105 lines
3.3 KiB
YAML
105 lines
3.3 KiB
YAML
server:
|
|
|
|
# Indicate on which port the Identity Server will listen.
|
|
#
|
|
# This is be default an unencrypted port.
|
|
# HTTPS can be configured using Tomcat configuration properties.
|
|
port: 8090
|
|
|
|
# Realm under which this Identity Server is authoritative.
|
|
#
|
|
# This is used to avoid unnecessary connections and endless recursive lookup.
|
|
# e.g. domain name in e-mails.
|
|
name: 'example.org'
|
|
|
|
|
|
|
|
key:
|
|
|
|
# Where the Identity Server signing key will be stored.
|
|
#
|
|
# /!\ /!\ /!\ /!\ /!\ /!\ /!\ /!\ /!\ /!\ /!\ /!\ /!\
|
|
# /!\ CHANGE THIS TO A MORE PERMANENT LOCATION! /!\
|
|
# /!\ /!\ /!\ /!\ /!\ /!\ /!\ /!\ /!\ /!\ /!\ /!\ /!\
|
|
path: '/var/tmp/mxis-signing.key'
|
|
|
|
|
|
|
|
# This element contains all the configuration item for lookup strategies
|
|
lookup:
|
|
|
|
# Configuration items for recursion-type of lookup
|
|
#
|
|
# Lookup access are divided into two types:
|
|
# - Local
|
|
# - Remote
|
|
#
|
|
# This is similar to DNS lookup and recursion and is therefore prone to the same vulnerabilities.
|
|
# By default, only non-public hosts are allowed to perform recursive lookup.
|
|
#
|
|
# This will also prevent very basic endless loops where host A ask host B, which in turn is configured to ask host A,
|
|
# which would then ask host B again, etc.
|
|
recursive:
|
|
|
|
# Enable recursive lookup globally
|
|
enabled: true
|
|
|
|
# Whitelist of CIDR that will trigger a recursive lookup.
|
|
# The default list includes all private IPv4 address and the IPv6 loopback.
|
|
allowedCidr:
|
|
- '127.0.0.0/8'
|
|
- '10.0.0.0/8'
|
|
- '172.16.0.0/12'
|
|
- '192.168.0.0/16'
|
|
- '::1/128'
|
|
|
|
|
|
|
|
ldap:
|
|
host: 'localhost'
|
|
port: 389
|
|
bindDn: 'CN=Matrix Identity Server,CN=Users,DC=example,DC=org'
|
|
bindPassword: 'password'
|
|
baseDn: 'CN=Users,DC=example,DC=org'
|
|
|
|
# How should we resolve the Matrix ID in case of a match using the attribute.
|
|
#
|
|
# The following type are supported:
|
|
# - uid : the attribute only contains the UID part of the Matrix ID. e.g. 'john.doe' in @john.doe:example.org
|
|
# - mxid : the attribute contains the full Matrix ID - e.g. '@john.doe:example.org'
|
|
type: 'uid'
|
|
|
|
# The attribute containing the binding itself. This value will be used differently depending on the type.
|
|
#
|
|
# Typical values:
|
|
# - For type 'uid':
|
|
# - Samba/AD: sAMAccountName
|
|
# - LDAP: If someone knows the most appropriate value, please open an issue
|
|
#
|
|
# - For type 'mxid', regardless of the directory type, we recommend using 'pager' as it is a standard attribute and
|
|
# are typically not used.
|
|
attribute: 'sAMAccountName'
|
|
|
|
# Configure each 3PID type with a dedicated query.
|
|
mappings:
|
|
email: "(|(mailPrimaryAddress=%3pid)(mail=%3pid)(otherMailbox=%3pid))"
|
|
|
|
# Phone numbers query.
|
|
#
|
|
# Phone numbers use the MSISDN format: https://en.wikipedia.org/wiki/MSISDN
|
|
# This format does not include international prefix (+ or 00) and therefore has to be put in the query.
|
|
# Adapt this to your needs for each attribute.
|
|
msisdn: "(|(telephoneNumber=+%3pid)(mobile=+%3pid)(homePhone=+%3pid)(otherMobile=+%3pid)(otherHomePhone=+%3pid)(otherTelephone=+%3pid))"
|
|
|
|
|
|
|
|
forward:
|
|
|
|
# List of forwarders to use to try to match a 3PID.
|
|
#
|
|
# Each server will be tried in the given order, going to the next if no binding was found or an error occurred.
|
|
# These are the current root Identity Servers of the Matrix network.
|
|
servers:
|
|
- "https://matrix.org"
|
|
- "https://vector.im"
|