From f245ee3471577e8a1c8b4a9faef1da2ac409f99a Mon Sep 17 00:00:00 2001 From: Ralf Haferkamp Date: Wed, 27 Apr 2022 11:52:05 +0200 Subject: [PATCH 1/4] Add libregraph/idm and remove accounts and glauth Also add the reva authproviders --- docs/ocis/static/ocis-services-communication.drawio.svg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/ocis/static/ocis-services-communication.drawio.svg b/docs/ocis/static/ocis-services-communication.drawio.svg index 809ba40251c..06d30268e8c 100644 --- a/docs/ocis/static/ocis-services-communication.drawio.svg +++ b/docs/ocis/static/ocis-services-communication.drawio.svg @@ -1,4 +1,4 @@ -
[SVG text residue of the removed diagram, collapsed to its labels: nodes proxy, web, ocs, ocdav, settings, accounts, ldap, idp, glauth, nats, graph, graph-explorer, webdav, thumbnails, gateway, storage registry, storage provider, share storage provider, public storage provider, user provider, group provider; groups Storage, Reva, oCIS; edge labels http and grpc]
\ No newline at end of file +
[SVG text residue of the added diagram, collapsed to its labels: nodes public share auth provider, machine auth provider, proxy, web, ocs, ocdav, settings, idp, nats, graph, graph-explorer, webdav, thumbnails, gateway, storage registry, storage provider, share storage provider, public storage provider, user provider, group provider, libregraph/idm, oidc authprovider, basic auth provider; groups Storage, Reva, oCIS; edge labels http, grpc and LDAP]
\ No newline at end of file From 5967f7cb7b47eb59bfe32a6b7b5154069a658871 Mon Sep 17 00:00:00 2001 From: Ralf Haferkamp Date: Wed, 27 Apr 2022 17:52:45 +0200 Subject: [PATCH 2/4] Adjust idm docs after it's now running by default --- docs/extensions/idm/_index.md | 14 ++++++ docs/extensions/idm/configuration_hints.md | 49 +++++++++++++++++++++ docs/extensions/idm/setup.md | 50 ---------------------- docs/ocis/getting-started/demo-users.md | 2 +- 4 files changed, 64 insertions(+), 51 deletions(-) create mode 100644 docs/extensions/idm/configuration_hints.md delete mode 100644 docs/extensions/idm/setup.md diff --git a/docs/extensions/idm/_index.md b/docs/extensions/idm/_index.md index 19306118e67..6314ec13750 100644 --- a/docs/extensions/idm/_index.md +++ b/docs/extensions/idm/_index.md 
@@ -10,6 +10,20 @@ geekdocCollapseSection: true ## Abstract +The IDM service provides a minimal LDAP Service (based on https://github.com/libregraph/idm) for oCIS. It is started as part of +the default configuration and serves as a central place for storing user and group informationn. + +It is mainly targeted at small oCIS installations. For larger setups it is recommended to replace IDM with a "real" LDAP server +or to switch to an external Identity Management Solution. + +IDM listens on port 9325 by default. In the default configuration it only accepts TLS protected connections (LDAPS). The BaseDN +of the LDAP tree is `o=libregraph-idm`. IDM gives LDAP write permissions to a single user +(DN: `uid=libregraph,ou=sysusers,o=libregraph-idm`) any other authenticated user has read-only access. IDM stores its data in a +[boltdb](https://github.com/etcd-io/bbolt) file `idm/ocis.boltdb` inside the oCIS base data directory. + +Note: IDM is limited in its functionality. It only supports a subset of the LDAP operations (namely BIND, SEARCH, ADD, MODIFY, DELETE). +Also IDM currently does not do any Schema Verification (e.g. structural vs. auxillary Objectclasses, require and option Attributes, +Syntax Checks, ...). So it's not meant as a general purpose LDAP server. ## Table of Contents diff --git a/docs/extensions/idm/configuration_hints.md b/docs/extensions/idm/configuration_hints.md new file mode 100644 index 00000000000..0b2e5bd4242 --- /dev/null +++ b/docs/extensions/idm/configuration_hints.md 
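Review bot: the default port stated in the Abstract disagrees with the rest of the series: this hunk says `IDM listens on port 9325 by default`, while configuration_hints.md connects to `ldaps://127.0.0.1:9235` and the deleted setup.md used `ldaps://localhost:9235`, so one of them is a digit transposition and should be corrected before merge. Smaller points in the same hunk: `informationn`, `auxillary`, and `require and option Attributes` (read: required and optional attributes), and the sentence `(DN: ...) any other authenticated user has read-only access` needs a full stop after the closing parenthesis. Since the hunk states that a single DN holds write access to the whole tree, one sentence on how that service user's credentials are set would help, because the deleted setup.md shows the bind password as the literal `idm`.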
@@ -0,0 +1,49 @@ +--- +title: Configuration Hints +date: 2022-04-27:00:00+00:00 +weight: 20 +geekdocRepo: https://github.com/owncloud/ocis +geekdocEditPath: edit/master/docs/extensions/idm +geekdocFilePath: configuration_hints.md +geekdocCollapseSection: true +--- + +## TLS Server Certificates +By default IDM generates a self-signed certificate and key on startup to be +able to provide TLS protected services. The certificate is stored in +`idm/ldap.crt` inside the oCIS base data directory. The key is in +`idm/ldap.key` in the same directory. You configure custom a custom server +certificate by setting the `IDM_LDAPS_CERT` and `IDM_LDAPS_KEY`. + +## Default / Demo Users +On startup IDM creates a set of default services users, that are needed +internally to provide other oCIS service access to IDM. These users are stored +in a separate subtree. The base DN of that subtree is: +`ou=sysusers,o=libregraph-idm`. The service users are: + +* `uid=libregraph,ou=sysusers,o=libregraph-idm`: This is the only user with write + access to the LDAP tree. It is used by the Graph service to lookup, create, delete + modify users and groups. +* `uid=idp,ou=sysusers,o=libregraph-idm`: This user is used by the IDP service to + perform user lookups for authentication. +* `uid=reva,ou=sysusers,o=libregraph-idm`: This user is used by the "reva" services + "user, group and auth-basic. + +IDM is also able to create [Demo Users](../../../ocis/getting-started/demo-users) +upon startup. + +## Access via LDAP command line tools +For testing purposes it is sometimes helpful to query IDM using the ldap +command line clients. To e.g. 
list all user can use this command: + +``` +ldapsearch -x -H ldaps://127.0.0.1:9235 -x -D uid=libregraph,ou=sysusers,o=libregraph-idm -w idm -b o=libregraph-idm objectclass=inetorgperson +``` + +When using the default configuration with the self-signed server certificate +you might need to switch of Certificate Validation the `LDAPTL_REQCERT` env +variable: + +``` +LDAPTLS_REQCERT=never ldapsearch -x -H ldaps://127.0.0.1:9235 -x -D uid=libregraph,ou=sysusers,o=libregraph-idm -w idm -b o=libregraph-idm objectclass=inetorgperson +``` diff --git a/docs/extensions/idm/setup.md b/docs/extensions/idm/setup.md deleted file mode 100644 index 6d434dd605b..00000000000 --- a/docs/extensions/idm/setup.md +++ /dev/null 
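Review bot: the front-matter `date: 2022-04-27:00:00+00:00` is malformed (the deleted setup.md uses the valid form `2022-03-22T00:00:00+00:00`) and may break the Hugo build; use `2022-04-27T00:00:00+00:00`. In the `ldapsearch` examples `-x` is passed twice, and the prose names the variable `LDAPTL_REQCERT` while the command uses the correct `LDAPTLS_REQCERT`. Rather than `LDAPTLS_REQCERT=never`, which disables certificate validation entirely, the text could point the client at the generated certificate documented two sections above, e.g. `LDAPTLS_CACERT=<ocis-base-dir>/idm/ldap.crt ldapsearch ...`, and reserve `never` for throwaway setups. Also `You configure custom a custom server`, `default services users`, and `To e.g. list all user can use this command` need rewording, and the stray quote in `"user, group and auth-basic` should be closed or removed.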
@@ -1,50 +0,0 @@ ---- -title: Service Setup -date: 2022-03-22T00:00:00+00:00 -weight: 20 -geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/docs/extensions/idm -geekdocFilePath: setup.md -geekdocCollapseSection: true ---- - -{{< toc >}} - -## Using ocis with libregraph/idm - -Currently, oCIS still runs the accounts and glauth services to manage users. Until the default is switched -to libregraph/idm, oCIS has to be started with a custom configuration in order to use libregraph/idm as -the users and groups backend (this setup also disables the glauth and accounts service): - - -``` -export GRAPH_IDENTITY_BACKEND=ldap -export LDAP_URI=ldaps://localhost:9235 -export LDAP_INSECURE="true" -export LDAP_USER_BASE_DN="ou=users,o=libregraph-idm" -export LDAP_USER_SCHEMA_ID="ownclouduuid" -export LDAP_USER_SCHEMA_MAIL="mail" -export LDAP_USER_SCHEMA_USERNAME="uid" -export LDAP_USER_OBJECTCLASS="inetOrgPerson" -export LDAP_GROUP_BASE_DN="ou=groups,o=libregraph-idm" -export LDAP_GROUP_SCHEMA_ID="ownclouduuid" -export LDAP_GROUP_SCHEMA_MAIL="mail" -export LDAP_GROUP_SCHEMA_GROUPNAME="cn" -export LDAP_GROUP_SCHEMA_MEMBER="member" -export LDAP_GROUP_OBJECTCLASS="groupOfNames" -export GRAPH_LDAP_BIND_DN="uid=libregraph,ou=sysusers,o=libregraph-idm" -export GRAPH_LDAP_BIND_PASSWORD=idm -export GRAPH_LDAP_SERVER_WRITE_ENABLED="true" -export IDP_INSECURE="true" -export IDP_LDAP_BIND_DN="uid=idp,ou=sysusers,o=libregraph-idm" -export IDP_LDAP_BIND_PASSWORD="idp" -export IDP_LDAP_LOGIN_ATTRIBUTE=uid -export PROXY_ACCOUNT_BACKEND_TYPE=cs3 -export OCS_ACCOUNT_BACKEND_TYPE=cs3 -export STORAGE_LDAP_BIND_DN="uid=reva,ou=sysusers,o=libregraph-idm" -export STORAGE_LDAP_BIND_PASSWORD=reva -export 
OCIS_RUN_EXTENSIONS=settings,storage-metadata,graph,graph-explorer,ocs,store,thumbnails,web,webdav,storage-frontend,storage-gateway,storage-userprovider,storage-groupprovider,storage-authbasic,storage-authbearer,storage-authmachine,storage-users,storage-shares,storage-public-link,storage-appprovider,storage-sharing,proxy,idp,nats,idm,ocdav -export OCIS_INSECURE=true -bin/ocis server -``` - diff --git a/docs/ocis/getting-started/demo-users.md b/docs/ocis/getting-started/demo-users.md index 5eba9483f56..15179f98bd4 100644 --- a/docs/ocis/getting-started/demo-users.md +++ b/docs/ocis/getting-started/demo-users.md @@ -11,7 +11,7 @@ oCIS has the option to create demo users during the first startup. These enable {{< hint info >}} To create the demo users, run the initial setup step with an additional environment variable. -`ACCOUNTS_DEMO_USERS_AND_GROUPS=true ./bin/ocis server` will generate the demo users listed in the table below. By default, it only generates the admin and one user for IDP and Reva respectively. +`IDM_CREATE_DEMO_USERS=true ./bin/ocis server` will generate the demo users listed in the table below. By default, it only generates the admin and one user for IDP and Reva respectively. {{< /hint >}} Following users are available in the demo set: From 7079a9d3bc14aa903d99936467d442e485973566 Mon Sep 17 00:00:00 2001 From: Ralf Haferkamp Date: Fri, 29 Apr 2022 12:51:17 +0200 Subject: [PATCH 3/4] Apply suggestions from code review Co-authored-by: Michael Barz --- docs/extensions/idm/_index.md | 6 +++--- docs/extensions/idm/configuration_hints.md | 14 +++++++------- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/docs/extensions/idm/_index.md b/docs/extensions/idm/_index.md index 6314ec13750..9f926ade2bf 100644 --- a/docs/extensions/idm/_index.md +++ b/docs/extensions/idm/_index.md 
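Review bot: the renamed variable `IDM_CREATE_DEMO_USERS` is fine, but the unchanged context line that follows, `By default, it only generates the admin and one user for IDP and Reva respectively`, still describes the old accounts service; with IDM the default set per configuration_hints.md is the three `ou=sysusers` service users `libregraph`, `idp` and `reva`, so that sentence should be updated in the same change.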
@@ -11,18 +11,18 @@ geekdocCollapseSection: true ## Abstract The IDM service provides a minimal LDAP Service (based on https://github.com/libregraph/idm) for oCIS. It is started as part of -the default configuration and serves as a central place for storing user and group informationn. +the default configuration and serves as a central place for storing user and group information. It is mainly targeted at small oCIS installations. For larger setups it is recommended to replace IDM with a "real" LDAP server or to switch to an external Identity Management Solution. IDM listens on port 9325 by default. In the default configuration it only accepts TLS protected connections (LDAPS). The BaseDN of the LDAP tree is `o=libregraph-idm`. IDM gives LDAP write permissions to a single user -(DN: `uid=libregraph,ou=sysusers,o=libregraph-idm`) any other authenticated user has read-only access. IDM stores its data in a +(DN: `uid=libregraph,ou=sysusers,o=libregraph-idm`). Any other authenticated user has read-only access. IDM stores its data in a [boltdb](https://github.com/etcd-io/bbolt) file `idm/ocis.boltdb` inside the oCIS base data directory. Note: IDM is limited in its functionality. It only supports a subset of the LDAP operations (namely BIND, SEARCH, ADD, MODIFY, DELETE). -Also IDM currently does not do any Schema Verification (e.g. structural vs. auxillary Objectclasses, require and option Attributes, +Also IDM currently does not do any Schema Verification (e.g. structural vs. auxiliary Objectclasses, require and option Attributes, Syntax Checks, ...). So it's not meant as a general purpose LDAP server. ## Table of Contents diff --git a/docs/extensions/idm/configuration_hints.md b/docs/extensions/idm/configuration_hints.md index 0b2e5bd4242..28c59a916ed 100644 --- a/docs/extensions/idm/configuration_hints.md +++ b/docs/extensions/idm/configuration_hints.md 
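Review bot: this pass fixes `informationn`, `auxillary` and the missing full stop but leaves `require and option Attributes` (should read `required and optional Attributes`) and, more importantly, the port: the context line still says `IDM listens on port 9325 by default` while configuration_hints.md in the same series uses `ldaps://127.0.0.1:9235`.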
@@ -12,36 +12,36 @@ geekdocCollapseSection: true By default IDM generates a self-signed certificate and key on startup to be able to provide TLS protected services. The certificate is stored in `idm/ldap.crt` inside the oCIS base data directory. The key is in -`idm/ldap.key` in the same directory. You configure custom a custom server +`idm/ldap.key` in the same directory. You can use a custom server certificate by setting the `IDM_LDAPS_CERT` and `IDM_LDAPS_KEY`. ## Default / Demo Users -On startup IDM creates a set of default services users, that are needed -internally to provide other oCIS service access to IDM. These users are stored +On startup IDM creates a set of default services users that are needed +internally to provide access to IDM to other oCIS services. These users are stored in a separate subtree. The base DN of that subtree is: `ou=sysusers,o=libregraph-idm`. The service users are: * `uid=libregraph,ou=sysusers,o=libregraph-idm`: This is the only user with write - access to the LDAP tree. It is used by the Graph service to lookup, create, delete + access to the LDAP tree. It is used by the Graph service to lookup, create, delete and modify users and groups. * `uid=idp,ou=sysusers,o=libregraph-idm`: This user is used by the IDP service to perform user lookups for authentication. * `uid=reva,ou=sysusers,o=libregraph-idm`: This user is used by the "reva" services - "user, group and auth-basic. + `user`, `group` and `auth-basic`. IDM is also able to create [Demo Users](../../../ocis/getting-started/demo-users) upon startup. ## Access via LDAP command line tools For testing purposes it is sometimes helpful to query IDM using the ldap -command line clients. To e.g. list all user can use this command: +command line clients. To e.g. 
list all users, this command can be used: ``` ldapsearch -x -H ldaps://127.0.0.1:9235 -x -D uid=libregraph,ou=sysusers,o=libregraph-idm -w idm -b o=libregraph-idm objectclass=inetorgperson ``` When using the default configuration with the self-signed server certificate -you might need to switch of Certificate Validation the `LDAPTL_REQCERT` env +you might need to switch off the Certificate Validation using `LDAPTL_REQCERT` env variable: ``` From 31e1f4077ff8c4a1003b74111d8bb4bcc1c00316 Mon Sep 17 00:00:00 2001 From: Michael Barz Date: Fri, 29 Apr 2022 13:02:37 +0200 Subject: [PATCH 4/4] Update docs/extensions/idm/configuration_hints.md Co-authored-by: Martin --- docs/extensions/idm/configuration_hints.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/extensions/idm/configuration_hints.md b/docs/extensions/idm/configuration_hints.md index 28c59a916ed..67c61efced2 100644 --- a/docs/extensions/idm/configuration_hints.md +++ b/docs/extensions/idm/configuration_hints.md @@ -9,7 +9,7 @@ geekdocCollapseSection: true --- ## TLS Server Certificates -By default IDM generates a self-signed certificate and key on startup to be +By default IDM generates a self-signed certificate and key on first startup to be able to provide TLS protected services. The certificate is stored in `idm/ldap.crt` inside the oCIS base data directory. The key is in `idm/ldap.key` in the same directory. You can use a custom server
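Review bot: the reworded sentence still carries the misspelled variable: `switch off the Certificate Validation using `LDAPTL_REQCERT` env variable` should read `LDAPTLS_REQCERT`, matching the command line below it. The two `ldapsearch` invocations in the unchanged context also still pass `-x` twice; dropping the duplicate avoids readers assuming the second one means something different.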