149 lines
		
	
	
		
			5.7 KiB
		
	
	
	
		
			YAML
		
	
	
	
	
	
			
		
		
	
	
			149 lines
		
	
	
		
			5.7 KiB
		
	
	
	
		
			YAML
		
	
	
	
	
	
| server:
 | |
| 
 | |
|   # Indicate on which port the Identity Server will listen.
 | |
|   #
 | |
|   # This is be default an unencrypted port.
 | |
|   # HTTPS can be configured using Tomcat configuration properties.
 | |
|   port: 8090
 | |
| 
 | |
|   # Realm under which this Identity Server is authoritative, required.
 | |
|   #
 | |
|   # This is used to avoid unnecessary connections and endless recursive lookup.
 | |
|   # e.g. domain name in e-mails.
 | |
|   name: 'example.org'
 | |
| 
 | |
| 
 | |
| 
 | |
| key:
 | |
| 
 | |
|   # Absolute path for the Identity Server signing key, required.
 | |
|   # During testing, /var/tmp/mxisd.key is a possible value
 | |
|   #
 | |
|   # For production, use a stable location like:
 | |
|   #   - /var/opt/mxisd/sign.key
 | |
|   #   - /var/local/mxisd/sign.key
 | |
|   #   - /var/lib/mxisd/sign.key
 | |
|   path: '%SIGNING_KEYS_PATH%'
 | |
| 
 | |
| 
 | |
| 
 | |
| # This element contains all the configuration item for lookup strategies
 | |
| lookup:
 | |
| 
 | |
|   # Configuration items for recursion-type of lookup
 | |
|   #
 | |
|   # Lookup access are divided into two types:
 | |
|   # - Local
 | |
|   # - Remote
 | |
|   #
 | |
|   # This is similar to DNS lookup and recursion and is therefore prone to the same vulnerabilities.
 | |
|   # By default, only non-public hosts are allowed to perform recursive lookup.
 | |
|   #
 | |
|   # This will also prevent very basic endless loops where host A ask host B, which in turn is configured to ask host A,
 | |
|   # which would then ask host B again, etc.
 | |
|   recursive:
 | |
| 
 | |
|     # Enable recursive lookup globally
 | |
|     enabled: true
 | |
| 
 | |
|     # Whitelist of CIDR that will trigger a recursive lookup.
 | |
|     # The default list includes all private IPv4 address and the IPv6 loopback.
 | |
|     allowedCidr:
 | |
|       - '127.0.0.0/8'
 | |
|       - '10.0.0.0/8'
 | |
|       - '172.16.0.0/12'
 | |
|       - '192.168.0.0/16'
 | |
|       - '::1/128'
 | |
| 
 | |
|     # In case no binding is found, query an application server which implements the single lookup end-point
 | |
|     # to return bridge virtual user that would allow the user to be contacted directly by the said bridge.
 | |
|     #
 | |
|     # If a binding is returned, the application server is not expected to sign the message as it is not meant to be
 | |
|     # reachable from the outside.
 | |
|     # If a signature is provided, it will be discarded/replaced by this IS implementation (to be implemented).
 | |
|     #
 | |
|     # IMPORTANT: This bypass the regular Invite system of the Homeserver. It will be up to the Application Server
 | |
|     # to handle such invite. Also, if the bridged user were to actually join Matrix later, or if a 3PID binding is found
 | |
|     # room rights and history would not be transferred, as it would appear as a regular Matrix user to the Homeserver.
 | |
|     #
 | |
|     # This configuration is only helpful for Application Services that want to overwrite bridging for 3PID that are
 | |
|     # handled by the Homeserver. Do not enable unless the Application Server specifically supports it!
 | |
|     bridge:
 | |
| 
 | |
|       # Enable unknown 3PID bridging globally
 | |
|       enabled: false
 | |
| 
 | |
|       # Enable unknown 3PID bridging for hosts that are allowed to perform recursive lookups.
 | |
|       # Leaving this setting to true is highly recommended in a standard setup, unless this Identity Server
 | |
|       # is meant to always return a virtual user MXID even for the outside world.
 | |
|       recursiveOnly: true
 | |
| 
 | |
|       # This mechanism can handle the following scenarios:
 | |
|       #
 | |
|       # - Single Application Server for all 3PID types: only configure the server value, comment out the rest.
 | |
|       #
 | |
|       # - Specific Application Server for some 3PID types, default server for the rest: configure the server value and
 | |
|       #          each specific 3PID type.
 | |
|       #
 | |
|       # - Only specific 3PID types: do not configure the server value or leave it empty/blank, configure each specific
 | |
|       #          3PID type.
 | |
| 
 | |
|       # Default application server to use for all 3PID types. Remove config item or leave empty/blank to disable.
 | |
|       server: ''
 | |
| 
 | |
|       # Configure each 3PID type with a specific application server. Remove config item or leave empty/blank to disable.
 | |
|       mappings:
 | |
|         email: 'http://localhost:8091'
 | |
|         msisdn: ''
 | |
| 
 | |
| 
 | |
| 
 | |
| ldap:
 | |
|   enabled: false
 | |
|   tls: false
 | |
|   host: 'localhost'
 | |
|   port: 389
 | |
|   bindDn: 'CN=Matrix Identity Server,CN=Users,DC=example,DC=org'
 | |
|   bindPassword: 'password'
 | |
|   baseDn: 'CN=Users,DC=example,DC=org'
 | |
| 
 | |
|   # How should we resolve the Matrix ID in case of a match using the attribute.
 | |
|   #
 | |
|   # The following type are supported:
 | |
|   # - uid : the attribute only contains the UID part of the Matrix ID. e.g. 'john.doe' in @john.doe:example.org
 | |
|   # - mxid : the attribute contains the full Matrix ID - e.g. '@john.doe:example.org'
 | |
|   type: 'uid'
 | |
| 
 | |
|   # The attribute containing the binding itself. This value will be used differently depending on the type.
 | |
|   #
 | |
|   # /!\ This should match the synapse LDAP Authenticator 'uid' configuration /!\
 | |
|   #
 | |
|   # Typical values:
 | |
|   # - For type 'uid': 'userPrincipalName' or 'uid' or 'saMAccountName'
 | |
|   # - For type 'mxid', regardless of the directory type, we recommend using 'pager' as it is a standard attribute and
 | |
|   #   is typically not used.
 | |
|   attribute: 'userPrincipalName'
 | |
| 
 | |
|   # Configure each 3PID type with a dedicated query.
 | |
|   mappings:
 | |
|     email: "(|(mailPrimaryAddress=%3pid)(mail=%3pid)(otherMailbox=%3pid))"
 | |
| 
 | |
|     # Phone numbers query.
 | |
|     #
 | |
|     # Phone numbers use the MSISDN format: https://en.wikipedia.org/wiki/MSISDN
 | |
|     # This format does not include international prefix (+ or 00) and therefore has to be put in the query.
 | |
|     # Adapt this to your needs for each attribute.
 | |
|     msisdn: "(|(telephoneNumber=+%3pid)(mobile=+%3pid)(homePhone=+%3pid)(otherTelephone=+%3pid)(otherMobile=+%3pid)(otherHomePhone=+%3pid))"
 | |
| 
 | |
| 
 | |
| 
 | |
| forward:
 | |
| 
 | |
|   # List of forwarders to use to try to match a 3PID.
 | |
|   #
 | |
|   # Each server will be tried in the given order, going to the next if no binding was found or an error occurred.
 | |
|   # These are the current root Identity Servers of the Matrix network.
 | |
|   servers:
 | |
|     - "https://matrix.org"
 | |
|     - "https://vector.im"
 |