# Disable password-based authentication.

PasswordAuthentication no

# Disable X11 forwarding.

X11Forwarding no

# Do not print motd to avoid eventual issues for clients.

PrintMotd no

# Do not print the date and time of the last user login.

PrintLastLog no

# Use TPC keepalives for detecting dead connections.

TCPKeepAlive yes

# Use the internal SFTP so we can also easily utilise chroot.

Subsystem sftp internal-sftp

# Use PAM. But thanks to PasswordAuthentication being set to "no", PAM will be

# used just for session stuff.

UsePAM yes

# Specify a dedicated PID file for the backup SSH.

# Users logging-in are forced to use the SFTP server.

ForceCommand internal-sftp

# Chroot logged-in users to their home directories.

ChrootDirectory %h

# Do not allow any TCP forwarding.

AllowTCPForwarding no

# Only allow the members of this group to log-in into this instance of OpenSSH

# server.

AllowGroups backup

    """

    Tests if all the necessary packages have been installed.

    """

    assert host.package('slapd').is_installed

    assert host.package('python-ldap').is_installed

def test_ldap_user_group(host):

    """

    Tests if LDAP server user is part of group that allows it to traverse TLS

    private keys directory.

    """

    assert "ssl-cert" in host.user('openldap').groups

def test_ldap_server_service_sockets_and_ports(host):

    """

    Tests if LDAP server has been configured to listen on correct sockets.

    """

    assert host.socket('tcp://389').is_listening

    assert host.socket('tcp://636').is_listening

def test_ldap_server_service(host):

    """

    Tests if the LDAP service is enabled and running.

    """

    service = host.service('slapd')

    assert service.is_enabled

    assert service.is_running

def test_syslog_configuration(host):

    """

    Tests if syslog configuration file has been deployed, and log file was

    created correctly (and is being logged to).

    """

    config = host.file('/etc/rsyslog.d/slapd.conf')

    assert config.is_file

    assert config.user == 'root'

    assert config.group == 'root'

    assert config.mode == 0o644

    "legacyauth"; -- Allow legacy authentication and SSL

};

-- Disable account creation by default, for security

-- For more information see http://prosody.im/doc/creating_accounts

allow_registration = false;

-- These are the SSL/TLS-related settings. If you don't want

-- to use SSL/TLS, you may comment or remove this

ssl = {

  key = "/etc/ssl/private/{{ ansible_fqdn }}_xmpp.key";

  certificate = "/etc/ssl/certs/{{ ansible_fqdn }}_xmpp.pem";

}

-- Ports on which to have direct TLS/SSL.

legacy_ssl_ports = { 5223 }

-- Force clients to use encrypted connection.

c2s_require_encryption = true

-- Disable certificate validation for server-to-server connections.

s2s_secure_auth = false

-- Path to Prosody's PID file.

-- Authentication backend.

authentication = "ldap"

ldap_server = "{{ xmpp_ldap_server }}"

ldap_rootdn = "cn=prosody,ou=services,{{ xmpp_ldap_base_dn }}"

ldap_password = "{{ xmpp_ldap_password }}"

ldap_filter = "(&(mail=$user@$host)(memberOf=cn=xmpp,ou=groups,{{xmpp_ldap_base_dn}}))"

ldap_scope = "onelevel"

ldap_tls = true

ldap_base = "ou=people,{{ xmpp_ldap_base_dn }}"

-- Storage backend.

storage = "internal"

-- Logging configuration.

log = {

  info = "/var/log/prosody/prosody.log"; -- Change 'info' to 'debug' for verbose logging

  error = "/var/log/prosody/prosody.err";

  "*syslog";

}

-- Domains which should be handled by Prosody, with dedicated MUC and file

-- proxying components.

{% for domain in xmpp_domains -%}