Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- <!-- c2s configuration -->
- <c2s>
- <!-- Our ID on the network (default: c2s) -->
- <id>c2s</id>
- <!-- The process ID file. Comment this out if you don't need to know
- the process ID from outside the process (eg for control scripts) -->
- <pidfile>/var/lib/jabberd/pid/c2s.pid</pidfile>
- <!-- Router connection configuration -->
- <router>
- <!-- IP/port the router is waiting for connections on -->
- <ip>::1</ip> <!-- default: 127.0.0.1 -->
- <port>5347</port> <!-- default: 5347 -->
- <!-- Username/password to authenticate as -->
- <user>jabberd</user> <!-- default: jabberd -->
- <pass>90ab48c641e2aec7d96465f86048628cf60cf739</pass> <!-- default: secret -->
- <!-- File containing an SSL certificate and private key to use when
- setting up an encrypted channel with the router. From
- SSL_CTX_use_certificate_chain_file(3): "The certificates must be
- in PEM format and must be sorted starting with the subject's
- certificate (actual client or server certificate), followed
- by intermediate CA certificates if applicable, and ending
- at the highest level (root) CA" (the latter one being optional).
- If this is commented out, or the file can't be read, no attempt
- will be made to establish an encrypted channel with the router. -->
- <!--
- <pemfile>/etc/jabberd/server.pem</pemfile>
- -->
- <!-- Router connection retry -->
- <retry>
- <!-- If the connection to the router can't be established at
- startup, we should try again this many times before exiting.
- Use -1 to retry indefinitely. [default: 3] -->
- <init>3</init>
- <!-- If we lost the connection to the router during normal
- operation (ie we've successfully connected to the router in
- the past), we should try to reconnect this many times before
- exiting. Use -1 to retry indefinitely. [default: 3] -->
- <lost>3</lost>
- <!-- Sleep for this many seconds before trying attempting a
- reconnect. [default: 2] -->
- <sleep>2</sleep>
- </retry>
- </router>
- <!-- Log configuration - type is "syslog", "file" or "stdout" -->
- <log type="syslog">
- <!-- If logging to syslog, this is the log ident -->
- <ident>jabberd/c2s</ident>
- <!-- If logging to syslog, this is the log facility
- (local0 - local7) [default: local3] -->
- <facility>local3</facility>
- <!-- If logging to file, this is the filename of the logfile -->
- <!--
- <file>/var/lib/jabberd/log/c2s.log</file>
- -->
- <!-- Filename of the debug logfile -->
- <!--
- <debug>/var/lib/jabberd/log/debug-${id}.log</debug>
- -->
- </log>
- <!-- Local network configuration -->
- <local>
- <!-- Who we identify ourselves as. This should correspond to the
- ID (host) that the session manager thinks it is. You can
- specify more than one to support virtual hosts, as long as you
- have additional session manager instances on the network to
- handle those hosts.
- You may leave the content of the <id/> empty to setup default
- virtual host setup, that will be used for all present but not
- configured otherwise SM domains.
- realm
- attribute specifies the auth/reg or SASL authentication realm
- for the host. If the attribute is not specified, the realm will
- be selected by the SASL mechanism, or will be the same as the ID
- itself. Be aware that users are assigned to a realm, not a host,
- so two hosts in the same realm will have the same users. If no
- realm is specified, it will be set to be the same as the ID.
- If empty "" realm is specified, the PAM backend wil authenticate
- using plain usernames, not JIDs.
- pemfile
- attribute specifies the file containing a SSL certificate and
- private key for client connections. If this is non existant,
- clients will not be offered the STARTTLS stream extension
- From SSL_CTX_use_certificate_chain_file(3):
- "The certificates must be in PEM format and must be sorted
- starting with the subject's certificate (actual client or server
- certificate), followed by intermediate CA certificates if
- applicable, and ending at the highest level (root) CA"
- (the latter one being optional).
- verify-mode
- SSL verify mode - see SSL_CTX_set_verify(3), mode parameter.
- Sum of the following options:
- SSL_VERIFY_NONE 0x00
- SSL_VERIFY_PEER 0x01
- SSL_VERIFY_FAIL_IF_NO_PEER_CERT 0x02
- SSL_VERIFY_CLIENT_ONCE 0x04
- Use 7 to require all clients to present _valid_ certificates.
- cachain
- SSL CA chain. Used to verify client certificates.
- CA names published to client upon connection.
- require-starttls
- If this attribute is set to any value, clients must do STARTTLS
- before they can authenticate. Until the stream is encrypted,
- all packets will be dropped.
- register-enable
- Remove this attribute to disable account registrations.
- instructions
- Human-readable instructions to be returned to client when
- registration is requested.
- register-oob
- URL to be attached as an alternative, out-of-band registration
- method. Usually web-based http:// URL.
- password-change
- Password change only. When registration is disabled, it may
- still be useful to allow clients to change their password. If
- you want this, add this attribute with any value, when you need
- registration disabled.
- -->
- <id require-starttls="false" pemfile="/etc/pki/spacewalk/jabberd/server.pem" realm="" register-enable="true">gss-spacewalk-1-prod.aws.u.d.g</id>
- <!--<id require-starttls="false" pemfile="/etc/pki/spacewalk/jabberd/server.pem" realm="" register-enable="true">gss-spacewalk-1-prod.aws.u.d.g</
- id>-->
- <!--<id require-starttls="false" pemfile="/etc/pki/spacewalk/jabberd/server.pem" realm="" register-enable="true">spacewalk.u.d.g</id>-->
- <!-- or
- <id realm='company.int'
- pemfile='/etc/jabberd/server.pem'
- verify-mode='7'
- cachain='/etc/jabberd/client_ca_certs.pem'
- require-starttls='mu'
- register-enable='mu'
- instructions='Enter a username and password to register with this server.'
- register-oob='http://example.org/register'
- password-change='mu'
- >example.net</id> -->
- <!-- or the default host
- <id password-change='mu' /> -->
- <!-- IP address to bind to (default: 0.0.0.0) -->
- <ip>::</ip>
- <!-- Port to bind to, or 0 to disable unencrypted access to the
- server (default: 5222) -->
- <port>5222</port>
- <!-- Older versions of jabberd support encrypted client connections
- via an additional listening socket on port 5223. If you want
- this (required to allow pre-STARTTLS clients to do SSL),
- uncomment this -->
- <!--
- <ssl-port>5223</ssl-port>
- -->
- <!-- File containing an SSL certificate and private key for client
- connections. From SSL_CTX_use_certificate_chain_file(3):
- "The certificates must be in PEM format and must be sorted
- starting with the subject's certificate (actual client or server
- certificate), followed by intermediate CA certificates if
- applicable, and ending at the highest level (root) CA"
- (the latter one being optional).
- Note: This certificate is ONLY used for old style SSL
- connections on port 5223 (pre-STARTTLS). If you want to
- use STARTTLS over the standard XMPP port 5222 then you
- MUST specify the pemfile in the 'id' tag above. -->
- <!--
- <pemfile>/etc/jabberd/server.pem</pemfile>
- -->
- <!-- SSL verify mode - see SSL_CTX_set_verify(3), mode parameter -->
- <!--
- <verify-mode>7</verify-mode>
- -->
- <!-- SSL CA chain. Used to verify client certificates. CA names published to client upon connection -->
- <!--
- <cachain>/etc/jabberd/client_ca_certs.pem</cachain>
- -->
- <!-- Forward incoming HTTP clients to a real HTTP server -->
- <!--
- <httpforward>http://www.jabber.org/</httpforward>
- -->
- </local>
- <!-- Input/output settings -->
- <io>
- <!-- Maximum number of file descriptors. This value sets an upper
- limit on the number of users who may be logged in to this
- server at a given time. Each user consumers one file
- descriptor.
- Note that the number of possible connections will be slightly
- less than this, because c2s itself can use up five on its own,
- and auth/reg modules may need a few also. If the supply of
- file descriptors is exhausted, new incoming connections will
- be denied.
- Also note that this value only affects how many file descriptors
- jabberd is able to handle internally. You may also need to
- tell your operating system to allow jabberd to use more file
- descriptors. On Linux this can be done using ulimit -n or by
- changing the value of /proc/sys/fd/file-max.
- (default: 1024) -->
- <max_fds>1024</max_fds>
- <!-- Rate limiting -->
- <limits>
- <!-- Maximum bytes per second - if more than X bytes are sent in Y
- seconds, connection is throttled for Z seconds. The format
- is:
- <bytes seconds='Y' throttle='Z'>X</bytes>
- Default Y is 1, default Z is 5. set X to 0 to disable. -->
- <bytes>0</bytes>
- <!-- Maximum number of stanzas per second - if more than X stanzas
- are sent in Y seconds, connection is throttled for Z seconds.
- The format is:
- <stanzas seconds='Y' throttle='Z'>X</stanzas>
- Default Y 1, default Z is 5. Set X to 0 to disable -->
- <stanzas>1000</stanzas>
- <!-- Maximum connects per second - if more than X connects are
- attempted from a single IP in Y seconds, that IP is throttled
- for Z seconds. The format is:
- <connects seconds='Y' throttle='Z'>X</connects>
- Default Y is 5, default Z is 5. set X to 0 to disable. -->
- <connects>0</connects>
- <!-- Maximum stanza size - if more than given number of bytes
- are read in one incoming stanza, the stream is closed
- with policy-violation error.
- Set to 0 to disable.
- Values less than 16384 might not work. -->
- <stanzasize>65535</stanzasize>
- </limits>
- <!-- Enable XEP-0138: Stream Compression -->
- <!--
- <compression/>
- -->
- <!-- IP-based access controls. If a connection IP matches an allow
- rule, the connection will be accepted. If a connecting IP
- matches a deny rule, the connection will be refused. If the
- connecting IP does not match any rules, or it matches both an
- allow and a deny rule, the contents of the <order/> option
- determines what happens. -->
- <access>
- <!-- Rule check order (default: allow,deny)
- allow,deny - Check allow rules, then check deny rules.
- Allow by default.
- deny,allow - Check deny rules, then check allow rules.
- Deny by default. -->
- <order>allow,deny</order>
- <!-- Allow a network. If the mask isn't specified, it defaults to
- 255.255.255.255 (ie allow onle the specified IP) -->
- <!--
- <allow ip='127.0.0.0' mask='255.0.0.0'/>
- -->
- <!-- Allow a single host -->
- <!--
- <allow ip='12.34.56.78'/>
- -->
- <!-- Deny a network or a host -->
- <!--
- <deny ip='127.0.0.1' mask='255.0.0.0'/>
- <deny ip='87.65.43.21'/>
- -->
- </access>
- <!-- Timed checks -->
- <check>
- <!-- Interval between checks.
- Open client connections will be checked every n seconds, and
- the following checks applied.
- 0 disables all checks. (default: 0) -->
- <interval>60</interval>
- <!-- Idle connection checks.
- Connections that have not sent data for longer than this many
- seconds will be dropped.
- 0 disables idle timeouts. (default: 0) -->
- <idle>0</idle>
- <!-- Keepalives.
- Connections that have not sent data for longer than this many
- seconds will have a single whitespace character sent to them.
- This will force the TCP connection to be closed if they have
- disconnected without us knowing about it.
- 0 disables keepalives. (default: 0) -->
- <keepalive>60</keepalive>
- </check>
- </io>
- <!-- Statistics -->
- <stats>
- <!-- file containing count of packets that went through -->
- <!--
- <packet>/var/lib/jabberd/stats/c2s.packets</packet>
- -->
- </stats>
- <!-- PBX integration -->
- <pbx>
- <!-- Commands named pipe path. Allows creating "fake" sessions
- with given resource and status -->
- <!--
- <pipe>/var/lib/jabberd/run/pbx</pipe>
- -->
- <!-- Available commands:
- START jid/resource [[priority ]status] [description]
- STOP jid/resource [description]
- where priority is integer between -128 and +127
- and status is one of: CHAT, ONLINE, DND, AWAY, XA
- -->
- </pbx>
- <!-- see-other-host error stream redirection support
- This will redirect connections to specified domains to other host:port
- Usefull when migrating service and DNS change did not propagate yet.
- Note that to_address should be RFC 3986 compliant. -->
- <stream_redirect>
- <!--
- <redirect requested_domain="some.domain" to_address="other.hostname" to_port="5269" />
- <redirect requested_domain="other.domain" to_address="other.host" to_port="1234" />
- -->
- </stream_redirect>
- <!-- Authentication/registration database configuration -->
- <authreg>
- <!-- Dynamic authreg modules path -->
- <path>/usr/lib64/jabberd</path>
- <!-- Backend module to use -->
- <module>db</module>
- <!-- Available authentication mechanisms -->
- <mechanisms>
- <!-- These are the traditional Jabber authentication mechanisms.
- Comment out any that you don't want to be offered to clients.
- Note that if the auth/reg module does not support one of
- these mechanisms, then it will not be offered regardless of
- whether or not it is enabled here. -->
- <traditional>
- <plain/>
- <digest/>
- </traditional>
- <!-- SASL authentication mechanisms. Comment out any that you
- don't want to be offered to clients. Again, if the auth/reg
- module does not support one of these mechanisms, then it will
- not be offered. -->
- <sasl>
- <plain/>
- <digest-md5/>
- <!--
- <anonymous/>
- <gssapi/>
- -->
- </sasl>
- </mechanisms>
- <!-- Additional mechanisms that are also available when the
- connection is encrypted. Ie. when START-TLS had been
- negotiated, or user connected on SSL-wrapped port. -->
- <ssl-mechanisms>
- <!-- it's advisable that you disable plain in the above
- <mechanisms/> section -->
- <traditional>
- <plain/>
- </traditional>
- <sasl>
- <plain/>
- <external/>
- </sasl>
- </ssl-mechanisms>
- <!-- SQLite driver configuration -->
- <sqlite>
- <!-- Database name -->
- <dbname>/var/lib/jabberd/db/sqlite.db</dbname>
- <!-- Transacation support. If this is commented out, transactions
- will be disabled. This might make database accesses faster,
- but data may be lost if jabberd crashes. -->
- <transactions/>
- <!-- SQLite busy-timeout in milliseconds. -->
- <busy-timeout>2000</busy-timeout>
- <!-- Passwords in DB may be stored in plain or hashed format -->
- <!-- NOTE: If you are using hashed passwords, the only auth
- method that will work is PLAIN.
- Make sure that you disabled others in 'mechanisms'
- sections of the config file. -->
- <password_type>
- <!-- only one may be enabled here -->
- <plaintext/>
- <!-- use crypt(3)ed passwords
- <crypt/>
- -->
- <!-- use A1HASH passwords
- This stores the MD5 digest of user:realm:password in the database
- <a1hash/>
- -->
- </password_type>
- </sqlite>
- <!-- MySQL module configuration -->
- <mysql>
- <!-- Database server host and port -->
- <host>localhost</host>
- <port>3306</port>
- <!-- Database name -->
- <dbname>jabberd2</dbname>
- <!-- Database username and password -->
- <user>jabberd2</user>
- <pass>90ab48c641e2aec7d96465f86048628cf60cf739</pass>
- <!-- Passwords in DB may be stored in plain or hashed format -->
- <!-- NOTE: If you are using hashed passwords, the only auth
- method that will work is PLAIN.
- Make sure that you disabled others in 'mechanisms'
- sections of the config file. -->
- <password_type>
- <!-- only one may be enabled here -->
- <plaintext/>
- <!-- use crypt(3)ed passwords
- <crypt/>
- -->
- <!-- use A1HASH passwords
- This stores the MD5 digest of user:realm:password in the database
- <a1hash/>
- -->
- </password_type>
- </mysql>
- <!-- PostgreSQL module configuration -->
- <pgsql>
- <!-- PostgreSQL connection info.
- For the rest of the options see
- http://www.postgresql.org/docs/8.0/interactive/libpq.html -->
- <conninfo>dbname=jabberd2 user=jabberd2 password=secret</conninfo>
- <!-- Alternatively you may set connection settings separately.
- These are used only in absence of 'conninfo' -->
- <!-- Database server host and port -->
- <host>localhost</host>
- <port>5432</port>
- <!-- Database name -->
- <dbname>jabberd2</dbname>
- <!-- Database schema -->
- <schema>public</schema>
- <!-- Database username and password -->
- <user>jabberd2</user>
- <pass>90ab48c641e2aec7d96465f86048628cf60cf739</pass>
- <!-- Passwords in DB may be stored in plain or hashed format -->
- <!-- NOTE: If you are using hashed passwords, the only auth
- method that will work is PLAIN.
- Make sure that you disabled others in 'mechanisms'
- sections of the config file. -->
- <password_type>
- <!-- only one may be enabled here -->
- <plaintext/>
- <!-- use crypt(3)ed passwords
- <crypt/>
- -->
- <!-- use A1HASH passwords
- This stores the MD5 digest of user:realm:password in the database
- <a1hash/>
- -->
- </password_type>
- </pgsql>
- <!-- Oracle driver configuration -->
- <oracle>
- <!-- Database server host and port. -->
- <host>localhost</host>
- <port>1521</port>
- <!-- Database name -->
- <dbname>jabberd2</dbname>
- <!-- Database username and password -->
- <user>jabberd2</user>
- <pass>90ab48c641e2aec7d96465f86048628cf60cf739</pass>
- </oracle>
- <!-- Berkeley DB module configuration -->
- <db>
- <!-- Directory to store database files under -->
- <path>/var/lib/jabberd/db</path>
- <!-- Synchronize the database to disk after each write. If you
- disable this, database accesses may be faster, but data may
- be lost if jabberd crashes. -->
- <sync/>
- </db>
- <!-- LDAPFULL module configuration -->
- <ldapfull>
- <!-- LDAP server host and port (default: 389) -->
- <uri>ldap://localhost/ ldaps://ldap.example.com/</uri>
- <!-- DN to bind as for searches. If unspecified, the searches
- will be done anonymously. -->
- <!--
- <binddn>cn=Directory Manager</binddn>
- <bindpw>secret</bindpw>
- -->
- <!-- Type of LDAP server. Currently "ad" for active directory and "ldap"
- for other ldap servers. If not specified, then it is ldap. -->
- <!--
- <type>ad</type>
- -->
- <!-- LDAP attribute that holds the user ID (default: uid) -->
- <uidattr>uid</uidattr>
- <objectclass>posixAccount</objectclass>
- <!-- LDAP attribute that holds the cleartext or hashed password
- (not needed when pwscheme is set to 'bind') -->
- <pwattr>userPassword</pwattr>
- <!-- if you use included jabberd.schema use this:
- <uidattr>jid</uidattr>
- <objectclass>jabberUser</objectclass>
- <pwattr>jabberPassword</pwattr>
- -->
- <!-- Attribute that holds jabber account status. Must be TRUE for AD,
- and 1 for other LDAP server.
- If not specified, then it will not be used. -->
- <!--
- <validattr>valid</validattr>
- -->
- <!-- Group that users must be members of
- If this is set, only user that are members of the specified LDAP
- group can log in. The group must be specified with its full
- distinguished name -->
- <!--
- <group_dn>cn=jabberdusers,ou=servicegroups,dc=example,dc=com</group_dn>
- -->
- <fulluid/>
- <!-- If pwscheme is not defined, then passwords are stored in clear
- text and digest authentication may be done.
- If passwords are hashed, then you cannot use digest authentication
- and should use plain text authentication.
- Any of sha, ssha, crypt, bind and clear may be specified.
- 'sha' specifies that the attribute in pwattr holds a base-64
- encoded SHA-1 hashed password beginning with the string {SHA}.
- 'ssha' specifies that the attribute in pwattr holds a base-64
- SHA-1 hashed password appended with 32 bits of salt and beginning
- with the string {SSHA}.
- 'crypt' specifies that the attribute in pwattr holds a UNIX-style
- crypt(3) hashed password.
- 'bind' specifies that the password is not stored in an attribute
- but is authenticated directly by the LDAP server by binding
- using the user's DN. This should be compatible with the
- widest variety of LDAP servers.
- -->
- <!-- <pwscheme>bind</pwscheme> -->
- <!-- base DN of the tree. You should specify a DN for each
- authentication realm declared in the <local/> section above,
- by using the realm attribute. -->
- <basedn realm="company">o=Company.com</basedn>
- <basedn>o=Example Corp.</basedn>
- </ldapfull>
- <!-- LDAP module configuration -->
- <!-- Remember that you need to use PLAIN auth with LDAP backend -->
- <ldap>
- <!-- LDAP server host and port (default: 389) -->
- <host>ldap.example.com</host>
- <port>389</port>
- <!-- Use LDAP v3 if possible. If disabled, v2 will be used.
- Encryption options are only available if v3 is enabled. -->
- <!--
- <v3/>
- -->
- <!-- Encryption. If enabled, this will create an encrypted channel
- to the LDAP server using the LDAP STARTTLS mechanism. -->
- <!--
- <starttls/>
- -->
- <!-- Encryption. If enabled, this will create an encrypted channel
- to the server using the old-style "ldaps://" mechanism. It is
- recommended that you use <starttls/> instead of this. -->
- <!--
- <ssl/>
- -->
- <!-- DN to bind as for searches. If unspecified, the searches
- will be done anonymously. -->
- <!--
- <binddn>cn=Directory Manager</binddn>
- <bindpw>secret</bindpw>
- -->
- <!-- LDAP attribute that holds the user ID (default: uid) -->
- <uidattr>uid</uidattr>
- <!-- Enable the append-realm element if you want to append
- realm value (usernam@realm) to the uidattr value
- <append-realm/>
- -->
- <!-- Alternatively to <uidattr/> and <append-realm/> you may
- specify full LDAP search <query/> that will be used to
- get user objects from directory.
- The following replacements take place:
- %u is replaced by user login name
- %r is replaced by user login realm
- When <query/> is specified, <uidattr/> and <append-realm/>
- are unused and take no effect. -->
- <!--
- <query>(&(mail=%u@%r)(objectClass=inetOrgPerson))</query>
- -->
- <!-- base DN of the tree. You should specify a DN for each
- authentication realm declared in the <local/> section above,
- by using the realm attribute. -->
- <basedn realm="company">o=Company.com</basedn>
- <basedn>o=Example Corp.</basedn>
- </ldap>
- <!-- if you want to configure more than one LDAP server
- create ldap1, ldap2 etc. sections
- <ldap1>
- </ldap1>
- -->
- <!-- Pipe module configuration -->
- <pipe>
- <!-- Program to execute -->
- <exec>/usr/bin/pipe-auth.pl</exec>
- </pipe>
- </authreg>
- </c2s><!--
- vim: syntax=xml
- -->
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement