Merge branch 'master' into ocis-init

docs/extensions/idm/_index.md

@@ -10,6 +10,20 @@ geekdocCollapseSection: true
 
 ## Abstract
 
+The IDM service provides a minimal LDAP Service (based on https://github.com/libregraph/idm) for oCIS. It is started as part of
+the default configuration and serves as a central place for storing user and group information.
+
+It is mainly targeted at small oCIS installations. For larger setups it is recommended to replace IDM with a "real" LDAP server
+or to switch to an external Identity Management Solution.
+
+IDM listens on port 9325 by default. In the default configuration it only accepts TLS protected connections (LDAPS). The BaseDN
+of the LDAP tree is `o=libregraph-idm`. IDM gives LDAP write permissions to a single user 
+(DN: `uid=libregraph,ou=sysusers,o=libregraph-idm`). Any other authenticated user has read-only access. IDM stores its data in a
+[boltdb](https://github.com/etcd-io/bbolt) file `idm/ocis.boltdb` inside the oCIS base data directory.
+
+Note: IDM is limited in its functionality. It only supports a subset of the LDAP operations (namely BIND, SEARCH, ADD, MODIFY, DELETE).
+Also IDM currently does not do any Schema Verification (e.g. structural vs. auxiliary Objectclasses, require and option Attributes,
+Syntax Checks, ...). So it's not meant as a general purpose LDAP server.
 
 ## Table of Contents
 

docs/extensions/idm/configuration_hints.md

@@ -0,0 +1,49 @@
+---
+title: Configuration Hints
+date: 2022-04-27:00:00+00:00
+weight: 20
+geekdocRepo: https://github.com/owncloud/ocis
+geekdocEditPath: edit/master/docs/extensions/idm
+geekdocFilePath: configuration_hints.md
+geekdocCollapseSection: true
+---
+
+## TLS Server Certificates
+By default IDM generates a self-signed certificate and key on first startup to be
+able to provide TLS protected services. The certificate is stored in
+`idm/ldap.crt` inside the oCIS base data directory. The key is in
+`idm/ldap.key` in the same directory. You can use a custom server
+certificate by setting the `IDM_LDAPS_CERT` and `IDM_LDAPS_KEY`.
+
+## Default / Demo Users
+On startup IDM creates a set of default services users that are needed
+internally to provide access to IDM to other oCIS services. These users are stored
+in a separate subtree. The base DN of that subtree is:
+`ou=sysusers,o=libregraph-idm`. The service users are:
+
+* `uid=libregraph,ou=sysusers,o=libregraph-idm`: This is the only user with write
+  access to the LDAP tree. It is used by the Graph service to lookup, create, delete and
+  modify users and groups.
+* `uid=idp,ou=sysusers,o=libregraph-idm`: This user is used by the IDP service to
+  perform user lookups for authentication.
+* `uid=reva,ou=sysusers,o=libregraph-idm`: This user is used by the "reva" services
+  `user`, `group` and `auth-basic`.
+
+IDM is also able to create [Demo Users](../../../ocis/getting-started/demo-users)
+upon startup. 
+
+## Access via LDAP command line tools
+For testing purposes it is sometimes helpful to query IDM using the ldap
+command line clients. To e.g. list all users, this command can be used:
+
+```
+ldapsearch -x -H ldaps://127.0.0.1:9235 -x -D uid=libregraph,ou=sysusers,o=libregraph-idm -w idm -b o=libregraph-idm objectclass=inetorgperson
+```
+
+When using the default configuration with the self-signed server certificate
+you might need to switch off the Certificate Validation using `LDAPTL_REQCERT` env
+variable:
+
+```
+LDAPTLS_REQCERT=never ldapsearch -x -H ldaps://127.0.0.1:9235 -x -D uid=libregraph,ou=sysusers,o=libregraph-idm -w idm -b o=libregraph-idm objectclass=inetorgperson
+```

docs/extensions/idm/setup.md

@@ -1,50 +0,0 @@
----
-title: Service Setup
-date: 2022-03-22T00:00:00+00:00
-weight: 20
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/extensions/idm
-geekdocFilePath: setup.md
-geekdocCollapseSection: true
----
-
-{{< toc >}}
-
-## Using ocis with libregraph/idm
-
-Currently, oCIS still runs the accounts and glauth services to manage users. Until the default is switched
-to libregraph/idm, oCIS has to be started with a custom configuration in order to use libregraph/idm as
-the users and groups backend (this setup also disables the glauth and accounts service):
-
-
-```
-export GRAPH_IDENTITY_BACKEND=ldap
-export LDAP_URI=ldaps://localhost:9235
-export LDAP_INSECURE="true"
-export LDAP_USER_BASE_DN="ou=users,o=libregraph-idm"
-export LDAP_USER_SCHEMA_ID="ownclouduuid"
-export LDAP_USER_SCHEMA_MAIL="mail"
-export LDAP_USER_SCHEMA_USERNAME="uid"
-export LDAP_USER_OBJECTCLASS="inetOrgPerson"
-export LDAP_GROUP_BASE_DN="ou=groups,o=libregraph-idm"
-export LDAP_GROUP_SCHEMA_ID="ownclouduuid"
-export LDAP_GROUP_SCHEMA_MAIL="mail"
-export LDAP_GROUP_SCHEMA_GROUPNAME="cn"
-export LDAP_GROUP_SCHEMA_MEMBER="member"
-export LDAP_GROUP_OBJECTCLASS="groupOfNames"
-export GRAPH_LDAP_BIND_DN="uid=libregraph,ou=sysusers,o=libregraph-idm"
-export GRAPH_LDAP_BIND_PASSWORD=idm
-export GRAPH_LDAP_SERVER_WRITE_ENABLED="true"
-export IDP_INSECURE="true"
-export IDP_LDAP_BIND_DN="uid=idp,ou=sysusers,o=libregraph-idm"
-export IDP_LDAP_BIND_PASSWORD="idp"
-export IDP_LDAP_LOGIN_ATTRIBUTE=uid
-export PROXY_ACCOUNT_BACKEND_TYPE=cs3
-export OCS_ACCOUNT_BACKEND_TYPE=cs3
-export STORAGE_LDAP_BIND_DN="uid=reva,ou=sysusers,o=libregraph-idm"
-export STORAGE_LDAP_BIND_PASSWORD=reva
-export OCIS_RUN_EXTENSIONS=settings,storage-metadata,graph,graph-explorer,ocs,store,thumbnails,web,webdav,storage-frontend,storage-gateway,storage-userprovider,storage-groupprovider,storage-authbasic,storage-authbearer,storage-authmachine,storage-users,storage-shares,storage-public-link,storage-appprovider,storage-sharing,proxy,idp,nats,idm,ocdav
-export OCIS_INSECURE=true
-ocis init
-bin/ocis server
-```