commit f302f8a

Author: Ralf Haferkamp <[email protected]> Date: Fri Apr 29 13:13:15 2022 +0200 [docs-only] Adjust idm docs after it's now running by default (#3608) * Add libregraph/idm and remove accounts and glauth Also add the reva authproviders * Adjust idm docs after it's now running by default * Apply suggestions from code review Co-authored-by: Michael Barz <[email protected]> * Update docs/extensions/idm/configuration_hints.md Co-authored-by: Martin <[email protected]> Co-authored-by: Michael Barz <[email protected]> Co-authored-by: Martin <[email protected]>
owncloud · Apr 29, 2022 · c5f34c2 · c5f34c2
1 parent 97bb7df
commit c5f34c2
Show file tree

Hide file tree

Showing 13 changed files with 73 additions and 60 deletions.
diff --git a/extensions/idm/_index.md b/extensions/idm/_index.md
@@ -10,6 +10,20 @@ geekdocCollapseSection: true
 
 ## Abstract
 
+The IDM service provides a minimal LDAP Service (based on https://github.com/libregraph/idm) for oCIS. It is started as part of
+the default configuration and serves as a central place for storing user and group information.
+
+It is mainly targeted at small oCIS installations. For larger setups it is recommended to replace IDM with a "real" LDAP server
+or to switch to an external Identity Management Solution.
+
+IDM listens on port 9325 by default. In the default configuration it only accepts TLS protected connections (LDAPS). The BaseDN
+of the LDAP tree is `o=libregraph-idm`. IDM gives LDAP write permissions to a single user 
+(DN: `uid=libregraph,ou=sysusers,o=libregraph-idm`). Any other authenticated user has read-only access. IDM stores its data in a
+[boltdb](https://github.com/etcd-io/bbolt) file `idm/ocis.boltdb` inside the oCIS base data directory.
+
+Note: IDM is limited in its functionality. It only supports a subset of the LDAP operations (namely BIND, SEARCH, ADD, MODIFY, DELETE).
+Also IDM currently does not do any Schema Verification (e.g. structural vs. auxiliary Objectclasses, require and option Attributes,
+Syntax Checks, ...). So it's not meant as a general purpose LDAP server.
 
 ## Table of Contents
 

diff --git a/extensions/idm/configuration_hints.md b/extensions/idm/configuration_hints.md
@@ -0,0 +1,49 @@
+---
+title: Configuration Hints
+date: 2022-04-27:00:00+00:00
+weight: 20
+geekdocRepo: https://github.com/owncloud/ocis
+geekdocEditPath: edit/master/docs/extensions/idm
+geekdocFilePath: configuration_hints.md
+geekdocCollapseSection: true
+---
+
+## TLS Server Certificates
+By default IDM generates a self-signed certificate and key on first startup to be
+able to provide TLS protected services. The certificate is stored in
+`idm/ldap.crt` inside the oCIS base data directory. The key is in
+`idm/ldap.key` in the same directory. You can use a custom server
+certificate by setting the `IDM_LDAPS_CERT` and `IDM_LDAPS_KEY`.
+
+## Default / Demo Users
+On startup IDM creates a set of default services users that are needed
+internally to provide access to IDM to other oCIS services. These users are stored
+in a separate subtree. The base DN of that subtree is:
+`ou=sysusers,o=libregraph-idm`. The service users are:
+
+* `uid=libregraph,ou=sysusers,o=libregraph-idm`: This is the only user with write
+  access to the LDAP tree. It is used by the Graph service to lookup, create, delete and
+  modify users and groups.
+* `uid=idp,ou=sysusers,o=libregraph-idm`: This user is used by the IDP service to
+  perform user lookups for authentication.
+* `uid=reva,ou=sysusers,o=libregraph-idm`: This user is used by the "reva" services
+  `user`, `group` and `auth-basic`.
+
+IDM is also able to create [Demo Users](../../../ocis/getting-started/demo-users)
+upon startup. 
+
+## Access via LDAP command line tools
+For testing purposes it is sometimes helpful to query IDM using the ldap
+command line clients. To e.g. list all users, this command can be used:
+
+```
+ldapsearch -x -H ldaps://127.0.0.1:9235 -x -D uid=libregraph,ou=sysusers,o=libregraph-idm -w idm -b o=libregraph-idm objectclass=inetorgperson
+```
+
+When using the default configuration with the self-signed server certificate
+you might need to switch off the Certificate Validation using `LDAPTL_REQCERT` env
+variable:
+
+```
+LDAPTLS_REQCERT=never ldapsearch -x -H ldaps://127.0.0.1:9235 -x -D uid=libregraph,ou=sysusers,o=libregraph-idm -w idm -b o=libregraph-idm objectclass=inetorgperson
+```
diff --git a/extensions/idm/setup.md b/extensions/idm/setup.md
diff --git a/grpc_apis/ocis/messages/accounts/v0/grpc.md b/grpc_apis/ocis/messages/accounts/v0/grpc.md
@@ -1,7 +1,7 @@
 ---
 title: "ocis.messages.accounts.v0"
 url: /grpc_apis/ocis_messages_accounts_v0
-date: 2022-04-29T10:37:33Z
+date: 2022-04-29T11:14:30Z
 weight: 50
 geekdocRepo: https://github.com/owncloud/ocis
 ---

diff --git a/grpc_apis/ocis/messages/settings/v0/grpc.md b/grpc_apis/ocis/messages/settings/v0/grpc.md
@@ -1,7 +1,7 @@
 ---
 title: "ocis.messages.settings.v0"
 url: /grpc_apis/ocis_messages_settings_v0
-date: 2022-04-29T10:37:33Z
+date: 2022-04-29T11:14:30Z
 weight: 50
 geekdocRepo: https://github.com/owncloud/ocis
 ---

diff --git a/grpc_apis/ocis/messages/store/v0/grpc.md b/grpc_apis/ocis/messages/store/v0/grpc.md
@@ -1,7 +1,7 @@
 ---
 title: "ocis.messages.store.v0"
 url: /grpc_apis/ocis_messages_store_v0
-date: 2022-04-29T10:37:33Z
+date: 2022-04-29T11:14:30Z
 weight: 50
 geekdocRepo: https://github.com/owncloud/ocis
 ---

diff --git a/grpc_apis/ocis/messages/thumbnails/v0/grpc.md b/grpc_apis/ocis/messages/thumbnails/v0/grpc.md
@@ -1,7 +1,7 @@
 ---
 title: "ocis.messages.thumbnails.v0"
 url: /grpc_apis/ocis_messages_thumbnails_v0
-date: 2022-04-29T10:37:33Z
+date: 2022-04-29T11:14:30Z
 weight: 50
 geekdocRepo: https://github.com/owncloud/ocis
 ---

diff --git a/grpc_apis/ocis/services/accounts/v0/grpc.md b/grpc_apis/ocis/services/accounts/v0/grpc.md
@@ -1,7 +1,7 @@
 ---
 title: "ocis.services.accounts.v0"
 url: /grpc_apis/ocis_services_accounts_v0
-date: 2022-04-29T10:37:33Z
+date: 2022-04-29T11:14:30Z
 weight: 50
 geekdocRepo: https://github.com/owncloud/ocis
 ---

diff --git a/grpc_apis/ocis/services/settings/v0/grpc.md b/grpc_apis/ocis/services/settings/v0/grpc.md
@@ -1,7 +1,7 @@
 ---
 title: "ocis.services.settings.v0"
 url: /grpc_apis/ocis_services_settings_v0
-date: 2022-04-29T10:37:33Z
+date: 2022-04-29T11:14:30Z
 weight: 50
 geekdocRepo: https://github.com/owncloud/ocis
 ---

diff --git a/grpc_apis/ocis/services/store/v0/grpc.md b/grpc_apis/ocis/services/store/v0/grpc.md
@@ -1,7 +1,7 @@
 ---
 title: "ocis.services.store.v0"
 url: /grpc_apis/ocis_services_store_v0
-date: 2022-04-29T10:37:33Z
+date: 2022-04-29T11:14:30Z
 weight: 50
 geekdocRepo: https://github.com/owncloud/ocis
 ---

diff --git a/grpc_apis/ocis/services/thumbnails/v0/grpc.md b/grpc_apis/ocis/services/thumbnails/v0/grpc.md
@@ -1,7 +1,7 @@
 ---
 title: "ocis.services.thumbnails.v0"
 url: /grpc_apis/ocis_services_thumbnails_v0
-date: 2022-04-29T10:37:33Z
+date: 2022-04-29T11:14:30Z
 weight: 50
 geekdocRepo: https://github.com/owncloud/ocis
 ---

diff --git a/ocis/getting-started/demo-users.md b/ocis/getting-started/demo-users.md
@@ -11,7 +11,7 @@ oCIS has the option to create demo users during the first startup. These enable
 
 {{< hint info >}}
 To create the demo users, run the initial setup step with an additional environment variable.
-`ACCOUNTS_DEMO_USERS_AND_GROUPS=true ./bin/ocis server` will generate the demo users listed in the table below. By default, it only generates the admin and one user for IDP and Reva respectively.
+`IDM_CREATE_DEMO_USERS=true ./bin/ocis server` will generate the demo users listed in the table below. By default, it only generates the admin and one user for IDP and Reva respectively.
 {{< /hint >}}
 
 Following users are available in the demo set:

diff --git a/ocis/static/ocis-services-communication.drawio.svg b/ocis/static/ocis-services-communication.drawio.svg