1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
|
<!-- c2s configuration -->
<c2s>
<!-- Our ID on the network (default: c2s) -->
<id>c2s</id>
<!-- The process ID file. Comment this out if you don't need to know
the process ID from outside the process (eg for control scripts) -->
<pidfile>/var/run/jabberd2/c2s.pid</pidfile>
<!-- Router connection configuration -->
<router>
<!-- IP/port the router is waiting for connections on -->
<ip>127.0.0.1</ip> <!-- default: 127.0.0.1 -->
<port>5347</port> <!-- default: 5347 -->
<!-- Username/password to authenticate as -->
<user>jabberd</user> <!-- default: jabberd -->
<pass>secret</pass> <!-- default: secret -->
<!-- File containing an SSL certificate and private key to use when
setting up an encrypted channel with the router. From
SSL_CTX_use_certificate_chain_file(3): "The certificates must be
in PEM format and must be sorted starting with the subject's
certificate (actual client or server certificate), followed
by intermediate CA certificates if applicable, and ending
at the highest level (root) CA" (the latter one being optional).
If this is commented out, or the file can't be read, no attempt
will be made to establish an encrypted channel with the router. -->
<!--
<pemfile>@sysconfdir@/server.pem</pemfile>
-->
<!-- Router connection retry -->
<retry>
<!-- If the connection to the router can't be established at
startup, we should try again this many times before exiting.
Use -1 to retry indefinitely. [default: 3] -->
<init>3</init>
<!-- If we lost the connection to the router during normal
operation (ie we've successfully connected to the router in
the past), we should try to reconnect this many times before
exiting. Use -1 to retry indefinitely. [default: 3] -->
<lost>3</lost>
<!-- Sleep for this many seconds before trying attempting a
reconnect. [default: 2] -->
<sleep>2</sleep>
</retry>
</router>
<!-- Log configuration - type is "syslog", "file" or "stdout" -->
<log type='file'>
<!-- If logging to syslog, this is the log ident -->
<ident>jabberd/c2s</ident>
<!-- If logging to syslog, this is the log facility
(local0 - local7) [default: local3] -->
<facility>local3</facility>
<!-- If logging to file, this is the filename of the logfile -->
<file>/var/log/jabberd2/c2s.log</file>
<!-- Filename of the debug logfile -->
<!--
<debug>@localstatedir@/@package@/log/debug-${id}.log</debug>
-->
</log>
<!-- Local network configuration -->
<local>
<!-- Who we identify ourselves as. This should correspond to the
ID (host) that the session manager thinks it is. You can
specify more than one to support virtual hosts, as long as you
have additional session manager instances on the network to
handle those hosts.
You may leave the content of the <id/> empty to setup default
virtual host setup, that will be used for all present but not
configured otherwise SM domains.
realm
attribute specifies the auth/reg or SASL authentication realm
for the host. If the attribute is not specified, the realm will
be selected by the SASL mechanism, or will be the same as the ID
itself. Be aware that users are assigned to a realm, not a host,
so two hosts in the same realm will have the same users. If no
realm is specified, it will be set to be the same as the ID.
If empty "" realm is specified, the PAM backend wil authenticate
using plain usernames, not JIDs.
pemfile
attribute specifies the file containing a SSL certificate and
private key for client connections. If this is non existant,
clients will not be offered the STARTTLS stream extension
From SSL_CTX_use_certificate_chain_file(3):
"The certificates must be in PEM format and must be sorted
starting with the subject's certificate (actual client or server
certificate), followed by intermediate CA certificates if
applicable, and ending at the highest level (root) CA"
(the latter one being optional).
verify-mode
SSL verify mode - see SSL_CTX_set_verify(3), mode parameter.
Sum of the following options:
SSL_VERIFY_NONE 0x00
SSL_VERIFY_PEER 0x01
SSL_VERIFY_FAIL_IF_NO_PEER_CERT 0x02
SSL_VERIFY_CLIENT_ONCE 0x04
Use 7 to require all clients to present _valid_ certificates.
ciphers
List of available TLS ciphers. The format of the string is
described in https://www.openssl.org/docs/apps/ciphers.html
cachain
SSL CA chain. Used to verify client certificates.
CA names published to client upon connection.
require-starttls
If this attribute is set to any value, clients must do STARTTLS
before they can authenticate. Until the stream is encrypted,
all packets will be dropped.
register-enable
Remove this attribute to disable account registrations.
instructions
Human-readable instructions to be returned to client when
registration is requested.
register-oob
URL to be attached as an alternative, out-of-band registration
method. Usually web-based http:// URL.
password-change
Password change only. When registration is disabled, it may
still be useful to allow clients to change their password. If
you want this, add this attribute with any value, when you need
registration disabled.
authreg-module
Use different authreg module than default one set in <authreg> section.
-->
<id register-enable='mu'>localhost.localdomain</id>
<!-- or
<id realm='company.int'
pemfile='@sysconfdir@/server.pem'
verify-mode='7'
cachain='@sysconfdir@/client_ca_certs.pem'
require-starttls='mu'
register-oob='http://example.net/register'
password-change='mu'
>example.net</id> -->
<!-- or the default host
<id password-change='mu' /> -->
<!-- IP address to bind to (default: 0.0.0.0) -->
<ip>0.0.0.0</ip>
<!-- Port to bind to, or 0 to disable unencrypted access to the
server (default: 5222) -->
<port>5222</port>
<!-- Older versions of jabberd support encrypted client connections
via an additional listening socket on port 5223. If you want
this (required to allow pre-STARTTLS clients to do SSL),
uncomment this -->
<!--
<ssl-port>5223</ssl-port>
-->
<!-- File containing an SSL certificate and private key for client
connections. From SSL_CTX_use_certificate_chain_file(3):
"The certificates must be in PEM format and must be sorted
starting with the subject's certificate (actual client or server
certificate), followed by intermediate CA certificates if
applicable, and ending at the highest level (root) CA"
(the latter one being optional).
Note: This certificate is ONLY used for old style SSL
connections on port 5223 (pre-STARTTLS). If you want to
use STARTTLS over the standard XMPP port 5222 then you
MUST specify the pemfile in the 'id' tag above. -->
<!--
<pemfile>@sysconfdir@/server.pem</pemfile>
-->
<!-- SSL verify mode - see SSL_CTX_set_verify(3), mode parameter -->
<!--
<verify-mode>7</verify-mode>
-->
<!-- List of available TLS ciphers -->
<!--
<ciphers>DEFAULT</ciphers>
-->
<!-- SSL CA chain. Used to verify client certificates. CA names published to client upon connection -->
<!--
<cachain>@sysconfdir@/client_ca_certs.pem</cachain>
-->
<!-- Forward incoming HTTP clients to a real HTTP server -->
<!--
<httpforward>http://www.jabber.org/</httpforward>
-->
</local>
<!-- Input/output settings -->
<io>
<!-- Maximum number of file descriptors. This value sets an upper
limit on the number of users who may be logged in to this
server at a given time. Each user consumers one file
descriptor.
Note that the number of possible connections will be slightly
less than this, because c2s itself can use up five on its own,
and auth/reg modules may need a few also. If the supply of
file descriptors is exhausted, new incoming connections will
be denied.
Also note that this value only affects how many file descriptors
jabberd is able to handle internally. You may also need to
tell your operating system to allow jabberd to use more file
descriptors. On Linux this can be done using ulimit -n or by
changing the value of /proc/sys/fd/file-max.
(default: 1024) -->
<max_fds>1024</max_fds>
<!-- Rate limiting -->
<limits>
<!-- Maximum bytes per second - if more than X bytes are sent in Y
seconds, connection is throttled for Z seconds. The format
is:
<bytes seconds='Y' throttle='Z'>X</bytes>
Default Y is 1, default Z is 5. set X to 0 to disable. -->
<bytes>0</bytes>
<!-- Maximum number of stanzas per second - if more than X stanzas
are sent in Y seconds, connection is throttled for Z seconds.
The format is:
<stanzas seconds='Y' throttle='Z'>X</stanzas>
Default Y 1, default Z is 5. Set X to 0 to disable -->
<stanzas>1000</stanzas>
<!-- Maximum connects per second - if more than X connects are
attempted from a single IP in Y seconds, that IP is throttled
for Z seconds. The format is:
<connects seconds='Y' throttle='Z'>X</connects>
Default Y is 5, default Z is 5. set X to 0 to disable. -->
<connects>0</connects>
<!-- Maximum stanza size - if more than given number of bytes
are read in one incoming stanza, the stream is closed
with policy-violation error.
Set to 0 to disable.
Values less than 16384 might not work. -->
<stanzasize>65535</stanzasize>
</limits>
<!-- Enable XEP-0138: Stream Compression -->
<!--
<compression/>
-->
<!-- Enable WebSocket protocol support -->
<!--
<websocket/>
-->
<!-- IP-based access controls. If a connection IP matches an allow
rule, the connection will be accepted. If a connecting IP
matches a deny rule, the connection will be refused. If the
connecting IP does not match any rules, or it matches both an
allow and a deny rule, the contents of the <order/> option
determines what happens. -->
<access>
<!-- Rule check order (default: allow,deny)
allow,deny - Check allow rules, then check deny rules.
Allow by default.
deny,allow - Check deny rules, then check allow rules.
Deny by default. -->
<order>allow,deny</order>
<!-- Allow a network. If the mask isn't specified, it defaults to
255.255.255.255 (ie allow onle the specified IP) -->
<!--
<allow ip='127.0.0.0' mask='255.0.0.0'/>
-->
<!-- Allow a single host -->
<!--
<allow ip='12.34.56.78'/>
-->
<!-- Deny a network or a host -->
<!--
<deny ip='127.0.0.1' mask='255.0.0.0'/>
<deny ip='87.65.43.21'/>
-->
</access>
<!-- Timed checks -->
<check>
<!-- Interval between checks.
Open client connections will be checked every n seconds, and
the following checks applied.
0 disables all checks. (default: 0) -->
<interval>0</interval>
<!-- Idle connection checks.
Connections that have not sent data for longer than this many
seconds will be dropped.
0 disables idle timeouts. (default: 0) -->
<idle>0</idle>
<!-- Keepalives.
Connections that have not sent data for longer than this many
seconds will have a single whitespace character sent to them.
This will force the TCP connection to be closed if they have
disconnected without us knowing about it.
0 disables keepalives. (default: 0) -->
<keepalive>0</keepalive>
</check>
</io>
<!-- Statistics -->
<stats>
<!-- file containing count of packets that went through -->
<!--
<packet>@localstatedir@/@package@/stats/c2s.packets</packet>
-->
</stats>
<!-- PBX integration -->
<pbx>
<!-- Commands named pipe path. Allows creating "fake" sessions
with given resource and status -->
<!--
<pipe>@localstatedir@/@package@/run/pbx</pipe>
-->
<!-- Available commands:
START jid/resource [[priority ]status] [description]
STOP jid/resource [description]
where priority is integer between -128 and +127
and status is one of: CHAT, ONLINE, DND, AWAY, XA
-->
</pbx>
<!-- see-other-host error stream redirection support
This will redirect connections to specified domains to other host:port
Usefull when migrating service and DNS change did not propagate yet.
Note that to_address should be RFC 3986 compliant. -->
<stream_redirect>
<!--
<redirect requested_domain="some.domain" to_address="other.hostname" to_port="5269" />
<redirect requested_domain="other.domain" to_address="other.host" to_port="1234" />
-->
</stream_redirect>
<!-- Authentication/registration database configuration -->
<authreg>
<!-- Dynamic authreg modules path -->
<path>@pkglibdir@</path>
<!-- Backend module to use -->
<module>sqlite</module>
<!-- Available authentication mechanisms -->
<mechanisms>
<!-- These are the traditional Jabber authentication mechanisms.
Comment out any that you don't want to be offered to clients.
Note that if the auth/reg module does not support one of
these mechanisms, then it will not be offered regardless of
whether or not it is enabled here. -->
<traditional>
<plain/>
<digest/>
</traditional>
<!-- SASL authentication mechanisms. Comment out any that you
don't want to be offered to clients. Again, if the auth/reg
module does not support one of these mechanisms, then it will
not be offered. -->
<sasl>
<plain/>
<digest-md5/>
<!--
<anonymous/>
<gssapi/>
-->
</sasl>
</mechanisms>
<!-- Additional mechanisms that are also available when the
connection is encrypted. Ie. when START-TLS had been
negotiated, or user connected on SSL-wrapped port. -->
<ssl-mechanisms>
<!-- it's advisable that you disable plain in the above
<mechanisms/> section -->
<traditional>
<plain/>
</traditional>
<sasl>
<plain/>
<external/>
</sasl>
</ssl-mechanisms>
<!-- SQLite driver configuration -->
<sqlite>
<!-- Database name -->
<dbname>/var/lib/jabberd2/sqlite.db</dbname>
<!-- Use this to pass any SQL statements to the database immediately
after opening it. This is typically used to set pragmas for
performance tuning. -->
<sql>
<!-- This will cause the database to sync less often but it will
still sync at the most critical moments.
Default is FULL. -->
PRAGMA synchronous = NORMAL;
</sql>
<!-- SQLite busy-timeout in milliseconds. -->
<busy-timeout>2000</busy-timeout>
<!-- Passwords in DB may be stored in plain or hashed format -->
<!-- NOTE: If you are using hashed passwords, the only auth
method that will work is PLAIN.
Make sure that you disabled others in 'mechanisms'
sections of the config file. -->
<password_type>
<!-- only one may be enabled here -->
<plaintext/>
<!-- use crypt(3)ed passwords
<crypt/>
-->
<!-- use A1HASH passwords
This stores the MD5 digest of user:realm:password in the database
<a1hash/>
-->
</password_type>
</sqlite>
<!-- MySQL module configuration -->
<mysql>
<!-- Database server host and port -->
<host>localhost</host>
<port>3306</port>
<!-- Database name -->
<dbname>jabberd2</dbname>
<!-- Database username and password -->
<user>jabberd2</user>
<pass>secret</pass>
<!-- Passwords in DB may be stored in plain or hashed format -->
<!-- NOTE: If you are using hashed passwords, the only auth
method that will work is PLAIN.
Make sure that you disabled others in 'mechanisms'
sections of the config file. -->
<password_type>
<!-- only one may be enabled here -->
<plaintext/>
<!-- use crypt(3)ed passwords
<crypt/>
-->
<!-- use A1HASH passwords
This stores the MD5 digest of user:realm:password in the database
<a1hash/>
-->
<!-- use bcrypt passwords
NOTE: cost has to be higher than 3 and lower than 32
<bcrypt cost='10'/>
-->
</password_type>
</mysql>
<!-- PostgreSQL module configuration -->
<pgsql>
<!-- PostgreSQL connection info.
For the rest of the options see
http://www.postgresql.org/docs/8.0/interactive/libpq.html -->
<conninfo>dbname=jabberd2 user=jabberd2 password=secret</conninfo>
<!-- Alternatively you may set connection settings separately.
These are used only in absence of 'conninfo' -->
<!-- Database server host and port -->
<host>localhost</host>
<port>5432</port>
<!-- Database name -->
<dbname>jabberd2</dbname>
<!-- Database schema -->
<schema>public</schema>
<!-- Database username and password -->
<user>jabberd2</user>
<pass>secret</pass>
<!-- Passwords in DB may be stored in plain or hashed format -->
<!-- NOTE: If you are using hashed passwords, the only auth
method that will work is PLAIN.
Make sure that you disabled others in 'mechanisms'
sections of the config file. -->
<password_type>
<!-- only one may be enabled here -->
<plaintext/>
<!-- use crypt(3)ed passwords
<crypt/>
-->
<!-- use A1HASH passwords
This stores the MD5 digest of user:realm:password in the database
<a1hash/>
-->
</password_type>
</pgsql>
<!-- Oracle driver configuration -->
<oracle>
<!-- Database server host and port. -->
<host>localhost</host>
<port>1521</port>
<!-- Database name -->
<dbname>jabberd2</dbname>
<!-- Database username and password -->
<user>jabberd2</user>
<pass>secret</pass>
</oracle>
<!-- Berkeley DB module configuration -->
<db>
<!-- Directory to store database files under -->
<path>/var/lib/jabberd2/</path>
<!-- Synchronize the database to disk after each write. If you
disable this, database accesses may be faster, but data may
be lost if jabberd crashes. -->
<sync/>
</db>
<!-- LDAPFULL module configuration -->
<ldapfull>
<!-- LDAP server host and port (default: 389) -->
<uri>ldap://localhost/ ldaps://ldap.example.com/</uri>
<!-- DN to bind as for searches. If unspecified, the searches
will be done anonymously. -->
<!--
<binddn>cn=Directory Manager</binddn>
<bindpw>secret</bindpw>
-->
<!-- Type of LDAP server. Currently "ad" for active directory and "ldap"
for other ldap servers. If not specified, then it is ldap. -->
<!--
<type>ad</type>
-->
<!-- LDAP attribute that holds the user ID (default: uid) -->
<uidattr>uid</uidattr>
<objectclass>posixAccount</objectclass>
<!-- LDAP attribute that holds the cleartext or hashed password
(not needed when pwscheme is set to 'bind') -->
<pwattr>userPassword</pwattr>
<!-- if you use included jabberd.schema use this:
<uidattr>jid</uidattr>
<objectclass>jabberUser</objectclass>
<pwattr>jabberPassword</pwattr>
-->
<!-- Attribute that holds jabber account status. Must be TRUE for AD,
and 1 for other LDAP server.
If not specified, then it will not be used. -->
<!--
<validattr>valid</validattr>
-->
<!-- Group that users must be members of
If this is set, only user that are members of the specified LDAP
group can log in. The group must be specified with its full
distinguished name -->
<!--
<group_dn>cn=jabberdusers,ou=servicegroups,dc=example,dc=com</group_dn>
-->
<fulluid/>
<!-- If pwscheme is not defined, then passwords are stored in clear
text and digest authentication may be done.
If passwords are hashed, then you cannot use digest authentication
and should use plain text authentication.
Any of sha, ssha, crypt, bind and clear may be specified.
'sha' specifies that the attribute in pwattr holds a base-64
encoded SHA-1 hashed password beginning with the string {SHA}.
'ssha' specifies that the attribute in pwattr holds a base-64
SHA-1 hashed password appended with 32 bits of salt and beginning
with the string {SSHA}.
'crypt' specifies that the attribute in pwattr holds a UNIX-style
crypt(3) hashed password.
'bind' specifies that the password is not stored in an attribute
but is authenticated directly by the LDAP server by binding
using the user's DN. This should be compatible with the
widest variety of LDAP servers.
-->
<!-- <pwscheme>bind</pwscheme> -->
<!-- base DN of the tree. You should specify a DN for each
authentication realm declared in the <local/> section above,
by using the realm attribute. -->
<basedn realm='company'>o=Company.com</basedn>
<basedn>o=Example Corp.</basedn>
</ldapfull>
<!-- LDAP module configuration -->
<!-- Remember that you need to use PLAIN auth with LDAP backend -->
<ldap>
<!-- LDAP server host and port (default: 389) -->
<host>ldap.example.com</host>
<port>389</port>
<!-- Use LDAP v3 if possible. If disabled, v2 will be used.
Encryption options are only available if v3 is enabled. -->
<!--
<v3/>
-->
<!-- Encryption. If enabled, this will create an encrypted channel
to the LDAP server using the LDAP STARTTLS mechanism. -->
<!--
<starttls/>
-->
<!-- Encryption. If enabled, this will create an encrypted channel
to the server using the old-style "ldaps://" mechanism. It is
recommended that you use <starttls/> instead of this. -->
<!--
<ssl/>
-->
<!-- DN to bind as for searches. If unspecified, the searches
will be done anonymously. -->
<!--
<binddn>cn=Directory Manager</binddn>
<bindpw>secret</bindpw>
-->
<!-- LDAP attribute that holds the user ID (default: uid) -->
<uidattr>uid</uidattr>
<!-- Enable the append-realm element if you want to append
realm value (usernam@realm) to the uidattr value
<append-realm/>
-->
<!-- Alternatively to <uidattr/> and <append-realm/> you may
specify full LDAP search <query/> that will be used to
get user objects from directory.
The following replacements take place:
%u is replaced by user login name
%r is replaced by user login realm
When <query/> is specified, <uidattr/> and <append-realm/>
are unused and take no effect. -->
<!--
<query>(&(mail=%u@%r)(objectClass=inetOrgPerson))</query>
-->
<!-- base DN of the tree. You should specify a DN for each
authentication realm declared in the <local/> section above,
by using the realm attribute. -->
<basedn realm='company'>o=Company.com</basedn>
<basedn>o=Example Corp.</basedn>
</ldap>
<!-- if you want to configure more than one LDAP server
create ldap1, ldap2 etc. sections
<ldap1>
</ldap1>
-->
<!-- Pipe module configuration -->
<pipe>
<!-- Program to execute -->
<exec>@bindir@/pipe-auth.pl</exec>
</pipe>
</authreg>
</c2s>
<!--
vim: syntax=xml
-->
|
