Changeset - 16ec0de22bf3
Branko Majic (branko) - 6 years ago 2020-05-07 18:59:45
branko@majic.rs
MAR-152: Switch to /run path in backup_server, ldap_server, and xmpp_server roles.
3 files changed with 3 insertions and 3 deletions:
roles/backup_server/files/backup-sshd_config-stretch
 
@@ -56,25 +56,25 @@ PrintLastLog no
 

	
 
# Use TPC keepalives for detecting dead connections.
 
TCPKeepAlive yes
 

	
 
# Use the internal SFTP so we can also easily utilise chroot.
 
Subsystem sftp internal-sftp
 

	
 
# Use PAM. But thanks to PasswordAuthentication being set to "no", PAM will be
 
# used just for session stuff.
 
UsePAM yes
 

	
 
# Specify a dedicated PID file for the backup SSH.
 
PidFile /var/run/sshd-backup.pid
 
PidFile /run/sshd-backup.pid
 

	
 
# Users logging-in are forced to use the SFTP server.
 
ForceCommand internal-sftp
 

	
 
# Chroot logged-in users to their home directories.
 
ChrootDirectory %h
 

	
 
# Do not allow any TCP forwarding.
 
AllowTCPForwarding no
 

	
 
# Only allow the members of this group to log-in into this instance of OpenSSH
 
# server.
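Review bot: The new `PidFile /run/sshd-backup.pid` is only consistent if everything that reads the PID file names the same path, and this commit changes the config file alone for the backup_server role. If the role ships a service unit, init script or monitoring check for the backup sshd that still refers to /var/run/sshd-backup.pid, it stays on the legacy path (inferred, since those files are not visible here). The same applies to `pidfile = "/run/prosody/prosody.pid"` in roles/xmpp_server/templates/prosody.cfg.lua.j2. I would document the coupling next to each setting, for example `# Must match the PID file path used by the service definition.` here and the equivalent `--` comment in the Prosody template.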
roles/ldap_server/molecule/default/tests/test_default.py
 
@@ -23,25 +23,25 @@ def test_ldap_user_group(host):
 
    """
 

	
 
    assert "ssl-cert" in host.user('openldap').groups
 

	
 

	
 
def test_ldap_server_service_sockets_and_ports(host):
 
    """
 
    Tests if LDAP server has been configured to listen on correct sockets.
 
    """
 

	
 
    assert host.socket('tcp://389').is_listening
 
    assert host.socket('tcp://636').is_listening
 
    assert host.socket('unix:///var/run/slapd/ldapi').is_listening
 
    assert host.socket('unix:///run/slapd/ldapi').is_listening
 

	
 

	
 
def test_ldap_server_service(host):
 
    """
 
    Tests if the LDAP service is enabled and running.
 
    """
 

	
 
    service = host.service('slapd')
 

	
 
    assert service.is_enabled
 
    assert service.is_running
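Review bot: The socket assertion in test_ldap_server_service_sockets_and_ports hard-codes `unix:///run/slapd/ldapi`, and a listening Unix socket is reported under the path the daemon bound, not under a resolved symlink, so the check passes only when slapd itself is started with the /run path. The commit does not show a matching change on the slapd side, so that should be confirmed separately. Because ldapi is commonly the local administrative channel, the test would be stronger if it also checked the socket file itself, for example `assert host.file('/run/slapd/ldapi').is_socket`, plus its expected owner and mode, instead of only checking that something is listening.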
 

	
roles/xmpp_server/templates/prosody.cfg.lua.j2
 
@@ -47,25 +47,25 @@ ssl = {
 
}
 

	
 
-- Ports on which to have direct TLS/SSL.
 
legacy_ssl_ports = { 5223 }
 

	
 
-- Force clients to use encrypted connection.
 
c2s_require_encryption = true
 

	
 
-- Disable certificate validation for server-to-server connections.
 
s2s_secure_auth = false
 

	
 
-- Path to Prosody's PID file.
 
pidfile = "/var/run/prosody/prosody.pid"
 
pidfile = "/run/prosody/prosody.pid"
 

	
 
-- Authentication backend.
 
authentication = "ldap"
 
ldap_server = "{{ xmpp_ldap_server }}"
 
ldap_rootdn = "cn=prosody,ou=services,{{ xmpp_ldap_base_dn }}"
 
ldap_password = "{{ xmpp_ldap_password }}"
 
ldap_filter = "(&(mail=$user@$host)(memberOf=cn=xmpp,ou=groups,{{xmpp_ldap_base_dn}}))"
 
ldap_scope = "onelevel"
 
ldap_tls = true
 
ldap_base = "ou=people,{{ xmpp_ldap_base_dn }}"
 

	
 
-- Storage backend.