Mercurial > prosody-modules
view mod_lib_ldap/dev/prosody-posix-ldap.cfg.lua @ 5616:59d5fc50f602
mod_http_oauth2: Implement refresh token rotation
Makes refresh tokens one-time-use, handing out a new refresh token with
each access token. Thus if a refresh token is stolen and used by an
attacker, the next time the legitimate client tries to use the previous
refresh token, it will not work and the attack will be noticed. If the
attacker does not use the refresh token, it becomes invalid after the
legitimate client uses it.
This behavior is recommended by draft-ietf-oauth-security-topics
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Sun, 23 Jul 2023 02:56:08 +0200 |
parents | d47972f783fb |
children |
line wrap: on
line source
-- Use Include 'prosody-posix-ldap.cfg.lua' from prosody.cfg.lua to include this file authentication = 'ldap2' -- Indicate that we want to use LDAP for authentication storage = 'ldap' -- Indicate that we want to use LDAP for roster/vcard storage ldap = { hostname = 'localhost', -- LDAP server location bind_dn = 'cn=Manager,dc=example,dc=com', -- Bind DN for LDAP authentication (optional if anonymous bind is supported) bind_password = 'prosody', -- Bind password (optional if anonymous bind is supported) user = { basedn = 'ou=Users,dc=example,dc=com', -- The base DN where user records can be found filter = '(&(objectClass=posixAccount)(!(uid=seven)))', -- Filter expression to find user records under basedn usernamefield = 'uid', -- The field that contains the user's ID (this will be the username portion of the JID) namefield = 'cn', -- The field that contains the user's full name (this will be the alias found in the roster) }, groups = { basedn = 'ou=Groups,dc=example,dc=com', -- The base DN where group records can be found memberfield = 'memberUid', -- The field that contains user ID records for this group (each member must have a corresponding entry under the user basedn with the same value in usernamefield) namefield = 'cn', -- The field that contains the group's name (used for matching groups in LDAP to group definitions below) { name = 'everyone', -- The group name that will be seen in users' rosters cn = 'Everyone', -- This field's key *must* match ldap.groups.namefield! It's the name of the LDAP group this definition represents admin = false, -- (Optional) A boolean flag that indicates whether members of this group should be considered administrators. }, { name = 'admin', cn = 'Admin', admin = true, }, }, vcard_format = { displayname = 'cn', -- Consult the vCard configuration section in the README nickname = 'uid', photo = { type = 'image/jpeg', binval = 'jpegPhoto', }, telephone = { work = { voice = true, number = 'telephoneNumber', }, }, }, }