Example deployment using a cs3 user backend connected to ldap

This bypasses the accounts-service Co-authored-by: Willy Kloucek <wkloucek@owncloud.com>
2026-04-30 07:49:41 -05:00 · 2020-12-10 16:42:38 +01:00
parent 92a1bc8fb6
commit c8668e8cb1
9 changed files with 471 additions and 0 deletions
@@ -0,0 +1,26 @@
+# If you're on a internet facing server please comment out following line.
+# It skips certificate validation for various parts of oCIS and is needed if you use self signed certificates.
+INSECURE=true
+
+### Traefik settings ###
+# Domain of Traefik, where you can find the dashboard. Defaults to "traefik.owncloud.test"
+TRAEFIK_DOMAIN=
+# Basic authentication for the dashboard. Defaults to user "admin" and password "admin"
+TRAEFIK_BASIC_AUTH_USERS=
+# Email address for obtaining LetsEncrypt certificates, needs only be changed if this is a public facing server
+TRAEFIK_ACME_MAIL=
+
+### oCIS settings ###
+# oCIS version. Defaults to "latest"
+OCIS_DOCKER_TAG=
+# Domain of oCIS, where you can find the frontend. Defaults to "ocis.owncloud.test"
+OCIS_DOMAIN=
+
+
+### LDAP server settings ###
+# Password of LDAP user "cn=admin,dc=owncloud,dc=test". Defaults to "admin"
+LDAP_ADMIN_PASSWORD=
+
+### LDAP manager settings ###
+# Domain of LDAP manager. Defaults to "ldap.owncloud.test"
+LDAP_MANAGER_DOMAIN=
@@ -0,0 +1,6 @@
+---
+document this deployment example in docs/ocis/deployment/cs3_users_ocis.md
+---
+
+Please refer to [our documentation](https://owncloud.github.io/ocis/deployment/cs3_users_ocis/)
+for instructions on how to deploy this scenario.
@@ -0,0 +1,9 @@
+# This LDIF files describes the ownCloud schema and can be used to
+# add two optional attributes: ownCloudQuota and ownCloudUUID
+# The ownCloudUUID is used to store a unique, non-reassignable, persistent identifier for users and groups
+dn: cn=owncloud,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: owncloud
+olcAttributeTypes: ( 1.3.6.1.4.1.39430.1.1.1 NAME 'ownCloudQuota' DESC 'User Quota (e.g. 2 GB)' EQUALITY caseExactMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.4.1.39430.1.1.2 NAME 'ownCloudUUID' DESC 'A non-reassignable and persistent account ID)' EQUALITY uuidMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.1.16.1 SINGLE-VALUE )
+olcObjectClasses: ( 1.3.6.1.4.1.39430.1.2.1 NAME 'ownCloud' DESC 'ownCloud LDAP Schema' AUXILIARY MAY ( ownCloudQuota $ ownCloudUUID ) )
@@ -0,0 +1,64 @@
+dn: ou=users,dc=owncloud,dc=com
+objectClass: organizationalUnit
+ou: users
+
+# Start dn with uid (user identifier / login), not cn (Firstname + Surname)
+dn: uid=einstein,ou=users,dc=owncloud,dc=com
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: ownCloud
+objectClass: person
+objectClass: posixAccount
+objectClass: top
+uid: einstein
+givenName: Albert
+sn: Einstein
+cn: Albert Einstein
+displayName: Albert Einstein
+description: A German-born theoretical physicist who developed the theory of relativity, one of the two pillars of modern physics (alongside quantum mechanics).
+mail: einstein@example.org
+uidNumber: 20000
+gidNumber: 30000
+homeDirectory: /home/einstein
+ownCloudUUID:: NGM1MTBhZGEtYzg2Yi00ODE1LTg4MjAtNDJjZGY4MmMzZDUx
+userPassword:: e1NTSEF9TXJEcXpFNGdKbXZxbVRVTGhvWEZ1VzJBbkV3NWFLK3J3WTIvbHc9PQ==
+
+dn: uid=marie,ou=users,dc=owncloud,dc=com
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: ownCloud
+objectClass: person
+objectClass: posixAccount
+objectClass: top
+uid: marie
+givenName: Marie
+sn: Curie
+cn: Marie Curie
+displayName: Marie Skłodowska Curie
+description: A Polish and naturalized-French physicist and chemist who conducted pioneering research on radioactivity.
+mail: marie@example.org
+uidNumber: 20001
+gidNumber: 30000
+homeDirectory: /home/marie
+ownCloudUUID:: ZjdmYmY4YzgtMTM5Yi00Mzc2LWIzMDctY2YwYThjMmQwZDlj
+userPassword:: e1NTSEF9UmFvQWs3TU9jRHBIUWY3bXN3MGhHNnVraFZQWnRIRlhOSUNNZEE9PQ==
+
+dn: uid=richard,ou=users,dc=owncloud,dc=com
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: ownCloud
+objectClass: person
+objectClass: posixAccount
+objectClass: top
+uid: richard
+givenName: Richard
+sn: Feynman
+cn: Richard Feynman
+displayName: Richard Phillips Feynman
+description: An American theoretical physicist, known for his work in the path integral formulation of quantum mechanics, the theory of quantum electrodynamics, the physics of the superfluidity of supercooled liquid helium, as well as his work in particle physics for which he proposed the parton model.
+mail: richard@example.org
+uidNumber: 20002
+gidNumber: 30000
+homeDirectory: /home/richard
+ownCloudUUID:: OTMyYjQ1NDAtOGQxNi00ODFlLThlZjQtNTg4ZTRiNmIxNTFj
+userPassword:: e1NTSEF9Z05LZTRreHdmOGRUREY5eHlhSmpySTZ3MGxSVUM1d1RGcWROTVE9PQ==
@@ -0,0 +1,95 @@
+dn: ou=groups,dc=owncloud,dc=com
+objectClass: organizationalUnit
+ou: groups
+
+dn: cn=users,ou=groups,dc=owncloud,dc=com
+objectClass: groupOfUniqueNames
+objectClass: posixGroup
+objectClass: ownCloud
+objectClass: top
+cn: users
+description: Users
+gidNumber: 30000
+ownCloudUUID:: NTA5YTlkY2QtYmIzNy00ZjRmLWEwMWEtMTlkY2EyN2Q5Y2Zh
+uniqueMember: uid=einstein,ou=users,dc=owncloud,dc=com
+uniqueMember: uid=marie,ou=users,dc=owncloud,dc=com
+uniqueMember: uid=richard,ou=users,dc=owncloud,dc=com
+
+dn: cn=sailing-lovers,ou=groups,dc=owncloud,dc=com
+objectClass: groupOfUniqueNames
+objectClass: posixGroup
+objectClass: ownCloud
+objectClass: top
+cn: sailing-lovers
+description: Sailing lovers
+gidNumber: 30001
+ownCloudUUID:: NjA0MGFhMTctOWM2NC00ZmVmLTliZDAtNzcyMzRkNzFiYWQw
+uniqueMember: uid=einstein,ou=users,dc=owncloud,dc=com
+
+dn: cn=violin-haters,ou=groups,dc=owncloud,dc=com
+objectClass: groupOfUniqueNames
+objectClass: posixGroup
+objectClass: ownCloud
+objectClass: top
+cn: violin-haters
+description: Violin haters
+gidNumber: 30002
+ownCloudUUID:: ZGQ1OGU1ZWMtODQyZS00OThiLTg4MDAtNjFmMmVjNmY5MTFm
+uniqueMember: uid=einstein,ou=users,dc=owncloud,dc=com
+
+dn: cn=radium-lovers,ou=groups,dc=owncloud,dc=com
+objectClass: groupOfUniqueNames
+objectClass: posixGroup
+objectClass: ownCloud
+objectClass: top
+cn: radium-lovers
+description: Radium lovers
+gidNumber: 30003
+ownCloudUUID:: N2I4N2ZkNDktMjg2ZS00YTVmLWJhZmQtYzUzNWQ1ZGQ5OTdh
+uniqueMember: uid=marie,ou=users,dc=owncloud,dc=com
+
+dn: cn=polonium-lovers,ou=groups,dc=owncloud,dc=com
+objectClass: groupOfUniqueNames
+objectClass: posixGroup
+objectClass: ownCloud
+objectClass: top
+cn: polonium-lovers
+description: Polonium lovers
+gidNumber: 30004
+ownCloudUUID:: Y2VkYzIxYWEtNDA3Mi00NjE0LTg2NzYtZmE5MTY1ZjU5OGZm
+uniqueMember: uid=marie,ou=users,dc=owncloud,dc=com
+
+dn: cn=quantum-lovers,ou=groups,dc=owncloud,dc=com
+objectClass: groupOfUniqueNames
+objectClass: posixGroup
+objectClass: ownCloud
+objectClass: top
+cn: quantum-lovers
+description: Quantum lovers
+gidNumber: 30005
+ownCloudUUID:: YTE3MjYxMDgtMDFmOC00YzMwLTg4ZGYtMmIxYTlkMWNiYTFh
+uniqueMember: uid=richard,ou=users,dc=owncloud,dc=com
+
+dn: cn=philosophy-haters,ou=groups,dc=owncloud,dc=com
+objectClass: groupOfUniqueNames
+objectClass: posixGroup
+objectClass: ownCloud
+objectClass: top
+cn: philosophy-haters
+description: Philosophy haters
+gidNumber: 30006
+ownCloudUUID:: MTY3Y2JlZTItMDUxOC00NTVhLWJmYjItMDMxZmUwNjIxZTVk
+uniqueMember: uid=richard,ou=users,dc=owncloud,dc=com
+
+dn: cn=physics-lovers,ou=groups,dc=owncloud,dc=com
+objectClass: groupOfUniqueNames
+objectClass: posixGroup
+objectClass: ownCloud
+objectClass: top
+cn: physics-lovers
+description: Physics lovers
+gidNumber: 30007
+ownCloudUUID:: MjYyOTgyYzEtMjM2Mi00YWZhLWJmZGYtOGNiZmVmNjRhMDZl
+uniqueMember: uid=einstein,ou=users,dc=owncloud,dc=com
+uniqueMember: uid=marie,ou=users,dc=owncloud,dc=com
+uniqueMember: uid=richard,ou=users,dc=owncloud,dc=com
@@ -0,0 +1 @@
+identifier-registration.yaml
@@ -0,0 +1,41 @@
+---
+
+# OpenID Connect client registry.
+clients:
+  - id: phoenix
+    name: OCIS
+    application_type: web
+    insecure: yes
+    trusted: yes
+    redirect_uris:
+      - https://ocis.owncloud.test/
+      - https://ocis.owncloud.test/oidc-callback.html
+      - https://ocis.owncloud.test/oidc-silent-redirect.html
+    origins:
+      - https://ocis.owncloud.test
+
+  - id: ocis-explorer.js
+    name: oCIS Graph Explorer
+    trusted: yes
+    insecure: yes
+
+  - id: xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69
+    secret: UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh
+    name: ownCloud desktop app
+    application_type: native
+    insecure: true
+
+  - id: e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD
+    secret: dInFYGV33xKzhbRmpqQltYNdfLdJIfJ9L5ISoKhNoT9qZftpdWSP71VrpGR9pmoD
+    name: ownCloud Android app
+    application_type: native
+    redirect_uris:
+      - oc://android.owncloud.com
+
+  - id: mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1
+    secret: KFeFWWEZO9TkisIQzR3fo7hfiMXlOpaqP8CFuTbSHzV1TUuGECglPxpiVKJfOXIx
+    name: ownCloud iOS app
+    application_type: native
+    redirect_uris:
+      - oc://ios.owncloud.com
+      - oc.ios://ios.owncloud.com
@@ -0,0 +1,82 @@
+{
+  "HTTP": {
+    "Namespace": "com.owncloud"
+  },
+  "policy_selector": {
+    "static": {
+      "policy": "ocis"
+    }
+  },
+  "policies": [
+    {
+      "name": "ocis",
+      "routes": [
+        {
+          "endpoint": "/",
+          "backend": "http://localhost:9100"
+        },
+        {
+          "endpoint": "/.well-known/",
+          "backend": "http://localhost:9130"
+        },
+        {
+          "endpoint": "/konnect/",
+          "backend": "http://localhost:9130"
+        },
+        {
+          "endpoint": "/signin/",
+          "backend": "http://localhost:9130"
+        },
+        {
+          "type": "regex",
+          "endpoint": "/ocs/v[12].php/cloud/user/signing-key",
+          "backend": "http://localhost:9110"
+        },
+        {
+          "endpoint": "/ocs/",
+          "backend": "http://localhost:9140"
+        },
+        {
+          "endpoint": "/remote.php/",
+          "backend": "http://localhost:9140"
+        },
+        {
+          "endpoint": "/dav/",
+          "backend": "http://localhost:9140"
+        },
+        {
+          "endpoint": "/webdav/",
+          "backend": "http://localhost:9140"
+        },
+        {
+          "endpoint": "/status.php",
+          "backend": "http://localhost:9140"
+        },
+        {
+          "endpoint": "/index.php/",
+          "backend": "http://localhost:9140"
+        },
+        {
+          "endpoint": "/data",
+          "backend": "http://localhost:9140"
+        },
+        {
+          "endpoint": "/api/v0/settings",
+          "backend":  "http://localhost:9190"
+        },
+        {
+          "endpoint": "/settings.js",
+          "backend":  "http://localhost:9190"
+	},
+	{
+          "endpoint": "/api/v0/greet",
+          "backend": "http://localhost:9105"
+        },
+        {
+          "endpoint": "/hello.js",
+          "backend": "http://localhost:9105"
+        }
+      ]
+    }
+  ]
+}
@@ -0,0 +1,147 @@
+---
+version: "3.7"
+
+services:
+  traefik:
+    image: "traefik:v2.3"
+    networks:
+      default:
+        aliases:
+          - ${OCIS_DOMAIN:-ocis.owncloud.test}
+    command:
+      #- "--log.level=DEBUG"
+      - "--certificatesResolvers.http.acme.email=${TRAEFIK_ACME_MAIL:-'example@example.org'}"
+      - "--certificatesResolvers.http.acme.storage=/certs/acme.json"
+      - "--certificatesResolvers.http.acme.httpChallenge.entryPoint=http"
+      - "--api.dashboard=true"
+      - "--entryPoints.http.address=:80"
+      - "--entryPoints.https.address=:443"
+      - "--providers.docker.endpoint=unix:///var/run/docker.sock"
+      - "--providers.docker.exposedByDefault=false"
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - "/var/run/docker.sock:/var/run/docker.sock:ro"
+      - "certs:/certs"
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.traefik.entrypoints=http"
+      - "traefik.http.routers.traefik.rule=Host(`${TRAEFIK_DOMAIN:-traefik.owncloud.test}`)"
+      - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_BASIC_AUTH_USERS:-admin:$apr1$4vqie50r$YQAmQdtmz5n9rEALhxJ4l.}" # defaults to admin:admin
+      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
+      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
+      - "traefik.http.routers.traefik-secure.entrypoints=https"
+      - "traefik.http.routers.traefik-secure.rule=Host(`${TRAEFIK_DOMAIN:-traefik.owncloud.test}`)"
+      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
+      - "traefik.http.routers.traefik-secure.tls=true"
+      - "traefik.http.routers.traefik-secure.tls.certresolver=http"
+      - "traefik.http.routers.traefik-secure.service=api@internal"
+    restart: always
+
+  ocis:
+    image: owncloud/ocis:${OCIS_DOCKER_TAG:-latest}
+    entrypoint:
+      - /bin/sh
+      - -c
+      - | # as long as https://github.com/owncloud/product/issues/15 is open we need this step to template konnectd config
+        cp /config/identifier-registration.dist.yaml /config/identifier-registration.yaml
+        sed -i 's/ocis.owncloud.test/${OCIS_DOMAIN:-ocis.owncloud.test}/g' /config/identifier-registration.yaml
+        ocis server
+    depends_on:
+      - ldap-server
+    environment:
+      # CS3 users frpm ldap specific config
+      PROXY_CONFIG_FILE: "/config/proxy-config.json"
+      LDAP_FILTER: "(&(objectclass=inetOrgPerson)(objectClass=owncloud))"
+      LDAP_URI: ldap://ldap-server:389
+      LDAP_BINDDN: "cn=admin,dc=owncloud,dc=test"
+      LDAP_BINDPW: ${LDAP_ADMIN_PASSWORD:-admin}
+      LDAP_BASEDN: "dc=owncloud,dc=test"
+      LDAP_LOGIN_ATTRIBUTE: uid
+      LDAP_UUID_ATTRIBUTE: "ownclouduuid"
+      LDAP_UUID_ATTRIBUTE_TYPE: binary
+      PROXY_ACCOUNT_BACKEND_TYPE: cs3
+      STORAGE_LDAP_HOSTNAME: ldap-server
+      STORAGE_LDAP_PORT: 636
+      STORAGE_LDAP_BASE_DN: "dc=owncloud,dc=test"
+      STORAGE_LDAP_BIND_DN: "cn=admin,dc=owncloud,dc=test"
+      STORAGE_LDAP_BIND_PASSWORD: ${LDAP_ADMIN_PASSWORD:-admin}
+      STORAGE_LDAP_LOGINFILTER: '(&(objectclass=inetOrgPerson)(objectclass=owncloud)(|(uid={{login}})(mail={{login}})))'
+      STORAGE_LDAP_USERFILTER: '(&(objectclass=inetOrgPerson)(objectclass=owncloud)(|(ownclouduuid={{.OpaqueId}})(uid={{.OpaqueId}})))'
+      STORAGE_LDAP_ATTRIBUTEFILTER: '(&(objectclass=owncloud)({{attr}}={{value}}))'
+      STORAGE_LDAP_FINDFILTER: '(&(objectclass=owncloud)(|(uid={{query}}*)(cn={{query}}*)(displayname={{query}}*)(mail={{query}}*)(description={{query}}*)))'
+      STORAGE_LDAP_GROUPFILTER: '(&(objectclass=groupOfUniqueNames)(objectclass=owncloud)(ownclouduuid={{.OpaqueId}}*))'
+      # General ocis config
+      OCIS_DOMAIN: ${OCIS_DOMAIN:-ocis.owncloud.test}
+      OCIS_LOG_LEVEL: error
+      # proxy config
+      PROXY_AUTOPROVISION_ACCOUNTS: "true"
+      PROXY_OIDC_INSECURE: "${INSECURE:-false}"
+      PROXY_OIDC_ISSUER: https://${OCIS_DOMAIN:-ocis.owncloud.test}
+      PROXY_TLS: "false"
+      # phoenix config
+      PHOENIX_OIDC_AUTHORITY: https://${OCIS_DOMAIN:-ocis.owncloud.test}
+      PHOENIX_OIDC_METADATA_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}/.well-known/openid-configuration
+      PHOENIX_WEB_CONFIG_APPS: files,draw-io,markdown-editor,media-viewer
+      PHOENIX_WEB_CONFIG_SERVER: https://${OCIS_DOMAIN:-ocis.owncloud.test}
+      # storage config
+      STORAGE_DATAGATEWAY_PUBLIC_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}/data
+      STORAGE_FRONTEND_PUBLIC_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}/
+      STORAGE_OIDC_ISSUER: https://${OCIS_DOMAIN:-ocis.owncloud.test}
+      # idp config
+      KONNECTD_ISS: https://${OCIS_DOMAIN:-ocis.owncloud.test}
+      KONNECTD_TLS: 'false'
+    volumes:
+      - ./config/ocis:/config
+      - ocis-data:/var/tmp/ocis
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.ocis.entrypoints=http"
+      - "traefik.http.routers.ocis.rule=Host(`${OCIS_DOMAIN:-ocis.owncloud.test}`)"
+      - "traefik.http.middlewares.ocis-https-redirect.redirectscheme.scheme=https"
+      - "traefik.http.routers.ocis.middlewares=ocis-https-redirect"
+      - "traefik.http.routers.ocis-secure.entrypoints=https"
+      - "traefik.http.routers.ocis-secure.rule=Host(`${OCIS_DOMAIN:-ocis.owncloud.test}`)"
+      - "traefik.http.routers.ocis-secure.tls=true"
+      - "traefik.http.routers.ocis-secure.tls.certresolver=http"
+      - "traefik.http.routers.ocis-secure.service=ocis"
+      - "traefik.http.services.ocis.loadbalancer.server.port=9200"
+    restart: always
+
+  ldap-server:
+    image: osixia/openldap:latest
+    command: --copy-service --loglevel debug
+    environment:
+      LDAP_TLS_VERIFY_CLIENT: never
+      LDAP_DOMAIN: owncloud.test
+      LDAP_ORGANISATION: ownCloud
+      LDAP_ADMIN_PASSWORD: ${LDAP_ADMIN_PASSWORD:-admin}
+      LDAP_RFC2307BIS_SCHEMA: "true"
+      LDAP_REMOVE_CONFIG_AFTER_SETUP: "false"
+    volumes:
+      - ./config/ldap/ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom
+    restart: always
+
+  ldap-manager:
+    image: osixia/phpldapadmin:0.9.0
+    environment:
+      PHPLDAPADMIN_LDAP_HOSTS: ldap-server
+      PHPLDAPADMIN_HTTPS: "false"
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.ldap-manager.entrypoints=http"
+      - "traefik.http.routers.ldap-manager.rule=Host(`${LDAP_MANAGER_DOMAIN:-ldap.owncloud.test}`)"
+      - "traefik.http.middlewares.ldap-manager-https-redirect.redirectscheme.scheme=https"
+      - "traefik.http.routers.ldap-manager.middlewares=ldap-manager-https-redirect"
+      - "traefik.http.routers.ldap-manager-secure.entrypoints=https"
+      - "traefik.http.routers.ldap-manager-secure.rule=Host(`${LDAP_MANAGER_DOMAIN:-ldap.owncloud.test}`)"
+      - "traefik.http.routers.ldap-manager-secure.tls=true"
+      - "traefik.http.routers.ldap-manager-secure.tls.certresolver=http"
+      - "traefik.http.routers.ldap-manager-secure.service=ldap-manager"
+      - "traefik.http.services.ldap-manager.loadbalancer.server.port=80"
+    restart: always
+
+volumes:
+  certs:
+  ocis-data: