg for control scripts) -->
|
||||
<pidfile>/var/run/jabber/jabberd2-router.pid</pidfile>
|
||||
|
||||
<!-- Log configuration - type is "syslog", "file" or "stdout" -->
|
||||
<log type='syslog'>
|
||||
<!-- If logging to syslog, this is the log ident -->
|
||||
<ident>jabberd/router</ident>
|
||||
|
||||
<!-- If logging to syslog, this is the log facility
|
||||
(local0 - local7) [default: local3] -->
|
||||
<facility>local3</facility>
|
||||
|
||||
<!-- If logging to file, this is the filename of the logfile -->
|
||||
<!--
|
||||
<file>/var/log/jabber/router.log</file>
|
||||
-->
|
||||
|
||||
<!-- Filename of the debug logfile -->
|
||||
<!--
|
||||
<debug>/var/log/jabber/debug-${id}.log</debug>
|
||||
-->
|
||||
</log>
|
||||
|
||||
<!-- Local network configuration -->
|
||||
<local>
|
||||
<!-- IP address to bind to (default: 0.0.0.0) -->
|
||||
<ip>0.0.0.0</ip>
|
||||
|
||||
<!-- Port to bind to (default: 5347) -->
|
||||
<port>5347</port>
|
||||
|
||||
<!-- File containing the user table. This is where the router gets
|
||||
its component and secret information from for component
|
||||
authentication.-->
|
||||
<users>/etc/jabber/router-users.xml</users>
|
||||
|
||||
<!-- Shared secret used to identify XEP-0114 components (that is,
|
||||
"jabber:component:accept" components that authenticate using
|
||||
the Jabber Component Protocol's "handshake", for example
|
||||
mu-conference). If this is commented out, support for XEP-0114
|
||||
components will be disabled. -->
|
||||
<secret>secret</secret>
|
||||
|
||||
<!-- File containing an SSL certificate and private key for client
|
||||
connections. From SSL_CTX_use_certificate_chain_file(3):
|
||||
"The certificates must be in PEM format and must be sorted
|
||||
starting with the subject's certificate (actual client or
|
||||
server certificate), followed by intermediate CA certificates
|
||||
if applicable, and ending at the highest level (root) CA"
|
||||
(the latter one being optional).
|
||||
If this is commented out, connecting components will not be able
|
||||
to request an SSL-encrypted channel. -->
|
||||
<!--
|
||||
<pemfile>/etc/jabber/server.pem</pemfile>
|
||||
-->
|
||||
</local>
|
||||
|
||||
<!-- Timed checks -->
|
||||
<check>
|
||||
<!-- Interval between checks.
|
||||
|
||||
Checks will be run every n seconds.
|
||||
|
||||
0 disables all checks. (default: 60) -->
|
||||
<interval>60</interval>
|
||||
|
||||
<!-- Keepalives.
|
||||
Connections that have not been used for longer than
|
||||
this many seconds will have a single whitespace character sent
|
||||
to them. This will force the TCP connection to be closed if
|
||||
they have disconnected without us knowing about it.
|
||||
0 disables keepalives. (default: 0) -->
|
||||
<keepalive>0</keepalive>
|
||||
|
||||
</check>
|
||||
|
||||
<!-- input/output settings -->
|
||||
<io>
|
||||
<!-- Maximum number of file descriptors. Note that the number of
|
||||
possible connections will be slightly less than this, because
|
||||
the router itself can use up four on its own. If the supply of
|
||||
file descriptors is exhausted, new incoming connections will be
|
||||
denied.
|
||||
|
||||
These file descriptors are really only used when a component
|
||||
connects to the router. So unless you have a lot of components
|
||||
for some reason then you probably don't need to change this
|
||||
value.
|
||||
|
||||
(default: 1024) -->
|
||||
<max_fds>1024</max_fds>
|
||||
|
||||
<!-- Rate limiting -->
|
||||
<limits>
|
||||
<!-- Maximum bytes per second - if more than X bytes are sent in Y
|
||||
seconds, connection is throttled for Z seconds. The format
|
||||
is:
|
||||
|
||||
<bytes seconds='Y' throttle='Z'>X</bytes>
|
||||
|
||||
Default Y is 1, default Z is 5. set X to 0 to disable. -->
|
||||
<bytes>0</bytes>
|
||||
|
||||
<!-- Maximum connects per second - if more than X connects are
|
||||
attempted from a single IP in Y seconds, that IP is throttled
|
||||
for Z seconds. The format is:
|
||||
|
||||
<connects seconds='Y' throttle='Z'>X</connects>
|
||||
|
||||
Default Y is 5, default Z is 5. set X to 0 to disable. -->
|
||||
<connects>0</connects>
|
||||
</limits>
|
||||
|
||||
<!-- IP-based access controls. If a connection IP matches an allow
|
||||
rule, the connection will be accepted. If a connecting IP
|
||||
matches a deny rule, the connection will be refused. If the
|
||||
connecting IP does not match any rules, or it matches both an
|
||||
allow and a deny rule, the contents of the <order/> option
|
||||
determines what happens. -->
|
||||
<access>
|
||||
<!-- Rule check order (default: allow,deny)
|
||||
|
||||
allow,deny - Check allow rules, then check deny rules.
|
||||
Allow by default.
|
||||
deny,allow - Check deny rules, then check allow rules.
|
||||
Deny by default. -->
|
||||
<order>allow,deny</order>
|
||||
|
||||
<!-- Allow a network. If the mask isn't specified, it defaults to
|
||||
255.255.255.255 (ie allow onle the specified IP) -->
|
||||
<!--
|
||||
<allow ip='127.0.0.0' mask='255.0.0.0'/>
|
||||
-->
|
||||
|
||||
<!-- Allow a single host -->
|
||||
<!--
|
||||
<allow ip='12.34.56.78'/>
|
||||
-->
|
||||
|
||||
<!-- Deny a network or a host -->
|
||||
<!--
|
||||
<deny ip='127.0.0.1' mask='255.0.0.0'/>
|
||||
<deny ip='87.65.43.21'/>
|
||||
-->
|
||||
</access>
|
||||
</io>
|
||||
|
||||
<!-- Name aliases.
|
||||
|
||||
Packets destined for the domain specified in the "name" attribute
|
||||
will be routed to the component that has currently bound the name
|
||||
in the "target" attribute (assuming it is online).
|
||||
|
||||
This is usually only required for some kinds of legacy
|
||||
components (particularly jabberd 1.4 "uplink" components) -->
|
||||
<aliases>
|
||||
<!-- Example for a MUC component running from a jabberd 1.4 uplink -->
|
||||
<!--
|
||||
<alias name='conference.domain.com' target='muclinker'/>
|
||||
-->
|
||||
</aliases>
|
||||
|
||||
<!-- Access control information -->
|
||||
<aci>
|
||||
<!-- The usernames listed here will get access to all restricted
|
||||
functions, regardless of restrictions further down -->
|
||||
<acl type='all'>
|
||||
<user>jabberd</user>
|
||||
</acl>
|
||||
|
||||
<!-- These users can bind names other than their username -->
|
||||
<!--
|
||||
<acl type='bind'>
|
||||
</acl>
|
||||
-->
|
||||
|
||||
<!-- These users can bind a name as a default route -->
|
||||
<!--
|
||||
<acl type='default-route'>
|
||||
<user>s2s</user>
|
||||
</acl>
|
||||
-->
|
||||
|
||||
<!-- These users can elect to receive all packets that pass through the router -->
|
||||
<!--
|
||||
<acl type='log'>
|
||||
<user>msglog</user>
|
||||
</acl>
|
||||
-->
|
||||
|
||||
<!-- File containing packet filter rules.
|
||||
May be used for fine grained packet routing control. -->
|
||||
<filter>/etc/jabber/router-filter.xml</filter>
|
||||
|
||||
</aci>
|
||||
|
||||
<!-- Simple message logging to flat file
|
||||
Remove <enabled/> tag to disable logging -->
|
||||
<!--
|
||||
<message_logging>
|
||||
<enabled/>
|
||||
<file>filename</file>
|
||||
</message_logging>
|
||||
-->
|
||||
|
||||
</router>
|
||||
<!--
|
||||
vim: syntax=xml
|
||||
-->
|
215
jabber/router.xml.dist
Normal file
215
jabber/router.xml.dist
Normal file
@ -0,0 +1,215 @@
|
||||
<!-- Router configuration -->
|
||||
<router>
|
||||
<!-- ID of the router on the network (default: router) -->
|
||||
<id>router</id>
|
||||
|
||||
<!-- The process ID file. Comment this out if you don't need to know
|
||||
the process ID from outside the process (eg for control scripts) -->
|
||||
<pidfile>/var/run/jabber/jabberd2-router.pid</pidfile>
|
||||
|
||||
<!-- Log configuration - type is "syslog", "file" or "stdout" -->
|
||||
<log type='syslog'>
|
||||
<!-- If logging to syslog, this is the log ident -->
|
||||
<ident>jabberd/router</ident>
|
||||
|
||||
<!-- If logging to syslog, this is the log facility
|
||||
(local0 - local7) [default: local3] -->
|
||||
<facility>local3</facility>
|
||||
|
||||
<!-- If logging to file, this is the filename of the logfile -->
|
||||
<!--
|
||||
<file>/var/log/jabber/router.log</file>
|
||||
-->
|
||||
|
||||
<!-- Filename of the debug logfile -->
|
||||
<!--
|
||||
<debug>/var/log/jabber/debug-${id}.log</debug>
|
||||
-->
|
||||
</log>
|
||||
|
||||
<!-- Local network configuration -->
|
||||
<local>
|
||||
<!-- IP address to bind to (default: 0.0.0.0) -->
|
||||
<ip>0.0.0.0</ip>
|
||||
|
||||
<!-- Port to bind to (default: 5347) -->
|
||||
<port>5347</port>
|
||||
|
||||
<!-- File containing the user table. This is where the router gets
|
||||
its component and secret information from for component
|
||||
authentication.-->
|
||||
<users>/etc/jabber/router-users.xml</users>
|
||||
|
||||
<!-- Shared secret used to identify XEP-0114 components (that is,
|
||||
"jabber:component:accept" components that authenticate using
|
||||
the Jabber Component Protocol's "handshake", for example
|
||||
mu-conference). If this is commented out, support for XEP-0114
|
||||
components will be disabled. -->
|
||||
<secret>secret</secret>
|
||||
|
||||
<!-- File containing an SSL certificate and private key for client
|
||||
connections. From SSL_CTX_use_certificate_chain_file(3):
|
||||
"The certificates must be in PEM format and must be sorted
|
||||
starting with the subject's certificate (actual client or
|
||||
server certificate), followed by intermediate CA certificates
|
||||
if applicable, and ending at the highest level (root) CA"
|
||||
(the latter one being optional).
|
||||
If this is commented out, connecting components will not be able
|
||||
to request an SSL-encrypted channel. -->
|
||||
<!--
|
||||
<pemfile>/etc/jabber/server.pem</pemfile>
|
||||
-->
|
||||
</local>
|
||||
|
||||
<!-- Timed checks -->
|
||||
<check>
|
||||
<!-- Interval between checks.
|
||||
|
||||
Checks will be run every n seconds.
|
||||
|
||||
0 disables all checks. (default: 60) -->
|
||||
<interval>60</interval>
|
||||
|
||||
<!-- Keepalives.
|
||||
Connections that have not been used for longer than
|
||||
this many seconds will have a single whitespace character sent
|
||||
to them. This will force the TCP connection to be closed if
|
||||
they have disconnected without us knowing about it.
|
||||
0 disables keepalives. (default: 0) -->
|
||||
<keepalive>0</keepalive>
|
||||
|
||||
</check>
|
||||
|
||||
<!-- input/output settings -->
|
||||
<io>
|
||||
<!-- Maximum number of file descriptors. Note that the number of
|
||||
possible connections will be slightly less than this, because
|
||||
the router itself can use up four on its own. If the supply of
|
||||
file descriptors is exhausted, new incoming connections will be
|
||||
denied.
|
||||
|
||||
These file descriptors are really only used when a component
|
||||
connects to the router. So unless you have a lot of components
|
||||
for some reason then you probably don't need to change this
|
||||
value.
|
||||
|
||||
(default: 1024) -->
|
||||
<max_fds>1024</max_fds>
|
||||
|
||||
<!-- Rate limiting -->
|
||||
<limits>
|
||||
<!-- Maximum bytes per second - if more than X bytes are sent in Y
|
||||
seconds, connection is throttled for Z seconds. The format
|
||||
is:
|
||||
|
||||
<bytes seconds='Y' throttle='Z'>X</bytes>
|
||||
|
||||
Default Y is 1, default Z is 5. set X to 0 to disable. -->
|
||||
<bytes>0</bytes>
|
||||
|
||||
<!-- Maximum connects per second - if more than X connects are
|
||||
attempted from a single IP in Y seconds, that IP is throttled
|
||||
for Z seconds. The format is:
|
||||
|
||||
<connects seconds='Y' throttle='Z'>X</connects>
|
||||
|
||||
Default Y is 5, default Z is 5. set X to 0 to disable. -->
|
||||
<connects>0</connects>
|
||||
</limits>
|
||||
|
||||
<!-- IP-based access controls. If a connection IP matches an allow
|
||||
rule, the connection will be accepted. If a connecting IP
|
||||
matches a deny rule, the connection will be refused. If the
|
||||
connecting IP does not match any rules, or it matches both an
|
||||
allow and a deny rule, the contents of the <order/> option
|
||||
determines what happens. -->
|
||||
<access>
|
||||
<!-- Rule check order (default: allow,deny)
|
||||
|
||||
allow,deny - Check allow rules, then check deny rules.
|
||||
Allow by default.
|
||||
deny,allow - Check deny rules, then check allow rules.
|
||||
Deny by default. -->
|
||||
<order>allow,deny</order>
|
||||
|
||||
<!-- Allow a network. If the mask isn't specified, it defaults to
|
||||
255.255.255.255 (ie allow onle the specified IP) -->
|
||||
<!--
|
||||
<allow ip='127.0.0.0' mask='255.0.0.0'/>
|
||||
-->
|
||||
|
||||
<!-- Allow a single host -->
|
||||
<!--
|
||||
<allow ip='12.34.56.78'/>
|
||||
-->
|
||||
|
||||
<!-- Deny a network or a host -->
|
||||
<!--
|
||||
<deny ip='127.0.0.1' mask='255.0.0.0'/>
|
||||
<deny ip='87.65.43.21'/>
|
||||
-->
|
||||
</access>
|
||||
</io>
|
||||
|
||||
<!-- Name aliases.
|
||||
|
||||
Packets destined for the domain specified in the "name" attribute
|
||||
will be routed to the component that has currently bound the name
|
||||
in the "target" attribute (assuming it is online).
|
||||
|
||||
This is usually only required for some kinds of legacy
|
||||
components (particularly jabberd 1.4 "uplink" components) -->
|
||||
<aliases>
|
||||
<!-- Example for a MUC component running from a jabberd 1.4 uplink -->
|
||||
<!--
|
||||
<alias name='conference.domain.com' target='muclinker'/>
|
||||
-->
|
||||
</aliases>
|
||||
|
||||
<!-- Access control information -->
|
||||
<aci>
|
||||
<!-- The usernames listed here will get access to all restricted
|
||||
functions, regardless of restrictions further down -->
|
||||
<acl type='all'>
|
||||
<user>jabberd</user>
|
||||
</acl>
|
||||
|
||||
<!-- These users can bind names other than their username -->
|
||||
<!--
|
||||
<acl type='bind'>
|
||||
</acl>
|
||||
-->
|
||||
|
||||
<!-- These users can bind a name as a default route -->
|
||||
<!--
|
||||
<acl type='default-route'>
|
||||
<user>s2s</user>
|
||||
</acl>
|
||||
-->
|
||||
|
||||
<!-- These users can elect to receive all packets that pass through the router -->
|
||||
<!--
|
||||
<acl type='log'>
|
||||
<user>msglog</user>
|
||||
</acl>
|
||||
-->
|
||||
|
||||
<!-- File containing packet filter rules.
|
||||
May be used for fine grained packet routing control. -->
|
||||
<filter>/etc/jabber/router-filter.xml</filter>
|
||||
|
||||
</aci>
|
||||
|
||||
<!-- Simple message logging to flat file
|
||||
Remove <enabled/> tag to disable logging -->
|
||||
<!--
|
||||
<message_logging>
|
||||
<enabled/>
|
||||
<file>filename</file>
|
||||
</message_logging>
|
||||
-->
|
||||
|
||||
</router>
|
||||
<!--
|
||||
vim: syntax=xml
|
||||
-->
|
323
jabber/s2s.xml
Normal file
323
jabber/s2s.xml
Normal file
@ -0,0 +1,323 @@
|
||||
<!-- s2s configuration -->
|
||||
<s2s>
|
||||
<!-- Our ID on the network (default: s2s) -->
|
||||
<id>s2s</id>
|
||||
|
||||
<!-- The process ID file. Comment this out if you don't need to know
|
||||
the process ID from outside the process (eg for control scripts) -->
|
||||
<pidfile>/var/run/jabber/jabberd2-s2s.pid</pidfile>
|
||||
|
||||
<!-- Router connection configuration -->
|
||||
<router>
|
||||
<!-- IP/port the router is waiting for connections on -->
|
||||
<ip>127.0.0.1</ip> <!-- default: 127.0.0.1 -->
|
||||
<port>5347</port> <!-- default: 5347 -->
|
||||
|
||||
<!-- Username/password to authenticate as -->
|
||||
<user>jabberd</user> <!-- default: jabberd -->
|
||||
<pass>secret</pass> <!-- default: secret -->
|
||||
|
||||
<!-- The router will only allow one component to be the default
|
||||
route (ie the component that receives packets destined for
|
||||
unknown hosts). If you want to run more than one s2s instance,
|
||||
you need to uncomment this so that s2s does not try to become
|
||||
the default route. Note that all outgoing s2s communication
|
||||
will go to the component that is the default route. -->
|
||||
<!--
|
||||
<non-default/>
|
||||
-->
|
||||
|
||||
<!-- File containing an SSL certificate and private key to use when
|
||||
setting up an encrypted channel with the router. From
|
||||
SSL_CTX_use_certificate_chain_file(3): "The certificates must be
|
||||
in PEM format and must be sorted starting with the subject's
|
||||
certificate (actual client or server certificate), followed
|
||||
by intermediate CA certificates if applicable, and ending
|
||||
at the highest level (root) CA" (the latter one being optional).
|
||||
If this is commented out, or the file can't be read, no attempt
|
||||
will be made to establish an encrypted channel with the router. -->
|
||||
<!--
|
||||
<pemfile>/etc/jabber/server.pem</pemfile>
|
||||
-->
|
||||
|
||||
<!-- Router connection retry -->
|
||||
<retry>
|
||||
<!-- If the connection to the router can't be established at
|
||||
startup, we should try again this many times before exiting.
|
||||
Use -1 to retry indefinitely. [default: 3] -->
|
||||
<init>3</init>
|
||||
|
||||
<!-- If we lost the connection to the router during normal
|
||||
operation (ie we've successfully connected to the router in
|
||||
the past), we should try to reconnect this many times before
|
||||
exiting. Use -1 to retry indefinitely. [default: 3] -->
|
||||
<lost>3</lost>
|
||||
|
||||
<!-- Sleep for this many seconds before trying attempting a
|
||||
reconnect. [default: 2] -->
|
||||
<sleep>2</sleep>
|
||||
</retry>
|
||||
</router>
|
||||
|
||||
<!-- Log configuration - type is "syslog", "file" or "stdout" -->
|
||||
<log type='syslog'>
|
||||
<!-- If logging to syslog, this is the log ident -->
|
||||
<ident>jabberd/s2s</ident>
|
||||
|
||||
<!-- If logging to syslog, this is the log facility
|
||||
(local0 - local7) [default: local3] -->
|
||||
<facility>local3</facility>
|
||||
|
||||
<!-- if logging to file, this is the filename of the logfile -->
|
||||
<!--
|
||||
<file>/var/log/jabber/s2s.log</file>
|
||||
-->
|
||||
|
||||
<!-- Filename of the debug logfile -->
|
||||
<!--
|
||||
<debug>/var/log/jabber/debug-${id}.log</debug>
|
||||
-->
|
||||
</log>
|
||||
|
||||
<!-- Local network configuration -->
|
||||
<local>
|
||||
<!-- IP and port to listen for incoming s2s connections on
|
||||
(default: 0.0.0.0, 5269) -->
|
||||
<ip>0.0.0.0</ip>
|
||||
<port>5269</port>
|
||||
|
||||
<!-- Multihomed machines (with more than one interface and IP address)
|
||||
need to specify outgoing S2S connections interface/address.
|
||||
If not set, the <ip> section address above is used. -->
|
||||
<!--
|
||||
<origins>
|
||||
<ip>1.2.3.4</ip>
|
||||
<ip>fe80::202:b3ff:fe1e:8329</ip>
|
||||
</origins>
|
||||
-->
|
||||
|
||||
<!-- Secret used to generate dialback keys. If you have more than
|
||||
one s2s instance configured, make sure that this is the same on
|
||||
all of them. If this is commented out, a random one will be
|
||||
generated. -->
|
||||
<!--
|
||||
<secret>secret</secret>
|
||||
-->
|
||||
|
||||
<!-- File containing an SSL certificate and private key to use when setting
|
||||
up encrypted s2s connections with other servers (STARTTLS + Dialback).
|
||||
From SSL_CTX_use_certificate_chain_file(3): "The certificates must be
|
||||
in PEM format and must be sorted starting with the subject's
|
||||
certificate (actual client or server certificate), followed
|
||||
by intermediate CA certificates if applicable, and ending
|
||||
at the highest level (root) CA" (the latter one being optional).
|
||||
If this is commented out, or the file can't be read, no attempt will be
|
||||
made to establish encrypted connections with other servers. -->
|
||||
<!--
|
||||
<pemfile>/etc/jabber/server.pem</pemfile>
|
||||
-->
|
||||
|
||||
<!-- SSL verify mode - see SSL_CTX_set_verify(3), mode parameter -->
|
||||
<!--
|
||||
<verify-mode>7</verify-mode>
|
||||
-->
|
||||
|
||||
<!-- File containing an optional SSL certificate chain file for SSL
|
||||
connections. -->
|
||||
<!--
|
||||
<cachain>/etc/jabber/cachain.pem</cachain>
|
||||
-->
|
||||
|
||||
</local>
|
||||
|
||||
<!-- input/output settings -->
|
||||
<io>
|
||||
<!-- Maximum number of file descriptors. Note that the number of
|
||||
possible connections will be slightly less than this, because
|
||||
s2s itself can use some on its own. If the supply of file
|
||||
descriptors is exhausted, new incoming connections will be
|
||||
denied.
|
||||
|
||||
These connections are mainly consumed when we make a
|
||||
connection to an external jabber server, or an external jabber
|
||||
server connects to us. If you don't have a lot of users then
|
||||
there's probably no need for s2s to establish connections to
|
||||
external jabber servers and the default value here is probably
|
||||
fine. On the other hand, if you have lots of users with lots
|
||||
of remote buddies in their buddylist then s2s will need to have
|
||||
lots of open connections with other jabber servers and you may
|
||||
need to increase this value.
|
||||
|
||||
Note that this value only affects how many file descriptors
|
||||
jabberd is able to handle internally. You may also need to
|
||||
tell your operating system to allow jabberd to use more file
|
||||
descriptors. On Linux this can be done using ulimit -n or by
|
||||
changing the value of /proc/sys/fd/file-max.
|
||||
|
||||
(default: 1024) -->
|
||||
<max_fds>1024</max_fds>
|
||||
|
||||
<!-- Rate limiting -->
|
||||
<limits>
|
||||
<!-- Maximum stanza size - if more than given number of bytes
|
||||
are read in one incoming stanza, the stream is closed
|
||||
with policy-violation error.
|
||||
|
||||
Set to 0 to disable.
|
||||
Values less than 16384 might not work. -->
|
||||
<stanzasize>65535</stanzasize>
|
||||
</limits>
|
||||
|
||||
<!-- Enable XEP-0138: Stream Compression -->
|
||||
<!--
|
||||
<compression/>
|
||||
-->
|
||||
|
||||
</io>
|
||||
|
||||
<!-- Timed checks -->
|
||||
<check>
|
||||
<!-- Interval between checks.
|
||||
|
||||
Checks will be run every n seconds.
|
||||
|
||||
0 disables all checks except DNS expiry. (default: 60) -->
|
||||
<interval>60</interval>
|
||||
|
||||
<!-- Queue expiry and connection timeout.
|
||||
|
||||
While a connection is being established and dialback is in
|
||||
progress, packets are queued. If a valid connection has not
|
||||
been established within this many seconds, the connection
|
||||
process will be aborted and the queued packets will be
|
||||
bounced. Timeout checks are made for three phases of
|
||||
setting up a route authenticated through dialback:
|
||||
1. Connection establishment to exchange of stream headers
|
||||
2. Initiating dialback (incoming connections)
|
||||
3. Completing dialback (incoming and outgoing)
|
||||
|
||||
If stage 1 connection establishment fails and there are
|
||||
alternative hosts for this route that have not failed
|
||||
recently, they will be tried too before finally giving up.
|
||||
|
||||
0 disables queue expiry. (default: 60) -->
|
||||
<queue>60</queue>
|
||||
|
||||
<!-- Queue retry timeout.
|
||||
|
||||
If the queue is older than this timeout, the connection
|
||||
will not be retried even if there are alternative hosts
|
||||
that have not failed recently.
|
||||
|
||||
0 disables retry expiry. (default: 300) -->
|
||||
<retry>300</retry>
|
||||
|
||||
<!-- Idle connection checks.
|
||||
|
||||
Connections that have not sent data for longer than this many
|
||||
seconds will be dropped.
|
||||
|
||||
0 disables idle timeouts. (default: 86400) -->
|
||||
<idle>86400</idle>
|
||||
|
||||
<!-- Keepalives.
|
||||
|
||||
Outgoing connections that have not been used for longer than
|
||||
this many seconds will have a single whitespace character sent
|
||||
to them. This will force the TCP connection to be closed if
|
||||
they have disconnected without us knowing about it.
|
||||
|
||||
0 disables keepalives. (default: 0) -->
|
||||
<keepalive>0</keepalive>
|
||||
|
||||
<!-- Interval between DNS result/bad host expiry.
|
||||
|
||||
0 disables expiry checks. (default: 300) -->
|
||||
<dnscache>300</dnscache>
|
||||
</check>
|
||||
|
||||
<!-- Statistics -->
|
||||
<stats>
|
||||
<!-- file containing count of packets that went through -->
|
||||
<!--
|
||||
<packet>/var/spool/jabber/stats/s2s.packets</packet>
|
||||
-->
|
||||
</stats>
|
||||
|
||||
<lookup>
|
||||
<!-- SRV TCP services will be resolved in the following order. The first
|
||||
one that returns something will be used (ie dereferenced via an
|
||||
A/AAAA lookup). If no SRV records are found, resolver will
|
||||
fallback to a straight A/AAAA lookup. -->
|
||||
|
||||
<!-- xmpp-server is mandated by the XMPP spec -->
|
||||
<srv>xmpp-server</srv>
|
||||
|
||||
<!-- traditionally, jabber has been used -->
|
||||
<srv>jabber</srv>
|
||||
|
||||
|
||||
<!-- If this is enabled, the resolver will look up AAAA records as well
|
||||
as A records. This is needed if you want s2s to use IPv6.
|
||||
Connection attempts will be made to all IPv6 hosts before trying
|
||||
IPv4 (see bad host timeout below). -->
|
||||
<!--
|
||||
<resolve-ipv6/>
|
||||
-->
|
||||
|
||||
<!-- Minimum time that DNS lookup results are cached (overrides max below). -->
|
||||
<min-ttl>30</min-ttl>
|
||||
|
||||
<!-- Maximum time that DNS lookup results are cached. -->
|
||||
<max-ttl>86400</max-ttl>
|
||||
|
||||
<!-- Time /etc/hosts lookup results are cached for (default: 86400). -->
|
||||
<etc-hosts-ttl>86400</etc-hosts-ttl>
|
||||
|
||||
<!-- Minimum time to wait before using hosts that we have failed to
|
||||
establish a connection to (unless there are no alternatives).
|
||||
Do not set this too low - it is required to detect permanent
|
||||
problems like broken IPv6 connectivity in order to attempt IPv4.
|
||||
|
||||
0 disables bad host caching. (default: 3600) -->
|
||||
<bad-host-timeout>3600</bad-host-timeout>
|
||||
|
||||
<!-- Disable the DNS cache (negative caching will still be done).
|
||||
This is likely to negatively impact performance while saving
|
||||
a small amount of memory since multiple DNS requests must
|
||||
then be made for every re-connection. -->
|
||||
<!--
|
||||
<no-cache/>
|
||||
-->
|
||||
</lookup>
|
||||
|
||||
<!-- If this is enabled, domains which share the same host will re-use
|
||||
existing outgoing connections. This is a potential security risk
|
||||
as the SSL connection from the first domain will be re-used too. -->
|
||||
<out-conn-reuse/>
|
||||
|
||||
<security>
|
||||
<!-- Require TLS secured S2S connections -->
|
||||
<!--
|
||||
<require_tls/>
|
||||
-->
|
||||
|
||||
<!--
|
||||
Domain whitelisting
|
||||
-->
|
||||
<!--
|
||||
<enable_whitelist/>
|
||||
-->
|
||||
|
||||
<!-- Domain whitelisting
|
||||
When defined, only whitelisted domains are allowed to connect -->
|
||||
<!--
|
||||
<whitelist_domain>domain1.tld</whitelist_domain>
|
||||
<whitelist_domain>domain2.tld</whitelist_domain>
|
||||
<whitelist_domain>other.tld</whitelist_domain>
|
||||
-->
|
||||
</security>
|
||||
</s2s>
|
||||
<!--
|
||||
vim: syntax=xml
|
||||
-->
|
323
jabber/s2s.xml.dist
Normal file
323
jabber/s2s.xml.dist
Normal file
@ -0,0 +1,323 @@
|
||||
<!-- s2s configuration -->
|
||||
<s2s>
|
||||
<!-- Our ID on the network (default: s2s) -->
|
||||
<id>s2s</id>
|
||||
|
||||
<!-- The process ID file. Comment this out if you don't need to know
|
||||
the process ID from outside the process (eg for control scripts) -->
|
||||
<pidfile>/var/run/jabber/jabberd2-s2s.pid</pidfile>
|
||||
|
||||
<!-- Router connection configuration -->
|
||||
<router>
|
||||
<!-- IP/port the router is waiting for connections on -->
|
||||
<ip>127.0.0.1</ip> <!-- default: 127.0.0.1 -->
|
||||
<port>5347</port> <!-- default: 5347 -->
|
||||
|
||||
<!-- Username/password to authenticate as -->
|
||||
<user>jabberd</user> <!-- default: jabberd -->
|
||||
<pass>secret</pass> <!-- default: secret -->
|
||||
|
||||
<!-- The router will only allow one component to be the default
|
||||
route (ie the component that receives packets destined for
|
||||
unknown hosts). If you want to run more than one s2s instance,
|
||||
you need to uncomment this so that s2s does not try to become
|
||||
the default route. Note that all outgoing s2s communication
|
||||
will go to the component that is the default route. -->
|
||||
<!--
|
||||
<non-default/>
|
||||
-->
|
||||
|
||||
<!-- File containing an SSL certificate and private key to use when
|
||||
setting up an encrypted channel with the router. From
|
||||
SSL_CTX_use_certificate_chain_file(3): "The certificates must be
|
||||
in PEM format and must be sorted starting with the subject's
|
||||
certificate (actual client or server certificate), followed
|
||||
by intermediate CA certificates if applicable, and ending
|
||||
at the highest level (root) CA" (the latter one being optional).
|
||||
If this is commented out, or the file can't be read, no attempt
|
||||
will be made to establish an encrypted channel with the router. -->
|
||||
<!--
|
||||
<pemfile>/etc/jabber/server.pem</pemfile>
|
||||
-->
|
||||
|
||||
<!-- Router connection retry -->
|
||||
<retry>
|
||||
<!-- If the connection to the router can't be established at
|
||||
startup, we should try again this many times before exiting.
|
||||
Use -1 to retry indefinitely. [default: 3] -->
|
||||
<init>3</init>
|
||||
|
||||
<!-- If we lost the connection to the router during normal
|
||||
operation (ie we've successfully connected to the router in
|
||||
the past), we should try to reconnect this many times before
|
||||
exiting. Use -1 to retry indefinitely. [default: 3] -->
|
||||
<lost>3</lost>
|
||||
|
||||
<!-- Sleep for this many seconds before trying attempting a
|
||||
reconnect. [default: 2] -->
|
||||
<sleep>2</sleep>
|
||||
</retry>
|
||||
</router>
|
||||
|
||||
<!-- Log configuration - type is "syslog", "file" or "stdout" -->
|
||||
<log type='syslog'>
|
||||
<!-- If logging to syslog, this is the log ident -->
|
||||
<ident>jabberd/s2s</ident>
|
||||
|
||||
<!-- If logging to syslog, this is the log facility
|
||||
(local0 - local7) [default: local3] -->
|
||||
<facility>local3</facility>
|
||||
|
||||
<!-- if logging to file, this is the filename of the logfile -->
|
||||
<!--
|
||||
<file>/var/log/jabber/s2s.log</file>
|
||||
-->
|
||||
|
||||
<!-- Filename of the debug logfile -->
|
||||
<!--
|
||||
<debug>/var/log/jabber/debug-${id}.log</debug>
|
||||
-->
|
||||
</log>
|
||||
|
||||
<!-- Local network configuration -->
|
||||
<local>
|
||||
<!-- IP and port to listen for incoming s2s connections on
|
||||
(default: 0.0.0.0, 5269) -->
|
||||
<ip>0.0.0.0</ip>
|
||||
<port>5269</port>
|
||||
|
||||
<!-- Multihomed machines (with more than one interface and IP address)
|
||||
need to specify outgoing S2S connections interface/address.
|
||||
If not set, the <ip> section address above is used. -->
|
||||
<!--
|
||||
<origins>
|
||||
<ip>1.2.3.4</ip>
|
||||
<ip>fe80::202:b3ff:fe1e:8329</ip>
|
||||
</origins>
|
||||
-->
|
||||
|
||||
<!-- Secret used to generate dialback keys. If you have more than
|
||||
one s2s instance configured, make sure that this is the same on
|
||||
all of them. If this is commented out, a random one will be
|
||||
generated. -->
|
||||
<!--
|
||||
<secret>secret</secret>
|
||||
-->
|
||||
|
||||
<!-- File containing an SSL certificate and private key to use when setting
|
||||
up encrypted s2s connections with other servers (STARTTLS + Dialback).
|
||||
From SSL_CTX_use_certificate_chain_file(3): "The certificates must be
|
||||
in PEM format and must be sorted starting with the subject's
|
||||
certificate (actual client or server certificate), followed
|
||||
by intermediate CA certificates if applicable, and ending
|
||||
at the highest level (root) CA" (the latter one being optional).
|
||||
If this is commented out, or the file can't be read, no attempt will be
|
||||
made to establish encrypted connections with other servers. -->
|
||||
<!--
|
||||
<pemfile>/etc/jabber/server.pem</pemfile>
|
||||
-->
|
||||
|
||||
<!-- SSL verify mode - see SSL_CTX_set_verify(3), mode parameter -->
|
||||
<!--
|
||||
<verify-mode>7</verify-mode>
|
||||
-->
|
||||
|
||||
<!-- File containing an optional SSL certificate chain file for SSL
|
||||
connections. -->
|
||||
<!--
|
||||
<cachain>/etc/jabber/cachain.pem</cachain>
|
||||
-->
|
||||
|
||||
</local>
|
||||
|
||||
<!-- input/output settings -->
|
||||
<io>
|
||||
<!-- Maximum number of file descriptors. Note that the number of
|
||||
possible connections will be slightly less than this, because
|
||||
s2s itself can use some on its own. If the supply of file
|
||||
descriptors is exhausted, new incoming connections will be
|
||||
denied.
|
||||
|
||||
These connections are mainly consumed when we make a
|
||||
connection to an external jabber server, or an external jabber
|
||||
server connects to us. If you don't have a lot of users then
|
||||
there's probably no need for s2s to establish connections to
|
||||
external jabber servers and the default value here is probably
|
||||
fine. On the other hand, if you have lots of users with lots
|
||||
of remote buddies in their buddylist then s2s will need to have
|
||||
lots of open connections with other jabber servers and you may
|
||||
need to increase this value.
|
||||
|
||||
Note that this value only affects how many file descriptors
|
||||
jabberd is able to handle internally. You may also need to
|
||||
tell your operating system to allow jabberd to use more file
|
||||
descriptors. On Linux this can be done using ulimit -n or by
|
||||
changing the value of /proc/sys/fd/file-max.
|
||||
|
||||
(default: 1024) -->
|
||||
<max_fds>1024</max_fds>
|
||||
|
||||
<!-- Rate limiting -->
|
||||
<limits>
|
||||
<!-- Maximum stanza size - if more than given number of bytes
|
||||
are read in one incoming stanza, the stream is closed
|
||||
with policy-violation error.
|
||||
|
||||
Set to 0 to disable.
|
||||
Values less than 16384 might not work. -->
|
||||
<stanzasize>65535</stanzasize>
|
||||
</limits>
|
||||
|
||||
<!-- Enable XEP-0138: Stream Compression -->
|
||||
<!--
|
||||
<compression/>
|
||||
-->
|
||||
|
||||
</io>
|
||||
|
||||
<!-- Timed checks -->
|
||||
<check>
|
||||
<!-- Interval between checks.
|
||||
|
||||
Checks will be run every n seconds.
|
||||
|
||||
0 disables all checks except DNS expiry. (default: 60) -->
|
||||
<interval>60</interval>
|
||||
|
||||
<!-- Queue expiry and connection timeout.
|
||||
|
||||
While a connection is being established and dialback is in
|
||||
progress, packets are queued. If a valid connection has not
|
||||
been established within this many seconds, the connection
|
||||
process will be aborted and the queued packets will be
|
||||
bounced. Timeout checks are made for three phases of
|
||||
setting up a route authenticated through dialback:
|
||||
1. Connection establishment to exchange of stream headers
|
||||
2. Initiating dialback (incoming connections)
|
||||
3. Completing dialback (incoming and outgoing)
|
||||
|
||||
If stage 1 connection establishment fails and there are
|
||||
alternative hosts for this route that have not failed
|
||||
recently, they will be tried too before finally giving up.
|
||||
|
||||
0 disables queue expiry. (default: 60) -->
|
||||
<queue>60</queue>
|
||||
|
||||
<!-- Queue retry timeout.
|
||||
|
||||
If the queue is older than this timeout, the connection
|
||||
will not be retried even if there are alternative hosts
|
||||
that have not failed recently.
|
||||
|
||||
0 disables retry expiry. (default: 300) -->
|
||||
<retry>300</retry>
|
||||
|
||||
<!-- Idle connection checks.
|
||||
|
||||
Connections that have not sent data for longer than this many
|
||||
seconds will be dropped.
|
||||
|
||||
0 disables idle timeouts. (default: 86400) -->
|
||||
<idle>86400</idle>
|
||||
|
||||
<!-- Keepalives.
|
||||
|
||||
Outgoing connections that have not been used for longer than
|
||||
this many seconds will have a single whitespace character sent
|
||||
to them. This will force the TCP connection to be closed if
|
||||
they have disconnected without us knowing about it.
|
||||
|
||||
0 disables keepalives. (default: 0) -->
|
||||
<keepalive>0</keepalive>
|
||||
|
||||
<!-- Interval between DNS result/bad host expiry.
|
||||
|
||||
0 disables expiry checks. (default: 300) -->
|
||||
<dnscache>300</dnscache>
|
||||
</check>
|
||||
|
||||
<!-- Statistics -->
|
||||
<stats>
|
||||
<!-- file containing count of packets that went through -->
|
||||
<!--
|
||||
<packet>/var/spool/jabber/stats/s2s.packets</packet>
|
||||
-->
|
||||
</stats>
|
||||
|
||||
<lookup>
|
||||
<!-- SRV TCP services will be resolved in the following order. The first
|
||||
one that returns something will be used (ie dereferenced via an
|
||||
A/AAAA lookup). If no SRV records are found, resolver will
|
||||
fallback to a straight A/AAAA lookup. -->
|
||||
|
||||
<!-- xmpp-server is mandated by the XMPP spec -->
|
||||
<srv>xmpp-server</srv>
|
||||
|
||||
<!-- traditionally, jabber has been used -->
|
||||
<srv>jabber</srv>
|
||||
|
||||
|
||||
<!-- If this is enabled, the resolver will look up AAAA records as well
|
||||
as A records. This is needed if you want s2s to use IPv6.
|
||||
Connection attempts will be made to all IPv6 hosts before trying
|
||||
IPv4 (see bad host timeout below). -->
|
||||
<!--
|
||||
<resolve-ipv6/>
|
||||
-->
|
||||
|
||||
<!-- Minimum time that DNS lookup results are cached (overrides max below). -->
|
||||
<min-ttl>30</min-ttl>
|
||||
|
||||
<!-- Maximum time that DNS lookup results are cached. -->
|
||||
<max-ttl>86400</max-ttl>
|
||||
|
||||
<!-- Time /etc/hosts lookup results are cached for (default: 86400). -->
|
||||
<etc-hosts-ttl>86400</etc-hosts-ttl>
|
||||
|
||||
<!-- Minimum time to wait before using hosts that we have failed to
|
||||
establish a connection to (unless there are no alternatives).
|
||||
Do not set this too low - it is required to detect permanent
|
||||
problems like broken IPv6 connectivity in order to attempt IPv4.
|
||||
|
||||
0 disables bad host caching. (default: 3600) -->
|
||||
<bad-host-timeout>3600</bad-host-timeout>
|
||||
|
||||
<!-- Disable the DNS cache (negative caching will still be done).
|
||||
This is likely to negatively impact performance while saving
|
||||
a small amount of memory since multiple DNS requests must
|
||||
then be made for every re-connection. -->
|
||||
<!--
|
||||
<no-cache/>
|
||||
-->
|
||||
</lookup>
|
||||
|
||||
<!-- If this is enabled, domains which share the same host will re-use
|
||||
existing outgoing connections. This is a potential security risk
|
||||
as the SSL connection from the first domain will be re-used too. -->
|
||||
<out-conn-reuse/>
|
||||
|
||||
<security>
|
||||
<!-- Require TLS secured S2S connections -->
|
||||
<!--
|
||||
<require_tls/>
|
||||
-->
|
||||
|
||||
<!--
|
||||
Domain whitelisting
|
||||
-->
|
||||
<!--
|
||||
<enable_whitelist/>
|
||||
-->
|
||||
|
||||
<!-- Domain whitelisting
|
||||
When defined, only whitelisted domains are allowed to connect -->
|
||||
<!--
|
||||
<whitelist_domain>domain1.tld</whitelist_domain>
|
||||
<whitelist_domain>domain2.tld</whitelist_domain>
|
||||
<whitelist_domain>other.tld</whitelist_domain>
|
||||
-->
|
||||
</security>
|
||||
</s2s>
|
||||
<!--
|
||||
vim: syntax=xml
|
||||
-->
|
811
jabber/sm.xml
Normal file
811
jabber/sm.xml
Normal file
@ -0,0 +1,811 @@
|
||||
<!-- Session manager configuration -->
|
||||
<sm>
|
||||
<!-- Our ID on the network (default: sm) -->
|
||||
<id>sm</id>
|
||||
|
||||
<!-- The process ID file. Comment this out if you don't need to know
|
||||
the process ID from outside the process (eg for control scripts) -->
|
||||
<pidfile>/var/run/jabber/jabberd2-sm.pid</pidfile>
|
||||
|
||||
<!-- Router connection configuration -->
|
||||
<router>
|
||||
<!-- IP/port the router is waiting for connections on -->
|
||||
<ip>127.0.0.1</ip> <!-- default: 127.0.0.1 -->
|
||||
<port>5347</port> <!-- default: 5347 -->
|
||||
|
||||
<!-- Username/password to authenticate as -->
|
||||
<user>jabberd</user> <!-- default: jabberd -->
|
||||
<pass>secret</pass> <!-- default: secret -->
|
||||
|
||||
<!-- File containing an SSL certificate and private key to use when
|
||||
setting up an encrypted channel with the router. From
|
||||
SSL_CTX_use_certificate_chain_file(3): "The certificates must be
|
||||
in PEM format and must be sorted starting with the subject's
|
||||
certificate (actual client or server certificate), followed
|
||||
by intermediate CA certificates if applicable, and ending
|
||||
at the highest level (root) CA" (the latter one being optional).
|
||||
If this is commented out, or the file can't be read, no attempt
|
||||
will be made to establish an encrypted channel with the router. -->
|
||||
<!--
|
||||
<pemfile>/etc/jabber/server.pem</pemfile>
|
||||
-->
|
||||
|
||||
<!-- Router connection retry -->
|
||||
<retry>
|
||||
<!-- If the connection to the router can't be established at
|
||||
startup, we should try again this many times before exiting.
|
||||
Use -1 to retry indefinitely. [default: 3] -->
|
||||
<init>3</init>
|
||||
|
||||
<!-- If we lost the connection to the router during normal
|
||||
operation (ie we've successfully connected to the router in
|
||||
the past), we should try to reconnect this many times before
|
||||
exiting. Use -1 to retry indefinitely. [default: 3] -->
|
||||
<lost>3</lost>
|
||||
|
||||
<!-- Sleep for this many seconds before trying attempting a
|
||||
reconnect. [default: 2] -->
|
||||
<sleep>2</sleep>
|
||||
</retry>
|
||||
</router>
|
||||
|
||||
<!-- Log configuration - type is "syslog", "file" or "stdout" -->
|
||||
<log type='syslog'>
|
||||
<!-- If logging to syslog, this is the log ident -->
|
||||
<ident>jabberd/sm</ident>
|
||||
|
||||
<!-- If logging to syslog, this is the log facility
|
||||
(local0 - local7) [default: local3] -->
|
||||
<facility>local3</facility>
|
||||
|
||||
<!-- If logging to file, this is the filename of the logfile -->
|
||||
<!--
|
||||
<file>/var/log/jabber/sm.log</file>
|
||||
-->
|
||||
|
||||
<!-- Filename of the debug logfile -->
|
||||
<!--
|
||||
<debug>/var/log/jabber/debug-${id}.log</debug>
|
||||
-->
|
||||
</log>
|
||||
|
||||
<!-- Local network configuration -->
|
||||
<local>
|
||||
<!-- Who we identify ourselves as.
|
||||
Users will have this as the domain part of their JID.
|
||||
If you want your server to be accessible from other
|
||||
Jabber servers, this IDs must be FQDN resolvable by DNSes.
|
||||
If not set, the SM id is used. -->
|
||||
<id>localhost.localdomain</id>
|
||||
<!--
|
||||
<id>vhost1.localdomain</id>
|
||||
<id>vhost2.localdomain</id>
|
||||
-->
|
||||
|
||||
</local>
|
||||
|
||||
<!-- Storage database configuration -->
|
||||
<storage>
|
||||
<!-- Dynamic storage modules path -->
|
||||
<path>/usr/lib64/jabberd</path>
|
||||
|
||||
<!-- By default, we use the SQLite driver for all storage -->
|
||||
<driver>db</driver>
|
||||
|
||||
<!-- Its also possible to explicitly list alternate drivers for
|
||||
specific data types. -->
|
||||
|
||||
<!-- Store vcards in a ldapvcard database instead -->
|
||||
<!--
|
||||
<driver type='vcard'>ldapvcard</driver>
|
||||
-->
|
||||
|
||||
<!-- Only ldapvcard driver implements published-roster: -->
|
||||
<!--
|
||||
<driver type='published-roster'>ldapvcard</driver>
|
||||
-->
|
||||
|
||||
<!-- Use ldapvcard driver for published-roster-groups.
|
||||
See description in section sm/user/template/mapped-groups.
|
||||
Used by mod_published_roster.
|
||||
See ldapvcard section for options.
|
||||
When resolving group id to group name, it searches for
|
||||
groupsobjectclass objects at groupsdn base using group id
|
||||
(in groupsidattr) as key and returns the first value of
|
||||
groupattr of first found entry.
|
||||
E.g.. in general case, if group id is "some-dep", and groupsdn
|
||||
is o=org, and class is jabberGroup, it searches for
|
||||
(&(objectClass=jabberGroup)(cn=some-dep)) and returns value of
|
||||
jabberPublishedItem attribute, which may contain textual description.
|
||||
-->
|
||||
<!--
|
||||
<driver type='published-roster-groups'>ldapvcard</driver>
|
||||
-->
|
||||
|
||||
<!-- Rate limiting -->
|
||||
<limits>
|
||||
<!-- Maximum queries per second - if more than X queries are sent in Y
|
||||
seconds, connection is throttled for Z seconds. The format
|
||||
is:
|
||||
|
||||
<queries seconds='Y' throttle='Z'>X</bytes>
|
||||
|
||||
Default Y is 5, default Z is 60. set X to 0 to disable. -->
|
||||
<!--
|
||||
<queries>3</queries>
|
||||
-->
|
||||
</limits>
|
||||
|
||||
<!-- SQLite driver configuration -->
|
||||
<sqlite>
|
||||
<!-- Database name -->
|
||||
<dbname>/var/spool/jabber/db/sqlite.db</dbname>
|
||||
|
||||
<!-- Transaction support. If this is commented out, transactions
|
||||
will be disabled. This might make database accesses faster,
|
||||
but data may be lost if jabberd crashes. -->
|
||||
<transactions/>
|
||||
|
||||
<!-- SQLite busy-timeout in milliseconds. -->
|
||||
<busy-timeout>2000</busy-timeout>
|
||||
</sqlite>
|
||||
|
||||
<!-- MySQL driver configuration -->
|
||||
<mysql>
|
||||
<!-- Database server host and port -->
|
||||
<host>localhost</host>
|
||||
<port>3306</port>
|
||||
|
||||
<!-- Database name -->
|
||||
<dbname>jabberd2</dbname>
|
||||
|
||||
<!-- Database username and password -->
|
||||
<user>jabberd2</user>
|
||||
<pass>secret</pass>
|
||||
|
||||
<!-- Transaction support. If this is commented out, transactions
|
||||
will be disabled. This might make database accesses faster,
|
||||
but data may be lost if jabberd crashes.
|
||||
|
||||
This will need to be disabled if you are using a MySQL
|
||||
earlier than v3.23.xx, as transaction support did not appear
|
||||
until this version. -->
|
||||
<transactions/>
|
||||
</mysql>
|
||||
|
||||
<!-- PostgreSQL driver configuration -->
|
||||
<pgsql>
|
||||
<!-- PostgreSQL connection info.
|
||||
For the rest of the options see
|
||||
http://www.postgresql.org/docs/8.0/interactive/libpq.html -->
|
||||
<conninfo>dbname=jabberd2 user=jabberd2 password=secret</conninfo>
|
||||
|
||||
<!-- Alternatively you may set connection settings separately.
|
||||
These are used only in absence of 'conninfo' -->
|
||||
|
||||
<!-- Database server host and port -->
|
||||
<host>localhost</host>
|
||||
<port>5432</port>
|
||||
|
||||
<!-- Database name -->
|
||||
<dbname>jabberd2</dbname>
|
||||
|
||||
<!-- Database schema -->
|
||||
<schema>public</schema>
|
||||
|
||||
<!-- Database username and password -->
|
||||
<user>jabberd2</user>
|
||||
<pass>secret</pass>
|
||||
|
||||
<!-- Transaction support. If this is commented out, transactions
|
||||
will be disabled. This might make database accesses faster,
|
||||
but data may be lost if jabberd crashes. -->
|
||||
<transactions/>
|
||||
</pgsql>
|
||||
|
||||
<!-- Berkeley DB driver configuration. This does not support roster
|
||||
maxitems or offline userquota (because the mod_roster
|
||||
implementation does not implement the 'count' callback). -->
|
||||
<db>
|
||||
<!-- Directory to store database files under -->
|
||||
<path>/var/spool/jabber/db</path>
|
||||
|
||||
<!-- Synchronize the database to disk after each write. If you
|
||||
disable this, database accesses may be faster, but data may
|
||||
be lost if jabberd crashes. -->
|
||||
<sync/>
|
||||
</db>
|
||||
|
||||
<!-- Oracle driver configuration -->
|
||||
<oracle>
|
||||
<!-- Database server host and port. -->
|
||||
<host>localhost</host>
|
||||
<port>1521</port>
|
||||
|
||||
<!-- Database name -->
|
||||
<dbname>jabberd2</dbname>
|
||||
|
||||
<!-- Database username and password -->
|
||||
<user>jabberd2</user>
|
||||
<pass>secret</pass>
|
||||
</oracle>
|
||||
|
||||
<!-- Filesystem driver configuration -->
|
||||
<fs>
|
||||
<!-- Directory to store database files under. -->
|
||||
<path>/var/spool/jabber/fs</path>
|
||||
</fs>
|
||||
|
||||
<!-- LDAPVCARD driver configuration -->
|
||||
<ldapvcard>
|
||||
<!-- LDAP server host and port (default: 389) -->
|
||||
<uri>ldap://localhost/ ldaps://ldap.example.com/</uri>
|
||||
|
||||
<!-- DN to bind as for searches. If unspecified, the searches
|
||||
will be done anonymously. -->
|
||||
<!--
|
||||
<binddn>cn=Directory Manager</binddn>
|
||||
<bindpw>secret</bindpw>
|
||||
-->
|
||||
|
||||
<!-- see authreg.ldapfull in c2s.xml for description. -->
|
||||
<!--
|
||||
<type>ad</type>
|
||||
-->
|
||||
|
||||
<!-- LDAP attribute that holds the user ID (default: uid) -->
|
||||
<uidattr>uid</uidattr>
|
||||
<objectclass>posixAccount</objectclass>
|
||||
<pwattr>userPassword</pwattr>
|
||||
<!-- if you use included jabberd.schema use this:
|
||||
<uidattr>jid</uidattr>
|
||||
<objectclass>jabberUser</objectclass>
|
||||
<pwattr>jabberPassword</pwattr>
|
||||
-->
|
||||
|
||||
<!-- Realm to append to uidattr. -->
|
||||
<!--
|
||||
<realm>example.org</realm>
|
||||
-->
|
||||
|
||||
<!-- see authreg.ldapfull in c2s.xml for description. -->
|
||||
<!--
|
||||
<validattr>valid</validattr>
|
||||
-->
|
||||
|
||||
<!-- base DN of the tree. You should specify a DN for each
|
||||
authentication realm declared in the <local/> section above,
|
||||
by using the realm attribute. -->
|
||||
<basedn>o=Example Corp.</basedn>
|
||||
|
||||
<!-- attribute that holds published group name or id,
|
||||
jabberPublishedGroup if not set -->
|
||||
<!--
|
||||
<groupattr>jabberPublishedGroup</groupattr>
|
||||
-->
|
||||
|
||||
<!-- this option is helpful if your schema does not have designated
|
||||
attribute that holds jabber group name
|
||||
you can use any attribute in <groupattr> i.e. 'distinguishedName'
|
||||
and then extract a part of it using Regular Expression;
|
||||
first matching () group will be used -->
|
||||
<!--
|
||||
<groupattr_regex>OU=([^,]*),</groupattr_regex>
|
||||
-->
|
||||
|
||||
<!-- boolean attribute that tells whether or not to publish this user
|
||||
jabberPublishedItem by default -->
|
||||
<!--
|
||||
<publishedattr>jabberPublishedItem</publishedattr>
|
||||
-->
|
||||
|
||||
<!-- If value specified, then keep cache of "published-roster"
|
||||
database, which is used for all users. Cache is renewed when kept more seconds than value
|
||||
specified. Setting this value increases perfomance of publishing
|
||||
roster. If not specified, then we don't keep cache. -->
|
||||
<publishedcachettl>60</publishedcachettl>
|
||||
|
||||
<mapped-groups>
|
||||
<!-- If turned on, then mapping of group ids to names with
|
||||
LDAP will works. -->
|
||||
<!--
|
||||
<map-groups/>
|
||||
-->
|
||||
|
||||
<!-- base for searches for group id to group name mappings -->
|
||||
<basedn>ou=jabbergroups, o=Example Corp.</basedn>
|
||||
|
||||
<!-- what objectclass to search, jabberGroup by default -->
|
||||
<!--
|
||||
<objectclass>jabberGroup</objectclass>
|
||||
-->
|
||||
|
||||
<!-- what attribute to search, cn by default -->
|
||||
<!--
|
||||
<idattr>cn</idattr>
|
||||
-->
|
||||
|
||||
<!-- attribute with text group name, description by default -->
|
||||
<!--
|
||||
<nameattr>description</nameattr>
|
||||
-->
|
||||
</mapped-groups>
|
||||
</ldapvcard>
|
||||
</storage>
|
||||
|
||||
<!-- Access control information -->
|
||||
<aci>
|
||||
<!-- The JIDs listed here will get access to all restricted
|
||||
functions, regardless of restrictions further down -->
|
||||
<acl type='all'>
|
||||
<jid>admin@localhost.localdomain</jid>
|
||||
</acl>
|
||||
|
||||
<!-- These JIDs can send broadcast messages (announce, motd) -->
|
||||
<!--
|
||||
<acl type='broadcast'>
|
||||
<jid>nocstaff1@localhost.localdomain</jid>
|
||||
<jid>nocstaff2@localhost.localdomain</jid>
|
||||
</acl>
|
||||
-->
|
||||
|
||||
<!-- These JIDs will receive messages addressed to the sm itself
|
||||
(help requestes and such) -->
|
||||
<!--
|
||||
<acl type='messages'>
|
||||
<jid>support@localhost.localdomain</jid>
|
||||
</acl>
|
||||
-->
|
||||
|
||||
<!-- These JIDs can discover active user/session information -->
|
||||
<!--
|
||||
<acl type='disco'>
|
||||
<jid>webstatus@localhost.localdomain</jid>
|
||||
</acl>
|
||||
-->
|
||||
</aci>
|
||||
|
||||
<!-- Module chain configuration
|
||||
|
||||
Modules listed in a chain are called in the order specified at
|
||||
the appropriate time for that chain (assuming that the module
|
||||
knows how to work with that chain; otherwise it simply ignores
|
||||
it).
|
||||
|
||||
Removing a module from these lists will stop the module being
|
||||
called, even if it's compiled into the server.
|
||||
|
||||
Serveral modules have a presence in more than one chain. It is
|
||||
possible to remove a module from one chain but not others, but
|
||||
this may cause strange behaviour. Make sure you know what you're
|
||||
doing. -->
|
||||
<modules>
|
||||
<!-- Dynamic sm modules path -->
|
||||
<path>/usr/lib64/jabberd</path>
|
||||
|
||||
<!-- sess-start. The modules in this chain are called when a session
|
||||
is first started (usually on request by c2s as part of the
|
||||
authentication process). This is normally used to load
|
||||
per-session data. -->
|
||||
<chain id='sess-start'>
|
||||
<module>status</module> <!-- record status information -->
|
||||
</chain>
|
||||
|
||||
<!-- sess-end. The modules in this chain are called just before a
|
||||
session is destroyed (after the client has disconnected). -->
|
||||
<chain id='sess-end'>
|
||||
<module>status</module> <!-- update status information -->
|
||||
<module>iq-last</module> <!-- update logout time -->
|
||||
</chain>
|
||||
|
||||
<!-- in-sess. The modules in this chain are called when a packet
|
||||
arrives from an active user session. Note that this chain is
|
||||
also responsible for delivering packets to their destinations -
|
||||
this is usually handled by the "deliver" module. -->
|
||||
<chain id='in-sess'>
|
||||
<module>validate</module> <!-- validate packet type -->
|
||||
<module>status</module> <!-- update status information -->
|
||||
<module>privacy</module> <!-- manage privacy lists -->
|
||||
<module>roster</module> <!-- handle roster get/sets and s10ns -->
|
||||
<module>vacation</module> <!-- manage vacation settings -->
|
||||
<!-- <module>pep</module> <!- - personal eventing -->
|
||||
<module>iq-vcard</module> <!-- store and retrieve the user's vcard -->
|
||||
<module>iq-ping</module> <!-- return the server ping -->
|
||||
<module>iq-private</module> <!-- manage the user's private data store -->
|
||||
<module>disco</module> <!-- respond to agents requests from sessions -->
|
||||
<module>amp</module> <!-- advanced message processing -->
|
||||
<module>offline</module> <!-- if we're coming online for the first time, deliver queued messages -->
|
||||
<module>announce</module> <!-- deliver motd -->
|
||||
<module>presence</module> <!-- process and distribute presence updates -->
|
||||
<module>deliver</module> <!-- deliver packets with full jids directly -->
|
||||
</chain>
|
||||
|
||||
<!-- out-sess. The modules in this chain are called just before a
|
||||
packet is delivered to an active user session. -->
|
||||
<chain id='out-sess'>
|
||||
<!-- <module>pep</module> <!- - personal eventing -->
|
||||
</chain>
|
||||
|
||||
<!-- in-router. The modules in this chain are called when a packet
|
||||
arrives from the router (ie another component or s2s), but
|
||||
before any processing is done. This is a good place to filter
|
||||
incoming packets. -->
|
||||
<chain id='in-router'>
|
||||
<module>session</module> <!-- perform session actions as required by c2s -->
|
||||
<module>validate</module> <!-- validate packet type -->
|
||||
<module>presence</module> <!-- drop incoming presence if user not online -->
|
||||
<module>privacy</module> <!-- filter incoming packets based on privacy rules -->
|
||||
</chain>
|
||||
|
||||
<!-- out-router. The modules in this chain are called just before a
|
||||
packet is delivered to the router (destined for another
|
||||
component or s2s). This is a good place to filter outgoing
|
||||
packets. -->
|
||||
<chain id='out-router'>
|
||||
<module>privacy</module> <!-- filter outgoing packets based on privacy rules -->
|
||||
</chain>
|
||||
|
||||
<!-- pkt-sm. The modules in this chain are called when a packet
|
||||
arrives that is addressed to the session manager itself (ie the
|
||||
to JID has no node part). This is normally used to provide
|
||||
session-manager-wide services (like service discovery). -->
|
||||
<chain id='pkt-sm'>
|
||||
<module>iq-last</module> <!-- return the server uptime -->
|
||||
<module>iq-ping</module> <!-- return the server ping -->
|
||||
<module>iq-time</module> <!-- return the current server time -->
|
||||
<module>iq-version</module> <!-- return the server name and version -->
|
||||
<module>amp</module> <!-- advanced message processing -->
|
||||
<module>disco</module> <!-- build the disco list; respond to disco queries -->
|
||||
<module>announce</module> <!-- send broadcast messages (announce, motd, etc) -->
|
||||
<module>help</module> <!-- resend sm messages to administrators -->
|
||||
<module>echo</module> <!-- echo messages sent to /echo -->
|
||||
<module>status</module> <!-- track status information -->
|
||||
<module>presence</module> <!-- proces server presence subscriptions -->
|
||||
</chain>
|
||||
|
||||
<!-- pkt-user. The modules in this chain are called when a packet
|
||||
arrives that is address to a specific user. Note that this
|
||||
chain is also responsible for delivering packets to user
|
||||
sessions as appropriate - this is usually handled by the
|
||||
"deliver" module. -->
|
||||
<chain id='pkt-user'>
|
||||
<module>roster</module> <!-- handle s10n responses -->
|
||||
<module>presence</module> <!-- process and distribute incoming presence from external entities -->
|
||||
<module>iq-vcard</module> <!-- grab user vcards -->
|
||||
<module>amp</module> <!-- advanced message processing -->
|
||||
<module>deliver</module> <!-- deliver the packet to an active session if we can -->
|
||||
<module>vacation</module> <!-- send vacation messages -->
|
||||
<module>offline</module> <!-- save messages and s10ns for later -->
|
||||
<module>iq-last</module> <!-- return time since last logout -->
|
||||
</chain>
|
||||
|
||||
<!-- pkt-router. The modules in this chain are called when a
|
||||
special-purpose packet arrives from the router (eg domain
|
||||
advertisements). -->
|
||||
<chain id='pkt-router'>
|
||||
<module>session</module> <!-- take sessions offline if their c2s disappears -->
|
||||
<module>disco</module> <!-- query new components for service information -->
|
||||
</chain>
|
||||
|
||||
<!-- user-load. The modules in this chain are called to load
|
||||
per-user data. This will happen before a user can be used (ie
|
||||
before a session is created). -->
|
||||
<chain id='user-load'>
|
||||
<module>active</module> <!-- get active status -->
|
||||
<module>roster</module> <!-- load the roster and trust list -->
|
||||
<module>roster-publish</module> <!-- load the published roster -->
|
||||
<module>privacy</module> <!-- load privacy lists -->
|
||||
<module>vacation</module> <!-- load vacation settings -->
|
||||
</chain>
|
||||
|
||||
<!-- user-unload. The modules in this chain are called right
|
||||
after last per-user session is destroyed. -->
|
||||
<chain id='user-unload'>
|
||||
</chain>
|
||||
|
||||
<!-- user-create. The modules in this chain are called when a user
|
||||
creation request is received (usually from c2s as part of a
|
||||
registration request). This initialises any per-user data. -->
|
||||
<chain id='user-create'>
|
||||
<module>active</module> <!-- activate new users -->
|
||||
<module>template-roster</module> <!-- populate roster from template -->
|
||||
</chain>
|
||||
|
||||
<!-- user-delete. The modules in this chain are called when a user
|
||||
deletion request is received (usually from c2s as part of a
|
||||
registration removal request). This deletes all data that may
|
||||
have been previously created for the user during normal
|
||||
operation. -->
|
||||
<chain id='user-delete'>
|
||||
<module>active</module> <!-- deactivate users -->
|
||||
<module>announce</module> <!-- delete motd data -->
|
||||
<module>offline</module> <!-- bounce queued messages -->
|
||||
<module>privacy</module> <!-- delete privacy lists -->
|
||||
<module>roster</module> <!-- delete roster -->
|
||||
<module>vacation</module> <!-- delete vacation settings -->
|
||||
<module>status</module> <!-- delete status information -->
|
||||
<module>iq-last</module> <!-- delete last logout time -->
|
||||
<module>iq-private</module> <!-- delete private data -->
|
||||
<module>iq-vcard</module> <!-- delete vcard -->
|
||||
</chain>
|
||||
|
||||
<!-- disco-extend. The modules in this chain are called when a disco
|
||||
info request is send to session manager. It implements XEP-0128
|
||||
Service Discovery Extensions mechanizm to add additional
|
||||
information to disco#info reply. -->
|
||||
<chain id='disco-extend'>
|
||||
<module>iq-version</module> <!-- add XEP-xxxx Software Information -->
|
||||
<module>help</module> <!-- add XEP-0157 Contact Addresses -->
|
||||
</chain>
|
||||
|
||||
</modules>
|
||||
|
||||
<!-- Service discovery configuration -->
|
||||
<discovery>
|
||||
|
||||
<!-- Service identity. these specify the category, type and name of
|
||||
this service that will be included in discovery information
|
||||
responses. -->
|
||||
<identity>
|
||||
<category>server</category> <!-- default: server -->
|
||||
<type>im</type> <!-- default: im -->
|
||||
<name>Jabber IM server</name> <!-- default: Jabber IM server -->
|
||||
</identity>
|
||||
|
||||
<!-- The discovery module can respond to jabber:iq:agents queries
|
||||
for compatibility with older clients. Comment this out to
|
||||
disable this. -->
|
||||
<agents/>
|
||||
|
||||
<!-- Static service list.
|
||||
|
||||
The discover module can discover disco-capable services
|
||||
automatically as they come online. Most XEP-0114 components,
|
||||
however, will not support discovery. In order to get them to
|
||||
appear in disco/agents lists returned to the client, they
|
||||
should be listed here.
|
||||
|
||||
Note that if a disco-capable service with the same name as one
|
||||
listed below comes online, the information it provides will
|
||||
override the information listed below.
|
||||
|
||||
The "category" and "type" attributes, and the list of supported
|
||||
namespaces are only used for agents compatibility. If you have
|
||||
disabled this above, you may omit them. -->
|
||||
<items>
|
||||
|
||||
<!-- example entry for a user directory -->
|
||||
<!--
|
||||
<item category='service' type='jud' jid='users.jabber.org' name='Jabber User Directory'/>
|
||||
-->
|
||||
|
||||
<!-- example entry for a groupchat (conference) service -->
|
||||
<!--
|
||||
<item category='conference' type='public' jid='conference.jabber.org' name='Text conferencing'/>
|
||||
-->
|
||||
|
||||
</items>
|
||||
|
||||
<!-- Server information added to server discovery information
|
||||
in http://jabber.org/network/serverinfo jabber:x:data form. (XEP-0157)
|
||||
|
||||
May contain many values per item -->
|
||||
<!--
|
||||
<serverinfo>
|
||||
<admin-addresses>
|
||||
<value>mailto:xmpp@localhost.localdomain</value>
|
||||
<value>xmpp:admins@localhost.localdomain</value>
|
||||
</admin-addresses>
|
||||
<abuse-addresses>
|
||||
<value>mailto:abuse@localhost.localdomain</value>
|
||||
<value>xmpp:abuse@localhost.localdomain</value>
|
||||
</abuse-addresses>
|
||||
<feedback-addresses>
|
||||
<value>http://example.org/feedback.php</value>
|
||||
</feedback-addresses>
|
||||
<sales-addresses/>
|
||||
<security-addresses/>
|
||||
<support-addresses/>
|
||||
</serverinfo>
|
||||
-->
|
||||
|
||||
</discovery>
|
||||
|
||||
<!-- User options -->
|
||||
<user>
|
||||
<!-- By default, users must explicitly created before they can start
|
||||
a session. The creation process is usually triggered by a c2s
|
||||
component in response to a client registering a new user.
|
||||
|
||||
Enabling this option will make it so that user creation will be
|
||||
triggered the first time a non-existant user attempts to start
|
||||
a session. This is useful if you already have users in an
|
||||
external authentication database (eg LDAP) and you don't want
|
||||
them to have to register. -->
|
||||
<!--
|
||||
<auto-create/>
|
||||
-->
|
||||
|
||||
<!-- Define maximum size in bytes of fields of vcards.
|
||||
There is a recommendation that the avatar picture SHOULD NOT
|
||||
be larger than 16 KiB. -->
|
||||
<!--
|
||||
<vcard>
|
||||
<max-field-size>
|
||||
<default>16384</default>
|
||||
<avatar>16384</avatar>
|
||||
</max-field-size>
|
||||
</vcard>
|
||||
-->
|
||||
|
||||
<!-- Templates. If defined, the contents of these files will be
|
||||
stored in the users data store when they are created. -->
|
||||
<template>
|
||||
<!-- Uncomment <publish> if you wish to forcibly publish
|
||||
roster template from ldap on each user login -->
|
||||
<!--
|
||||
<publish>
|
||||
-->
|
||||
<!-- Key used for fetching published roster items.
|
||||
Only one might be set at a time.
|
||||
If not set, all items are fetched. -->
|
||||
<!--
|
||||
<fetch-key>
|
||||
<domain/>
|
||||
<user/>
|
||||
<fixed>grouping-key</fixed>
|
||||
</fetch-key>
|
||||
-->
|
||||
<!-- If <check-remove-domain> given, then published contact is checked
|
||||
against sm user database and if user is unknown to sm, contact
|
||||
will be deleted from user's roster (if it is in roster).
|
||||
If no domain set (tag empty) all contacts are checked. -->
|
||||
<!--
|
||||
<check-remove-domain>jabber.example.com</check-remove-domain>
|
||||
-->
|
||||
<!-- Alternatively if <force-create-contacts/> is not commented,
|
||||
published contact is added to sm user database
|
||||
and user set known to sm, so it won't auto-unsubscribe
|
||||
on connection established -->
|
||||
<!--
|
||||
<force-create-contacts/>
|
||||
-->
|
||||
<!-- Keep cache of "active" database specified number of seconds.
|
||||
This will significantly speed up publishing of roster.
|
||||
If unspecified or 0, no cache is used. -->
|
||||
<active-cache-ttl>60</active-cache-ttl>
|
||||
<!-- If <fix-subscriptions/> is not commented, set "to" and "from" subscriptions of
|
||||
user's contacts to subscriptions of corresponding published
|
||||
contacts. -->
|
||||
<!--
|
||||
<fix-subscriptions/>
|
||||
-->
|
||||
<!-- If <override-names/> is uncommented, then displayed names of
|
||||
contacts in user's roster will be updated accordingly to
|
||||
published roster (if they differ). If commented, then user can
|
||||
rename contacts in roster -->
|
||||
<!--
|
||||
<override-names/>
|
||||
-->
|
||||
<!-- when mapped-groups is on (<map-groups/> is uncommented), the actual
|
||||
group names for published contacts are read from
|
||||
published-roster-groups storage type, which may be set
|
||||
to ldapvcard driver. The key for searching is published user's
|
||||
group, and returned value is used as group name. So you can assign
|
||||
textual group IDs to users rather then group names.
|
||||
group-cache-ttl keeps cache of mapping from group id to name for
|
||||
specified number of seconds. If unspecified or 0, no cache is used.
|
||||
-->
|
||||
<!--
|
||||
<mapped-groups>
|
||||
<map-groups/>
|
||||
<group-cache-ttl>120</group-cache-ttl>
|
||||
</mapped-groups>
|
||||
-->
|
||||
<!-- If <force-groups> is commented out, published roster's contact
|
||||
added to user's roster only when user does not have this contact.
|
||||
|
||||
If <force-groups> is uncommented, then these checks are performed
|
||||
against each roster item already in user's roster:
|
||||
If roster item already present in user's roster in
|
||||
group of same name, no changes are made with this group (note
|
||||
that contact may be in more than one group).
|
||||
If <prefix> or <suffix> are given, then contact removed
|
||||
from any matching groups.
|
||||
After that, contact is added to group from published roster.
|
||||
|
||||
In other words, all groups of updated contact, that match prefix
|
||||
or suffix, are replaced with group of published contact.
|
||||
This is done because there is no way to determine that group was
|
||||
published or greated by user. -->
|
||||
<!--
|
||||
<force-groups>
|
||||
<prefix>MyOrg.</prefix>
|
||||
<suffix>(MyOrg)</suffix>
|
||||
</force-groups>
|
||||
-->
|
||||
<!--
|
||||
</publish>
|
||||
-->
|
||||
|
||||
<!-- If defined, the contents of these files will be
|
||||
stored in the users data store when they are created. -->
|
||||
<!-- If you defined publish, you should comment-out <roster> -->
|
||||
<!--
|
||||
<roster>/etc/jabber/templates/roster.xml</roster>
|
||||
-->
|
||||
</template>
|
||||
</user>
|
||||
|
||||
<!-- Advanced Message Processing module configuration -->
|
||||
<amp>
|
||||
<!-- You can disable some actions -->
|
||||
<!--
|
||||
<disableactions>
|
||||
<drop/>
|
||||
<error/>
|
||||
<alert/>
|
||||
<notify/>
|
||||
</disableactions>
|
||||
-->
|
||||
|
||||
<!-- You can disable some conditions -->
|
||||
<!--
|
||||
<disableconditions>
|
||||
<expireat/>
|
||||
<matchresource/>
|
||||
<deliver/>
|
||||
</disableconditions>
|
||||
-->
|
||||
|
||||
<!-- You need to enable this if your server has offline storage disabled -->
|
||||
<!--
|
||||
<offlinestoragedisabled/>
|
||||
-->
|
||||
</amp>
|
||||
|
||||
<!-- Offline module configuration -->
|
||||
<offline>
|
||||
<!-- Do not store messages in offline store -->
|
||||
<!--
|
||||
<dropmessages/>
|
||||
-->
|
||||
|
||||
<!-- Store headline messages in offline store -->
|
||||
<!--
|
||||
<storeheadlines/>
|
||||
-->
|
||||
|
||||
<!-- Do not store subscription requests in offline store -->
|
||||
<!--
|
||||
<dropsubscriptions/>
|
||||
-->
|
||||
|
||||
<!-- Offline storage message quota.
|
||||
Specifies how many messages will be stored in user offline store -->
|
||||
<!--
|
||||
<userquota>500</userquota>
|
||||
-->
|
||||
</offline>
|
||||
|
||||
<!-- roster module configuration -->
|
||||
<roster>
|
||||
<!-- maximum items per user roster -->
|
||||
<!--
|
||||
<maxitems>100</maxitems>
|
||||
-->
|
||||
</roster>
|
||||
|
||||
<!-- status module configuration -->
|
||||
<status>
|
||||
<!-- presence service resource
|
||||
disabled when commented out -->
|
||||
<!--
|
||||
<resource>webstatus</resource>
|
||||
-->
|
||||
</status>
|
||||
|
||||
</sm>
|
||||
<!--
|
||||
vim: syntax=xml
|
||||
-->
|
811
jabber/sm.xml.dist
Normal file
811
jabber/sm.xml.dist
Normal file
@ -0,0 +1,811 @@
|
||||
<!-- Session manager configuration -->
|
||||
<sm>
|
||||
<!-- Our ID on the network (default: sm) -->
|
||||
<id>sm</id>
|
||||
|
||||
<!-- The process ID file. Comment this out if you don't need to know
|
||||
the process ID from outside the process (eg for control scripts) -->
|
||||
<pidfile>/var/run/jabber/jabberd2-sm.pid</pidfile>
|
||||
|
||||
<!-- Router connection configuration -->
|
||||
<router>
|
||||
<!-- IP/port the router is waiting for connections on -->
|
||||
<ip>127.0.0.1</ip> <!-- default: 127.0.0.1 -->
|
||||
<port>5347</port> <!-- default: 5347 -->
|
||||
|
||||
<!-- Username/password to authenticate as -->
|
||||
<user>jabberd</user> <!-- default: jabberd -->
|
||||
<pass>secret</pass> <!-- default: secret -->
|
||||
|
||||
<!-- File containing an SSL certificate and private key to use when
|
||||
setting up an encrypted channel with the router. From
|
||||
SSL_CTX_use_certificate_chain_file(3): "The certificates must be
|
||||
in PEM format and must be sorted starting with the subject's
|
||||
certificate (actual client or server certificate), followed
|
||||
by intermediate CA certificates if applicable, and ending
|
||||
at the highest level (root) CA" (the latter one being optional).
|
||||
If this is commented out, or the file can't be read, no attempt
|
||||
will be made to establish an encrypted channel with the router. -->
|
||||
<!--
|
||||
<pemfile>/etc/jabber/server.pem</pemfile>
|
||||
-->
|
||||
|
||||
<!-- Router connection retry -->
|
||||
<retry>
|
||||
<!-- If the connection to the router can't be established at
|
||||
startup, we should try again this many times before exiting.
|
||||
Use -1 to retry indefinitely. [default: 3] -->
|
||||
<init>3</init>
|
||||
|
||||
<!-- If we lost the connection to the router during normal
|
||||
operation (ie we've successfully connected to the router in
|
||||
the past), we should try to reconnect this many times before
|
||||
exiting. Use -1 to retry indefinitely. [default: 3] -->
|
||||
<lost>3</lost>
|
||||
|
||||
<!-- Sleep for this many seconds before trying attempting a
|
||||
reconnect. [default: 2] -->
|
||||
<sleep>2</sleep>
|
||||
</retry>
|
||||
</router>
|
||||
|
||||
<!-- Log configuration - type is "syslog", "file" or "stdout" -->
|
||||
<log type='syslog'>
|
||||
<!-- If logging to syslog, this is the log ident -->
|
||||
<ident>jabberd/sm</ident>
|
||||
|
||||
<!-- If logging to syslog, this is the log facility
|
||||
(local0 - local7) [default: local3] -->
|
||||
<facility>local3</facility>
|
||||
|
||||
<!-- If logging to file, this is the filename of the logfile -->
|
||||
<!--
|
||||
<file>/var/log/jabber/sm.log</file>
|
||||
-->
|
||||
|
||||
<!-- Filename of the debug logfile -->
|
||||
<!--
|
||||
<debug>/var/log/jabber/debug-${id}.log</debug>
|
||||
-->
|
||||
</log>
|
||||
|
||||
<!-- Local network configuration -->
|
||||
<local>
|
||||
<!-- Who we identify ourselves as.
|
||||
Users will have this as the domain part of their JID.
|
||||
If you want your server to be accessible from other
|
||||
Jabber servers, this IDs must be FQDN resolvable by DNSes.
|
||||
If not set, the SM id is used. -->
|
||||
<id>localhost.localdomain</id>
|
||||
<!--
|
||||
<id>vhost1.localdomain</id>
|
||||
<id>vhost2.localdomain</id>
|
||||
-->
|
||||
|
||||
</local>
|
||||
|
||||
<!-- Storage database configuration -->
|
||||
<storage>
|
||||
<!-- Dynamic storage modules path -->
|
||||
<path>/usr/lib64/jabberd</path>
|
||||
|
||||
<!-- By default, we use the SQLite driver for all storage -->
|
||||
<driver>db</driver>
|
||||
|
||||
<!-- Its also possible to explicitly list alternate drivers for
|
||||
specific data types. -->
|
||||
|
||||
<!-- Store vcards in a ldapvcard database instead -->
|
||||
<!--
|
||||
<driver type='vcard'>ldapvcard</driver>
|
||||
-->
|
||||
|
||||
<!-- Only ldapvcard driver implements published-roster: -->
|
||||
<!--
|
||||
<driver type='published-roster'>ldapvcard</driver>
|
||||
-->
|
||||
|
||||
<!-- Use ldapvcard driver for published-roster-groups.
|
||||
See description in section sm/user/template/mapped-groups.
|
||||
Used by mod_published_roster.
|
||||
See ldapvcard section for options.
|
||||
When resolving group id to group name, it searches for
|
||||
groupsobjectclass objects at groupsdn base using group id
|
||||
(in groupsidattr) as key and returns the first value of
|
||||
groupattr of first found entry.
|
||||
E.g.. in general case, if group id is "some-dep", and groupsdn
|
||||
is o=org, and class is jabberGroup, it searches for
|
||||
(&(objectClass=jabberGroup)(cn=some-dep)) and returns value of
|
||||
jabberPublishedItem attribute, which may contain textual description.
|
||||
-->
|
||||
<!--
|
||||
<driver type='published-roster-groups'>ldapvcard</driver>
|
||||
-->
|
||||
|
||||
<!-- Rate limiting -->
|
||||
<limits>
|
||||
<!-- Maximum queries per second - if more than X queries are sent in Y
|
||||
seconds, connection is throttled for Z seconds. The format
|
||||
is:
|
||||
|
||||
<queries seconds='Y' throttle='Z'>X</bytes>
|
||||
|
||||
Default Y is 5, default Z is 60. set X to 0 to disable. -->
|
||||
<!--
|
||||
<queries>3</queries>
|
||||
-->
|
||||
</limits>
|
||||
|
||||
<!-- SQLite driver configuration -->
|
||||
<sqlite>
|
||||
<!-- Database name -->
|
||||
<dbname>/var/spool/jabber/db/sqlite.db</dbname>
|
||||
|
||||
<!-- Transaction support. If this is commented out, transactions
|
||||
will be disabled. This might make database accesses faster,
|
||||
but data may be lost if jabberd crashes. -->
|
||||
<transactions/>
|
||||
|
||||
<!-- SQLite busy-timeout in milliseconds. -->
|
||||
<busy-timeout>2000</busy-timeout>
|
||||
</sqlite>
|
||||
|
||||
<!-- MySQL driver configuration -->
|
||||
<mysql>
|
||||
<!-- Database server host and port -->
|
||||
<host>localhost</host>
|
||||
<port>3306</port>
|
||||
|
||||
<!-- Database name -->
|
||||
<dbname>jabberd2</dbname>
|
||||
|
||||
<!-- Database username and password -->
|
||||
<user>jabberd2</user>
|
||||
<pass>secret</pass>
|
||||
|
||||
<!-- Transaction support. If this is commented out, transactions
|
||||
will be disabled. This might make database accesses faster,
|
||||
but data may be lost if jabberd crashes.
|
||||
|
||||
This will need to be disabled if you are using a MySQL
|
||||
earlier than v3.23.xx, as transaction support did not appear
|
||||
until this version. -->
|
||||
<transactions/>
|
||||
</mysql>
|
||||
|
||||
<!-- PostgreSQL driver configuration -->
|
||||
<pgsql>
|
||||
<!-- PostgreSQL connection info.
|
||||
For the rest of the options see
|
||||
http://www.postgresql.org/docs/8.0/interactive/libpq.html -->
|
||||
<conninfo>dbname=jabberd2 user=jabberd2 password=secret</conninfo>
|
||||
|
||||
<!-- Alternatively you may set connection settings separately.
|
||||
These are used only in absence of 'conninfo' -->
|
||||
|
||||
<!-- Database server host and port -->
|
||||
<host>localhost</host>
|
||||
<port>5432</port>
|
||||
|
||||
<!-- Database name -->
|
||||
<dbname>jabberd2</dbname>
|
||||
|
||||
<!-- Database schema -->
|
||||
<schema>public</schema>
|
||||
|
||||
<!-- Database username and password -->
|
||||
<user>jabberd2</user>
|
||||
<pass>secret</pass>
|
||||
|
||||
<!-- Transaction support. If this is commented out, transactions
|
||||
will be disabled. This might make database accesses faster,
|
||||
but data may be lost if jabberd crashes. -->
|
||||
<transactions/>
|
||||
</pgsql>
|
||||
|
||||
<!-- Berkeley DB driver configuration. This does not support roster
|
||||
maxitems or offline userquota (because the mod_roster
|
||||
implementation does not implement the 'count' callback). -->
|
||||
<db>
|
||||
<!-- Directory to store database files under -->
|
||||
<path>/var/spool/jabber/db</path>
|
||||
|
||||
<!-- Synchronize the database to disk after each write. If you
|
||||
disable this, database accesses may be faster, but data may
|
||||
be lost if jabberd crashes. -->
|
||||
<sync/>
|
||||
</db>
|
||||
|
||||
<!-- Oracle driver configuration -->
|
||||
<oracle>
|
||||
<!-- Database server host and port. -->
|
||||
<host>localhost</host>
|
||||
<port>1521</port>
|
||||
|
||||
<!-- Database name -->
|
||||
<dbname>jabberd2</dbname>
|
||||
|
||||
<!-- Database username and password -->
|
||||
<user>jabberd2</user>
|
||||
<pass>secret</pass>
|
||||
</oracle>
|
||||
|
||||
<!-- Filesystem driver configuration -->
|
||||
<fs>
|
||||
<!-- Directory to store database files under. -->
|
||||
<path>/var/spool/jabber/fs</path>
|
||||
</fs>
|
||||
|
||||
<!-- LDAPVCARD driver configuration -->
|
||||
<ldapvcard>
|
||||
<!-- LDAP server host and port (default: 389) -->
|
||||
<uri>ldap://localhost/ ldaps://ldap.example.com/</uri>
|
||||
|
||||
<!-- DN to bind as for searches. If unspecified, the searches
|
||||
will be done anonymously. -->
|
||||
<!--
|
||||
<binddn>cn=Directory Manager</binddn>
|
||||
<bindpw>secret</bindpw>
|
||||
-->
|
||||
|
||||
<!-- see authreg.ldapfull in c2s.xml for description. -->
|
||||
<!--
|
||||
<type>ad</type>
|
||||
-->
|
||||
|
||||
<!-- LDAP attribute that holds the user ID (default: uid) -->
|
||||
<uidattr>uid</uidattr>
|
||||
<objectclass>posixAccount</objectclass>
|
||||
<pwattr>userPassword</pwattr>
|
||||
<!-- if you use included jabberd.schema use this:
|
||||
<uidattr>jid</uidattr>
|
||||
<objectclass>jabberUser</objectclass>
|
||||
<pwattr>jabberPassword</pwattr>
|
||||
-->
|
||||
|
||||
<!-- Realm to append to uidattr. -->
|
||||
<!--
|
||||
<realm>example.org</realm>
|
||||
-->
|
||||
|
||||
<!-- see authreg.ldapfull in c2s.xml for description. -->
|
||||
<!--
|
||||
<validattr>valid</validattr>
|
||||
-->
|
||||
|
||||
<!-- base DN of the tree. You should specify a DN for each
|
||||
authentication realm declared in the <local/> section above,
|
||||
by using the realm attribute. -->
|
||||
<basedn>o=Example Corp.</basedn>
|
||||
|
||||
<!-- attribute that holds published group name or id,
|
||||
jabberPublishedGroup if not set -->
|
||||
<!--
|
||||
<groupattr>jabberPublishedGroup</groupattr>
|
||||
-->
|
||||
|
||||
<!-- this option is helpful if your schema does not have designated
|
||||
attribute that holds jabber group name
|
||||
you can use any attribute in <groupattr> i.e. 'distinguishedName'
|
||||
and then extract a part of it using Regular Expression;
|
||||
first matching () group will be used -->
|
||||
<!--
|
||||
<groupattr_regex>OU=([^,]*),</groupattr_regex>
|
||||
-->
|
||||
|
||||
<!-- boolean attribute that tells whether or not to publish this user
|
||||
jabberPublishedItem by default -->
|
||||
<!--
|
||||
<publishedattr>jabberPublishedItem</publishedattr>
|
||||
-->
|
||||
|
||||
<!-- If value specified, then keep cache of "published-roster"
|
||||
database, which is used for all users. Cache is renewed when kept more seconds than value
|
||||
specified. Setting this value increases perfomance of publishing
|
||||
roster. If not specified, then we don't keep cache. -->
|
||||
<publishedcachettl>60</publishedcachettl>
|
||||
|
||||
<mapped-groups>
|
||||
<!-- If turned on, then mapping of group ids to names with
|
||||
LDAP will works. -->
|
||||
<!--
|
||||
<map-groups/>
|
||||
-->
|
||||
|
||||
<!-- base for searches for group id to group name mappings -->
|
||||
<basedn>ou=jabbergroups, o=Example Corp.</basedn>
|
||||
|
||||
<!-- what objectclass to search, jabberGroup by default -->
|
||||
<!--
|
||||
<objectclass>jabberGroup</objectclass>
|
||||
-->
|
||||
|
||||
<!-- what attribute to search, cn by default -->
|
||||
<!--
|
||||
<idattr>cn</idattr>
|
||||
-->
|
||||
|
||||
<!-- attribute with text group name, description by default -->
|
||||
<!--
|
||||
<nameattr>description</nameattr>
|
||||
-->
|
||||
</mapped-groups>
|
||||
</ldapvcard>
|
||||
</storage>
|
||||
|
||||
<!-- Access control information -->
|
||||
<aci>
|
||||
<!-- The JIDs listed here will get access to all restricted
|
||||
functions, regardless of restrictions further down -->
|
||||
<acl type='all'>
|
||||
<jid>admin@localhost.localdomain</jid>
|
||||
</acl>
|
||||
|
||||
<!-- These JIDs can send broadcast messages (announce, motd) -->
|
||||
<!--
|
||||
<acl type='broadcast'>
|
||||
<jid>nocstaff1@localhost.localdomain</jid>
|
||||
<jid>nocstaff2@localhost.localdomain</jid>
|
||||
</acl>
|
||||
-->
|
||||
|
||||
<!-- These JIDs will receive messages addressed to the sm itself
|
||||
(help requestes and such) -->
|
||||
<!--
|
||||
<acl type='messages'>
|
||||
<jid>support@localhost.localdomain</jid>
|
||||
</acl>
|
||||
-->
|
||||
|
||||
<!-- These JIDs can discover active user/session information -->
|
||||
<!--
|
||||
<acl type='disco'>
|
||||
<jid>webstatus@localhost.localdomain</jid>
|
||||
</acl>
|
||||
-->
|
||||
</aci>
|
||||
|
||||
<!-- Module chain configuration
|
||||
|
||||
Modules listed in a chain are called in the order specified at
|
||||
the appropriate time for that chain (assuming that the module
|
||||
knows how to work with that chain; otherwise it simply ignores
|
||||
it).
|
||||
|
||||
Removing a module from these lists will stop the module being
|
||||
called, even if it's compiled into the server.
|
||||
|
||||
Serveral modules have a presence in more than one chain. It is
|
||||
possible to remove a module from one chain but not others, but
|
||||
this may cause strange behaviour. Make sure you know what you're
|
||||
doing. -->
|
||||
<modules>
|
||||
<!-- Dynamic sm modules path -->
|
||||
<path>/usr/lib64/jabberd</path>
|
||||
|
||||
<!-- sess-start. The modules in this chain are called when a session
|
||||
is first started (usually on request by c2s as part of the
|
||||
authentication process). This is normally used to load
|
||||
per-session data. -->
|
||||
<chain id='sess-start'>
|
||||
<module>status</module> <!-- record status information -->
|
||||
</chain>
|
||||
|
||||
<!-- sess-end. The modules in this chain are called just before a
|
||||
session is destroyed (after the client has disconnected). -->
|
||||
<chain id='sess-end'>
|
||||
<module>status</module> <!-- update status information -->
|
||||
<module>iq-last</module> <!-- update logout time -->
|
||||
</chain>
|
||||
|
||||
<!-- in-sess. The modules in this chain are called when a packet
|
||||
arrives from an active user session. Note that this chain is
|
||||
also responsible for delivering packets to their destinations -
|
||||
this is usually handled by the "deliver" module. -->
|
||||
<chain id='in-sess'>
|
||||
<module>validate</module> <!-- validate packet type -->
|
||||
<module>status</module> <!-- update status information -->
|
||||
<module>privacy</module> <!-- manage privacy lists -->
|
||||
<module>roster</module> <!-- handle roster get/sets and s10ns -->
|
||||
<module>vacation</module> <!-- manage vacation settings -->
|
||||
<!-- <module>pep</module> <!- - personal eventing -->
|
||||
<module>iq-vcard</module> <!-- store and retrieve the user's vcard -->
|
||||
<module>iq-ping</module> <!-- return the server ping -->
|
||||
<module>iq-private</module> <!-- manage the user's private data store -->
|
||||
<module>disco</module> <!-- respond to agents requests from sessions -->
|
||||
<module>amp</module> <!-- advanced message processing -->
|
||||
<module>offline</module> <!-- if we're coming online for the first time, deliver queued messages -->
|
||||
<module>announce</module> <!-- deliver motd -->
|
||||
<module>presence</module> <!-- process and distribute presence updates -->
|
||||
<module>deliver</module> <!-- deliver packets with full jids directly -->
|
||||
</chain>
|
||||
|
||||
<!-- out-sess. The modules in this chain are called just before a
|
||||
packet is delivered to an active user session. -->
|
||||
<chain id='out-sess'>
|
||||
<!-- <module>pep</module> <!- - personal eventing -->
|
||||
</chain>
|
||||
|
||||
<!-- in-router. The modules in this chain are called when a packet
|
||||
arrives from the router (ie another component or s2s), but
|
||||
before any processing is done. This is a good place to filter
|
||||
incoming packets. -->
|
||||
<chain id='in-router'>
|
||||
<module>session</module> <!-- perform session actions as required by c2s -->
|
||||
<module>validate</module> <!-- validate packet type -->
|
||||
<module>presence</module> <!-- drop incoming presence if user not online -->
|
||||
<module>privacy</module> <!-- filter incoming packets based on privacy rules -->
|
||||
</chain>
|
||||
|
||||
<!-- out-router. The modules in this chain are called just before a
|
||||
packet is delivered to the router (destined for another
|
||||
component or s2s). This is a good place to filter outgoing
|
||||
packets. -->
|
||||
<chain id='out-router'>
|
||||
<module>privacy</module> <!-- filter outgoing packets based on privacy rules -->
|
||||
</chain>
|
||||
|
||||
<!-- pkt-sm. The modules in this chain are called when a packet
|
||||
arrives that is addressed to the session manager itself (ie the
|
||||
to JID has no node part). This is normally used to provide
|
||||
session-manager-wide services (like service discovery). -->
|
||||
<chain id='pkt-sm'>
|
||||
<module>iq-last</module> <!-- return the server uptime -->
|
||||
<module>iq-ping</module> <!-- return the server ping -->
|
||||
<module>iq-time</module> <!-- return the current server time -->
|
||||
<module>iq-version</module> <!-- return the server name and version -->
|
||||
<module>amp</module> <!-- advanced message processing -->
|
||||
<module>disco</module> <!-- build the disco list; respond to disco queries -->
|
||||
<module>announce</module> <!-- send broadcast messages (announce, motd, etc) -->
|
||||
<module>help</module> <!-- resend sm messages to administrators -->
|
||||
<module>echo</module> <!-- echo messages sent to /echo -->
|
||||
<module>status</module> <!-- track status information -->
|
||||
<module>presence</module> <!-- proces server presence subscriptions -->
|
||||
</chain>
|
||||
|
||||
<!-- pkt-user. The modules in this chain are called when a packet
|
||||
arrives that is address to a specific user. Note that this
|
||||
chain is also responsible for delivering packets to user
|
||||
sessions as appropriate - this is usually handled by the
|
||||
"deliver" module. -->
|
||||
<chain id='pkt-user'>
|
||||
<module>roster</module> <!-- handle s10n responses -->
|
||||
<module>presence</module> <!-- process and distribute incoming presence from external entities -->
|
||||
<module>iq-vcard</module> <!-- grab user vcards -->
|
||||
<module>amp</module> <!-- advanced message processing -->
|
||||
<module>deliver</module> <!-- deliver the packet to an active session if we can -->
|
||||
<module>vacation</module> <!-- send vacation messages -->
|
||||
<module>offline</module> <!-- save messages and s10ns for later -->
|
||||
<module>iq-last</module> <!-- return time since last logout -->
|
||||
</chain>
|
||||
|
||||
<!-- pkt-router. The modules in this chain are called when a
|
||||
special-purpose packet arrives from the router (eg domain
|
||||
advertisements). -->
|
||||
<chain id='pkt-router'>
|
||||
<module>session</module> <!-- take sessions offline if their c2s disappears -->
|
||||
<module>disco</module> <!-- query new components for service information -->
|
||||
</chain>
|
||||
|
||||
<!-- user-load. The modules in this chain are called to load
|
||||
per-user data. This will happen before a user can be used (ie
|
||||
before a session is created). -->
|
||||
<chain id='user-load'>
|
||||
<module>active</module> <!-- get active status -->
|
||||
<module>roster</module> <!-- load the roster and trust list -->
|
||||
<module>roster-publish</module> <!-- load the published roster -->
|
||||
<module>privacy</module> <!-- load privacy lists -->
|
||||
<module>vacation</module> <!-- load vacation settings -->
|
||||
</chain>
|
||||
|
||||
<!-- user-unload. The modules in this chain are called right
|
||||
after last per-user session is destroyed. -->
|
||||
<chain id='user-unload'>
|
||||
</chain>
|
||||
|
||||
<!-- user-create. The modules in this chain are called when a user
|
||||
creation request is received (usually from c2s as part of a
|
||||
registration request). This initialises any per-user data. -->
|
||||
<chain id='user-create'>
|
||||
<module>active</module> <!-- activate new users -->
|
||||
<module>template-roster</module> <!-- populate roster from template -->
|
||||
</chain>
|
||||
|
||||
<!-- user-delete. The modules in this chain are called when a user
|
||||
deletion request is received (usually from c2s as part of a
|
||||
registration removal request). This deletes all data that may
|
||||
have been previously created for the user during normal
|
||||
operation. -->
|
||||
<chain id='user-delete'>
|
||||
<module>active</module> <!-- deactivate users -->
|
||||
<module>announce</module> <!-- delete motd data -->
|
||||
<module>offline</module> <!-- bounce queued messages -->
|
||||
<module>privacy</module> <!-- delete privacy lists -->
|
||||
<module>roster</module> <!-- delete roster -->
|
||||
<module>vacation</module> <!-- delete vacation settings -->
|
||||
<module>status</module> <!-- delete status information -->
|
||||
<module>iq-last</module> <!-- delete last logout time -->
|
||||
<module>iq-private</module> <!-- delete private data -->
|
||||
<module>iq-vcard</module> <!-- delete vcard -->
|
||||
</chain>
|
||||
|
||||
<!-- disco-extend. The modules in this chain are called when a disco
|
||||
info request is send to session manager. It implements XEP-0128
|
||||
Service Discovery Extensions mechanizm to add additional
|
||||
information to disco#info reply. -->
|
||||
<chain id='disco-extend'>
|
||||
<module>iq-version</module> <!-- add XEP-xxxx Software Information -->
|
||||
<module>help</module> <!-- add XEP-0157 Contact Addresses -->
|
||||
</chain>
|
||||
|
||||
</modules>
|
||||
|
||||
<!-- Service discovery configuration -->
|
||||
<discovery>
|
||||
|
||||
<!-- Service identity. these specify the category, type and name of
|
||||
this service that will be included in discovery information
|
||||
responses. -->
|
||||
<identity>
|
||||
<category>server</category> <!-- default: server -->
|
||||
<type>im</type> <!-- default: im -->
|
||||
<name>Jabber IM server</name> <!-- default: Jabber IM server -->
|
||||
</identity>
|
||||
|
||||
<!-- The discovery module can respond to jabber:iq:agents queries
|
||||
for compatibility with older clients. Comment this out to
|
||||
disable this. -->
|
||||
<agents/>
|
||||
|
||||
<!-- Static service list.
|
||||
|
||||
The discover module can discover disco-capable services
|
||||
automatically as they come online. Most XEP-0114 components,
|
||||
however, will not support discovery. In order to get them to
|
||||
appear in disco/agents lists returned to the client, they
|
||||
should be listed here.
|
||||
|
||||
Note that if a disco-capable service with the same name as one
|
||||
listed below comes online, the information it provides will
|
||||
override the information listed below.
|
||||
|
||||
The "category" and "type" attributes, and the list of supported
|
||||
namespaces are only used for agents compatibility. If you have
|
||||
disabled this above, you may omit them. -->
|
||||
<items>
|
||||
|
||||
<!-- example entry for a user directory -->
|
||||
<!--
|
||||
<item category='service' type='jud' jid='users.jabber.org' name='Jabber User Directory'/>
|
||||
-->
|
||||
|
||||
<!-- example entry for a groupchat (conference) service -->
|
||||
<!--
|
||||
<item category='conference' type='public' jid='conference.jabber.org' name='Text conferencing'/>
|
||||
-->
|
||||
|
||||
</items>
|
||||
|
||||
<!-- Server information added to server discovery information
|
||||
in http://jabber.org/network/serverinfo jabber:x:data form. (XEP-0157)
|
||||
|
||||
May contain many values per item -->
|
||||
<!--
|
||||
<serverinfo>
|
||||
<admin-addresses>
|
||||
<value>mailto:xmpp@localhost.localdomain</value>
|
||||
<value>xmpp:admins@localhost.localdomain</value>
|
||||
</admin-addresses>
|
||||
<abuse-addresses>
|
||||
<value>mailto:abuse@localhost.localdomain</value>
|
||||
<value>xmpp:abuse@localhost.localdomain</value>
|
||||
</abuse-addresses>
|
||||
<feedback-addresses>
|
||||
<value>http://example.org/feedback.php</value>
|
||||
</feedback-addresses>
|
||||
<sales-addresses/>
|
||||
<security-addresses/>
|
||||
<support-addresses/>
|
||||
</serverinfo>
|
||||
-->
|
||||
|
||||
</discovery>
|
||||
|
||||
<!-- User options -->
|
||||
<user>
|
||||
<!-- By default, users must explicitly created before they can start
|
||||
a session. The creation process is usually triggered by a c2s
|
||||
component in response to a client registering a new user.
|
||||
|
||||
Enabling this option will make it so that user creation will be
|
||||
triggered the first time a non-existant user attempts to start
|
||||
a session. This is useful if you already have users in an
|
||||
external authentication database (eg LDAP) and you don't want
|
||||
them to have to register. -->
|
||||
<!--
|
||||
<auto-create/>
|
||||
-->
|
||||
|
||||
<!-- Define maximum size in bytes of fields of vcards.
|
||||
There is a recommendation that the avatar picture SHOULD NOT
|
||||
be larger than 16 KiB. -->
|
||||
<!--
|
||||
<vcard>
|
||||
<max-field-size>
|
||||
<default>16384</default>
|
||||
<avatar>16384</avatar>
|
||||
</max-field-size>
|
||||
</vcard>
|
||||
-->
|
||||
|
||||
<!-- Templates. If defined, the contents of these files will be
|
||||
stored in the users data store when they are created. -->
|
||||
<template>
|
||||
<!-- Uncomment <publish> if you wish to forcibly publish
|
||||
roster template from ldap on each user login -->
|
||||
<!--
|
||||
<publish>
|
||||
-->
|
||||
<!-- Key used for fetching published roster items.
|
||||
Only one might be set at a time.
|
||||
If not set, all items are fetched. -->
|
||||
<!--
|
||||
<fetch-key>
|
||||
<domain/>
|
||||
<user/>
|
||||
<fixed>grouping-key</fixed>
|
||||
</fetch-key>
|
||||
-->
|
||||
<!-- If <check-remove-domain> given, then published contact is checked
|
||||
against sm user database and if user is unknown to sm, contact
|
||||
will be deleted from user's roster (if it is in roster).
|
||||
If no domain set (tag empty) all contacts are checked. -->
|
||||
<!--
|
||||
<check-remove-domain>jabber.example.com</check-remove-domain>
|
||||
-->
|
||||
<!-- Alternatively if <force-create-contacts/> is not commented,
|
||||
published contact is added to sm user database
|
||||
and user set known to sm, so it won't auto-unsubscribe
|
||||
on connection established -->
|
||||
<!--
|
||||
<force-create-contacts/>
|
||||
-->
|
||||
<!-- Keep cache of "active" database specified number of seconds.
|
||||
This will significantly speed up publishing of roster.
|
||||
If unspecified or 0, no cache is used. -->
|
||||
<active-cache-ttl>60</active-cache-ttl>
|
||||
<!-- If <fix-subscriptions/> is not commented, set "to" and "from" subscriptions of
|
||||
user's contacts to subscriptions of corresponding published
|
||||
contacts. -->
|
||||
<!--
|
||||
<fix-subscriptions/>
|
||||
-->
|
||||
<!-- If <override-names/> is uncommented, then displayed names of
|
||||
contacts in user's roster will be updated accordingly to
|
||||
published roster (if they differ). If commented, then user can
|
||||
rename contacts in roster -->
|
||||
<!--
|
||||
<override-names/>
|
||||
-->
|
||||
<!-- when mapped-groups is on (<map-groups/> is uncommented), the actual
|
||||
group names for published contacts are read from
|
||||
published-roster-groups storage type, which may be set
|
||||
to ldapvcard driver. The key for searching is published user's
|
||||
group, and returned value is used as group name. So you can assign
|
||||
textual group IDs to users rather then group names.
|
||||
group-cache-ttl keeps cache of mapping from group id to name for
|
||||
specified number of seconds. If unspecified or 0, no cache is used.
|
||||
-->
|
||||
<!--
|
||||
<mapped-groups>
|
||||
<map-groups/>
|
||||
<group-cache-ttl>120</group-cache-ttl>
|
||||
</mapped-groups>
|
||||
-->
|
||||
<!-- If <force-groups> is commented out, published roster's contact
|
||||
added to user's roster only when user does not have this contact.
|
||||
|
||||
If <force-groups> is uncommented, then these checks are performed
|
||||
against each roster item already in user's roster:
|
||||
If roster item already present in user's roster in
|
||||
group of same name, no changes are made with this group (note
|
||||
that contact may be in more than one group).
|
||||
If <prefix> or <suffix> are given, then contact removed
|
||||
from any matching groups.
|
||||
After that, contact is added to group from published roster.
|
||||
|
||||
In other words, all groups of updated contact, that match prefix
|
||||
or suffix, are replaced with group of published contact.
|
||||
This is done because there is no way to determine that group was
|
||||
published or greated by user. -->
|
||||
<!--
|
||||
<force-groups>
|
||||
<prefix>MyOrg.</prefix>
|
||||
<suffix>(MyOrg)</suffix>
|
||||
</force-groups>
|
||||
-->
|
||||
<!--
|
||||
</publish>
|
||||
-->
|
||||
|
||||
<!-- If defined, the contents of these files will be
|
||||
stored in the users data store when they are created. -->
|
||||
<!-- If you defined publish, you should comment-out <roster> -->
|
||||
<!--
|
||||
<roster>/etc/jabber/templates/roster.xml</roster>
|
||||
-->
|
||||
</template>
|
||||
</user>
|
||||
|
||||
<!-- Advanced Message Processing module configuration -->
|
||||
<amp>
|
||||
<!-- You can disable some actions -->
|
||||
<!--
|
||||
<disableactions>
|
||||
<drop/>
|
||||
<error/>
|
||||
<alert/>
|
||||
<notify/>
|
||||
</disableactions>
|
||||
-->
|
||||
|
||||
<!-- You can disable some conditions -->
|
||||
<!--
|
||||
<disableconditions>
|
||||
<expireat/>
|
||||
<matchresource/>
|
||||
<deliver/>
|
||||
</disableconditions>
|
||||
-->
|
||||
|
||||
<!-- You need to enable this if your server has offline storage disabled -->
|
||||
<!--
|
||||
<offlinestoragedisabled/>
|
||||
-->
|
||||
</amp>
|
||||
|
||||
<!-- Offline module configuration -->
|
||||
<offline>
|
||||
<!-- Do not store messages in offline store -->
|
||||
<!--
|
||||
<dropmessages/>
|
||||
-->
|
||||
|
||||
<!-- Store headline messages in offline store -->
|
||||
<!--
|
||||
<storeheadlines/>
|
||||
-->
|
||||
|
||||
<!-- Do not store subscription requests in offline store -->
|
||||
<!--
|
||||
<dropsubscriptions/>
|
||||
-->
|
||||
|
||||
<!-- Offline storage message quota.
|
||||
Specifies how many messages will be stored in user offline store -->
|
||||
<!--
|
||||
<userquota>500</userquota>
|
||||
-->
|
||||
</offline>
|
||||
|
||||
<!-- roster module configuration -->
|
||||
<roster>
|
||||
<!-- maximum items per user roster -->
|
||||
<!--
|
||||
<maxitems>100</maxitems>
|
||||
-->
|
||||
</roster>
|
||||
|
||||
<!-- status module configuration -->
|
||||
<status>
|
||||
<!-- presence service resource
|
||||
disabled when commented out -->
|
||||
<!--
|
||||
<resource>webstatus</resource>
|
||||
-->
|
||||
</status>
|
||||
|
||||
</sm>
|
||||
<!--
|
||||
vim: syntax=xml
|
||||
-->
|
7
jabber/templates/roster.xml
Normal file
7
jabber/templates/roster.xml
Normal file
@ -0,0 +1,7 @@
|
||||
<!-- This is the roster template. If enabled in sm.xml, new users will
|
||||
get this roster by default. -->
|
||||
<query xmlns='jabber:iq:roster'>
|
||||
<!--
|
||||
<item name='Helpdesk' jid='helpdesk@localhost' subscription='none'><group>Support</group></item>
|
||||
-->
|
||||
</query>
|
7
jabber/templates/roster.xml.dist
Normal file
7
jabber/templates/roster.xml.dist
Normal file
@ -0,0 +1,7 @@
|
||||
<!-- This is the roster template. If enabled in sm.xml, new users will
|
||||
get this roster by default. -->
|
||||
<query xmlns='jabber:iq:roster'>
|
||||
<!--
|
||||
<item name='Helpdesk' jid='helpdesk@localhost' subscription='none'><group>Support</group></item>
|
||||
-->
|
||||
</query>
|
8
logrotate.d/jabberd
Normal file
8
logrotate.d/jabberd
Normal file
@ -0,0 +1,8 @@
|
||||
/var/log/jabber/c2s.log /var/log/jabber/s2s.log /var/log/jabber/sm.log /var/log/jabber/router.log {
|
||||
su jabber jabber
|
||||
sharedscripts
|
||||
missingok
|
||||
postrotate
|
||||
/etc/init.d/jabberd reload
|
||||
endscript
|
||||
}
|
6
pam.d/jabberd
Normal file
6
pam.d/jabberd
Normal file
@ -0,0 +1,6 @@
|
||||
#%PAM-1.0
|
||||
|
||||
auth required pam_nologin.so
|
||||
auth include system-auth
|
||||
account include system-auth
|
||||
session include system-auth
|
Loading…
Reference in New Issue
Block a user