This is an attempt at documenting every property used by Openfire. Please keep this list in alphabetical order, for easier searching.
A comma seperated list of usernames allowed to log into the admin console.
A comma seperated list of full JID's allowed to log into the admin console. The JIDs may belong to remote users.
The port number the admon console listens on (not encrpyted). Disable by using \-1.
The port number the admin console listens on (encrypted). Disable by using \-1.
The class name of the database connection provider
minimum database connections
maximum database connections TODO
database connection timeout
SQL command to test whether a connection is fine
true / false - test connection before using it
|database.defaultProvider.testAfterUse||true / false - test connection after using it|
|database.defaultProvider.checkOpenConnection||TODO - is it still valid?|
|database.defaultProvider.openConnectionTimeLimit||TODO - is it still valid?|
a directory administrator's DN. All directory operations will be performed with this account. The admin must be able to perform searches and load user records. The user does not need to be able to make changes to the directory, as Openfire treats the directory as read-only. If this property is not set, an anonymous login to the server will be attempted. If you do not allow anonymous searches to your LDAP server, you must set this.
the password for the directory administrator.
a second DN in the directory can optionally be set. If set, the alternate base DN will be used for authentication and loading single users, but will not be used to display a list of users (due to technical limitations).
Enable LDAP authentication cache, if using the LdapAuth provider
Cache size (in bytes) for LDAP authentication cache
a value of "true" indicates that LDAP referrals should be automatically followed. If this property is not set or is set to "false", the referral policy used is left up to to the provider. A referral is an entity that is used to redirect a client's request to another server. A referral contains the names and locations of other objects. It is sent by the server to indicate that the information that the client has requested can be found at another location (or locations), possibly at another server or several servers.
the starting DN that searches for users will performed with. The entire subtree under the base DN will be searched for user accounts. This is required for all LDAP setups.
If Openfire should sort the LDAP results itself set to true. If the ldap server can do it, set to false.
a value of "false" disables LDAP connection pooling.
a value of "true" if debugging should be turned on. When on, trace information about buffers sent and received by the LDAP provider is written to System.out
the field name that holds the user's email address. If this property is not set, the default value is mail. Active Directory users should use the the default value mail.
the field name that holds the description a group. If this property is not set, the default value is description.
the field name that holds the members in a group. If this property is not set, the default value is member.
the field name that the groupname lookups will be performed on. If this property is not set, the default value is cn.This is required if you wish to use groups from LDAP.
the search filter that should be used when loading groups.
LDAP server host; e.g. localhost or machine.example.com, etc. It is possible to use many LDAP servers but all of them should share the same configuration (e.g. SSL, baseDN, admin account, etc). To specify many LDAP servers use the comma or the white space character as delimiter. Obviously, this is required for LDAP setups.
the name of the class that should be used as an initial context factory. if this value is not specified, "com.sun.jndi.ldap.LdapCtxFactory" will be used instead. Most users will not need to set this value.
the field name that holds the user's name. If this property is not set, the default value is cn. Active Directory users should use the default value displayName.
LDAP server port number.
a value of "true" means that users are stored within the group by their user name alone. A value of "false" means that users are stored by their entire DN within the group. If this property is not set, the default value is false. Note: the posix mode must be set correctly for your server in order for group integration to work. This is required if you wish to use groups from LDAP.
a value of "true" to enable SSL connections to your LDAP server. If you enable SSL connections, the LDAP server port number most likely should be changed to 636.
the LDAP fields that will be used for user searches. If this property is not set, the username, name, and email fields will be searched. An example value for this field is "Username/uid,Name/cname". That searches the uid and cname fields in the directory and labels them as "Username" and "Name" in the search UI. You can add as many fields as you'd like using comma-delimited "DisplayName/Field" pairs. You should ensure that any fields used for searching are properly indexed so that searches return quickly.
the search filter that should be used when loading users.
The default search will be for users that have the attribute specified by ldap.usernameField.
the field name that the username lookups will be performed on. If this property is not set, the default value is uid. Active Directory users should try the default value sAMAccountName.
The literal mapping between ldap fields and the XML to go in the vcard
Turn on debug logging
The format used for debug logging
The maximum size of the debug log
The directory all log files will go into
The format used for the error log
The maximum size of the error log
The format used for the info log
The maximum size of the info log
The format used for the warn log
The maximum size of the warn log
The locale (language settings)
An ip address to bind to. Generally only useful on multi-homed systems.
The class name of the AuthProvider (Authentication)
The class name of the UserProvider
The class name of the GroupProvider
The class name of the VcardProvider
Configure which authorization mechanisms Openfire allows (DIGEST-MD5 PLAIN CRAM-MD5). Java's CRAM-MD5 implementation and Cryus SASL's implementation differ slightly. Multiple values are seperated by commas.
True if Openfire has been configured. False only after an initial install before configuring.
Cache expiration time for name in milleseconds.
|see How to configure Openfire's caches|
Cache size for name in bytes
|see How to configure Openfire's caches|
The timezone for your locale
http://www.igniterealtime.org/issues/browse/JM-711]) Internal DNS that allows to specify target IP addresses and ports to use for domains. Sample values for the property (make sure to insert no space characters!):
|flash.crossdomain.enabled||Boolean for if the flash cross domain server is enabled (new in OF 3.6.5)||true|
|flash.crossdomain.port||Integer for the port number to listen on for crossdomain requests (new in OF 3.6.5)||5229|
|hazelcast.config.xml.filename||Name of the Hazelcast configuration file. By overriding this value you can easily install a custom cluster configuration file in the Hazelcast plugin /classes/ directory, or in the classpath of your own custom plugin.||hazelcast-cache-config.xml|
|hazelcast.max.execution.seconds||Maximum time to wait when running a synchronous task across members of the cluster.||30|
|hazelcast.startup.delay.seconds||Number of seconds to wait before launching the Hazelcast plugin. This allows Openfire to deploy any other plugins before initializing the cluster caches, etc.||5|
|hazelcast.startup.retry.count||Number of times to retry initialization if the cluster fails to start on the first attempt.||1|
|hazelcast.startup.retry.seconds||Number of seconds to wait between subsequent attempts to start the cluster.||10|
|ldap.override.avatar||When enabled allows users to changer/add an avatar openfire servers bound to LDAP that do not have an LDAP defined avatar. The Property Values are true or false.||true|
Enable debugging for mail.
The SMTP Hostname to use
The SMTP Password to use when using SMTP Auth
The port to use for SMTP
Enable SSL for smtp
The SMTP Username to use when using SMTP Auth
The value "false" if the Openfire media proxy should not be enabled. The media proxy allows Jingle clients to communicate when peer to peer connections fail (such as when behind a strict firewall).
true (a null value means true)
The maximum amount of time (in milleseconds) to wait before a media proxy session is closed when there is no activity.
The minimum port value that the media proxy will use for UDP client connections. The port range must be large enough to handle as many client connections as will occur.
The maximum port value that the media proxy will use for UDP client connections. The port range must be large enough to handle as many client connections as will occur.
|passwordKey||Key used to decrypt Blowfish encrypted passwords in 'ofUser.encryptedPassword' (when user.usePlainPassword is set to false)||randomly generated when detected as null|
Enables the ability to upload plugins from the admin interface.
Allow inband registration
Allow inband password changes
Enable routing of messages to base JID to every client logged in with the same base JID (different resources) and the same (highest) priority
Enable or disable the RSS feed in the admin console http://www.igniterealtime.org/issues/browse/JM-1172
|session.stalled.cap||If there are more than this number of bytes waiting to be written to a connection session, then it's assumed that the session has stalled and it will be closed||5242880 - i.e. 5 MB|
If true, send a shutdown message to all connected users before terminating the server
Keep track of the last time we checked for updates. Don't edit this value.
Sets the host of the proxy to use to connect to jivesoftware.org or 'null' if no proxy is used.
Sets the port of the proxy to use to connect to jivesoftware.org or \-1 if no proxy is being used.
|user.usePlainPassword||Sets wether the password for users is stored in the database in plaintext format in the ofUser.plainPassword column, or encrypted using the Blowfish algorithm in the ofUser.encryptedPassword column, using the key found in the "passwordKey" property.||false|
Turn on packet auditing
A comma seperated list of users to ignore when auditing packets
If true, audit ip packets
The directory to put the audit file in
If true, audit message packets
If true, audit presence packets
True if anonymous authentication is allowed
Number of failed authentication attempts allowed.
Time in millesconds to disconnect an idle client. Use -1 to disable.
6 * 60 * 1000 (thanks Keehong)
A comma seperated list of IP addresses clients are allowed to log in from
Enables the roster for clients. If false, it is not possible to retrieve users rosters or broadcast presence packets to roster contacts.
If true, validate the hostname in the stream header sent by clients.
The name of the server
Permission policy for creating rooms. Set to false to allow anyone to create rooms, true to restrict to jids listed in xmpp.muc.create.jid. Note: The meaning is reversed:-)
List of JIDs that are allowed to create a MUC room.
Checks if the room may be included in search results.
Set this to false to disable MUC / conference. Requires server restart. (looks like it doesnt work on 3.6.4 - wroot)
The maximum number of chat history messages stored for the room.
Set history strategy type. Valid values: defaulType, none, all, number
Host name of MUC service. Requires server restart.
|xmpp.muc.skipInvite||(3.7.0+) Disable the auto invitation of newly added members to a MUC chatroom's access control list.||false|
Load the list of JIDs that are system admins of the MUC service.
The number of messages to log on each run of the logging process.
The number of milliseconds to elapse between logging of room conversations.
The number of milliseconds a user must be idle before he/she gets kicked from all the rooms.
The number of milliseconds before clearing of idle chat users.
The server will unload from memory persistent rooms that have been empty for 30 (default) days. The room will still exist in the database and users may still join. The only consequence is that it won't appear in the discovery list. This option is valid for prior 3.6.0 versions only. As 3.6.0 has introduced multiple conference services.
How many messages to store before bouncing or dropping as per xmpp.offline.type
|100 * 1024 messages?|
Controls the strategy for handling messages to offline users:
- bounce: All messages are bounced to the sender.
- drop: All messages are silently dropped.
- store: All messages are stored
- store_and_bounce: Messages are stored up to the storage limit, and then bounced.
- store_and_drop: Messages are stored up to the storage limit, and then silently dropped.
since 3.5.2 / JM-1350: XMLLightweightParser allows N Bytes of buffered data before closing a potential dangerous connection to avoid an Out-Of-Memory error.
Some servers are setup to use DNS SRV records. In that case, their domain may not the actual server address. For example, the DNS SRV record for igniterealtime.org could point to a server at xmpp.igniterealtime.org. This will affect non XMPP traffic like the file proxy transfer service, since the proxy service can't give out the normal XMPP domain name and have that work.
|xmpp.pubsub.create.anyone||Determines if anyone can create nodes|
|xmpp.pubsub.create.jid||List of JID's of those that are allowed to create nodes|
since 3.5.0 / JM-1262: Disable pubsub by setting this value to false
|xmpp.pubsub.multiple-subscriptions||Turns the ability to have multiple subscriptions to a node on/off||true|
|xmpp.pubsub.root.creator||Specifies the JID of the root node creator|
|xmpp.pubsub.root.nodeID||Specifies the id of the root collection node|
|xmpp.pubsub.service||The pubsub service name||pubsub|
|xmpp.pubsub.sysadmin.jid||Sets the specified JID's as pubsub admins|
|xmpp.pubsub.flush.timer||The time delay (in seconds) between flushing of the published items cache to persistent storage.||120 (seconds)|
|xmpp.pubsub.flush.max||The maximum number of items the published items cache will hold before it flushes itelf to persistent storage.||1000|
|xmpp.pubsub.fetch.max||The maximum number of items that a get items operations on a node will return. Openfire doesn't support Result Sets in pubsub yet, so making this number too large will cause memory and performance issues.||2000|
|xmpp.pubsub.purge.timer||The time delay (in seconds) to purge stale data from the database.||300 (seconds)|
The location Openfire is installed in
Where to look for the native library path for NativeAuthProvider
What the default line seperator is.
Only used for OS detection in Mac OS
The directory the plugins live in
The OS Name (eg "Windows 2000").
Automatically set by Java
The place to look for ServerStarter.
The location where Openfire is installed in
For plugins (gateway), see http://www.igniterealtime.org/community/docs/DOC-1002
|log.httpbind.enabled||Print all packets which were sent or received via http-bind to STOUT.||false|
|xmpp.httpbind.client.idle||Seconds a session has to be idle to be closed||30|
|xmpp.httpbind.client.requests.max||the number of simultaneous requests allowable.||2|
|xmpp.httpbind.client.requests.wait||the longest time (in seconds) that Openfire is allowed to wait before responding to any request during the session.||0x7fffffff|
|xmpp.httpbind.client.requests.polling||the maximum allowable period over which a client can send empty requests to the server.||5|