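@%@UCRWARNING=#% @%@
#%
#% ejabberd configuration file
#%
#%'
# Univention Config Registry template: `@%@name@%@` inserts a UCR variable,
# and the text between two `@!@` markers is Python 2 whose stdout is inserted.
# Only code inside an `@!@` pair is executed; anything else is copied verbatim.

# LDAP filter:
#{ldap_filter, "(&(&(objectClass=univentionXMPPAccount)(xmppEnabled=TRUE))(xmppDomain=))"}.
@!@
# LDAP filter depends on the domain being served:
domains = configRegistry.get('xmpp/domains', '').split()
if domains:
    # Emit the key once. Printing it per domain would repeat the top-level
    # `host_config:` key as soon as more than one domain is configured.
    print 'host_config:'
for domain in domains:
    # Each nested key is indented deeper than its parent in the emitted YAML.
    print '  "%s":\n' % domain
    # NOTE that LDAP's boolean attribute matches case-sensitive: TRUE and FALSE have to be uppercase.
    # NOTE Object class is only needed to disambiguate from groups (which can hold an xmppEnabled attribute too)
    # NOTE(review): the domain is interpolated into the filter and into a quoted
    # YAML scalar without escaping; this relies on xmpp/domains holding plain
    # host names only (no parentheses, asterisks, backslashes or quotes).
    print '    ldap_filter: "(&(objectClass=univentionXMPPAccount)(xmppEnabled=TRUE)(xmppDomain=%s))"' % domain
    # TODO include admins here: they should be coupled to the given domain, not the host. Currently not done.
@!@
#
# hosts: Domains served by ejabberd.
# You can define one or several, for example:
# hosts:
#   - "server1"
#   - "server2"
#
@!@
# maintained by listener: the domains this host serves.
# we use the space character to delimit them in the UCR variable.
# Re-read here so this section does not depend on a variable assigned in an
# earlier @!@ section (presumably each section is evaluated on its own).
domains = configRegistry.get('xmpp/domains', '').split()
print 'hosts:\n'
for domain in domains:
    print '  - "%s"\n' % domain
@!@
access:
  announce:
    admin: allow
  c2s:
    blocked: deny
    all: allow
  c2s_shaper:
    admin: none
    all: normal
  configure:
    admin: allow
  local:
    local: allow
  max_user_offline_messages:
    admin: 5000
    all: 100
  max_user_sessions:
    all: 10
  muc:
    all: allow
  muc_admin:
    admin: allow
  muc_create:
    local: allow
  pubsub_createnode:
    local: allow
  # No module in the `modules` section below references this rule.
  register:
    all: allow
  s2s_shaper:
    all: fast
# The access rules above refer to the ACLs `admin` and `blocked`; only `local`
# is defined here (see the TODO about admins in the host_config section).
acl:
  local:
    user_regexp:
      - ""
auth_method: ldap
language: "@%@plucs/language@%@"
# NOTE(review): the search base is the host's own DN, the same value as
# ldap_rootdn below. Verify that this is intended and that the directory base
# (e.g. ldap/base) is not what was meant.
ldap_base: "@%@ldap/hostdn@%@"
@!@
# The bind password is this host's machine account secret. It has to be
# emitted from inside an executed section: outside of one, the print statement
# itself would be copied into the configuration and no password would be set.
# A trailing newline is stripped so it cannot end up inside the quoted value.
# NOTE(review): the rendered file then contains the machine secret in clear
# text; confirm that its owner and mode restrict reading to the ejabberd
# service account.
with open('/etc/machine.secret') as secret_file:
    print 'ldap_password: "%s"' % secret_file.read(50).rstrip('\n')
@!@
ldap_port: @%@plucs/ldap/port@%@
ldap_rootdn: "@%@ldap/hostdn@%@"
@!@
servers = configRegistry.get('ldap/server/addition', '').split()
master = configRegistry.get('ldap/server/name', '')
# The primary directory server always goes first.
if len(servers) == 0 or servers[0] != master:
    servers = [master] + servers
# Drop empty entries and duplicates while keeping the order.
unique_servers = []
for server in servers:
    if server and server not in unique_servers:
        unique_servers.append(server)
print 'ldap_servers:\n'
# One list item per line; joining them on a single line is not a valid YAML
# sequence once there is more than one server.
for server in unique_servers:
    print '  - "%s"' % server
# These variables only if TLS is enabled
if configRegistry.is_true('plucs/ldap/tls'):
    # NOTE(review): ejabberd's `tls` mode is LDAP over TLS rather than
    # StartTLS, so plucs/ldap/port has to be the directory's TLS port - confirm.
    print 'ldap_encrypt: tls'
    # `hard` makes the connection fail when the server certificate does not verify.
    print 'ldap_tls_verify: hard'
    print 'ldap_tls_cacertfile: "/var/run/ejabberd/certs/cacert.pem"'
    # host certs come directly from the UCS domain CA
    print 'ldap_tls_depth: 1'
else:
    # Without TLS the bind DN, the machine secret and every user password
    # checked through LDAP cross the network unencrypted.
    print 'ldap_encrypt: none'
@!@
ldap_uids:
  "uid": "%u"
listen:
  - ip: "::"
    port: 5222
@!@
# NOTE(review): the client-to-server settings of the port 5222 listener are
# only emitted when plucs/s2s is true; with it unset the listener entry has no
# `module` at all. Check whether this condition was meant for a separate
# server-to-server listener instead.
if configRegistry.is_true('plucs/s2s'):
    print '    module: ejabberd_c2s\n'
    print '    shaper: c2s_shaper\n'
    print '    access: c2s\n'
    print '    max_stanza_size: 65536\n'
    # NOTE(review): it is unclear whether this check is meant to sit inside the
    # plucs/s2s branch; it is kept inside because the TLS keys are meaningless
    # on a listener without `module` - confirm.
    if configRegistry.is_true('plucs/tls'):
        # `starttls: true` offers STARTTLS but does not require it, so clients
        # may still authenticate over an unencrypted stream.
        print '    starttls: true\n'
        # NOTE(review): this is the same path as ldap_tls_cacertfile (a CA
        # certificate). A listener certfile has to hold the server certificate
        # and its private key - confirm the intended path.
        print '    certfile: "/var/run/ejabberd/certs/cacert.pem"\n'
@!@
loglevel: 4
max_fsm_queue: 1000
modules:
  mod_adhoc: []
  mod_announce:
    access: announce
  mod_caps: []
  mod_configure: []
  mod_disco: []
  mod_irc: []
  mod_http_bind: []
  mod_last: []
  mod_muc:
    access: muc
    access_create: muc_create
    access_persistent: muc_create
    access_admin: muc_admin
  mod_offline:
    access_max_user_messages: max_user_offline_messages
  mod_ping: []
  mod_privacy: []
  mod_private: []
  mod_pubsub:
    access_createnode: pubsub_createnode
    ignore_pep_from_offline: true
    last_item_cache: false
    plugins:
      - "flat"
      - "hometree"
      - "pep"
  mod_roster: []
  mod_shared_roster_ldap:
    ldap_rfilter: "(objectClass=univentionXMPPGroup)"
    ldap_ufilter: "(&(objectClass=univentionXMPPAccount)(uid=%u))"
    ldap_gfilter: "(&(objectClass=univentionXMPPGroup)(cn=%g))"
    ldap_filter: "(xmppEnabled=TRUE)"
    ldap_groupattr: "cn"
    ldap_memberattr: "memberUid"
    ldap_memberattr_format: "%u"
    ldap_useruid: "uid"
    ldap_user_cache_validity: 30
    ldap_group_cache_validity: 30
    ldap_groupdesc: "@%@plucs/grouplabel@%@"
    ldap_userdesc: "@%@plucs/userlabel@%@"
  mod_stats: []
  mod_time: []
  mod_vcard: []
  mod_vcard_ldap:
    # vCard field -> format string -> LDAP attributes filling the format.
    ldap_vcard_map:
      "NICKNAME":
        "%s":
          - "uid"
      "FN":
        "%s %s":
          - "givenName"
          - "sn"
      "LAST":
        "%s":
          - "sn"
      "FIRST":
        "%s":
          - "givenName"
      "ORGNAME":
        "%s":
          - "o"
      "LOCALITY":
        "%s":
          - "l"
      "STREET":
        "%s":
          - "street"
      "PCODE":
        "%s":
          - "postalCode"
      "DESC":
        "%s":
          - "description"
      "TEL":
        "%s":
          - "telephoneNumber"
      "EMAIL":
        "%s":
          - "mailPrimaryAddress"
      "BDAY":
        "%s":
          - "univentionBirthday"
      "PHOTO":
        "%s":
          - "jpegPhoto"
    ldap_search_fields:
      "User": "%u"
      "Name": "givenName"
      "Family Name": "sn"
      "Email": "mail"
      "Birthday": "univentionBirthday"
    ldap_search_reported:
      "Full Name": "FN"
      "Nickname": "NICKNAME"
      "Birthday": "BDAY"
  mod_version: []
# s2s_use_starttls: Enable STARTTLS + Dialback for S2S connections.
# You must specify a certificate file when you allow STARTTLS.
@!@
# Maps plucs/s2s/tls to an ejabberd s2s_use_starttls value. An unset or
# unrecognised value yields 'false', i.e. server-to-server links stay
# unencrypted. 'optional' still permits a plaintext fallback, and
# 'required_trusted' is the only mode that also verifies the peer certificate.
s2stls = 'false'
# backwards compatibility: allow 'true' to mean 'optional'
if configRegistry.is_true('plucs/s2s/tls'):
    s2stls = 'optional'
else:
    val = configRegistry.get('plucs/s2s/tls')
    if val in ('optional', 'required', 'required_trusted'):
        s2stls = val
print 's2s_use_starttls: %s' % s2stls
@!@
# NOTE(review): emitted even when plucs/s2s/certfile is unset, which leaves an
# empty path here - confirm that a value is always provided when STARTTLS is on.
s2s_certfile: "@%@plucs/s2s/certfile@%@"
shaper:
  normal: 1000
  fast: 50000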