mxids/application.example.yaml

server:

  # Indicate on which port the Identity Server will listen.
  #
  # This is be default an unencrypted port.
  # HTTPS can be configured using Tomcat configuration properties.
  port: 8090

  # Realm under which this Identity Server is authoritative, required.
  #
  # This is used to avoid unnecessary connections and endless recursive lookup.
  # e.g. domain name in e-mails.
  name: 'example.org'



key:

  # Absolute path for the Identity Server signing key, required.
  # During testing, /var/tmp/mxisd.key is a possible value
  #
  # For production, use a stable location like:
  #   - /var/opt/mxisd/sign.key
  #   - /var/local/mxisd/sign.key
  #   - /var/lib/mxisd/sign.key
  path: '%SIGNING_KEYS_PATH%'



# This element contains all the configuration item for lookup strategies
lookup:

  # Configuration items for recursion-type of lookup
  #
  # Lookup access are divided into two types:
  # - Local
  # - Remote
  #
  # This is similar to DNS lookup and recursion and is therefore prone to the same vulnerabilities.
  # By default, only non-public hosts are allowed to perform recursive lookup.
  #
  # This will also prevent very basic endless loops where host A ask host B, which in turn is configured to ask host A,
  # which would then ask host B again, etc.
  recursive:

    # Enable recursive lookup globally
    enabled: true

    # Whitelist of CIDR that will trigger a recursive lookup.
    # The default list includes all private IPv4 address and the IPv6 loopback.
    allowedCidr:
      - '127.0.0.0/8'
      - '10.0.0.0/8'
      - '172.16.0.0/12'
      - '192.168.0.0/16'
      - '::1/128'

    # In case no binding is found, query an application server which implements the single lookup end-point
    # to return bridge virtual user that would allow the user to be contacted directly by the said bridge.
    #
    # If a binding is returned, the application server is not expected to sign the message as it is not meant to be
    # reachable from the outside.
    # If a signature is provided, it will be discarded/replaced by this IS implementation (to be implemented).
    #
    # IMPORTANT: This bypass the regular Invite system of the Homeserver. It will be up to the Application Server
    # to handle such invite. Also, if the bridged user were to actually join Matrix later, or if a 3PID binding is found
    # room rights and history would not be transferred, as it would appear as a regular Matrix user to the Homeserver.
    #
    # This configuration is only helpful for Application Services that want to overwrite bridging for 3PID that are
    # handled by the Homeserver. Do not enable unless the Application Server specifically supports it!
    bridge:

      # Enable unknown 3PID bridging globally
      enabled: false

      # Enable unknown 3PID bridging for hosts that are allowed to perform recursive lookups.
      # Leaving this setting to true is highly recommended in a standard setup, unless this Identity Server
      # is meant to always return a virtual user MXID even for the outside world.
      recursiveOnly: true

      # This mechanism can handle the following scenarios:
      #
      # - Single Application Server for all 3PID types: only configure the server value, comment out the rest.
      #
      # - Specific Application Server for some 3PID types, default server for the rest: configure the server value and
      #          each specific 3PID type.
      #
      # - Only specific 3PID types: do not configure the server value or leave it empty/blank, configure each specific
      #          3PID type.

      # Default application server to use for all 3PID types. Remove config item or leave empty/blank to disable.
      server: ''

      # Configure each 3PID type with a specific application server. Remove config item or leave empty/blank to disable.
      mappings:
        email: 'http://localhost:8091'
        msisdn: ''



ldap:
  enabled: false
  tls: false
  host: 'localhost'
  port: 389
  bindDn: 'CN=Matrix Identity Server,CN=Users,DC=example,DC=org'
  bindPassword: 'password'
  baseDn: 'CN=Users,DC=example,DC=org'

  # How should we resolve the Matrix ID in case of a match using the attribute.
  #
  # The following type are supported:
  # - uid : the attribute only contains the UID part of the Matrix ID. e.g. 'john.doe' in @john.doe:example.org
  # - mxid : the attribute contains the full Matrix ID - e.g. '@john.doe:example.org'
  type: 'uid'

  # The attribute containing the binding itself. This value will be used differently depending on the type.
  #
  # /!\ This should match the synapse LDAP Authenticator 'uid' configuration /!\
  #
  # Typical values:
  # - For type 'uid': 'userPrincipalName' or 'uid' or 'saMAccountName'
  # - For type 'mxid', regardless of the directory type, we recommend using 'pager' as it is a standard attribute and
  #   is typically not used.
  attribute: 'userPrincipalName'

  # Configure each 3PID type with a dedicated query.
  mappings:
    email: "(|(mailPrimaryAddress=%3pid)(mail=%3pid)(otherMailbox=%3pid))"

    # Phone numbers query.
    #
    # Phone numbers use the MSISDN format: https://en.wikipedia.org/wiki/MSISDN
    # This format does not include international prefix (+ or 00) and therefore has to be put in the query.
    # Adapt this to your needs for each attribute.
    msisdn: "(|(telephoneNumber=+%3pid)(mobile=+%3pid)(homePhone=+%3pid)(otherTelephone=+%3pid)(otherMobile=+%3pid)(otherHomePhone=+%3pid))"



forward:

  # List of forwarders to use to try to match a 3PID.
  #
  # Each server will be tried in the given order, going to the next if no binding was found or an error occurred.
  # These are the current root Identity Servers of the Matrix network.
  servers:
    - "https://matrix.org"
    - "https://vector.im"