prosody-modules
2bb29ece216b
mod_lib_ldap/dev/prosody-posix-ldap.cfg.lua

Find changesets by keywords by author, files, the commit message, revision number or hash, or revset expression.

Software / code / prosody-modules

File

mod_lib_ldap/dev/prosody-posix-ldap.cfg.lua @ 5193:2bb29ece216b

mod_http_oauth2: Implement stateless dynamic client registration Replaces previous explicit registration that required either the additional module mod_adhoc_oauth2_client or manually editing the database. That method was enough to have something to test with, but would not probably not scale easily. Dynamic client registration allows creating clients on the fly, which may be even easier in theory. In order to not allow basically unauthenticated writes to the database, we implement a stateless model here. per_host_key := HMAC(config -> oauth2_registration_key, hostname) client_id := JWT { client metadata } signed with per_host_key client_secret := HMAC(per_host_key, client_id) This should ensure everything we need to know is part of the client_id, allowing redirects etc to be validated, and the client_secret can be validated with only the client_id and the per_host_key. A nonce injected into the client_id JWT should ensure nobody can submit the same client metadata and retrieve the same client_secret
author Kim Alvefur <zash@zash.se>
date Fri, 03 Mar 2023 21:14:19 +0100
parent 1463:d47972f783fb
line wrap: on
line source

-- Use Include 'prosody-posix-ldap.cfg.lua' from prosody.cfg.lua to include this file
authentication = 'ldap2' -- Indicate that we want to use LDAP for authentication
storage        = 'ldap'  -- Indicate that we want to use LDAP for roster/vcard storage

ldap = {
    hostname      = 'localhost',                    -- LDAP server location
    bind_dn       = 'cn=Manager,dc=example,dc=com', -- Bind DN for LDAP authentication (optional if anonymous bind is supported)
    bind_password = 'prosody',                      -- Bind password (optional if anonymous bind is supported)

    user = {
      basedn        = 'ou=Users,dc=example,dc=com',                  -- The base DN where user records can be found
      filter        = '(&(objectClass=posixAccount)(!(uid=seven)))', -- Filter expression to find user records under basedn
      usernamefield = 'uid',                                         -- The field that contains the user's ID (this will be the username portion of the JID)
      namefield     = 'cn',                                          -- The field that contains the user's full name (this will be the alias found in the roster)
    },

    groups = {
      basedn      = 'ou=Groups,dc=example,dc=com', -- The base DN where group records can be found
      memberfield = 'memberUid',                   -- The field that contains user ID records for this group (each member must have a corresponding entry under the user basedn with the same value in usernamefield)
      namefield   = 'cn',                          -- The field that contains the group's name (used for matching groups in LDAP to group definitions below)

      {
        name  = 'everyone', -- The group name that will be seen in users' rosters
        cn    = 'Everyone', -- This field's key *must* match ldap.groups.namefield! It's the name of the LDAP group this definition represents
        admin = false,      -- (Optional) A boolean flag that indicates whether members of this group should be considered administrators.
      },
      {
        name  = 'admin',
        cn    = 'Admin',
        admin = true,
      },
    },

    vcard_format = {
      displayname = 'cn', -- Consult the vCard configuration section in the README
      nickname    = 'uid',
      photo       = {
        type   = 'image/jpeg',
        binval = 'jpegPhoto',
      },
      telephone = {
        work = {
          voice = true,
          number = 'telephoneNumber',
        },
      },
    },
}