mirror of https://github.com/opencloud-eu/opencloud.git, synced 2025-12-31 01:10:20 -06:00
Adds deployment doc for external idp setup
docs/ocis/deployment/ocis_external_konnectd.md (new file, 131 lines)
@@ -0,0 +1,131 @@
---
title: "ocis with konnectd on external node deployment scenario"
date: 2020-10-12T14:39:00+01:00
weight: 26
geekdocRepo: https://github.com/owncloud/ocis
geekdocEditPath: edit/master/docs/ocis/deployment
geekdocFilePath: ocis_external_konnectd.md
---

{{< toc >}}


# ocis with konnectd on external node deployment scenario

This scenario shows how to setup ocis with konnectd as idp running on a separate node. Both node are having separate domains pointing on the servers.

# ocis traefik deployment scenario

## Overview
ocis and konnectd running on linux nodes behind traefik as reverse proxy
* Cloudflare DNS is resolving the domains
* Letsencrypt provides ssl certificates for the domains
* Traefik docker container terminates ssl and forwards http requests to the services

## Nodes

### Requirements for both nodes
* Server running Ubuntu 20.04 is public availible with an static ip address
* An A-record for domain is pointing on the servers ip address
* Create user `$sudo adduser username`
* Add user to sudo group `$sudo usermod -aG sudo username`
* Add users pub key to `~/.ssh/authorized_keys`
* Setup sshd to forbid root access and permit authorisation only by ssh key
* Install docker `$sudo apt install docker.io`
* Add user to docker group `$sudo usermod -aG docker username`
* Install docker-compose via `$ sudo curl -L "https://github.com/docker/compose/releases/download/1.27.4/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose` (docker compose version 1.27.4 as of today)
* Make docker-compose executable `$ sudo chmod +x /usr/local/bin/docker-compose`
* Environment variables for OCIS Stack are provided by .env file
* Change in both `.env` files

```
OCIS_DOMAIN=ocis.domain.com
IDP_DOMAIN=idp.domain.com
```


### Stack
On both nodes, a traefik dokcer container is terminating ssl and forwards the http requests to the services. The nodes are named according to their services.

### Config

#### Repository structure

```
ocis_external_konnectd # rootfolder
└───ocisnode
│ │ docker-compose.yml
│ │ .env
│
└───idpnode
│ docker-compose.yml
│ .env
└───config
│ identifier-registration.yml
```

Both subfolders contain the dockr-compose files including additionaly conf files if required. The content of both folders has to be deployed on each node.

#### Traefik

Traefik is set up similar to the traefik example on both nodes.
The certificate resolvers are named similar to their services and behave exactly like in the other examples.

#### Konnectd

Konnectd as Openid provider needs the redirect url's to point to ocis.
```
---
# OpenID Connect client registry.
clients:
- id: phoenix
name: OCIS
application_type: web
insecure: yes
trusted: yes
redirect_uris:
- http://ocis.domain.com/
- https://ocis.domain.com/
- http://ocis.domain.com/oidc-callback.html
- https://ocis.domain.com/oidc-callback.html
- http://ocis.domain.com/oidc-silent-redirect.html
- https://ocis.domain.com/oidc-silent-redirect.html
origins:
- http://ocis.domain.com
- https://ocis.domain.com
```

Behind traefik, http is used to communicate between the services. Setting KONNECTD_TLS enforces it.

```
KONNECTD_TLS: '0'
```

In order to resolve users from glauth service on ocis node, Konnectd needs ldap settings to work properly.

```
LDAP_URI: ldap://${OCIS_DOMAIN}:9125
LDAP_BINDDN: cn=konnectd,ou=sysusers,dc=example,dc=org
LDAP_BINDPW: konnectd
LDAP_BASEDN: ou=users,dc=example,dc=org
LDAP_SCOPE: sub
LDAP_LOGIN_ATTRIBUTE: cn
LDAP_EMAIL_ATTRIBUTE: mail
LDAP_NAME_ATTRIBUTE=: n
LDAP_UUID_ATTRIBUTE: uid
LDAP_UUID_ATTRIBUTE_TYPE: text
LDAP_FILTER: (objectClass=posixaccount)
```

#### ocis

On the ocis node, the setting is following a standard scenario, except, that port 9125 needs to be exposed for the idp node to resolve ldap querries from Konnectd.

```
ocis:
...
ports:
- 9200:9200
- 9125:9125
...
```
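Review bot: the ocis node ends up serving the glauth LDAP directory to the whole internet in plaintext with the example bind password, which is the one thing in this doc I would not merge as written. The `#### ocis` section publishes `- 9125:9125` on a host the Requirements section describes as publicly reachable with a static IP, the idp node queries it via `LDAP_URI: ldap://${OCIS_DOMAIN}:9125`, and `LDAP_BINDPW: konnectd` is the stock example credential, so the bind DN and password cross the public network unencrypted and anyone can bind to and enumerate the directory. The doc should at least tell the reader to restrict 9125 to the idp node's source address with a host firewall rule (published docker ports bypass ufw, so the rule has to go in the DOCKER-USER iptables chain or on an upstream firewall) and to change the bind password in both glauth and the konnectd env; better still, carry the LDAP link over ldaps or a private network between the two nodes. Smaller points in the same hunk: `insecure: yes` together with the `http://` entries under `redirect_uris` and `origins` allows the OIDC callback and tokens to flow over plain HTTP even though traefik already terminates TLS with Let's Encrypt, so the http entries should be dropped and `insecure` set to `no` once certificates are in place; `LDAP_NAME_ATTRIBUTE=: n` mixes `=` and `:` and its value looks truncated, it should follow the form of the neighbouring attribute lines; the sentence "Setting KONNECTD_TLS enforces it" reads backwards, the `'0'` value disables TLS in konnectd because traefik terminates it, and the issuer konnectd advertises for `idp.domain.com` must stay https; the second `# ocis traefik deployment scenario` heading is a copy-paste leftover from the traefik example. Typos: "Both node are having" should be "Both nodes have", plus "availible", "dokcer", "dockr", "additionaly", "querries".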
|
||||