Changeset - 1b76d272e529
[Not reviewed]
Branko Majic (branko) - 9 years ago 2015-08-25 22:58:45
branko@majic.rs
MAR-34: Renamed the role prosody to xmpp_server. Updated all parameters for the role to be prefixed with xmpp_ instead of prosody_. Updated documentation.
8 files changed with 50 insertions and 50 deletions:
0 comments (0 inline, 0 general)
docs/rolereference.rst
 
@@ -479,203 +479,203 @@ Here is an example configuration for setting-up LDAP server:
 
  ldap_server_config:
 
    domain: "example.com"
 
    organization: "Example Corporation"
 
    log_level: 256
 
    tls_certificate: ~/tls/ldap.example.com_ldap.pem
 
    tls_key: ~/tls/ldap.example.com_ldap.key
 
    ssf: 128
 
  
 
  ldap_permissions:
 
    - filter: '(olcSuffix=dc=example,dc=com)'
 
      rules:
 
        - >
 
          to *
 
          by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
 
          by * break
 
        - >
 
          to attrs=userPassword,shadowLastChange
 
          by self write
 
          by anonymous auth
 
          by dn="cn=admin,dc=example,dc=com" write
 
          by * none
 
        - >
 
          to dn.base=""
 
          by * read
 
        - >
 
          to *
 
          by self write
 
          by dn="cn=admin,dc=example,dc=com" write
 
          by users read
 
          by * none
 
  
 
  ldap_entries:
 
    - dn: ou=people,dc=example,dc=com
 
      objectClass: organizationalUnit
 
      ou: people
 
    - dn: ou=groups,dc=example,dc=com
 
      objectClass: organizationalUnit
 
      ou: groups
 
    - dn: uid=john,dc=example,dc=com
 
      objectClass:
 
        - inetOrgPerson
 
        - simpleSecurityObject
 
      userPassword: somepassword
 
      uid: john
 
      cn: John Doe
 
      sn: Doe
 

	
 

	
 
Prosody
 
-------
 
XMPP Server
 
-----------
 

	
 
The ``prosody`` role can be used for setting-up Prosody, an XMPP server, on
 
The ``xmpp_server`` role can be used for setting-up Prosody, an XMPP server, on
 
destination machine.
 

	
 
The role implements the following:
 

	
 
* Sets-up the Prosody apt repository.
 
* Deploys XMPP TLS private key and certificate.
 
* Installs Prosody.
 
* Configures Prosody.
 
* Configures firewall to allow incoming connections to the XMPP server.
 

	
 
Prosody is configured as follows:
 

	
 
* Modules enabled: roster, saslauth, tls, dialback, posix, private, vcard,
 
  version, uptime, time, ping, pep, register, admin_adhoc, announce, legacyauth.
 
* Self-registration is not allowed.
 
* TLS is configured. Legacy TLS is available on port 5223.
 
* Client-to-server communication requires encryption (TLS).
 
* Authentication is done via LDAP. For setting the LDAP TLS truststore, see
 
  :ref:`LDAP Client <ldap_client>`.
 
* Internal storage is used.
 
* For each domain specified, a dedicated conference/multi-user chat (MUC)
 
  service is set-up, with FQDN set to ``conference.DOMAIN``.
 
* For each domain specified, a dedicated file proxy service will be set-up, with
 
  FQDN set to ``proxy.DOMAIN``.
 

	
 

	
 
Parameters
 
~~~~~~~~~~
 

	
 
**prosody_administrators** (list, mandatory)
 
**xmpp_administrators** (list, mandatory)
 
  List of Prosody users that should be granted administrator privileges over
 
  Prosody. Each item is a string with value equal to XMPP user ID
 
  (i.e. ``john.doe@example.com``).
 

	
 
**prosody_tls_key** (string, mandatory)
 
**xmpp_tls_key** (string, mandatory)
 
  Path to file on Ansible host that contains the private key used for TLS for
 
  XMPP service. The file will be copied to directory ``/etc/ssl/private/``.
 

	
 
**prosody_tls_certificate** (string, mandatory)
 
**xmpp_tls_certificate** (string, mandatory)
 
  Path to file on Ansible host that contains the X.509 certificate used for TLS
 
  for SMTP service. The file will be copied to directory ``/etc/ssl/certs/``.
 

	
 
**prosody_domains** (list, mandatory)
 
**xmpp_domains** (list, mandatory)
 
  List of domains that are served by this Prosody instance. Each item is a
 
  string specifying a domain.
 

	
 
**prosody_ldap_server** (string, mandatory)
 
**xmpp_ldap_server** (string, mandatory)
 
  Fully qualified domain name, hostname, or IP address of the LDAP server used
 
  for user authentication and listing.
 

	
 
**prosody_ldap_bind_dn** (string, mandatory)
 
**xmpp_ldap_bind_dn** (string, mandatory)
 
  Distinguished name of LDAP user used for authenticating to the LDAP
 
  server. This user is used for looking-up the users available on the
 
  server. Users themselves authenticate via their own account.
 

	
 
**prosody_ldap_password** (string, mandatory)
 
**xmpp_ldap_password** (string, mandatory)
 
  Password used for authenticating to the LDAP server.
 

	
 
**prosody_ldap_filter** (string, mandatory)
 
**xmpp_ldap_filter** (string, mandatory)
 
  LDAP filter used for obtaining a list of users available on the Prosody
 
  server. Two special strings can be used for specifying the user and domain,
 
  ``$user``, and ``$host`` within. These will be replaced with real values in
 
  the filter every time a user is looked-up.
 

	
 
**prosody_ldap_scope** (string, mandatory)
 
**xmpp_ldap_scope** (string, mandatory)
 
  Scope for performing the LDAP search for obtaining a list of users available
 
  on the Prosody server.
 

	
 
**prosody_ldap_tls** (boolean, mandatory)
 
**xmpp_ldap_tls** (boolean, mandatory)
 
  Specifies whether to use STARTTLS extension when connecting to the LDAP server
 
  or not.
 

	
 
**prosody_ldap_base** (string, mandatory)
 
**xmpp_ldap_base** (string, mandatory)
 
  Base DN under which the lists of users available on the Prosody should be
 
  looked-up.
 

	
 

	
 
Examples
 
~~~~~~~~
 

	
 
Here is an example configuration for setting-up XMPP server using Prosody:
 

	
 
.. code-block:: yaml
 

	
 
  ---
 

	
 
  prosody_administrators:
 
  xmpp_administrators:
 
    - john.doe@example.com
 
  # These are default key and certificate that generated during Prosody
 
  # installation.
 
  prosody_tls_key: /etc/prosody/certs/localhost.key
 
  prosody_tls_certificate: /etc/prosody/certs/localhost.crt
 
  prosody_domains:
 
  xmpp_tls_key: /etc/prosody/certs/localhost.key
 
  xmpp_tls_certificate: /etc/prosody/certs/localhost.crt
 
  xmpp_domains:
 
    - example.com
 
  prosody_ldap_server: ldap.example.com
 
  prosody_ldap_bind_dn: cn=xmpp,ou=services,dc=example,dc=com
 
  prosody_ldap_password: xmpp
 
  xmpp_ldap_server: ldap.example.com
 
  xmpp_ldap_bind_dn: cn=xmpp,ou=services,dc=example,dc=com
 
  xmpp_ldap_password: xmpp
 
  # This would require that the memberof overlay is available on LDAP server
 
  # side.
 
  prosody_ldap_filter: '(&(memberOf=cn=xmpp,ou=groups,dc=example,dc=com)(mail=$user@$host))'
 
  prosody_ldap_scope: "onelevel"
 
  prosody_ldap_tls: "true"
 
  prosody_ldap_base: "ou=people,dc=example,dc=com"
 
  xmpp_ldap_filter: '(&(memberOf=cn=xmpp,ou=groups,dc=example,dc=com)(mail=$user@$host))'
 
  xmpp_ldap_scope: "onelevel"
 
  xmpp_ldap_tls: "true"
 
  xmpp_ldap_base: "ou=people,dc=example,dc=com"
 

	
 

	
 
Mail Server
 
-----------
 

	
 
The ``mail_server`` role can be used for setting-up a complete mail server
 
solution, which includes both SMTP and IMAP service, on destination machine.
 

	
 
Postfix is used SMTP, while Dovecot is used for IMAP.
 

	
 
The role implements the following:
 

	
 
* Installs rsync.
 
* Deploys IMAP/SMTP TLS private keys and certificates.
 
* Installs and configures Dovecot, Postfix, ClamAV, and ClamAV Milter.
 
* Purges Exim4 configuration (just in case).
 
* Installs SWAKS (utility for testing SMTP servers).
 
* Sets-up the necessary directories and files under Postfix chroot.
 
* Configures firewall to allow incoming connections to the mail server. This
 
  includes set-up of redirection from TCP port 26 to TCP port 25 (alternate SMTP
 
  to work around common network blocks).
 

	
 
Deployed services are configured as follows:
 

	
 
* Both Postfix and Dovecot look-up available domains, users, and aliases in
 
  LDAP.
 
* Incoming and outgoing mail is scanned with ClamAV (via ClamAV
 
  Milter). Infected mails are rejected.
 
* Mail is stored in directory ``/var/MAIL_USER/DOMAIN/USER``, using ``Maildir``
 
  format.
 
* TLS is required for user log-ins for both SMTP and IMAP.
 
* RBL's are used for combating spam (if any is specified in configuration, see
 
  below).
 

	
 
Both Postfix and Dovecot expect a specific directory structure in LDAP when
 
doing look-ups:
 

	
 
* Postfix will log-in to LDAP as user
 
  ``cn=postfix,ou=services,MAIL_LDAP_ROOT_DN``.
 
* Dovecot will log-in to LDAP as user
 
  ``cn=dovecot,ou=services,MAIL_LDAP_ROOT_DN``.
 
* Domain entries need to be available as
 
  ``dc=DOMAIN,ou=domains,ou=mail,ou=services,MAIL_LDAP_ROOT_DN``.
 
* Alias entries need to be available as
 
  ``cn=ALIAS,ou=aliases,ou=mail,ou=services,MAIL_LDAP_ROOT_DN``.
 
* User entries are read from sub-tree (first-level only)
 
  ``ou=people,MAIL_LDAP_ROOT_DN``. Query filter used for finding users is
 
  ``(&(mail=%s)(memberOf=cn=mail,ou=groups,MAIL_LDAP_ROOT_DN))``. This allows
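Review bot: the ``xmpp_tls_certificate`` description in this hunk still says the certificate is used for TLS "for SMTP service"; that is a leftover from the mail role and, now that every parameter carries the ``xmpp_`` prefix, it should read "for XMPP service". Two smaller points in the same hunk: the example sets ``xmpp_tls_key: /etc/prosody/certs/localhost.key`` and calls it the key generated during Prosody installation, but the parameter is documented as a path on the Ansible host that the role copies to ``/etc/ssl/private/``, so the example should use a controller-side path (as ``testsite/group_vars/xmpp.yml`` does with ``{{ inventory_dir }}/tls/...``); and ``xmpp_ldap_tls`` is documented as boolean while the example passes the quoted string ``"true"``, so the docs should state which form the template expects.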
roles/xmpp_server/files/ferm_xmpp.conf
 
file renamed from roles/prosody/files/ferm_xmpp.conf to roles/xmpp_server/files/ferm_xmpp.conf
roles/xmpp_server/files/prosody-debian-packages.gpg
 
file renamed from roles/prosody/files/prosody-debian-packages.gpg to roles/xmpp_server/files/prosody-debian-packages.gpg
roles/xmpp_server/handlers/main.yml
 
file renamed from roles/prosody/handlers/main.yml to roles/xmpp_server/handlers/main.yml
roles/xmpp_server/tasks/main.yml
 
file renamed from roles/prosody/tasks/main.yml to roles/xmpp_server/tasks/main.yml
 
---
 

	
 
- name: Install Python apt bindings
 
  apt: name=python-apt
 

	
 
- name: Add Prosody repository apt key
 
  apt_key:
 
    data: "{{ lookup('file', 'prosody-debian-packages.gpg') }}"
 
    state: present
 

	
 
- name: Add Prosody repository
 
  apt_repository: repo="deb http://packages.prosody.im/debian jessie main" state=present
 

	
 
- name: Install Lua Sec library (needed for TLS)
 
  apt: name=lua-sec state=installed
 

	
 
- name: Install Lua LDAP library
 
  apt: name=lua-ldap state=installed
 

	
 
- name: Install Prosody
 
  apt: name=prosody state=installed
 

	
 
- name: Allow Prosody user to traverse the directory with TLS private keys
 
  user: name=prosody append=yes groups=ssl-cert
 

	
 
- name: Deploy XMPP TLS private key
 
  copy: dest="/etc/ssl/private/{{ prosody_tls_key | basename }}" src="{{ prosody_tls_key }}"
 
  copy: dest="/etc/ssl/private/{{ xmpp_tls_key | basename }}" src="{{ xmpp_tls_key }}"
 
        mode=640 owner=root group=prosody
 
  notify:
 
    - Restart Prosody
 

	
 
- name: Deploy XMPP TLS certificate
 
  copy: dest="/etc/ssl/certs/{{ prosody_tls_certificate | basename }}" src="{{ prosody_tls_certificate }}"
 
  copy: dest="/etc/ssl/certs/{{ xmpp_tls_certificate | basename }}" src="{{ xmpp_tls_certificate }}"
 
        mode=644 owner=root group=root
 
  notify:
 
    - Restart Prosody
 

	
 
- name: Set-up directory for storing additional Prosody modules
 
  file: path=/usr/local/lib/prosody/modules/ state=directory mode=755 owner=root group=root
 

	
 
- name: Deploy the Prosody mod_auth_ldap module
 
  get_url: url=https://prosody-modules.googlecode.com/hg/mod_auth_ldap/mod_auth_ldap.lua
 
           dest=/usr/local/lib/prosody/modules/mod_auth_ldap.lua
 

	
 
- name: Set-up file permissions for the Prosody mod_auth_ldap module
 
  file: dest=/usr/local/lib/prosody/modules/mod_auth_ldap.lua owner=root group=root mode=644
 

	
 
- name: Deploy Prosody configuration file
 
  template: src=prosody.cfg.lua.j2 dest=/etc/prosody/prosody.cfg.lua
 
  notify:
 
    - Restart Prosody
 

	
 
- name: Enable and start Prosody service
 
  service: name=prosody enabled=yes state=started
 

	
 
- name: Deploy firewall configuration for XMPP server
 
  copy: src="ferm_xmpp.conf" dest="/etc/ferm/conf.d/30-xmpp.conf" owner=root group=root mode=640
 
  notify:
 
    - Restart ferm
 
\ No newline at end of file
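Review bot: the "Deploy Prosody configuration file" task (`template: src=prosody.cfg.lua.j2 dest=/etc/prosody/prosody.cfg.lua`) sets no owner, group or mode, yet the rendered file contains `xmpp_ldap_password` in clear; give it the same treatment as the TLS key task, e.g. `owner=root group=prosody mode=640`, so the LDAP bind credential is not world-readable on the target. Also, the "Deploy the Prosody mod_auth_ldap module" task fetches `mod_auth_ldap.lua` from a third-party host on every run with no integrity check, and that file sits directly in the authentication path; either pin it with `get_url`'s `sha256sum` parameter or vendor the file into `roles/xmpp_server/files` and deploy it with `copy`, so an unexpected upstream change fails the play instead of being loaded silently.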
roles/xmpp_server/templates/prosody.cfg.lua.j2
 
file renamed from roles/prosody/templates/prosody.cfg.lua.j2 to roles/xmpp_server/templates/prosody.cfg.lua.j2
 
-- Additional paths to search for modules.
 
plugin_paths = { "/usr/local/lib/prosody/modules/" }
 

	
 
-- List of server administrators.
 
admins = { {% for admin in prosody_administrators %}"{{ admin }}", {% endfor %} }
 
admins = { {% for admin in xmpp_administrators %}"{{ admin }}", {% endfor %} }
 

	
 
-- List of modules to load on startup.
 
modules_enabled = {
 

	
 
  -- Generally required
 
    "roster"; -- Allow users to have a roster. Recommended ;)
 
    "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
 
    "tls"; -- Add support for secure TLS on c2s/s2s connections
 
    "dialback"; -- s2s dialback support
 
    "disco"; -- Service discovery
 
    "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
 

	
 
  -- Not essential, but recommended
 
    "private"; -- Private XML storage (for room bookmarks, etc.)
 
    "vcard"; -- Allow users to set vCards
 

	
 
  -- Nice to have
 
    "version"; -- Replies to server version requests
 
    "uptime"; -- Report how long server has been running
 
    "time"; -- Let others know the time here on this server
 
    "ping"; -- Replies to XMPP pings with pongs
 
    "pep"; -- Enables users to publish their mood, activity, playing music and more
 
    "register"; -- Allow users to register on this server using a client and change passwords
 

	
 
  -- Admin interfaces
 
    "admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
 

	
 
  -- Other specific functionality
 
    "announce"; -- Send announcement to all online users
 
    "legacyauth"; -- Allow legacy authentication and SSL
 
};
 

	
 
-- Disable account creation by default, for security
 
-- For more information see http://prosody.im/doc/creating_accounts
 
allow_registration = false;
 

	
 
-- These are the SSL/TLS-related settings. If you don't want
 
-- to use SSL/TLS, you may comment or remove this
 
ssl = {
 
  key = "/etc/ssl/private/{{ prosody_tls_key | basename }}";
 
  certificate = "/etc/ssl/certs/{{ prosody_tls_certificate | basename }}";
 
  key = "/etc/ssl/private/{{ xmpp_tls_key | basename }}";
 
  certificate = "/etc/ssl/certs/{{ xmpp_tls_certificate | basename }}";
 
}
 

	
 
-- Ports on which to have direct TLS/SSL.
 
legacy_ssl_ports = { 5223 }
 

	
 
-- Force clients to use encrypted connection.
 
c2s_require_encryption = true
 

	
 
-- Disable certificate validation for server-to-server connections.
 
s2s_secure_auth = false
 

	
 
-- Path to Prosody's PID file.
 
pidfile = "/var/run/prosody/prosody.pid"
 

	
 
-- Authentication backend.
 
authentication = "ldap"
 
ldap_server = "{{ prosody_ldap_server }}"
 
ldap_rootdn = "{{ prosody_ldap_bind_dn }}"
 
ldap_password = "{{ prosody_ldap_password }}"
 
ldap_filter = "{{ prosody_ldap_filter }}"
 
ldap_scope = "{{ prosody_ldap_scope }}"
 
ldap_tls = {{ prosody_ldap_tls }}
 
ldap_base = "{{ prosody_ldap_base }}"
 
ldap_server = "{{ xmpp_ldap_server }}"
 
ldap_rootdn = "{{ xmpp_ldap_bind_dn }}"
 
ldap_password = "{{ xmpp_ldap_password }}"
 
ldap_filter = "{{ xmpp_ldap_filter }}"
 
ldap_scope = "{{ xmpp_ldap_scope }}"
 
ldap_tls = {{ xmpp_ldap_tls }}
 
ldap_base = "{{ xmpp_ldap_base }}"
 

	
 
-- Storage backend.
 
storage = "internal"
 

	
 
-- Logging configuration.
 
log = {
 
  info = "/var/log/prosody/prosody.log"; -- Change 'info' to 'debug' for verbose logging
 
  error = "/var/log/prosody/prosody.err";
 
  "*syslog";
 
}
 

	
 
-- Domains which should be handled by Prosody, with dedicated MUC and file
 
-- proxying components.
 
{% for domain in prosody_domains -%}
 
{% for domain in xmpp_domains -%}
 
VirtualHost "{{ domain }}"
 
Component "conference.{{ domain }}" "muc"
 
  restrict_room_creation = "local"
 
Component "proxy.{{ domain }}" "proxy65"
 
  proxy65_acl = { "{{ domain }}" }
 
{% endfor -%}
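Review bot: `ldap_tls = {{ xmpp_ldap_tls }}` is rendered unquoted, and that only works because the examples pass the string `"true"`; if a user supplies a YAML boolean, which is what the docs' "(boolean, mandatory)" invites, Jinja renders `True`, which Lua treats as an undefined global evaluating to nil, so STARTTLS towards the LDAP server is silently disabled and the bind password goes over the wire in clear. Normalise it in the template, e.g. `ldap_tls = {{ 'true' if xmpp_ldap_tls | bool else 'false' }}`, so both forms render valid Lua. Separately, `s2s_secure_auth = false` is visible in this hunk but `docs/rolereference.rst` only says "TLS is configured"; the rename is a good moment to document that server-to-server certificates are not validated, so operators can make that choice knowingly.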
testsite/group_vars/xmpp.yml
 
---
 

	
 
ldap_client_config:
 
  - comment: Set the base DN
 
    option: BASE
 
    value: "{{ testsite_ldap_base }}"
 
  - comment: Set the default URI
 
    option: URI
 
    value: ldapi:///
 
  - comment: Set the default bind DN
 
    option: BINDDN
 
    value: cn=admin,{{ testsite_ldap_base }}
 
  - comment: Set the LDAP TLS truststore
 
    option: TLS_CACERT
 
    value: /etc/ssl/certs/ca.pem
 

	
 
local_mail_aliases:
 
  root: "root john.doe@{{ testsite_domain }}"
 

	
 
smtp_relay_host: mail.{{ testsite_domain }}
 

	
 
smtp_relay_truststore: /etc/ssl/certs/ca.pem
 

	
 
prosody_administrators:
 
xmpp_administrators:
 
  - john.doe@{{ testsite_domain }}
 

	
 
prosody_tls_key: "{{ inventory_dir }}/tls/xmpp.{{ testsite_domain }}_xmpp.key"
 
xmpp_tls_key: "{{ inventory_dir }}/tls/xmpp.{{ testsite_domain }}_xmpp.key"
 

	
 
prosody_tls_certificate: "{{ inventory_dir }}/tls/xmpp.{{ testsite_domain }}_xmpp.pem"
 
xmpp_tls_certificate: "{{ inventory_dir }}/tls/xmpp.{{ testsite_domain }}_xmpp.pem"
 

	
 
prosody_domains:
 
xmpp_domains:
 
  - "{{ testsite_domain }}"
 

	
 
prosody_ldap_server: ldap.{{ testsite_domain }}
 
xmpp_ldap_server: ldap.{{ testsite_domain }}
 

	
 
prosody_ldap_bind_dn: cn=xmpp,ou=services,{{ testsite_ldap_base }}
 
xmpp_ldap_bind_dn: cn=xmpp,ou=services,{{ testsite_ldap_base }}
 

	
 
prosody_ldap_password: xmpp
 
xmpp_ldap_password: xmpp
 

	
 
prosody_ldap_filter: '(&(memberOf=cn=xmpp,ou=groups,{{ testsite_ldap_base }})(mail=$user@$host))'
 
xmpp_ldap_filter: '(&(memberOf=cn=xmpp,ou=groups,{{ testsite_ldap_base }})(mail=$user@$host))'
 

	
 
prosody_ldap_scope: "onelevel"
 
xmpp_ldap_scope: "onelevel"
 

	
 
prosody_ldap_tls: "true"
 
xmpp_ldap_tls: "true"
 

	
 
prosody_ldap_base: "ou=people,{{ testsite_ldap_base }}"
 
xmpp_ldap_base: "ou=people,{{ testsite_ldap_base }}"
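Review bot: `xmpp_ldap_password: xmpp` is committed in clear in group_vars; even for the test site, this bind credential should live in an ansible-vault encrypted vars file (or be a vaulted variable referenced from here), since the same DN and password now also appear verbatim in the documentation example and the rendered Prosody configuration.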
testsite/playbooks/xmpp.yml
 
---
 

	
 
- hosts: xmpp
 
  remote_user: ansible
 
  sudo: yes
 
  roles:
 
    - common
 
    - ldap_client
 
    - mail_forwarder
 
    - prosody
 
    - xmpp_server
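Review bot: `sudo: yes` in this play is the pre-1.9 privilege-escalation keyword; since the role list is being touched anyway, switch it to `become: yes`, which is the supported form and avoids the deprecation path later.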