Mercurial > prosody-modules
annotate mod_lib_ldap/README.md @ 6257:fa45ae704b79
mod_cloud_notify: Update Readme
diff --git a/mod_cloud_notify/README.md b/mod_cloud_notify/README.md
--- a/mod_cloud_notify/README.md
+++ b/mod_cloud_notify/README.md
@@ -1,109 +1,106 @@
----
-labels:
-- 'Stage-Beta'
-summary: 'XEP-0357: Cloud push notifications'
----
+# Introduction
-Introduction
-============
+This module enables support for sending "push notifications" to clients
+that need it, typically those running on certain mobile devices.
-This module enables support for sending "push notifications" to clients that
-need it, typically those running on certain mobile devices.
+As well as this module, your client must support push notifications (the
+apps that need it generally do, of course) and the app developer's push
+gateway must be reachable from your Prosody server (this happens over a
+normal XMPP server-to-server 's2s' connection).
-As well as this module, your client must support push notifications (the apps
-that need it generally do, of course) and the app developer's push gateway
-must be reachable from your Prosody server (this happens over a normal XMPP
-server-to-server 's2s' connection).
-
-Details
-=======
+# Details
Some platforms, notably Apple's iOS and many versions of Android, impose
-limits that prevent applications from running or accessing the network in the
-background. This makes it difficult or impossible for an XMPP application to
-remain reliably connected to a server to receive messages.
-
-In order for messaging and other apps to receive notifications, the OS vendors
-run proprietary servers that their OS maintains a permanent connection to in
-the background. Then they provide APIs to application developers that allow
-sending notifications to specific devices via those servers.
+limits that prevent applications from running or accessing the network
+in the background. This makes it difficult or impossible for an XMPP
+application to remain reliably connected to a server to receive
+messages.
-When you connect to your server with an app that requires push notifications,
-it will use this module to set up a "push registration". When you receive
-a message but your device is not connected to the server, this module will
-generate a notification and send it to the push gateway operated by your
-application's developers). Their gateway will then connect to your device's
-OS vendor and ask them to forward the notification to your device. When your
-device receives the notification, it will display it or wake up the app so it
-can connect to XMPP and receive any pending messages.
+In order for messaging and other apps to receive notifications, the OS
+vendors run proprietary servers that their OS maintains a permanent
+connection to in the background. Then they provide APIs to application
+developers that allow sending notifications to specific devices via
+those servers.
-This protocol is described for developers in [XEP-0357: Push Notifications].
+When you connect to your server with an app that requires push
+notifications, it will use this module to set up a "push registration".
+When you receive a message but your device is not connected to the
+server, this module will generate a notification and send it to the push
+gateway operated by your application's developers). Their gateway will
+then connect to your device's OS vendor and ask them to forward the
+notification to your device. When your device receives the notification,
+it will display it or wake up the app so it can connect to XMPP and
+receive any pending messages.
-For this module to work reliably, you must have [mod_smacks], [mod_mam] and
-[mod_carbons] also enabled on your server.
+This protocol is described for developers in \[XEP-0357: Push
+Notifications\].
+
+For this module to work reliably, you must have \[mod_smacks\],
+\[mod_mam\] and \[mod_carbons\] also enabled on your server.
-Some clients, notably Siskin and Snikket iOS need some additional extensions
-that are not currently defined in a standard XEP. To support these clients,
-see [mod_cloud_notify_extensions].
+Some clients, notably Siskin and Snikket iOS need some additional
+extensions that are not currently defined in a standard XEP. To support
+these clients, see \[mod_cloud_notify_extensions\].
-Configuration
-=============
+# Configuration
- Option Default Description
- ------------------------------------ ----------------- -------------------------------------------------------------------------------------------------------------------
- `push_notification_important_body` `New Message!` The body text to use when the stanza is important (see above), no message body is sent if this is empty
- `push_max_errors` `16` How much persistent push errors are tolerated before notifications for the identifier in question are disabled
- `push_max_devices` `5` The number of allowed devices per user (the oldest devices are automatically removed if this threshold is reached)
- `push_max_hibernation_timeout` `259200` (72h) Number of seconds to extend the smacks timeout if no push was triggered yet (default: 72 hours)
- `push_notification_with_body` (\*) `false` Whether or not to send the real message body to remote pubsub node. Without end-to-end encryption, enabling this may expose your message contents to your client developers and OS vendor. Not recommended.
- `push_notification_with_sender` (\*) `false` Whether or not to send the real message sender to remote pubsub node. Enabling this may expose your contacts to your client developers and OS vendor. Not recommended.
+ Option Default Description
+ -------------------------------------- ---------------- -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
+ `push_notification_important_body` `New Message!` The body text to use when the stanza is important (see above), no message body is sent if this is empty
+ `push_max_errors` `16` How much persistent push errors are tolerated before notifications for the identifier in question are disabled
+ `push_max_devices` `5` The number of allowed devices per user (the oldest devices are automatically removed if this threshold is reached)
+ `push_max_hibernation_timeout` `259200` (72h) Number of seconds to extend the smacks timeout if no push was triggered yet (default: 72 hours)
+ `push_notification_with_body` (\*) `false` Whether or not to send the real message body to remote pubsub node. Without end-to-end encryption, enabling this may expose your message contents to your client developers and OS vendor. Not recommended.
+ `push_notification_with_sender` (\*) `false` Whether or not to send the real message sender to remote pubsub node. Enabling this may expose your contacts to your client developers and OS vendor. Not recommended.
-(\*) There are privacy implications for enabling these options.
+(\*) There are privacy implications for enabling these options.[^1]
-Internal design notes
-=====================
+# Internal design notes
-App servers are notified about offline messages, messages stored by [mod_mam]
-or messages waiting in the smacks queue.
-The business rules outlined [here](//mail.jabber.org/pipermail/standards/2016-February/030925.html) are all honored[^2].
+App servers are notified about offline messages, messages stored by
+\[mod_mam\] or messages waiting in the smacks queue. The business rules
+outlined
+[here](//mail.jabber.org/pipermail/standards/2016-February/030925.html)
+are all honored[^2].
-To cooperate with [mod_smacks] this module consumes some events:
-`smacks-ack-delayed`, `smacks-hibernation-start` and `smacks-hibernation-end`.
-These events allow this module to send out notifications for messages received
-while the session is hibernated by [mod_smacks] or even when smacks
-acknowledgements for messages are delayed by a certain amount of seconds
-configurable with the [mod_smacks] setting `smacks_max_ack_delay`.
+To cooperate with \[mod_smacks\] this module consumes some events:
+`smacks-ack-delayed`, `smacks-hibernation-start` and
+`smacks-hibernation-end`. These events allow this module to send out
+notifications for messages received while the session is hibernated by
+\[mod_smacks\] or even when smacks acknowledgements for messages are
+delayed by a certain amount of seconds configurable with the
+\[mod_smacks\] setting `smacks_max_ack_delay`.
-The `smacks_max_ack_delay` setting allows to send out notifications to clients
-which aren't already in smacks hibernation state (because the read timeout or
-connection close didn't already happen) but also aren't responding to acknowledgement
-request in a timely manner. This setting thus allows conversations to be smoother
-under such circumstances.
+The `smacks_max_ack_delay` setting allows to send out notifications to
+clients which aren't already in smacks hibernation state (because the
+read timeout or connection close didn't already happen) but also aren't
+responding to acknowledgement request in a timely manner. This setting
+thus allows conversations to be smoother under such circumstances.
-The new event `cloud-notify-ping` can be used by any module to send out a cloud
-notification to either all registered endpoints for the given user or only the endpoints
-given in the event data.
+The new event `cloud-notify-ping` can be used by any module to send out
+a cloud notification to either all registered endpoints for the given
+user or only the endpoints given in the event data.
-The config setting `push_notification_important_body` can be used to specify an alternative
-body text to send to the remote pubsub node if the stanza is encrypted or has a body.
-This way the real contents of the message aren't revealed to the push appserver but it
-can still see that the push is important.
-This is used by Chatsecure on iOS to send out high priority pushes in those cases for example.
+The config setting `push_notification_important_body` can be used to
+specify an alternative body text to send to the remote pubsub node if
+the stanza is encrypted or has a body. This way the real contents of the
+message aren't revealed to the push appserver but it can still see that
+the push is important. This is used by Chatsecure on iOS to send out
+high priority pushes in those cases for example.
-Compatibility
-=============
-
-**Note:** This module should be used with Lua 5.2 and higher. Using it with
-Lua 5.1 may cause push notifications to not be sent to some clients.
+# Compatibility
------- -----------------------------------------------------------------------------
- trunk Works
- 0.12 Works
- 0.11 Works
- 0.10 Works
- 0.9 Support dropped, use last supported version [675726ab06d3](//hg.prosody.im/prosody-modules/raw-file/675726ab06d3/mod_cloud_notify/mod_cloud_notify.lua)
------- -----------------------------------------------------------------------------
+**Note:** This module should be used with Lua 5.2 and higher. Using it
+with Lua 5.1 may cause push notifications to not be sent to some
+clients.
+ ------- -----------------------------------------------------------------
+ trunk Works as of 25-06-13
+ 13 Works
+ 0.12 Works
+ ------- -----------------------------------------------------------------
-[^1]: The service which is expected to forward notifications to something like Google Cloud Messaging or Apple Notification Service
-[^2]: [business_rules.markdown](//hg.prosody.im/prosody-modules/file/tip/mod_cloud_notify/business_rules.markdown)
+[^1]: The service which is expected to forward notifications to
+ something like Google Cloud Messaging or Apple Notification Service
+
+[^2]: [business_rules.md](//hg.prosody.im/prosody-modules/file/tip/mod_cloud_notify/business_rules.md)
| author | Menel <menel@snikket.de> |
|---|---|
| date | Fri, 13 Jun 2025 10:36:52 +0200 |
| parents | 71538875be48 |
| children |
| rev | line source |
|---|---|
| 809 | 1 # LDAP plugin suite for Prosody |
| 2 | |
| 3 The LDAP plugin suite includes an authentication plugin (mod\_auth\_ldap2) and storage plugin | |
| 4 (mod\_storage\_ldap) to query against an LDAP server. It also provides a plugin library (mod\_lib\_ldap) | |
| 5 for accessing an LDAP server to make writing other LDAP-based plugins easier in the future. | |
| 6 | |
| 7 # LDAP Authentication | |
| 8 | |
|
1643
71538875be48
mod_lib_ldap: Update README to clarify discussion of auth / TLS... and discourage disabling TLS.
Paul Aurich <paul@darkrain42.org>
parents:
1466
diff
changeset
|
9 **NOTE**: LDAP authentication currently only works with plaintext auth (as opposed to DIGEST-MD5 or SCRAM) |
|
71538875be48
mod_lib_ldap: Update README to clarify discussion of auth / TLS... and discourage disabling TLS.
Paul Aurich <paul@darkrain42.org>
parents:
1466
diff
changeset
|
10 If this isn't ok with you, don't use it! (Or better yet, fix it =) ) |
| 809 | 11 |
|
1643
71538875be48
mod_lib_ldap: Update README to clarify discussion of auth / TLS... and discourage disabling TLS.
Paul Aurich <paul@darkrain42.org>
parents:
1466
diff
changeset
|
12 With that note in mind, if you need to allow (XMPP) clients to connect to your server without TLS and |
|
71538875be48
mod_lib_ldap: Update README to clarify discussion of auth / TLS... and discourage disabling TLS.
Paul Aurich <paul@darkrain42.org>
parents:
1466
diff
changeset
|
13 want to use this module, you need to set 'allow\_unencrypted\_plain\_auth' to true in your |
|
71538875be48
mod_lib_ldap: Update README to clarify discussion of auth / TLS... and discourage disabling TLS.
Paul Aurich <paul@darkrain42.org>
parents:
1466
diff
changeset
|
14 configuration. You probably don't actually want to do this, though. |
| 809 | 15 |
|
862
675945ea2ed6
Change hoelzro's mod_auth_ldap to mod_auth_ldap2
Rob Hoelz <rob@hoelz.ro>
parents:
809
diff
changeset
|
16 To enable LDAP authentication, set 'authentication' to 'ldap2' in your configuration file. |
| 809 | 17 See also http://prosody.im/doc/authentication. |
| 18 | |
| 19 # LDAP Storage | |
| 20 | |
| 21 LDAP storage is currently read-only, and it only supports rosters and vCards. | |
| 22 | |
| 23 To enable LDAP storage, set 'storage' to 'ldap' in your configuration file. | |
| 24 See also http://prosody.im/doc/storage. | |
| 25 | |
| 26 # LDAP Configuration | |
| 27 | |
| 28 All of the LDAP-specific configuration for the plugin set goes into an 'ldap' section | |
| 29 in the configuration. You must set the 'hostname' field in the 'ldap' section to | |
| 30 your LDAP server's location (a custom port is also accepted, so I guess it's not strictly | |
| 31 a hostname). The 'bind\_dn' and 'bind\_password' are optional if you want to bind as | |
| 32 a specific DN. There should be an example configuration included with this README, so | |
| 33 feel free to consult that. | |
| 34 | |
| 35 ## The user section | |
| 36 | |
| 37 The user section must contain the following keys: | |
| 38 | |
| 39 * basedn - The base DN against which to base your LDAP queries for users. | |
| 40 * filter - An LDAP filter expression that matches users. | |
| 41 * usernamefield - The name of the attribute in an LDAP entry that contains the username. | |
| 42 * namefield - The name of the attribute in an LDAP entry that contains the user's real name. | |
| 43 | |
| 44 ## The groups section | |
| 45 | |
| 46 The LDAP plugin suite has support for grouping (ala mod\_groups), which can be enabled via the groups | |
| 47 section in the ldap section of the configuration file. Currently, you must have at least one group. | |
| 48 The groups section must contain the following keys: | |
| 49 | |
| 50 * basedn - The base DN against which to base your LDAP queries for groups. | |
| 51 * memberfield - The name of the attribute in an LDAP entry that contains a list of a group's members. The contents of this field | |
| 52 must match usernamefield in the user section. | |
| 53 * namefield - The name of the attribute in an LDAP entry that contains the group's name. | |
| 54 | |
| 55 The groups section must contain at least one entry in its array section. Each entry must be a table, with the following keys: | |
| 56 | |
| 57 * name - The name of the group that will be presented in the roster. | |
| 58 * $namefield (whatever namefield is set to is the name) - An attribute pair to match this group against. | |
| 59 * admin (optional) - whether or not this group's members are admins. | |
| 60 | |
| 61 ## The vcard\_format section | |
| 62 | |
| 63 The vcard\_format section is used to generate a vCard given an LDAP entry. See http://xmpp.org/extensions/xep-0054.html for | |
| 64 more information. The JABBERID field is automatically populated. | |
| 65 | |
| 66 The key/value pairs in this table fall into three categories: | |
| 67 | |
| 68 ### Simple pairs | |
| 69 | |
| 70 Some values in the vcard\_format table are simple key-value pairs, where the key corresponds to a vCard | |
| 71 entry, and the value corresponds to the attribute name in the LDAP entry for the user. The fields that | |
| 72 be configured this way are: | |
| 73 | |
| 74 * displayname - corresponds to FN | |
| 75 * nickname - corresponds to NICKNAME | |
| 76 * birthday - corresponds to BDAY | |
| 77 * mailer - corresponds to MAILER | |
| 78 * timezone - corresponds to TZ | |
| 79 * title - corresponds to TITLE | |
| 80 * role - corresponds to ROLE | |
| 81 * note - corresponds to NOTE | |
| 82 * rev - corresponds to REV | |
| 83 * sortstring - corresponds to SORT-STRING | |
| 84 * uid - corresponds to UID | |
| 85 * url - corresponds to URL | |
| 86 * description - corresponds to DESC | |
| 87 | |
| 88 ### Single-level fields | |
| 89 | |
| 90 These pairs have a table as their values, and the table itself has a series of key value pairs that are translated | |
| 91 similarly to simple pairs. The fields that are configured this way are: | |
| 92 | |
| 93 * name - corresponds to N | |
| 94 * family - corresponds to FAMILY | |
| 95 * given - corresponds toGIVEN | |
| 96 * middle - corresponds toMIDDLE | |
| 97 * prefix - corresponds toPREFIX | |
| 98 * suffix - corresponds toSUFFIX | |
| 99 * photo - corresponds to PHOTO | |
| 100 * type - corresponds to TYPE | |
| 101 * binval - corresponds to BINVAL | |
| 102 * extval - corresponds to EXTVAL | |
| 103 * geo - corresponds to GEO | |
| 104 * lat - corresponds to LAT | |
| 105 * lon - corresponds to LON | |
| 106 * logo - corresponds to LOGO | |
| 107 * type - corresponds to TYPE | |
| 108 * binval - corresponds to BINVAL | |
| 109 * extval - corresponds to EXTVAL | |
| 110 * org - corresponds to ORG | |
| 111 * orgname - corresponds to ORGNAME | |
| 112 * orgunit - corresponds to ORGUNIT | |
| 113 * sound - corresponds to SOUND | |
| 114 * phonetic - corresponds to PHONETIC | |
| 115 * binval - corresponds to BINVAL | |
| 116 * extval - corresponds to EXTVAL | |
| 117 * key - corresponds to KEY | |
| 118 * type - corresponds to TYPE | |
| 119 * cred - corresponds to CRED | |
| 120 | |
| 121 ### Multi-level fields | |
| 122 | |
| 123 These pairs have a table as their values, and each table itself has tables as its values. The nested tables have | |
| 124 the same key-value pairs you're used to, the only difference being that values may have a boolean as their type, which | |
| 125 converts them into an empty XML tag. I recommend looking at the example configuration for clarification. | |
| 126 | |
| 127 * address - ADR | |
| 128 * telephone - TEL | |
| 129 * email - EMAIL | |
| 130 | |
|
1466
9da03e45c6be
Update LDAP docs for telephone and similar fields
Rob Hoelz <rob@hoelz.ro>
parents:
1224
diff
changeset
|
131 For example, to get something like this in your vCard: |
|
9da03e45c6be
Update LDAP docs for telephone and similar fields
Rob Hoelz <rob@hoelz.ro>
parents:
1224
diff
changeset
|
132 |
|
9da03e45c6be
Update LDAP docs for telephone and similar fields
Rob Hoelz <rob@hoelz.ro>
parents:
1224
diff
changeset
|
133 <TEL> |
|
9da03e45c6be
Update LDAP docs for telephone and similar fields
Rob Hoelz <rob@hoelz.ro>
parents:
1224
diff
changeset
|
134 <WORK /> |
|
9da03e45c6be
Update LDAP docs for telephone and similar fields
Rob Hoelz <rob@hoelz.ro>
parents:
1224
diff
changeset
|
135 <VOICE /> |
|
9da03e45c6be
Update LDAP docs for telephone and similar fields
Rob Hoelz <rob@hoelz.ro>
parents:
1224
diff
changeset
|
136 <NUMBER>555-555-5555</NUMBER> |
|
9da03e45c6be
Update LDAP docs for telephone and similar fields
Rob Hoelz <rob@hoelz.ro>
parents:
1224
diff
changeset
|
137 </TEL> |
|
9da03e45c6be
Update LDAP docs for telephone and similar fields
Rob Hoelz <rob@hoelz.ro>
parents:
1224
diff
changeset
|
138 |
|
9da03e45c6be
Update LDAP docs for telephone and similar fields
Rob Hoelz <rob@hoelz.ro>
parents:
1224
diff
changeset
|
139 Your configuration for `telephone` will probably look something like this: |
|
9da03e45c6be
Update LDAP docs for telephone and similar fields
Rob Hoelz <rob@hoelz.ro>
parents:
1224
diff
changeset
|
140 |
|
9da03e45c6be
Update LDAP docs for telephone and similar fields
Rob Hoelz <rob@hoelz.ro>
parents:
1224
diff
changeset
|
141 telephone = { |
|
9da03e45c6be
Update LDAP docs for telephone and similar fields
Rob Hoelz <rob@hoelz.ro>
parents:
1224
diff
changeset
|
142 work = { |
|
9da03e45c6be
Update LDAP docs for telephone and similar fields
Rob Hoelz <rob@hoelz.ro>
parents:
1224
diff
changeset
|
143 voice = true, |
|
9da03e45c6be
Update LDAP docs for telephone and similar fields
Rob Hoelz <rob@hoelz.ro>
parents:
1224
diff
changeset
|
144 number = 'telephoneNumber', |
|
9da03e45c6be
Update LDAP docs for telephone and similar fields
Rob Hoelz <rob@hoelz.ro>
parents:
1224
diff
changeset
|
145 }, |
|
9da03e45c6be
Update LDAP docs for telephone and similar fields
Rob Hoelz <rob@hoelz.ro>
parents:
1224
diff
changeset
|
146 } |
|
9da03e45c6be
Update LDAP docs for telephone and similar fields
Rob Hoelz <rob@hoelz.ro>
parents:
1224
diff
changeset
|
147 |
| 809 | 148 ### Unsupported vCard fields |
| 149 | |
| 150 * LABEL | |
| 151 * AGENT | |
| 152 * CATEGORIES | |
| 153 * PRODID | |
| 154 * CLASS | |
| 155 | |
| 156 ### Example Configuration | |
| 157 | |
| 158 You can find an example configuration in the dev directory underneath the | |
| 159 directory that this file is located in. | |
| 160 | |
| 161 # Missing Features | |
| 162 | |
| 163 This set of plugins is missing a few features, some of which are really just ideas: | |
| 164 | |
| 165 * Implement non-plaintext authentication. | |
| 166 * Use proper LDAP binding (LuaLDAP must be patched with http://prosody.im/patches/lualdap.patch, though) | |
| 167 * Non-hardcoded LDAP groups (derive groups from LDAP queries) | |
| 168 * LDAP-based MUCs (like a private MUC per group, or something) | |
| 169 * This suite of plugins was developed with a POSIX-style setup in mind; YMMV. Patches to work with other setups are welcome! | |
| 1224 | 170 * Add ability for users to change their vCard/passwords/etc from within Prosody |
