annotate mod_lib_ldap/dev/prosody-posix-ldap.cfg.lua @ 5425:3b30635d215c

mod_http_oauth2: Support granting zero role-scopes It seems Very Bad that if you uncheck all roles on the consent page, you get the default scopes, which seems the opposite of what you probably intended. Currently, mod_tokenauth will do the same thing, so work is needed there too to allow issuing tokens without roles. A token without a role could be used for OIDC login, and not much else. This seems like a valuable thing to support.
author Kim Alvefur <zash@zash.se>
date Sun, 07 May 2023 19:29:15 +0200
parents d47972f783fb
children
rev   line source
809
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
1 -- Use Include 'prosody-posix-ldap.cfg.lua' from prosody.cfg.lua to include this file
862
675945ea2ed6 Change hoelzro's mod_auth_ldap to mod_auth_ldap2
Rob Hoelz <rob@hoelz.ro>
parents: 826
2 authentication = 'ldap2' -- Indicate that we want to use LDAP for authentication
675945ea2ed6 Change hoelzro's mod_auth_ldap to mod_auth_ldap2
Rob Hoelz <rob@hoelz.ro>
parents: 826
3 storage = 'ldap' -- Indicate that we want to use LDAP for roster/vcard storage
809
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
4
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
5 ldap = {
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
6 hostname = 'localhost', -- LDAP server location
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
7 bind_dn = 'cn=Manager,dc=example,dc=com', -- Bind DN for LDAP authentication (optional if anonymous bind is supported)
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
8 bind_password = 'prosody', -- Bind password (optional if anonymous bind is supported)
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
9
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
10 user = {
873
7aaf5d8750a3 Filter out test record 'seven'
Rob Hoelz <rob@hoelz.ro>
parents: 862
11 basedn = 'ou=Users,dc=example,dc=com', -- The base DN where user records can be found
7aaf5d8750a3 Filter out test record 'seven'
Rob Hoelz <rob@hoelz.ro>
parents: 862
12 filter = '(&(objectClass=posixAccount)(!(uid=seven)))', -- Filter expression to find user records under basedn
7aaf5d8750a3 Filter out test record 'seven'
Rob Hoelz <rob@hoelz.ro>
parents: 862
13 usernamefield = 'uid', -- The field that contains the user's ID (this will be the username portion of the JID)
7aaf5d8750a3 Filter out test record 'seven'
Rob Hoelz <rob@hoelz.ro>
parents: 862
14 namefield = 'cn', -- The field that contains the user's full name (this will be the alias found in the roster)
809
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
15 },
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
16
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
17 groups = {
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
18 basedn = 'ou=Groups,dc=example,dc=com', -- The base DN where group records can be found
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
19 memberfield = 'memberUid', -- The field that contains user ID records for this group (each member must have a corresponding entry under the user basedn with the same value in usernamefield)
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
20 namefield = 'cn', -- The field that contains the group's name (used for matching groups in LDAP to group definitions below)
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
21
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
22 {
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
23 name = 'everyone', -- The group name that will be seen in users' rosters
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
24 cn = 'Everyone', -- This field's key *must* match ldap.groups.namefield! It's the name of the LDAP group this definition represents
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
25 admin = false, -- (Optional) A boolean flag that indicates whether members of this group should be considered administrators.
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
26 },
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
27 {
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
28 name = 'admin',
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
29 cn = 'Admin',
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
30 admin = true,
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
31 },
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
32 },
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
33
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
34 vcard_format = {
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
35 displayname = 'cn', -- Consult the vCard configuration section in the README
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
36 nickname = 'uid',
824
bc173b17c15f Add photo config to sample config
Rob Hoelz <rob@hoelz.ro>
parents: 809
37 photo = {
826
9dc7d92f44e8 Fix prosody config (type is MIME type)
Rob Hoelz <rob@hoelz.ro>
parents: 824
38 type = 'image/jpeg',
824
bc173b17c15f Add photo config to sample config
Rob Hoelz <rob@hoelz.ro>
parents: 809
39 binval = 'jpegPhoto',
1463
d47972f783fb Include configuration for telephone numbers for LDAP test config
Rob Hoelz <rob@hoelz.ro>
parents: 873
40 },
d47972f783fb Include configuration for telephone numbers for LDAP test config
Rob Hoelz <rob@hoelz.ro>
parents: 873
41 telephone = {
d47972f783fb Include configuration for telephone numbers for LDAP test config
Rob Hoelz <rob@hoelz.ro>
parents: 873
42 work = {
d47972f783fb Include configuration for telephone numbers for LDAP test config
Rob Hoelz <rob@hoelz.ro>
parents: 873
43 voice = true,
d47972f783fb Include configuration for telephone numbers for LDAP test config
Rob Hoelz <rob@hoelz.ro>
parents: 873
44 number = 'telephoneNumber',
d47972f783fb Include configuration for telephone numbers for LDAP test config
Rob Hoelz <rob@hoelz.ro>
parents: 873
45 },
d47972f783fb Include configuration for telephone numbers for LDAP test config
Rob Hoelz <rob@hoelz.ro>
parents: 873
46 },
809
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
47 },
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
48 }
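Review bot: The sample binds to the directory as `cn=Manager,dc=example,dc=com` with the literal `bind_password = 'prosody'`, and nothing in the file beyond its `dev/` path says this is a test fixture, so anyone who copies it as a starting point inherits a directory-administrator credential in their Prosody config. I would annotate the bind block with `-- Dev fixture only: in production bind with a least-privileged, read-only service account and keep the password out of version control (the existing comments already note anonymous bind is an option).` The `hostname = 'localhost'` entry could likewise carry a note that no transport security to the LDAP server is configured here, so the bind password is presumably sent in the clear unless the connection is protected by other means; I have not checked which transport options mod_lib_ldap exposes, so the note should point at the README rather than name a setting. The `filter` value excluding `uid=seven` is explained only by the blame history ("Filter out test record 'seven'"), and a one-line comment saying so would save the next reader a trip through the log.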