From 8ec167d792bfee55e3679d4825a916532a4fbcae Mon Sep 17 00:00:00 2001
From: Ralf Haferkamp
Date: Thu, 23 Feb 2023 14:02:18 +0100
Subject: [PATCH] ocis_ldap example: Switch to newer ldap server image

Switch away from the unmaintained osixia image to the more uptodate bitnami image. Also update the owncloud schema to include the latest changes Fixes #5636

---
 .../config/ldap/docker-entrypoint-override.sh | 9 +++++
 .../ocis_ldap/config/ldap/ldif/10_base.ldif | 13 +++++++
 .../ocis_ldap/config/ldap/ldif/20_users.ldif | 14 +++----
 .../ocis_ldap/config/ldap/ldif/30_groups.ldif | 20 +++++------
 .../ldap/schemas/10_owncloud_schema.ldif | 35 +++++++++++++++++++
 .../examples/ocis_ldap/docker-compose.yml | 29 ++++++++-------
 6 files changed, 87 insertions(+), 33 deletions(-)
 create mode 100644 deployments/examples/ocis_ldap/config/ldap/docker-entrypoint-override.sh
 create mode 100644 deployments/examples/ocis_ldap/config/ldap/ldif/10_base.ldif
 create mode 100644 deployments/examples/ocis_ldap/config/ldap/schemas/10_owncloud_schema.ldif
diff --git a/deployments/examples/ocis_ldap/config/ldap/docker-entrypoint-override.sh b/deployments/examples/ocis_ldap/config/ldap/docker-entrypoint-override.sh
new file mode 100644
index 000000000..db871b65a
--- /dev/null
+++ b/deployments/examples/ocis_ldap/config/ldap/docker-entrypoint-override.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+printenv
+
+if [ ! -f /opt/bitnami/openldap/certs/openldap.key ]
+then
+ openssl req -x509 -newkey rsa:4096 -keyout /opt/bitnami/openldap/certs/openldap.key -out /opt/bitnami/openldap/certs/openldap.crt -sha256 -days 365 -batch -nodes
+fi
+# run original docker-entrypoint
+/opt/bitnami/scripts/openldap/entrypoint.sh "$@"
diff --git a/deployments/examples/ocis_ldap/config/ldap/ldif/10_base.ldif b/deployments/examples/ocis_ldap/config/ldap/ldif/10_base.ldif
new file mode 100644
index 000000000..8459afb3b
--- /dev/null
+++ b/deployments/examples/ocis_ldap/config/ldap/ldif/10_base.ldif
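Review bot: `printenv` on the second line of the new override script dumps the complete container environment, including `LDAP_ADMIN_PASSWORD`, into the container log on every start; drop it or gate it on a debug variable. The script also starts the original entrypoint as a child process instead of replacing itself, so the `sh` wrapper stays PID 1 and the SIGTERM from `docker stop` never reaches slapd; use `exec /opt/bitnami/scripts/openldap/entrypoint.sh "$@"`. The guard only tests for the key file, so once the 365-day certificate stored in the persistent `ldap-certs` volume expires it is never regenerated, and the `-batch` run with no `-subj` produces a certificate without a CN or SAN for `ldap-server`, which is why the ocis side has to keep verification off. A rewrite that checks expiry with `openssl x509 -checkend` and sets a subject and SAN (the `-addext` option needs OpenSSL 1.1.1 or later; confirm what the image ships) follows.
```shell
#!/bin/bash
set -eu
CERT_DIR=/opt/bitnami/openldap/certs
# (re)generate the self-signed pair when the key is missing or the cert expires within a day
if [ ! -f "$CERT_DIR/openldap.key" ] || ! openssl x509 -checkend 86400 -noout -in "$CERT_DIR/openldap.crt" >/dev/null 2>&1; then
  openssl req -x509 -newkey rsa:4096 -keyout "$CERT_DIR/openldap.key" -out "$CERT_DIR/openldap.crt" \
    -sha256 -days 365 -batch -nodes -subj "/CN=ldap-server" -addext "subjectAltName=DNS:ldap-server"
fi
# run original docker-entrypoint, replacing this shell so signals reach slapd
exec /opt/bitnami/scripts/openldap/entrypoint.sh "$@"
```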
@@ -0,0 +1,13 @@
+dn: dc=owncloud,dc=com
+objectClass: organization
+objectClass: dcObject
+dc: owncloud
+o: ownCloud
+
+dn: ou=users,dc=owncloud,dc=com
+objectClass: organizationalUnit
+ou: users
+
+dn: ou=groups,dc=owncloud,dc=com
+objectClass: organizationalUnit
+ou: groups
diff --git a/deployments/examples/ocis_ldap/config/ldap/ldif/20_users.ldif b/deployments/examples/ocis_ldap/config/ldap/ldif/20_users.ldif
index 42c8ebd26..8d6679cb9 100644
--- a/deployments/examples/ocis_ldap/config/ldap/ldif/20_users.ldif
+++ b/deployments/examples/ocis_ldap/config/ldap/ldif/20_users.ldif
@@ -1,7 +1,3 @@
-dn: ou=users,dc=owncloud,dc=com
-objectClass: organizationalUnit
-ou: users
-
 # Start dn with uid (user identifier / login), not cn (Firstname + Surname)
 dn: uid=einstein,ou=users,dc=owncloud,dc=com
 objectClass: inetOrgPerson
@@ -20,7 +16,7 @@ mail: einstein@example.org
 uidNumber: 20000
 gidNumber: 30000
 homeDirectory: /home/einstein
-ownCloudUUID:: NGM1MTBhZGEtYzg2Yi00ODE1LTg4MjAtNDJjZGY4MmMzZDUx
+ownCloudUUID: 4c510ada-c86b-4815-8820-42cdf82c3d51
 userPassword:: e1NTSEF9TXJEcXpFNGdKbXZxbVRVTGhvWEZ1VzJBbkV3NWFLK3J3WTIvbHc9PQ==
 
 dn: uid=marie,ou=users,dc=owncloud,dc=com
@@ -40,7 +36,7 @@ mail: marie@example.org
 uidNumber: 20001
 gidNumber: 30000
 homeDirectory: /home/marie
-ownCloudUUID:: ZjdmYmY4YzgtMTM5Yi00Mzc2LWIzMDctY2YwYThjMmQwZDlj
+ownCloudUUID: f7fbf8c8-139b-4376-b307-cf0a8c2d0d9c
 userPassword:: e1NTSEF9UmFvQWs3TU9jRHBIUWY3bXN3MGhHNnVraFZQWnRIRlhOSUNNZEE9PQ==
 
 dn: uid=richard,ou=users,dc=owncloud,dc=com
@@ -60,7 +56,7 @@ mail: richard@example.org
 uidNumber: 20002
 gidNumber: 30000
 homeDirectory: /home/richard
-ownCloudUUID:: OTMyYjQ1NDAtOGQxNi00ODFlLThlZjQtNTg4ZTRiNmIxNTFj
+ownCloudUUID: 932b4540-8d16-481e-8ef4-588e4b6b151c
 userPassword:: e1NTSEF9Z05LZTRreHdmOGRUREY5eHlhSmpySTZ3MGxSVUM1d1RGcWROTVE9PQ==
 
 dn: uid=moss,ou=users,dc=owncloud,dc=com
@@ -80,7 +76,7 @@ mail: moss@example.org
 uidNumber: 20003
 gidNumber: 30000
 homeDirectory: /home/moss
-ownCloudUUID:: MDU4YmZmOTUtNjcwOC00ZmU1LTkxZTQtOWVhM2QzNzc1ODhi
+ownCloudUUID: 058bff95-6708-4fe5-91e4-9ea3d377588b
 userPassword:: e1NTSEF9N0hEdTRoMkFDVExFWWt4U0RtSDZVQjhmUlpKRExDZDc=
 
 dn: uid=admin,ou=users,dc=owncloud,dc=com
@@ -100,5 +96,5 @@ mail: admin@example.org
 uidNumber: 20004
 gidNumber: 30000
 homeDirectory: /home/admin
-ownCloudUUID:: ZGRjMjAwNGMtMDk3Ny0xMWViLTlkM2YtYTc5Mzg4OGNkMGY4
+ownCloudUUID: ddc2004c-0977-11eb-9d3f-a793888cd0f8
 userPassword:: e1NTSEF9UWhmaFB3dERydTUydURoWFFObDRMbzVIckI3TkI5Nmo=
diff --git a/deployments/examples/ocis_ldap/config/ldap/ldif/30_groups.ldif b/deployments/examples/ocis_ldap/config/ldap/ldif/30_groups.ldif
index a43edf133..9a43b5046 100644
--- a/deployments/examples/ocis_ldap/config/ldap/ldif/30_groups.ldif
+++ b/deployments/examples/ocis_ldap/config/ldap/ldif/30_groups.ldif
@@ -1,14 +1,10 @@
-dn: ou=groups,dc=owncloud,dc=com
-objectClass: organizationalUnit
-ou: groups
-
 dn: cn=users,ou=groups,dc=owncloud,dc=com
 objectClass: groupOfNames
 objectClass: ownCloud
 objectClass: top
 cn: users
 description: Users
-ownCloudUUID:: NTA5YTlkY2QtYmIzNy00ZjRmLWEwMWEtMTlkY2EyN2Q5Y2Zh
+ownCloudUUID: 509a9dcd-bb37-4f4f-a01a-19dca27d9cfa
 member: uid=einstein,ou=users,dc=owncloud,dc=com
 member: uid=marie,ou=users,dc=owncloud,dc=com
 member: uid=richard,ou=users,dc=owncloud,dc=com
@@ -21,7 +17,7 @@ objectClass: ownCloud
 objectClass: top
 cn: sailing-lovers
 description: Sailing lovers
-ownCloudUUID:: NjA0MGFhMTctOWM2NC00ZmVmLTliZDAtNzcyMzRkNzFiYWQw
+ownCloudUUID: 6040aa17-9c64-4fef-9bd0-77234d71bad0
 member: uid=einstein,ou=users,dc=owncloud,dc=com
 
 dn: cn=violin-haters,ou=groups,dc=owncloud,dc=com
@@ -30,7 +26,7 @@ objectClass: ownCloud
 objectClass: top
 cn: violin-haters
 description: Violin haters
-ownCloudUUID:: ZGQ1OGU1ZWMtODQyZS00OThiLTg4MDAtNjFmMmVjNmY5MTFm
+ownCloudUUID: dd58e5ec-842e-498b-8800-61f2ec6f911f
 member: uid=einstein,ou=users,dc=owncloud,dc=com
 
 dn: cn=radium-lovers,ou=groups,dc=owncloud,dc=com
@@ -39,7 +35,7 @@ objectClass: ownCloud
 objectClass: top
 cn: radium-lovers
 description: Radium lovers
-ownCloudUUID:: N2I4N2ZkNDktMjg2ZS00YTVmLWJhZmQtYzUzNWQ1ZGQ5OTdh
+ownCloudUUID: 7b87fd49-286e-4a5f-bafd-c535d5dd997a
 member: uid=marie,ou=users,dc=owncloud,dc=com
 
 dn: cn=polonium-lovers,ou=groups,dc=owncloud,dc=com
@@ -48,7 +44,7 @@ objectClass: ownCloud
 objectClass: top
 cn: polonium-lovers
 description: Polonium lovers
-ownCloudUUID:: Y2VkYzIxYWEtNDA3Mi00NjE0LTg2NzYtZmE5MTY1ZjU5OGZm
+ownCloudUUID: cedc21aa-4072-4614-8676-fa9165f598ff
 member: uid=marie,ou=users,dc=owncloud,dc=com
 
 dn: cn=quantum-lovers,ou=groups,dc=owncloud,dc=com
@@ -57,7 +53,7 @@ objectClass: ownCloud
 objectClass: top
 cn: quantum-lovers
 description: Quantum lovers
-ownCloudUUID:: YTE3MjYxMDgtMDFmOC00YzMwLTg4ZGYtMmIxYTlkMWNiYTFh
+ownCloudUUID: a1726108-01f8-4c30-88df-2b1a9d1cba1a
 member: uid=richard,ou=users,dc=owncloud,dc=com
 
 dn: cn=philosophy-haters,ou=groups,dc=owncloud,dc=com
@@ -66,7 +62,7 @@ objectClass: ownCloud
 objectClass: top
 cn: philosophy-haters
 description: Philosophy haters
-ownCloudUUID:: MTY3Y2JlZTItMDUxOC00NTVhLWJmYjItMDMxZmUwNjIxZTVk
+ownCloudUUID: 167cbee2-0518-455a-bfb2-031fe0621e5d
 member: uid=richard,ou=users,dc=owncloud,dc=com
 
 dn: cn=physics-lovers,ou=groups,dc=owncloud,dc=com
@@ -75,7 +71,7 @@ objectClass: ownCloud
 objectClass: top
 cn: physics-lovers
 description: Physics lovers
-ownCloudUUID:: MjYyOTgyYzEtMjM2Mi00YWZhLWJmZGYtOGNiZmVmNjRhMDZl
+ownCloudUUID: 262982c1-2362-4afa-bfdf-8cbfef64a06e
 member: uid=einstein,ou=users,dc=owncloud,dc=com
 member: uid=marie,ou=users,dc=owncloud,dc=com
 member: uid=richard,ou=users,dc=owncloud,dc=com
diff --git a/deployments/examples/ocis_ldap/config/ldap/schemas/10_owncloud_schema.ldif b/deployments/examples/ocis_ldap/config/ldap/schemas/10_owncloud_schema.ldif
new file mode 100644
index 000000000..a1d2ae9b6
--- /dev/null
+++ b/deployments/examples/ocis_ldap/config/ldap/schemas/10_owncloud_schema.ldif
@@ -0,0 +1,35 @@
+# This LDIF files describes the ownCloud schema and can be used to
+# add three optional attributes: ownCloudQuota, ownCloudUUID and ownCloudUserEnabled
+# The ownCloudUUID is used to store a unique, non-reassignable, persistent identifier for users and groups
+dn: cn=owncloud,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: owncloud
+olcObjectIdentifier: ownCloudOid 1.3.6.1.4.1.39430
+olcAttributeTypes: ( ownCloudOid:1.1.1 NAME 'ownCloudQuota'
+ DESC 'User Quota (e.g. 2 GB)'
+ EQUALITY caseExactMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
+olcAttributeTypes: ( ownCloudOid:1.1.2 NAME 'ownCloudUUID'
+ DESC 'A non-reassignable and persistent account ID)'
+ EQUALITY uuidMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.1.16.1 SINGLE-VALUE )
+olcAttributeTypes: ( ownCloudOid:1.1.3 NAME 'oCExternalIdentity'
+ DESC 'A triple separated by "$" representing the objectIdentity resource type of the Graph API ( signInType $ issuer $ issuerAssignedId )'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: ( ownCloudOid:1.1.4 NAME 'ownCloudUserEnabled'
+ DESC 'A boolean value indicating if ownCloudUser is enabled'
+ EQUALITY booleanMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE)
+olcObjectClasses: ( ownCloudOid:1.2.1 NAME 'ownCloud'
+ DESC 'ownCloud LDAP Schema'
+ AUXILIARY
+ MAY ( ownCloudQuota $ ownCloudUUID ) )
+olcObjectClasses: ( ownCloudOid:1.2.2 NAME 'ownCloudUser'
+ DESC 'ownCloud User LDAP Schema'
+ SUP ownCloud
+ AUXILIARY
+ MAY ( ocExternalIdentity $ ownCloudUserEnabled ) )
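Review bot: The header comment on the first two added lines says the schema adds "three optional attributes" and lists ownCloudQuota, ownCloudUUID and ownCloudUserEnabled, but the file defines four attribute types — oCExternalIdentity is missing from the list; change it to `# add four optional attributes: ownCloudQuota, ownCloudUUID, oCExternalIdentity and ownCloudUserEnabled`. The DESC of ownCloudUUID, `'A non-reassignable and persistent account ID)'`, carries a stray closing parenthesis inside the quotes that anyone browsing the schema will see verbatim. The ownCloudUserEnabled definition ends in `SINGLE-VALUE)` without the space the other four definitions put before `)`; slapd presumably accepts it, but the inconsistency makes a later grep or diff harder. The comment could also state that ownCloudUUID values are plain RFC 4122 strings (syntax 1.3.6.1.1.16.1), which is what the companion LDIF files now write after dropping the base64 `::` form.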
diff --git a/deployments/examples/ocis_ldap/docker-compose.yml b/deployments/examples/ocis_ldap/docker-compose.yml
index c21030f4f..3d9cb21d1 100644
--- a/deployments/examples/ocis_ldap/docker-compose.yml
+++ b/deployments/examples/ocis_ldap/docker-compose.yml
@@ -60,7 +60,7 @@ services:
 command: [ "-c", "ocis init || true; ocis server" ]
 environment:
 # users/gropups from ldap
- LDAP_URI: ldaps://ldap-server
+ LDAP_URI: ldaps://ldap-server:1636
 LDAP_INSECURE: "true"
 LDAP_BIND_DN: "cn=admin,dc=owncloud,dc=com"
 LDAP_BIND_PASSWORD: ${LDAP_ADMIN_PASSWORD:-admin}
@@ -72,7 +72,6 @@ services:
 LDAP_USER_OBJECTCLASS: "inetOrgPerson"
 LDAP_LOGIN_ATTRIBUTES: "uid"
 OCIS_ADMIN_USER_ID: "ddc2004c-0977-11eb-9d3f-a793888cd0f8"
- IDP_LDAP_URI: ldap://ldap-server
 IDP_LDAP_LOGIN_ATTRIBUTE: "uid"
 IDP_LDAP_UUID_ATTRIBUTE: "ownclouduuid"
 IDP_LDAP_UUID_ATTRIBUTE_TYPE: binary
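Review bot: `LDAP_URI` now targets the TLS port 1636, but the unchanged `LDAP_INSECURE: "true"` on the next line still disables certificate verification, so the hop is encrypted while the server remains unauthenticated. Since this commit keeps the server certificate in the `ldap-certs` volume, the example could mount that volume read-only into the ocis container and reference the certificate through ocis's `LDAP_CACERT` setting, which would let `LDAP_INSECURE` go once the generated certificate carries a subject for `ldap-server`. In the second hunk, dropping `IDP_LDAP_URI` presumably makes the IDP fall back to the ldaps `LDAP_URI`; a one-line comment such as `# IDP_LDAP_URI intentionally unset: the IDP reuses LDAP_URI above` would save the next reader a config lookup. The ocis `environment` block starts before the first hunk and continues past the second.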
@@ -105,22 +104,27 @@ services:
 restart: always
 
 ldap-server:
- image: osixia/openldap:latest
+ image: bitnami/openldap:2.6
 networks:
 ocis-net:
- command: --copy-service --loglevel debug
+ entrypoint: ["/bin/sh", "/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh", "/opt/bitnami/scripts/openldap/run.sh" ]
 environment:
+ BITNAMI_DEBUG: true
 LDAP_TLS_VERIFY_CLIENT: never
- LDAP_DOMAIN: owncloud.com
- LDAP_ORGANISATION: ownCloud
+ LDAP_ENABLE_TLS: "yes"
+ LDAP_TLS_CA_FILE: /opt/bitnami/openldap/certs/openldap.crt
+ LDAP_TLS_CERT_FILE: /opt/bitnami/openldap/certs/openldap.crt
+ LDAP_TLS_KEY_FILE: /opt/bitnami/openldap/certs/openldap.key
+ LDAP_ROOT: "dc=owncloud,dc=com"
 LDAP_ADMIN_PASSWORD: ${LDAP_ADMIN_PASSWORD:-admin}
- LDAP_RFC2307BIS_SCHEMA: "true"
- LDAP_REMOVE_CONFIG_AFTER_SETUP: "false"
 ports:
- - "127.0.0.1:389:389"
- - "127.0.0.1:636:636"
+ - "127.0.0.1:389:1389"
+ - "127.0.0.1:636:1636"
 volumes:
- - ./config/ldap/ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom
+ - ./config/ldap/ldif:/ldifs
+ - ./config/ldap/schemas:/schemas
+ - ./config/ldap/docker-entrypoint-override.sh:/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh
+ - ldap-certs:/opt/bitnami/openldap/certs
 logging:
 driver: ${LOG_DRIVER:-local}
 restart: always
@@ -130,7 +134,7 @@ services:
 networks:
 ocis-net:
 environment:
- PHPLDAPADMIN_LDAP_HOSTS: ldap-server
+ PHPLDAPADMIN_LDAP_HOSTS: "#PYTHON2BASH:[{'ldap-server': [{'server': [{'port': 1389}]}]}]"
 PHPLDAPADMIN_HTTPS: "false"
 labels:
 - "traefik.enable=true"
@@ -145,6 +149,7 @@ services:
 volumes:
 certs:
+ ldap-certs:
 ocis-config:
 ocis-data:
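Review bot: `BITNAMI_DEBUG: true` in the new environment block is an unquoted YAML boolean; the Compose spec asks for string values there (older docker-compose releases reject non-strings), and every neighbouring value in this hunk is quoted, so write `BITNAMI_DEBUG: "true"` — and consider shipping the example with `"false"`, because debug output lands in the same log stream that currently receives the admin password from the override script's `printenv`. The context line `LDAP_TLS_VERIFY_CLIENT: never` still carries the osixia variable name; as far as I recall the bitnami image reads `LDAP_TLS_VERIFY_CLIENTS`, so under the new image the line is inert and should be renamed or removed together with the other osixia settings this hunk drops. The `entrypoint` runs the override under `/bin/sh` although the script declares `#!/bin/bash`; the script is POSIX today, but a comment such as `# override script runs under sh, keep it POSIX` would stop a later bashism from breaking startup.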
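Review bot: `PHPLDAPADMIN_LDAP_HOSTS` now points phpLDAPadmin at the plaintext port 1389 although the same commit enables TLS on 1636 and moves ocis onto it, so admin binds from the web UI cross the compose network unencrypted. That is tolerable on the internal `ocis-net` network of an example deployment, but it should be stated, e.g. `# plaintext LDAP on the internal network only; phpLDAPadmin is not configured for TLS here`, or the server entry should use the TLS port if the phpLDAPadmin image's host syntax supports it. The value is a Python literal embedded in a string and easy to mistype, so the comment could also note that the `#PYTHON2BASH:` prefix is what the image expects for structured host configuration (verify against the image's documentation).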