Adjust LDAP Schema for new name
@@ -0,0 +1,39 @@
|
||||
# This LDIF files describes the OpenCloud schema
|
||||
dn: cn=opencloud,cn=schema,cn=config
|
||||
objectClass: olcSchemaConfig
|
||||
cn: opencloud
|
||||
olcObjectIdentifier: openCloudOid 1.3.6.1.4.1.63016
|
||||
# We'll use openCloudOid:1 subarc for LDAP related stuff
|
||||
# openCloudOid:1.1 for AttributeTypes and openCloudOid:1.2 for ObjectClasses
|
||||
olcAttributeTypes: ( openCloudOid:1.1.1 NAME 'openCloudUUID'
|
||||
DESC 'A non-reassignable and persistent account ID)'
|
||||
EQUALITY uuidMatch
|
||||
SUBSTR caseIgnoreSubstringsMatch
|
||||
SYNTAX 1.3.6.1.1.16.1 SINGLE-VALUE )
|
||||
olcAttributeTypes: ( openCloudOid:1.1.2 NAME 'openCloudExternalIdentity'
|
||||
DESC 'A triple separated by "$" representing the objectIdentity resource type of the Graph API ( signInType $ issuer $ issuerAssignedId )'
|
||||
EQUALITY caseIgnoreMatch
|
||||
SUBSTR caseIgnoreSubstringsMatch
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
|
||||
olcAttributeTypes: ( openCloudOid:1.1.3 NAME 'openCloudUserEnabled'
|
||||
DESC 'A boolean value indicating if the user is enabled'
|
||||
EQUALITY booleanMatch
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE)
|
||||
olcAttributeTypes: ( openCloudOid:1.1.4 NAME 'openCloudUserType'
|
||||
DESC 'User type (e.g. Member or Guest)'
|
||||
EQUALITY caseIgnoreMatch
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
|
||||
olcAttributeTypes: ( openCloudOid:1.1.5 NAME 'openCloudLastSignInTimestamp'
|
||||
DESC 'The timestamp of the last sign-in'
|
||||
EQUALITY generalizedTimeMatch
|
||||
ORDERING generalizedTimeOrderingMatch
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
|
||||
olcObjectClasses: ( openCloudOid:1.2.1 NAME 'openCloudObject'
|
||||
DESC 'OpenCloud base objectclass'
|
||||
AUXILIARY
|
||||
MAY ( openCloudUUID ) )
|
||||
olcObjectClasses: ( openCloudOid:1.2.2 NAME 'openCloudUser'
|
||||
DESC 'OpenCloud User objectclass'
|
||||
SUP openCloudObject
|
||||
AUXILIARY
|
||||
MAY ( openCloudExternalIdentity $ openCloudUserEnabled $ openCloudUserType $ openCloudLastSignInTimestamp) )
|
||||
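Review bot: The DESC string for openCloudUUID carries a stray closing parenthesis inside the quotes, `DESC 'A non-reassignable and persistent account ID)'`, which should read `DESC 'A non-reassignable and persistent account ID'`; the openCloudUserEnabled definition also closes with `SINGLE-VALUE)` where every other attribute type in the file writes `SINGLE-VALUE )`. The OID arc `1.3.6.1.4.1.63016` is new on this page, and it is worth stating in the commit message that it is an IANA private enterprise number assigned to OpenCloud, since an arc that is not registered can collide with other schemas loaded into the same directory server. Nothing on this page carries existing `ownCloudUUID` values over to `openCloudUUID`; if a persisted directory is upgraded in place, user and group IDs would presumably change and anything keyed by the old ID would no longer resolve, so either a migration or an explicit upgrade note seems needed.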
@@ -14,7 +14,7 @@ const (
|
||||
UIDNumber = "uidnumber"
|
||||
GIDNumber = "gidnumber"
|
||||
Groups = "groups"
|
||||
OwncloudUUID = "ownclouduuid"
|
||||
OpenCloudUUID = "openclouduuid"
|
||||
OpenCloudRoutingPolicy = "opencloud.routing.policy"
|
||||
)
|
||||
|
||||
|
||||
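Review bot: Changing the constant's value from `"ownclouduuid"` to `"openclouduuid"` changes the OIDC claim name the proxy reads from incoming tokens, so a deployment whose external IdP is still configured to emit `ownclouduuid` would presumably stop resolving users after the upgrade. The same value is consumed by the BasicAuthenticator hunk and the proxy tests further down the page, so the impact is not limited to this file. A doc comment on the constant would make the contract visible, e.g. `// OpenCloudUUID is the OIDC claim that carries the stable user ID; it replaces the former "ownclouduuid" claim, which is no longer read.`, and the upgrade impact belongs in the changelog. If compatibility is wanted, reading both claim names for a deprecation window would be the alternative; only the const block is visible here.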
@@ -70,7 +70,7 @@ type LDAPProvider struct {
|
||||
GroupBaseDN string `yaml:"group_base_dn" env:"OC_LDAP_GROUP_BASE_DN;AUTH_BASIC_LDAP_GROUP_BASE_DN" desc:"Search base DN for looking up LDAP groups." introductionVersion:"pre5.0"`
|
||||
UserScope string `yaml:"user_scope" env:"OC_LDAP_USER_SCOPE;AUTH_BASIC_LDAP_USER_SCOPE" desc:"LDAP search scope to use when looking up users. Supported values are 'base', 'one' and 'sub'." introductionVersion:"pre5.0"`
|
||||
GroupScope string `yaml:"group_scope" env:"OC_LDAP_GROUP_SCOPE;AUTH_BASIC_LDAP_GROUP_SCOPE" desc:"LDAP search scope to use when looking up groups. Supported values are 'base', 'one' and 'sub'." introductionVersion:"pre5.0"`
|
||||
UserFilter string `yaml:"user_filter" env:"OC_LDAP_USER_FILTER;AUTH_BASIC_LDAP_USER_FILTER" desc:"LDAP filter to add to the default filters for user search like '(objectclass=ownCloud)'." introductionVersion:"pre5.0"`
|
||||
UserFilter string `yaml:"user_filter" env:"OC_LDAP_USER_FILTER;AUTH_BASIC_LDAP_USER_FILTER" desc:"LDAP filter to add to the default filters for user search like '(objectclass=openCloudUser)'." introductionVersion:"pre5.0"`
|
||||
GroupFilter string `yaml:"group_filter" env:"OC_LDAP_GROUP_FILTER;AUTH_BASIC_LDAP_GROUP_FILTER" desc:"LDAP filter to add to the default filters for group searches." introductionVersion:"pre5.0"`
|
||||
UserObjectClass string `yaml:"user_object_class" env:"OC_LDAP_USER_OBJECTCLASS;AUTH_BASIC_LDAP_USER_OBJECTCLASS" desc:"The object class to use for users in the default user search filter ('inetOrgPerson')." introductionVersion:"pre5.0"`
|
||||
GroupObjectClass string `yaml:"group_object_class" env:"OC_LDAP_GROUP_OBJECTCLASS;AUTH_BASIC_LDAP_GROUP_OBJECTCLASS" desc:"The object class to use for groups in the default group search filter ('groupOfNames')." introductionVersion:"pre5.0"`
|
||||
|
||||
@@ -55,14 +55,14 @@ func DefaultConfig() *config.Config {
|
||||
LdapDisabledUsersGroupDN: "cn=DisabledUsersGroup,ou=groups,o=libregraph-idm",
|
||||
IDP: "https://localhost:9200",
|
||||
UserSchema: config.LDAPUserSchema{
|
||||
ID: "ownclouduuid",
|
||||
ID: "openCloudUUID",
|
||||
Mail: "mail",
|
||||
DisplayName: "displayname",
|
||||
Username: "uid",
|
||||
Enabled: "ownCloudUserEnabled",
|
||||
Enabled: "openCloudUserEnabled",
|
||||
},
|
||||
GroupSchema: config.LDAPGroupSchema{
|
||||
ID: "ownclouduuid",
|
||||
ID: "openCloudUUID",
|
||||
Mail: "mail",
|
||||
DisplayName: "cn",
|
||||
Groupname: "cn",
|
||||
|
||||
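Review bot: The default user and group ID attribute is written as `"openCloudUUID"` here and in the graph, groups and idp defaults, while the users-service DefaultConfig hunk near the end of the page uses `"openclouduuid"` and `"openclouduserenabled"`. LDAP attribute names are matched case-insensitively by the server, so this is harmless on the wire, but these defaults are also surfaced as documentation and example values, and a mixed spelling invites the assumption that case matters. Picking one spelling across all DefaultConfig functions, `ID: "openCloudUUID"` and `Enabled: "openCloudUserEnabled"`, would keep them consistent. The enclosing DefaultConfig function starts and ends outside the hunk.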
@@ -64,14 +64,14 @@ type LDAP struct {
|
||||
|
||||
UserBaseDN string `yaml:"user_base_dn" env:"OC_LDAP_USER_BASE_DN;GRAPH_LDAP_USER_BASE_DN" desc:"Search base DN for looking up LDAP users." introductionVersion:"pre5.0"`
|
||||
UserSearchScope string `yaml:"user_search_scope" env:"OC_LDAP_USER_SCOPE;GRAPH_LDAP_USER_SCOPE" desc:"LDAP search scope to use when looking up users. Supported scopes are 'base', 'one' and 'sub'." introductionVersion:"pre5.0"`
|
||||
UserFilter string `yaml:"user_filter" env:"OC_LDAP_USER_FILTER;GRAPH_LDAP_USER_FILTER" desc:"LDAP filter to add to the default filters for user search like '(objectclass=ownCloud)'." introductionVersion:"pre5.0"`
|
||||
UserFilter string `yaml:"user_filter" env:"OC_LDAP_USER_FILTER;GRAPH_LDAP_USER_FILTER" desc:"LDAP filter to add to the default filters for user search like '(objectclass=openCloudUser)'." introductionVersion:"pre5.0"`
|
||||
UserObjectClass string `yaml:"user_objectclass" env:"OC_LDAP_USER_OBJECTCLASS;GRAPH_LDAP_USER_OBJECTCLASS" desc:"The object class to use for users in the default user search filter ('inetOrgPerson')." introductionVersion:"pre5.0"`
|
||||
UserEmailAttribute string `yaml:"user_mail_attribute" env:"OC_LDAP_USER_SCHEMA_MAIL;GRAPH_LDAP_USER_EMAIL_ATTRIBUTE" desc:"LDAP Attribute to use for the email address of users." introductionVersion:"pre5.0"`
|
||||
UserDisplayNameAttribute string `yaml:"user_displayname_attribute" env:"OC_LDAP_USER_SCHEMA_DISPLAYNAME;LDAP_USER_SCHEMA_DISPLAY_NAME;GRAPH_LDAP_USER_DISPLAYNAME_ATTRIBUTE" desc:"LDAP Attribute to use for the display name of users." introductionVersion:"pre5.0" deprecationVersion:"7.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"LDAP_USER_SCHEMA_DISPLAY_NAME changing name for consistency" deprecationReplacement:"OC_LDAP_USER_SCHEMA_DISPLAYNAME"`
|
||||
UserNameAttribute string `yaml:"user_name_attribute" env:"OC_LDAP_USER_SCHEMA_USERNAME;GRAPH_LDAP_USER_NAME_ATTRIBUTE" desc:"LDAP Attribute to use for username of users." introductionVersion:"pre5.0"`
|
||||
UserIDAttribute string `yaml:"user_id_attribute" env:"OC_LDAP_USER_SCHEMA_ID;GRAPH_LDAP_USER_UID_ATTRIBUTE" desc:"LDAP Attribute to use as the unique ID for users. This should be a stable globally unique ID like a UUID." introductionVersion:"pre5.0"`
|
||||
UserIDIsOctetString bool `yaml:"user_id_is_octet_string" env:"OC_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING;GRAPH_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING" desc:"Set this to true if the defined 'ID' attribute for users is of the 'OCTETSTRING' syntax. This is required when using the 'objectGUID' attribute of Active Directory for the user ID's." introductionVersion:"pre5.0"`
|
||||
UserTypeAttribute string `yaml:"user_type_attribute" env:"OC_LDAP_USER_SCHEMA_USER_TYPE;GRAPH_LDAP_USER_TYPE_ATTRIBUTE" desc:"LDAP Attribute to distinguish between 'Member' and 'Guest' users. Default is 'ownCloudUserType'." introductionVersion:"pre5.0"`
|
||||
UserTypeAttribute string `yaml:"user_type_attribute" env:"OC_LDAP_USER_SCHEMA_USER_TYPE;GRAPH_LDAP_USER_TYPE_ATTRIBUTE" desc:"LDAP Attribute to distinguish between 'Member' and 'Guest' users. Default is 'openCloudUserType'." introductionVersion:"pre5.0"`
|
||||
UserEnabledAttribute string `yaml:"user_enabled_attribute" env:"OC_LDAP_USER_ENABLED_ATTRIBUTE;GRAPH_USER_ENABLED_ATTRIBUTE" desc:"LDAP Attribute to use as a flag telling if the user is enabled or disabled." introductionVersion:"pre5.0"`
|
||||
DisableUserMechanism string `yaml:"disable_user_mechanism" env:"OC_LDAP_DISABLE_USER_MECHANISM;GRAPH_DISABLE_USER_MECHANISM" desc:"An option to control the behavior for disabling users. Supported options are 'none', 'attribute' and 'group'. If set to 'group', disabling a user via API will add the user to the configured group for disabled users, if set to 'attribute' this will be done in the ldap user entry, if set to 'none' the disable request is not processed. Default is 'attribute'." introductionVersion:"pre5.0"`
|
||||
LdapDisabledUsersGroupDN string `yaml:"ldap_disabled_users_group_dn" env:"OC_LDAP_DISABLED_USERS_GROUP_DN;GRAPH_DISABLED_USERS_GROUP_DN" desc:"The distinguished name of the group to which added users will be classified as disabled when 'disable_user_mechanism' is set to 'group'." introductionVersion:"pre5.0"`
|
||||
|
||||
@@ -95,9 +95,9 @@ func DefaultConfig() *config.Config {
|
||||
UserNameAttribute: "uid",
|
||||
// FIXME: switch this to some more widely available attribute by default
|
||||
// ideally this needs to be constant for the lifetime of a users
|
||||
UserIDAttribute: "owncloudUUID",
|
||||
UserTypeAttribute: "ownCloudUserType",
|
||||
UserEnabledAttribute: "ownCloudUserEnabled",
|
||||
UserIDAttribute: "openCloudUUID",
|
||||
UserTypeAttribute: "openCloudUserType",
|
||||
UserEnabledAttribute: "openCloudUserEnabled",
|
||||
DisableUserMechanism: "attribute",
|
||||
LdapDisabledUsersGroupDN: "cn=DisabledUsersGroup,ou=groups,o=libregraph-idm",
|
||||
GroupBaseDN: "ou=groups,o=libregraph-idm",
|
||||
@@ -106,7 +106,7 @@ func DefaultConfig() *config.Config {
|
||||
GroupObjectClass: "groupOfNames",
|
||||
GroupNameAttribute: "cn",
|
||||
GroupMemberAttribute: "member",
|
||||
GroupIDAttribute: "owncloudUUID",
|
||||
GroupIDAttribute: "openCloudUUID",
|
||||
EducationResourcesEnabled: false,
|
||||
},
|
||||
},
|
||||
|
||||
@@ -24,8 +24,8 @@ import (
|
||||
const (
|
||||
givenNameAttribute = "givenname"
|
||||
surNameAttribute = "sn"
|
||||
identitiesAttribute = "oCExternalIdentity"
|
||||
lastSignAttribute = "oCLastSignInTimestamp"
|
||||
identitiesAttribute = "openCloudExternalIdentity"
|
||||
lastSignAttribute = "openCloudLastSignInTimestamp"
|
||||
ldapDateFormat = "20060102150405Z0700"
|
||||
)
|
||||
|
||||
@@ -884,7 +884,7 @@ func (i *LDAP) userToLDAPAttrValues(user libregraph.User) (map[string][]string,
|
||||
i.userAttributeMap.displayName: {user.GetDisplayName()},
|
||||
i.userAttributeMap.userName: {user.GetOnPremisesSamAccountName()},
|
||||
i.userAttributeMap.mail: {user.GetMail()},
|
||||
"objectClass": {"inetOrgPerson", "organizationalPerson", "person", "top", "ownCloudUser"},
|
||||
"objectClass": {"inetOrgPerson", "organizationalPerson", "person", "top", "openCloudUser"},
|
||||
"cn": {user.GetOnPremisesSamAccountName()},
|
||||
i.userAttributeMap.userType: {user.GetUserType()},
|
||||
}
|
||||
|
||||
@@ -5,8 +5,8 @@ import (
|
||||
"testing"
|
||||
|
||||
"github.com/go-ldap/ldap/v3"
|
||||
libregraph "github.com/owncloud/libre-graph-api-go"
|
||||
"github.com/opencloud-eu/opencloud/services/graph/pkg/identity/mocks"
|
||||
libregraph "github.com/owncloud/libre-graph-api-go"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/mock"
|
||||
)
|
||||
@@ -20,7 +20,7 @@ var eduUserAttrs = []string{
|
||||
"givenname",
|
||||
"userEnabledAttribute",
|
||||
"userTypeAttribute",
|
||||
"oCExternalIdentity",
|
||||
"openCloudExternalIdentity",
|
||||
"userClass",
|
||||
"ocMemberOfSchool",
|
||||
}
|
||||
@@ -32,7 +32,7 @@ var eduUserEntry = ldap.NewEntry("uid=user,ou=people,dc=test",
|
||||
"mail": {"user@example"},
|
||||
"entryuuid": {"abcd-defg"},
|
||||
"userClass": {"student"},
|
||||
"oCExternalIdentity": {
|
||||
"openCloudExternalIdentity": {
|
||||
"$ http://idp $ testuser",
|
||||
"xxx $ http://idpnew $ xxxxx-xxxxx-xxxxx",
|
||||
},
|
||||
@@ -46,7 +46,7 @@ var renamedEduUserEntry = ldap.NewEntry("uid=newtestuser,ou=people,dc=test",
|
||||
"mail": {"user@example"},
|
||||
"entryuuid": {"abcd-defg"},
|
||||
"userClass": {"student"},
|
||||
"oCExternalIdentity": {
|
||||
"openCloudExternalIdentity": {
|
||||
"$ http://idp $ testuser",
|
||||
"xxx $ http://idpnew $ xxxxx-xxxxx-xxxxx",
|
||||
},
|
||||
@@ -61,7 +61,7 @@ var eduUserEntryWithSchool = ldap.NewEntry("uid=user,ou=people,dc=test",
|
||||
"entryuuid": {"abcd-defg"},
|
||||
"userClass": {"student"},
|
||||
"ocMemberOfSchool": {"abcd-defg"},
|
||||
"oCExternalIdentity": {
|
||||
"openCloudExternalIdentity": {
|
||||
"$ http://idp $ testuser",
|
||||
"xxx $ http://idpnew $ xxxxx-xxxxx-xxxxx",
|
||||
},
|
||||
|
||||
@@ -448,8 +448,8 @@ func (i *LDAP) groupToLDAPAttrValues(group libregraph.Group) (map[string][]strin
|
||||
}
|
||||
|
||||
if !i.useServerUUID {
|
||||
attrs["owncloudUUID"] = []string{uuid.Must(uuid.NewV4()).String()}
|
||||
attrs["objectClass"] = append(attrs["objectClass"], "owncloud")
|
||||
attrs["openCloudUUID"] = []string{uuid.Must(uuid.NewV4()).String()}
|
||||
attrs["objectClass"] = append(attrs["objectClass"], "openCloudObject")
|
||||
}
|
||||
return attrs, nil
|
||||
}
|
||||
|
||||
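Review bot: The group path still hard-codes the attribute name, `attrs["openCloudUUID"] = ...`, although the configured group ID attribute is exposed as `GroupIDAttribute` (its default appears in the graph DefaultConfig hunk above), so a deployment that configures a different ID attribute would create group entries whose ID is written to an attribute the lookup code never reads. userToLDAPAttrValues in the hunk above keys its values through `i.userAttributeMap.*`; if a matching `groupAttributeMap.id` field exists on the receiver, `attrs[i.groupAttributeMap.id] = []string{uuid.Must(uuid.NewV4()).String()}` would keep the created entry and the configured attribute in sync. The added `openCloudObject` objectClass would then only be required when that attribute comes from the OpenCloud schema. groupToLDAPAttrValues starts outside the hunk.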
@@ -72,7 +72,7 @@ var invalidUserEntry = ldap.NewEntry("uid=user",
|
||||
|
||||
var logger = log.NewLogger(log.Level("debug"))
|
||||
|
||||
var ldapUserAttributes = []string{"displayname", "entryUUID", "mail", "uid", "sn", "givenname", "userEnabledAttribute", "userTypeAttribute", "oCExternalIdentity", "oCLastSignInTimestamp"}
|
||||
var ldapUserAttributes = []string{"displayname", "entryUUID", "mail", "uid", "sn", "givenname", "userEnabledAttribute", "userTypeAttribute", "openCloudExternalIdentity", "openCloudLastSignInTimestamp"}
|
||||
|
||||
func TestNewLDAPBackend(t *testing.T) {
|
||||
l := &mocks.Client{}
|
||||
@@ -123,7 +123,7 @@ func TestCreateUser(t *testing.T) {
|
||||
ar.Attribute(lconfig.UserEnabledAttribute, []string{"TRUE"})
|
||||
ar.Attribute(lconfig.UserTypeAttribute, []string{"Member"})
|
||||
ar.Attribute("cn", []string{userName})
|
||||
ar.Attribute("objectClass", []string{"inetOrgPerson", "organizationalPerson", "person", "top", "ownCloudUser"})
|
||||
ar.Attribute("objectClass", []string{"inetOrgPerson", "organizationalPerson", "person", "top", "openCloudUser"})
|
||||
|
||||
l := &mocks.Client{}
|
||||
l.On("Search", mock.Anything).
|
||||
|
||||
@@ -68,10 +68,10 @@ var _ = Describe("Users changing their own password", func() {
|
||||
UserDisplayNameAttribute: "displayName",
|
||||
UserNameAttribute: "uid",
|
||||
UserEmailAttribute: "mail",
|
||||
UserIDAttribute: "ownclouduuid",
|
||||
UserIDAttribute: "openCloudUUID",
|
||||
UserSearchScope: "sub",
|
||||
GroupNameAttribute: "cn",
|
||||
GroupIDAttribute: "ownclouduuid",
|
||||
GroupIDAttribute: "openCloudUUID",
|
||||
GroupSearchScope: "sub",
|
||||
}
|
||||
loggger := log.NewLogger()
|
||||
|
||||
@@ -70,7 +70,7 @@ type LDAPDriver struct {
|
||||
UserScope string `yaml:"user_scope" env:"OC_LDAP_USER_SCOPE;GROUPS_LDAP_USER_SCOPE" desc:"LDAP search scope to use when looking up users. Supported scopes are 'base', 'one' and 'sub'." introductionVersion:"pre5.0"`
|
||||
GroupScope string `yaml:"group_scope" env:"OC_LDAP_GROUP_SCOPE;GROUPS_LDAP_GROUP_SCOPE" desc:"LDAP search scope to use when looking up groups. Supported scopes are 'base', 'one' and 'sub'." introductionVersion:"pre5.0"`
|
||||
GroupSubstringFilterType string `yaml:"group_substring_filter_type" env:"LDAP_GROUP_SUBSTRING_FILTER_TYPE;GROUPS_LDAP_GROUP_SUBSTRING_FILTER_TYPE" desc:"Type of substring search filter to use for substring searches for groups. Supported values are 'initial', 'final' and 'any'. The value 'initial' is used for doing prefix only searches, 'final' for doing suffix only searches or 'any' for doing full substring searches" introductionVersion:"pre5.0"`
|
||||
UserFilter string `yaml:"user_filter" env:"OC_LDAP_USER_FILTER;GROUPS_LDAP_USER_FILTER" desc:"LDAP filter to add to the default filters for user search like '(objectclass=ownCloud)'." introductionVersion:"pre5.0"`
|
||||
UserFilter string `yaml:"user_filter" env:"OC_LDAP_USER_FILTER;GROUPS_LDAP_USER_FILTER" desc:"LDAP filter to add to the default filters for user search like '(objectclass=openCloudUser)'." introductionVersion:"pre5.0"`
|
||||
GroupFilter string `yaml:"group_filter" env:"OC_LDAP_GROUP_FILTER;GROUPS_LDAP_GROUP_FILTER" desc:"LDAP filter to add to the default filters for group searches." introductionVersion:"pre5.0"`
|
||||
UserObjectClass string `yaml:"user_object_class" env:"OC_LDAP_USER_OBJECTCLASS;GROUPS_LDAP_USER_OBJECTCLASS" desc:"The object class to use for users in the default user search filter ('inetOrgPerson')." introductionVersion:"pre5.0"`
|
||||
GroupObjectClass string `yaml:"group_object_class" env:"OC_LDAP_GROUP_OBJECTCLASS;GROUPS_LDAP_GROUP_OBJECTCLASS" desc:"The object class to use for groups in the default group search filter ('groupOfNames')." introductionVersion:"pre5.0"`
|
||||
|
||||
@@ -53,13 +53,13 @@ func DefaultConfig() *config.Config {
|
||||
BindDN: "uid=reva,ou=sysusers,o=libregraph-idm",
|
||||
IDP: "https://localhost:9200",
|
||||
UserSchema: config.LDAPUserSchema{
|
||||
ID: "ownclouduuid",
|
||||
ID: "openCloudUUID",
|
||||
Mail: "mail",
|
||||
DisplayName: "displayname",
|
||||
Username: "uid",
|
||||
},
|
||||
GroupSchema: config.LDAPGroupSchema{
|
||||
ID: "ownclouduuid",
|
||||
ID: "openCloudUUID",
|
||||
Mail: "mail",
|
||||
DisplayName: "cn",
|
||||
Groupname: "cn",
|
||||
|
||||
@@ -19,8 +19,8 @@ ou: groups
|
||||
dn: uid=admin,ou=users,o=libregraph-idm
|
||||
objectClass: inetOrgPerson
|
||||
objectClass: organizationalPerson
|
||||
objectClass: ownCloudUser
|
||||
objectClass: ownCloud
|
||||
objectClass: openCloudUser
|
||||
objectClass: openCloudObject
|
||||
objectClass: person
|
||||
objectClass: top
|
||||
uid: admin
|
||||
@@ -30,8 +30,8 @@ cn: admin
|
||||
displayName: Admin
|
||||
description: An admin for this OpenCloud instance.
|
||||
mail: admin@example.org
|
||||
ownCloudUUID: {{ .ID }}
|
||||
oCExternalIdentity: $ {{ .Issuer }} $ {{ .ID }}
|
||||
openCloudUUID: {{ .ID }}
|
||||
openCloudExternalIdentity: $ {{ .Issuer }} $ {{ .ID }}
|
||||
{{ else -}}
|
||||
dn: uid={{ .Name }},ou=sysusers,o=libregraph-idm
|
||||
objectClass: account
|
||||
|
||||
@@ -1,8 +1,8 @@
|
||||
dn: uid=alan,ou=users,o=libregraph-idm
|
||||
objectClass: inetOrgPerson
|
||||
objectClass: organizationalPerson
|
||||
objectClass: ownCloudUser
|
||||
objectClass: ownCloud
|
||||
objectClass: openCloudUser
|
||||
objectClass: openCloudObject
|
||||
objectClass: person
|
||||
objectClass: top
|
||||
uid: alan
|
||||
@@ -12,16 +12,16 @@ cn: alan
|
||||
displayName: Alan Turing
|
||||
description: An English mathematician, computer scientist, logician, cryptanalyst, philosopher and theoretical biologist. He was highly influential in the development of theoretical computer science, providing a formalisation of the concepts of algorithm and computation with the Turing machine.
|
||||
mail: alan@example.org
|
||||
ownCloudUserEnabled: TRUE
|
||||
ownCloudUUID: b1f74ec4-dd7e-11ef-a543-03775734d0f7
|
||||
oCExternalIdentity: $ {{.}} $ b1f74ec4-dd7e-11ef-a543-03775734d0f7
|
||||
openCloudUserEnabled: TRUE
|
||||
openCloudUUID: b1f74ec4-dd7e-11ef-a543-03775734d0f7
|
||||
openCloudExternalIdentity: $ {{.}} $ b1f74ec4-dd7e-11ef-a543-03775734d0f7
|
||||
userPassword:: e0FSR09OMn0kYXJnb24yaWQkdj0xOSRtPTY1NTM2LHQ9MSxwPTE2JGg1NUxqckhWVjdEdXVzTkxjbXRoa0EkMzZ3aGZSMjdyTDFOYXQxa0xTajdrVGFubTBnb3VKRGZ0ck9DTStuRHo5cw==
|
||||
|
||||
dn: uid=mary,ou=users,o=libregraph-idm
|
||||
objectClass: inetOrgPerson
|
||||
objectClass: organizationalPerson
|
||||
objectClass: ownCloudUser
|
||||
objectClass: ownCloud
|
||||
objectClass: openCloudUser
|
||||
objectClass: openCloudObject
|
||||
objectClass: person
|
||||
objectClass: top
|
||||
uid: mary
|
||||
@@ -31,16 +31,16 @@ cn: mary
|
||||
displayName: Mary Kenneth Keller
|
||||
description: Mary Kenneth Keller of the Sisters of Charity of the Blessed Virgin Mary was a pioneer in computer science.
|
||||
mail: mary@example.org
|
||||
ownCloudUserEnabled: TRUE
|
||||
ownCloudUUID: 056fc874-dd7f-11ef-ba84-af6fca4b7289
|
||||
oCExternalIdentity: $ {{.}} $ 056fc874-dd7f-11ef-ba84-af6fca4b7289
|
||||
openCloudUserEnabled: TRUE
|
||||
openCloudUUID: 056fc874-dd7f-11ef-ba84-af6fca4b7289
|
||||
openCloudExternalIdentity: $ {{.}} $ 056fc874-dd7f-11ef-ba84-af6fca4b7289
|
||||
userPassword:: e0FSR09OMn0kYXJnb24yaWQkdj0xOSRtPTY1NTM2LHQ9MSxwPTE2JGg1NUxqckhWVjdEdXVzTkxjbXRoa0EkMzZ3aGZSMjdyTDFOYXQxa0xTajdrVGFubTBnb3VKRGZ0ck9DTStuRHo5cw==
|
||||
|
||||
dn: uid=margaret,ou=users,o=libregraph-idm
|
||||
objectClass: inetOrgPerson
|
||||
objectClass: organizationalPerson
|
||||
objectClass: ownCloudUser
|
||||
objectClass: ownCloud
|
||||
objectClass: openCloudUser
|
||||
objectClass: openCloudObject
|
||||
objectClass: person
|
||||
objectClass: top
|
||||
uid: margaret
|
||||
@@ -50,16 +50,16 @@ cn: margaret
|
||||
displayName: Margaret Hamilton
|
||||
description: A director of the Software Engineering Division of the MIT Instrumentation Laboratory, which developed on-board flight software for NASA's Apollo program.
|
||||
mail: margaret@example.org
|
||||
ownCloudUserEnabled: TRUE
|
||||
ownCloudUUID: 801abee4-dd7f-11ef-a324-83f55a754b62
|
||||
oCExternalIdentity: $ {{.}} $ 801abee4-dd7f-11ef-a324-83f55a754b62
|
||||
openCloudUserEnabled: TRUE
|
||||
openCloudUUID: 801abee4-dd7f-11ef-a324-83f55a754b62
|
||||
openCloudExternalIdentity: $ {{.}} $ 801abee4-dd7f-11ef-a324-83f55a754b62
|
||||
userPassword:: e0FSR09OMn0kYXJnb24yaWQkdj0xOSRtPTY1NTM2LHQ9MSxwPTE2JGg1NUxqckhWVjdEdXVzTkxjbXRoa0EkMzZ3aGZSMjdyTDFOYXQxa0xTajdrVGFubTBnb3VKRGZ0ck9DTStuRHo5cw==
|
||||
|
||||
dn: uid=dennis,ou=users,o=libregraph-idm
|
||||
objectClass: inetOrgPerson
|
||||
objectClass: organizationalPerson
|
||||
objectClass: ownCloudUser
|
||||
objectClass: ownCloud
|
||||
objectClass: openCloudUser
|
||||
objectClass: openCloudObject
|
||||
objectClass: person
|
||||
objectClass: top
|
||||
uid: dennis
|
||||
@@ -69,18 +69,18 @@ cn: dennis
|
||||
displayName: Dennis Ritchie
|
||||
description: American computer scientist. He created the C programming language and the Unix operating system and B language with long-time colleague Ken Thompson.
|
||||
mail: dennis@example.org
|
||||
ownCloudUserEnabled: TRUE
|
||||
ownCloudUUID: cd88bf9a-dd7f-11ef-a609-7f78deb2345f
|
||||
oCExternalIdentity: $ {{.}} $ cd88bf9a-dd7f-11ef-a609-7f78deb2345f
|
||||
openCloudUserEnabled: TRUE
|
||||
openCloudUUID: cd88bf9a-dd7f-11ef-a609-7f78deb2345f
|
||||
openCloudExternalIdentity: $ {{.}} $ cd88bf9a-dd7f-11ef-a609-7f78deb2345f
|
||||
userPassword:: e0FSR09OMn0kYXJnb24yaWQkdj0xOSRtPTY1NTM2LHQ9MSxwPTE2JGg1NUxqckhWVjdEdXVzTkxjbXRoa0EkMzZ3aGZSMjdyTDFOYXQxa0xTajdrVGFubTBnb3VKRGZ0ck9DTStuRHo5cw==
|
||||
|
||||
dn: cn=users,ou=groups,o=libregraph-idm
|
||||
objectClass: groupOfNames
|
||||
objectClass: ownCloud
|
||||
objectClass: openCloudObject
|
||||
objectClass: top
|
||||
cn: users
|
||||
description: Users
|
||||
ownCloudUUID: 509a9dcd-bb37-4f4f-a01a-19dca27d9cfa
|
||||
openCloudUUID: 509a9dcd-bb37-4f4f-a01a-19dca27d9cfa
|
||||
member: uid=alan,ou=users,o=libregraph-idm
|
||||
member: uid=mary,ou=users,o=libregraph-idm
|
||||
member: uid=margaret,ou=users,o=libregraph-idm
|
||||
@@ -89,65 +89,65 @@ member: uid=admin,ou=users,o=libregraph-idm
|
||||
|
||||
dn: cn=chess-lovers,ou=groups,o=libregraph-idm
|
||||
objectClass: groupOfNames
|
||||
objectClass: ownCloud
|
||||
objectClass: openCloudObject
|
||||
objectClass: top
|
||||
cn: sailing-lovers
|
||||
description: Chess lovers
|
||||
ownCloudUUID: 9d31ec04-dd80-11ef-ac47-a38ba68cc36d
|
||||
openCloudUUID: 9d31ec04-dd80-11ef-ac47-a38ba68cc36d
|
||||
member: uid=alan,ou=users,o=libregraph-idm
|
||||
|
||||
dn: cn=violin-haters,ou=groups,o=libregraph-idm
|
||||
objectClass: groupOfNames
|
||||
objectClass: ownCloud
|
||||
objectClass: openCloudObject
|
||||
objectClass: top
|
||||
cn: violin-haters
|
||||
description: Violin haters
|
||||
ownCloudUUID: d901562a-dd80-11ef-a510-fba1ed43fb21
|
||||
openCloudUUID: d901562a-dd80-11ef-a510-fba1ed43fb21
|
||||
member: uid=alan,ou=users,o=libregraph-idm
|
||||
|
||||
dn: cn=bible-readers,ou=groups,o=libregraph-idm
|
||||
objectClass: groupOfNames
|
||||
objectClass: ownCloud
|
||||
objectClass: openCloudObject
|
||||
objectClass: top
|
||||
cn: bible-readers
|
||||
description: Bible readers
|
||||
ownCloudUUID: 2fc6ba22-dd81-11ef-89e6-e3eff494a998
|
||||
openCloudUUID: 2fc6ba22-dd81-11ef-89e6-e3eff494a998
|
||||
member: uid=mary,ou=users,o=libregraph-idm
|
||||
|
||||
dn: cn=apollos,ou=groups,o=libregraph-idm
|
||||
objectClass: groupOfNames
|
||||
objectClass: ownCloud
|
||||
objectClass: openCloudObject
|
||||
objectClass: top
|
||||
cn: apollos
|
||||
description: Contributors to the Appollo mission
|
||||
ownCloudUUID: 6f9bab36-dd94-11ef-a252-dbbdd20299dd
|
||||
openCloudUUID: 6f9bab36-dd94-11ef-a252-dbbdd20299dd
|
||||
member: uid=margaret,ou=users,o=libregraph-idm
|
||||
|
||||
dn: cn=unix-lovers,ou=groups,o=libregraph-idm
|
||||
objectClass: groupOfNames
|
||||
objectClass: ownCloud
|
||||
objectClass: openCloudObject
|
||||
objectClass: top
|
||||
cn: unix-lovers
|
||||
description: Unix lovers
|
||||
ownCloudUUID: 75bc3882-dd94-11ef-ad60-335f3df6cef3
|
||||
openCloudUUID: 75bc3882-dd94-11ef-ad60-335f3df6cef3
|
||||
member: uid=dennis,ou=users,o=libregraph-idm
|
||||
|
||||
dn: cn=basic-haters,ou=groups,o=libregraph-idm
|
||||
objectClass: groupOfNames
|
||||
objectClass: ownCloud
|
||||
objectClass: openCloudObject
|
||||
objectClass: top
|
||||
cn: basic-haters
|
||||
description: Haters of the Basic programming language
|
||||
ownCloudUUID: a4eb2c12-dd94-11ef-9ebe-eb96f938d517
|
||||
openCloudUUID: a4eb2c12-dd94-11ef-9ebe-eb96f938d517
|
||||
member: uid=dennis,ou=users,o=libregraph-idm
|
||||
|
||||
dn: cn=programmers,ou=groups,o=libregraph-idm
|
||||
objectClass: groupOfNames
|
||||
objectClass: ownCloud
|
||||
objectClass: openCloudObject
|
||||
objectClass: top
|
||||
cn: programmers
|
||||
description: Computer Programmer
|
||||
ownCloudUUID: ce4aa240-dd94-11ef-82b8-4f4828849072
|
||||
openCloudUUID: ce4aa240-dd94-11ef-82b8-4f4828849072
|
||||
member: uid=alan,ou=users,o=libregraph-idm
|
||||
member: uid=margaret,ou=users,o=libregraph-idm
|
||||
member: uid=dennis,ou=users,o=libregraph-idm
|
||||
|
||||
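Review bot: Inside this hunk the entry `dn: cn=chess-lovers,ou=groups,o=libregraph-idm` carries `cn: sailing-lovers` together with `description: Chess lovers`, so the RDN value `chess-lovers` is absent from the entry's `cn` attribute. This predates the commit, and the built-in IDM may be lenient, but as far as I know a strict server rejects a missing naming-attribute value as a naming violation when importing the LDIF; `cn: chess-lovers` is what the dn and description both say. Since the entry's objectClass and ID lines are already being rewritten here, correcting that line in the same hunk seems cheap.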
@@ -210,7 +210,6 @@ func (b *CS3Backend) DestroySession(_ context.Context, sessionRef *string) error
|
||||
// for the user specified by the userID.
|
||||
func (b *CS3Backend) UserClaims(_ string, _ map[string]bool) map[string]interface{} {
|
||||
return nil
|
||||
// TODO should we return the "ownclouduuid" as a claim? there is also "LibgreGraph.UUID" / lico.ScopeUniqueUserID
|
||||
}
|
||||
|
||||
// ScopesSupported implements the Backend interface, providing supported scopes
|
||||
|
||||
@@ -49,7 +49,7 @@ type Ldap struct {
|
||||
UUIDAttributeType string `yaml:"uuid_attribute_type" env:"IDP_LDAP_UUID_ATTRIBUTE_TYPE" desc:"LDAP User uuid attribute type like 'text'." introductionVersion:"pre5.0"`
|
||||
|
||||
UserEnabledAttribute string `yaml:"user_enabled_attribute" env:"OC_LDAP_USER_ENABLED_ATTRIBUTE;IDP_USER_ENABLED_ATTRIBUTE" desc:"LDAP Attribute to use as a flag telling if the user is enabled or disabled." introductionVersion:"pre5.0"`
|
||||
Filter string `yaml:"filter" env:"OC_LDAP_USER_FILTER;IDP_LDAP_FILTER" desc:"LDAP filter to add to the default filters for user search like '(objectclass=ownCloud)'." introductionVersion:"pre5.0"`
|
||||
Filter string `yaml:"filter" env:"OC_LDAP_USER_FILTER;IDP_LDAP_FILTER" desc:"LDAP filter to add to the default filters for user search like '(objectclass=openCloudUser)'." introductionVersion:"pre5.0"`
|
||||
ObjectClass string `yaml:"objectclass" env:"OC_LDAP_USER_OBJECTCLASS;IDP_LDAP_OBJECTCLASS" desc:"LDAP User ObjectClass like 'inetOrgPerson'." introductionVersion:"pre5.0"`
|
||||
}
|
||||
|
||||
|
||||
@@ -120,11 +120,11 @@ func DefaultConfig() *config.Config {
|
||||
LoginAttribute: "uid",
|
||||
EmailAttribute: "mail",
|
||||
NameAttribute: "displayName",
|
||||
UUIDAttribute: "ownCloudUUID",
|
||||
UUIDAttribute: "openCloudUUID",
|
||||
UUIDAttributeType: "text",
|
||||
Filter: "",
|
||||
ObjectClass: "inetOrgPerson",
|
||||
UserEnabledAttribute: "ownCloudUserEnabled",
|
||||
UserEnabledAttribute: "openCloudUserEnabled",
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
@@ -146,7 +146,7 @@ var _ = Describe("Authenticating requests", Label("Authentication"), func() {
|
||||
testHandler := handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
Expect(oidc.FromContext(r.Context())).To(Equal(map[string]interface{}{
|
||||
"email": "testuser@example.com",
|
||||
"ownclouduuid": "OpaqueId",
|
||||
"openclouduuid": "OpaqueId",
|
||||
"iss": "IdpId",
|
||||
"preferred_username": "testuser",
|
||||
}))
|
||||
|
||||
@@ -45,7 +45,7 @@ func (m BasicAuthenticator) Authenticate(r *http.Request) (*http.Request, bool)
|
||||
oidc.Iss: user.Id.Idp,
|
||||
oidc.PreferredUsername: user.Username,
|
||||
oidc.Email: user.Mail,
|
||||
oidc.OwncloudUUID: user.Id.OpaqueId,
|
||||
oidc.OpenCloudUUID: user.Id.OpaqueId,
|
||||
}
|
||||
|
||||
if m.UserCS3Claim == "userid" {
|
||||
|
||||
@@ -61,7 +61,7 @@ var _ = Describe("Authenticating requests", Label("BasicAuthenticator"), func()
|
||||
Expect(claims[oidc.Iss]).To(Equal("IdpId"))
|
||||
Expect(claims[oidc.PreferredUsername]).To(Equal("testuser"))
|
||||
Expect(claims[oidc.Email]).To(Equal("testuser@example.com"))
|
||||
Expect(claims[oidc.OwncloudUUID]).To(Equal("OpaqueId"))
|
||||
Expect(claims[oidc.OpenCloudUUID]).To(Equal("OpaqueId"))
|
||||
})
|
||||
})
|
||||
})
|
||||
|
||||
@@ -72,13 +72,13 @@ type LDAPDriver struct {
|
||||
UserScope string `yaml:"user_scope" env:"OC_LDAP_USER_SCOPE;USERS_LDAP_USER_SCOPE" desc:"LDAP search scope to use when looking up users. Supported values are 'base', 'one' and 'sub'." introductionVersion:"pre5.0"`
|
||||
GroupScope string `yaml:"group_scope" env:"OC_LDAP_GROUP_SCOPE;USERS_LDAP_GROUP_SCOPE" desc:"LDAP search scope to use when looking up groups. Supported values are 'base', 'one' and 'sub'." introductionVersion:"pre5.0"`
|
||||
UserSubstringFilterType string `yaml:"user_substring_filter_type" env:"LDAP_USER_SUBSTRING_FILTER_TYPE;USERS_LDAP_USER_SUBSTRING_FILTER_TYPE" desc:"Type of substring search filter to use for substring searches for users. Possible values: 'initial' for doing prefix only searches, 'final' for doing suffix only searches or 'any' for doing full substring searches" introductionVersion:"pre5.0"`
|
||||
UserFilter string `yaml:"user_filter" env:"OC_LDAP_USER_FILTER;USERS_LDAP_USER_FILTER" desc:"LDAP filter to add to the default filters for user search like '(objectclass=ownCloud)'." introductionVersion:"pre5.0"`
|
||||
UserFilter string `yaml:"user_filter" env:"OC_LDAP_USER_FILTER;USERS_LDAP_USER_FILTER" desc:"LDAP filter to add to the default filters for user search like '(objectclass=openCloudUser)'." introductionVersion:"pre5.0"`
|
||||
GroupFilter string `yaml:"group_filter" env:"OC_LDAP_GROUP_FILTER;USERS_LDAP_GROUP_FILTER" desc:"LDAP filter to add to the default filters for group searches." introductionVersion:"pre5.0"`
|
||||
UserObjectClass string `yaml:"user_object_class" env:"OC_LDAP_USER_OBJECTCLASS;USERS_LDAP_USER_OBJECTCLASS" desc:"The object class to use for users in the default user search filter like 'inetOrgPerson'." introductionVersion:"pre5.0"`
|
||||
GroupObjectClass string `yaml:"group_object_class" env:"OC_LDAP_GROUP_OBJECTCLASS;USERS_LDAP_GROUP_OBJECTCLASS" desc:"The object class to use for groups in the default group search filter like 'groupOfNames'." introductionVersion:"pre5.0"`
|
||||
IDP string `yaml:"idp" env:"OC_URL;OC_OIDC_ISSUER;USERS_IDP_URL" desc:"The identity provider value to set in the userids of the CS3 user objects for users returned by this user provider." introductionVersion:"pre5.0"`
|
||||
DisableUserMechanism string `yaml:"disable_user_mechanism" env:"OC_LDAP_DISABLE_USER_MECHANISM;USERS_LDAP_DISABLE_USER_MECHANISM" desc:"An option to control the behavior for disabling users. Valid options are 'none', 'attribute' and 'group'. If set to 'group', disabling a user via API will add the user to the configured group for disabled users, if set to 'attribute' this will be done in the ldap user entry, if set to 'none' the disable request is not processed." introductionVersion:"pre5.0"`
|
||||
UserTypeAttribute string `yaml:"user_type_attribute" env:"OC_LDAP_USER_SCHEMA_USER_TYPE;USERS_LDAP_USER_TYPE_ATTRIBUTE" desc:"LDAP Attribute to distinguish between 'Member' and 'Guest' users. Default is 'ownCloudUserType'." introductionVersion:"pre5.0"`
|
||||
UserTypeAttribute string `yaml:"user_type_attribute" env:"OC_LDAP_USER_SCHEMA_USER_TYPE;USERS_LDAP_USER_TYPE_ATTRIBUTE" desc:"LDAP Attribute to distinguish between 'Member' and 'Guest' users. Default is 'openCloudUserType'." introductionVersion:"pre5.0"`
|
||||
LdapDisabledUsersGroupDN string `yaml:"ldap_disabled_users_group_dn" env:"OC_LDAP_DISABLED_USERS_GROUP_DN;USERS_LDAP_DISABLED_USERS_GROUP_DN" desc:"The distinguished name of the group to which added users will be classified as disabled when 'disable_user_mechanism' is set to 'group'." introductionVersion:"pre5.0"`
|
||||
UserSchema LDAPUserSchema `yaml:"user_schema"`
|
||||
GroupSchema LDAPGroupSchema `yaml:"group_schema"`
|
||||
|
||||
@@ -53,17 +53,17 @@ func DefaultConfig() *config.Config {
|
||||
BindDN: "uid=reva,ou=sysusers,o=libregraph-idm",
|
||||
DisableUserMechanism: "attribute",
|
||||
LdapDisabledUsersGroupDN: "cn=DisabledUsersGroup,ou=groups,o=libregraph-idm",
|
||||
UserTypeAttribute: "ownCloudUserType",
|
||||
UserTypeAttribute: "openCloudUserType",
|
||||
IDP: "https://localhost:9200",
|
||||
UserSchema: config.LDAPUserSchema{
|
||||
ID: "ownclouduuid",
|
||||
ID: "openclouduuid",
|
||||
Mail: "mail",
|
||||
DisplayName: "displayname",
|
||||
Username: "uid",
|
||||
Enabled: "ownCloudUserEnabled",
|
||||
Enabled: "openclouduserenabled",
|
||||
},
|
||||
GroupSchema: config.LDAPGroupSchema{
|
||||
ID: "ownclouduuid",
|
||||
ID: "openclouduuid",
|
||||
Mail: "mail",
|
||||
DisplayName: "cn",
|
||||
Groupname: "cn",
|
||||
|
||||
@@ -445,8 +445,8 @@ trait Provisioning {
|
||||
$entry['uidNumber'] = $uidNumber;
|
||||
|
||||
if (!OcHelper::isTestingOnReva()) {
|
||||
$entry['objectclass'][] = 'ownCloud';
|
||||
$entry['ownCloudUUID'] = WebDavHelper::generateUUIDv4();
|
||||
$entry['objectclass'][] = 'openCloudObject';
|
||||
$entry['openCloudUUID'] = WebDavHelper::generateUUIDv4();
|
||||
}
|
||||
|
||||
try {
|
||||
@@ -490,8 +490,8 @@ trait Provisioning {
|
||||
$entry['member'] = "";
|
||||
}
|
||||
if (!OcHelper::isTestingOnReva()) {
|
||||
$entry['objectclass'][] = 'ownCloud';
|
||||
$entry['ownCloudUUID'] = WebDavHelper::generateUUIDv4();
|
||||
$entry['objectclass'][] = 'openCloudObject';
|
||||
$entry['openCloudUUID'] = WebDavHelper::generateUUIDv4();
|
||||
}
|
||||
|
||||
try {
|
||||
|
||||