fix: fix group creation in multi-instance ocis

Signed-off-by: Julian Koberg <julian.koberg@kiteworks.com>
2026-04-25 17:25:21 +02:00 · 2026-01-22 13:54:38 +01:00
parent a62ad99903
commit 563bbf28c0
10 changed files with 285 additions and 234 deletions
--- a/deployments/examples/ocis_multi/docker-compose.yml
+++ b/deployments/examples/ocis_multi/docker-compose.yml
@@ -89,7 +89,8 @@ services:
      OCIS_LDAP_BIND_DN: "cn=admin,dc=owncloud,dc=com"
      OCIS_LDAP_BIND_PASSWORD: ${LDAP_ADMIN_PASSWORD:-admin}
      OCIS_LDAP_GROUP_BASE_DN: "ou=groups,dc=owncloud,dc=com"
-      OCIS_LDAP_GROUP_OBJECTCLASS: "groupOfNames"
+      GRAPH_LDAP_GROUP_CREATE_BASE_DN: "ou=groups-ec730a6c-1b63-4b45-b83b-9e2311afdf85,ou=groups,dc=owncloud,dc=com"
      OCIS_LDAP_GROUP_OBJECTCLASS: "owncloudGroup"
      OCIS_LDAP_USER_BASE_DN: "ou=users,dc=owncloud,dc=com"
      OCIS_LDAP_USER_OBJECTCLASS: "inetOrgPerson"
      LDAP_LOGIN_ATTRIBUTES: "uid"
@@ -106,6 +107,7 @@ services:
      OCIS_LDAP_GROUP_FILTER: "(&(objectclass=owncloud)(ownCloudMemberOf=ec730a6c-1b63-4b45-b83b-9e2311afdf85))"
      OCIS_LDAP_USER_MEMBER_ATTRIBUTE: "owncloudMemberOf"
      OCIS_LDAP_USER_GUEST_ATTRIBUTE: "ownCloudGuestOf"
      OCIS_LDAP_GROUP_AFFILIATION_ATTRIBUTE: "owncloudMemberOf"
      OCIS_LDAP_PRECISE_SEARCH_ATTRIBUTE: "cn"
      OCIS_LDAP_INSTANCE_MAPPER_ENABLED: true
      OCIS_LDAP_INSTANCE_MAPPER_BASE_DN: "dc=owncloud,dc=com"
@@ -117,8 +119,9 @@ services:
      OCIS_MULTI_INSTANCE_GUEST_ROLE: "user-light"
      OCIS_LDAP_CROSS_INSTANCE_REFERENCE_TEMPLATE: "{{.Username}}@{{.Instancename}}.owncloud.test"
      OCIS_LDAP_INSTANCE_URL_TEMPLATE: "https://{{.Instancename}}.owncloud.test"
-      # Workaround needed to show external users - can be removed once fixed
+      # FIXME: sync groups properly to keycloak and remove the next line
-      OCIS_USER_SEARCH_DISPLAYED_ATTRIBUTES: mail
+      PROXY_AUTOPROVISION_CLAIM_GROUPS: ""
      # specific for deployment example
      PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM: ownCloudRole
    volumes:
      - ./config/ocis/banned-password-list.txt:/etc/ocis/banned-password-list.txt
--- a/docs/helpers/env_vars.yaml
+++ b/docs/helpers/env_vars.yaml
@@ -7882,12 +7882,12 @@ OCDAV_WEBDAV_NAMESPACE:
  removalVersion: ""
  deprecationInfo: ""
 OCIS_ADMIN_USER_ID:
-  name: OCIS_ADMIN_USER_ID;IDM_ADMIN_USER_ID
+  name: OCIS_ADMIN_USER_ID;STORAGE_USERS_PURGE_TRASH_BIN_USER_ID
  defaultValue: ""
  type: string
-  description: ID of the user that should receive admin privileges. Consider that
+  description: ID of the user who collects all necessary information for deletion.
-    the UUID can be encoded in some LDAP deployment configurations like in .ldif files.
+    Consider that the UUID can be encoded in some LDAP deployment configurations like
-    These need to be decoded beforehand.
+    in .ldif files. These need to be decoded beforehand.
  introductionVersion: pre5.0
  deprecationVersion: ""
  removalVersion: ""
@@ -7903,7 +7903,7 @@ OCIS_ASSET_THEMES_PATH:
  removalVersion: ""
  deprecationInfo: ""
 OCIS_ASYNC_UPLOADS:
-  name: OCIS_ASYNC_UPLOADS;SEARCH_EVENTS_ASYNC_UPLOADS
+  name: OCIS_ASYNC_UPLOADS
  defaultValue: "true"
  type: bool
  description: Enable asynchronous file uploads.
@@ -7912,28 +7912,28 @@ OCIS_ASYNC_UPLOADS:
  removalVersion: ""
  deprecationInfo: ""
 OCIS_CACHE_AUTH_PASSWORD:
-  name: OCIS_CACHE_AUTH_PASSWORD;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_PASSWORD
+  name: OCIS_CACHE_AUTH_PASSWORD;STORAGE_USERS_ID_CACHE_AUTH_PASSWORD
  defaultValue: ""
  type: string
-  description: The password to authenticate with the store. Only applies when store
+  description: The password to authenticate with the cache store. Only applies when
-    type 'nats-js-kv' is configured.
+    store type 'nats-js-kv' is configured.
  introductionVersion: "5.0"
  deprecationVersion: ""
  removalVersion: ""
  deprecationInfo: ""
 OCIS_CACHE_AUTH_USERNAME:
-  name: OCIS_CACHE_AUTH_USERNAME;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_USERNAME
+  name: OCIS_CACHE_AUTH_USERNAME;STORAGE_USERS_ID_CACHE_AUTH_USERNAME
  defaultValue: ""
  type: string
-  description: The username to authenticate with the store. Only applies when store
+  description: The username to authenticate with the cache store. Only applies when
-    type 'nats-js-kv' is configured.
+    store type 'nats-js-kv' is configured.
  introductionVersion: "5.0"
  deprecationVersion: ""
  removalVersion: ""
  deprecationInfo: ""
 OCIS_CACHE_DATABASE:
  name: OCIS_CACHE_DATABASE
-  defaultValue: cache-userinfo
+  defaultValue: ids-storage-users
  type: string
  description: The database name the configured store should use.
  introductionVersion: pre5.0
@@ -7941,43 +7941,46 @@ OCIS_CACHE_DATABASE:
  removalVersion: ""
  deprecationInfo: ""
 OCIS_CACHE_DISABLE_PERSISTENCE:
-  name: OCIS_CACHE_DISABLE_PERSISTENCE;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_DISABLE_PERSISTENCE
+  name: OCIS_CACHE_DISABLE_PERSISTENCE;STORAGE_USERS_ID_CACHE_DISABLE_PERSISTENCE
-  defaultValue: "true"
+  defaultValue: "false"
  type: bool
-  description: Disables persistence of the store. Only applies when store type 'nats-js-kv'
+  description: Disables persistence of the cache. Only applies when store type 'nats-js-kv'
-    is configured. Defaults to true.
+    is configured. Defaults to false.
  introductionVersion: "5.0"
  deprecationVersion: ""
  removalVersion: ""
  deprecationInfo: ""
 OCIS_CACHE_STORE:
-  name: OCIS_CACHE_STORE;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE
+  name: OCIS_CACHE_STORE;STORAGE_USERS_ID_CACHE_STORE
-  defaultValue: nats-js-kv
+  defaultValue: memory
  type: string
-  description: 'The type of the signing key store. Supported values are: ''redis-sentinel''
+  description: 'The type of the cache store. Supported values are: ''memory'', ''redis-sentinel'',
-    and ''nats-js-kv''. See the text description for details.'
+    ''nats-js-kv'', ''noop''. See the text description for details.'
-  introductionVersion: "5.0"
+  introductionVersion: pre5.0
  deprecationVersion: ""
  removalVersion: ""
  deprecationInfo: ""
 OCIS_CACHE_STORE_NODES:
-  name: OCIS_CACHE_STORE_NODES;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES
+  name: OCIS_CACHE_STORE_NODES;STORAGE_USERS_ID_CACHE_STORE_NODES
  defaultValue: '[127.0.0.1:9233]'
  type: '[]string'
-  description: A list of nodes to access the configured store. Note that the behaviour
+  description: A list of nodes to access the configured store. This has no effect
-    how nodes are used is dependent on the library of the configured store. See the
+    when 'memory' store is configured. Note that the behaviour how nodes are used
-    Environment Variable Types description for more details.
+    is dependent on the library of the configured store. See the Environment Variable
-  introductionVersion: "5.0"
+    Types description for more details.
  introductionVersion: pre5.0
  deprecationVersion: ""
  removalVersion: ""
  deprecationInfo: ""
 OCIS_CACHE_TTL:
-  name: OCIS_CACHE_TTL;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_TTL
+  name: OCIS_CACHE_TTL;STORAGE_USERS_ID_CACHE_TTL
-  defaultValue: 12h0m0s
+  defaultValue: 24m0s
  type: Duration
-  description: Default time to live for signing keys. See the Environment Variable
+  description: Default time to live for user info in the user info cache. Only applied
-    Types description for more details.
+    when access tokens have no expiration. Defaults to 300s which is derived from
-  introductionVersion: "5.0"
+    the underlaying package though not explicitly set as default. See the Environment
    Variable Types description for more details.
  introductionVersion: pre5.0
  deprecationVersion: ""
  removalVersion: ""
  deprecationInfo: ""
@@ -8019,8 +8022,8 @@ OCIS_CLAIM_MANAGED_SPACES_REGEXP:
  removalVersion: ""
  deprecationInfo: ""
 OCIS_CORS_ALLOW_CREDENTIALS:
-  name: OCIS_CORS_ALLOW_CREDENTIALS;WEBDAV_CORS_ALLOW_CREDENTIALS
+  name: OCIS_CORS_ALLOW_CREDENTIALS;STORAGE_USERS_CORS_ALLOW_CREDENTIALS
-  defaultValue: "true"
+  defaultValue: "false"
  type: bool
  description: 'Allow credentials for CORS.See following chapter for more details:
    *Access-Control-Allow-Credentials* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.'
@@ -8029,9 +8032,10 @@ OCIS_CORS_ALLOW_CREDENTIALS:
  removalVersion: ""
  deprecationInfo: ""
 OCIS_CORS_ALLOW_HEADERS:
-  name: OCIS_CORS_ALLOW_HEADERS;WEBDAV_CORS_ALLOW_HEADERS
+  name: OCIS_CORS_ALLOW_HEADERS;STORAGE_USERS_CORS_ALLOW_HEADERS
-  defaultValue: '[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id
+  defaultValue: '[Authorization Origin X-Requested-With X-Request-Id X-HTTP-Method-Override
-    Cache-Control]'
+    Content-Type Upload-Length Upload-Offset Tus-Resumable Upload-Metadata Upload-Defer-Length
    Upload-Concat Upload-Incomplete Upload-Draft-Interop-Version]'
  type: '[]string'
  description: 'A list of allowed CORS headers. See following chapter for more details:
    *Access-Control-Request-Headers* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers.
@@ -8041,8 +8045,8 @@ OCIS_CORS_ALLOW_HEADERS:
  removalVersion: ""
  deprecationInfo: ""
 OCIS_CORS_ALLOW_METHODS:
-  name: OCIS_CORS_ALLOW_METHODS;WEBDAV_CORS_ALLOW_METHODS
+  name: OCIS_CORS_ALLOW_METHODS;STORAGE_USERS_CORS_ALLOW_METHODS
-  defaultValue: '[GET POST PUT PATCH DELETE OPTIONS]'
+  defaultValue: '[POST HEAD PATCH OPTIONS GET DELETE]'
  type: '[]string'
  description: 'A list of allowed CORS methods. See following chapter for more details:
    *Access-Control-Request-Method* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method.
@@ -8052,8 +8056,8 @@ OCIS_CORS_ALLOW_METHODS:
  removalVersion: ""
  deprecationInfo: ""
 OCIS_CORS_ALLOW_ORIGINS:
-  name: OCIS_CORS_ALLOW_ORIGINS;WEBDAV_CORS_ALLOW_ORIGINS
+  name: OCIS_CORS_ALLOW_ORIGINS;STORAGE_USERS_CORS_ALLOW_ORIGINS
-  defaultValue: '[*]'
+  defaultValue: '[https://localhost:9200]'
  type: '[]string'
  description: 'A list of allowed CORS origins. See following chapter for more details:
    *Access-Control-Allow-Origin* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin.
@@ -8148,7 +8152,7 @@ OCIS_DISABLE_VERSIONING:
  removalVersion: ""
  deprecationInfo: ""
 OCIS_EDITION:
-  name: OCIS_EDITION;FRONTEND_EDITION
+  name: OCIS_EDITION;OCDAV_EDITION
  defaultValue: Community
  type: string
  description: Edition of oCIS. Used for branding purposes.
@@ -8166,36 +8170,34 @@ OCIS_EMAIL_TEMPLATE_PATH:
  removalVersion: ""
  deprecationInfo: ""
 OCIS_ENABLE_OCM:
-  name: OCIS_ENABLE_OCM
+  name: OCIS_ENABLE_OCM;GRAPH_INCLUDE_OCM_SHAREES
  defaultValue: "false"
  type: bool
-  description: Include OCM sharees when listing sharees.
+  description: Include OCM sharees when listing users.
  introductionVersion: "5.0"
  deprecationVersion: ""
  removalVersion: ""
  deprecationInfo: ""
 OCIS_EVENTS_AUTH_PASSWORD:
-  name: OCIS_EVENTS_AUTH_PASSWORD;POSTPROCESSING_EVENTS_AUTH_PASSWORD
+  name: OCIS_EVENTS_AUTH_PASSWORD;SHARING_EVENTS_AUTH_PASSWORD
  defaultValue: ""
  type: string
-  description: The password to authenticate with the events broker. The events broker
+  description: Password for the events broker.
    is the ocis service which receives and delivers events between the services.
  introductionVersion: "5.0"
  deprecationVersion: ""
  removalVersion: ""
  deprecationInfo: ""
 OCIS_EVENTS_AUTH_USERNAME:
-  name: OCIS_EVENTS_AUTH_USERNAME;POSTPROCESSING_EVENTS_AUTH_USERNAME
+  name: OCIS_EVENTS_AUTH_USERNAME;SHARING_EVENTS_AUTH_USERNAME
  defaultValue: ""
  type: string
-  description: The username to authenticate with the events broker. The events broker
+  description: Username for the events broker.
    is the ocis service which receives and delivers events between the services.
  introductionVersion: "5.0"
  deprecationVersion: ""
  removalVersion: ""
  deprecationInfo: ""
 OCIS_EVENTS_CLUSTER:
-  name: OCIS_EVENTS_CLUSTER;POSTPROCESSING_EVENTS_CLUSTER
+  name: OCIS_EVENTS_CLUSTER;SHARING_EVENTS_CLUSTER
  defaultValue: ocis-cluster
  type: string
  description: The clusterID of the event system. The event system is the message
@@ -8206,7 +8208,7 @@ OCIS_EVENTS_CLUSTER:
  removalVersion: ""
  deprecationInfo: ""
 OCIS_EVENTS_ENABLE_TLS:
-  name: OCIS_EVENTS_ENABLE_TLS;POSTPROCESSING_EVENTS_ENABLE_TLS
+  name: OCIS_EVENTS_ENABLE_TLS;SHARING_EVENTS_ENABLE_TLS
  defaultValue: "false"
  type: bool
  description: Enable TLS for the connection to the events broker. The events broker
@@ -8216,7 +8218,7 @@ OCIS_EVENTS_ENABLE_TLS:
  removalVersion: ""
  deprecationInfo: ""
 OCIS_EVENTS_ENDPOINT:
-  name: OCIS_EVENTS_ENDPOINT;POSTPROCESSING_EVENTS_ENDPOINT
+  name: OCIS_EVENTS_ENDPOINT;SHARING_EVENTS_ENDPOINT
  defaultValue: 127.0.0.1:9233
  type: string
  description: The address of the event system. The event system is the message queuing
@@ -8226,11 +8228,11 @@ OCIS_EVENTS_ENDPOINT:
  removalVersion: ""
  deprecationInfo: ""
 OCIS_EVENTS_TLS_ROOT_CA_CERTIFICATE:
-  name: OCIS_EVENTS_TLS_ROOT_CA_CERTIFICATE;POSTPROCESSING_EVENTS_TLS_ROOT_CA_CERTIFICATE
+  name: OCIS_EVENTS_TLS_ROOT_CA_CERTIFICATE;SHARING_EVENTS_TLS_ROOT_CA_CERTIFICATE
  defaultValue: ""
  type: string
  description: The root CA certificate used to validate the server's TLS certificate.
-    If provided POSTPROCESSING_EVENTS_TLS_INSECURE will be seen as false.
+    If provided SHARING_EVENTS_TLS_INSECURE will be seen as false.
  introductionVersion: pre5.0
  deprecationVersion: ""
  removalVersion: ""
@@ -8268,7 +8270,7 @@ OCIS_GRPC_CLIENT_TLS_MODE:
  removalVersion: ""
  deprecationInfo: ""
 OCIS_GRPC_PROTOCOL:
-  name: OCIS_GRPC_PROTOCOL;AUTH_BEARER_GRPC_PROTOCOL
+  name: OCIS_GRPC_PROTOCOL;SHARING_GRPC_PROTOCOL
  defaultValue: ""
  type: string
  description: The transport protocol of the GRPC service.
@@ -8308,17 +8310,16 @@ OCIS_HTTP_TLS_KEY:
  removalVersion: ""
  deprecationInfo: ""
 OCIS_INSECURE:
-  name: OCIS_INSECURE;POSTPROCESSING_EVENTS_TLS_INSECURE
+  name: OCIS_INSECURE;SHARING_EVENTS_TLS_INSECURE
  defaultValue: "false"
  type: bool
-  description: Whether the ocis server should skip the client certificate verification
+  description: Whether to verify the server TLS certificates.
    during the TLS handshake.
  introductionVersion: pre5.0
  deprecationVersion: ""
  removalVersion: ""
  deprecationInfo: ""
 OCIS_JWT_SECRET:
-  name: OCIS_JWT_SECRET;AUTH_BEARER_JWT_SECRET
+  name: OCIS_JWT_SECRET;SHARING_JWT_SECRET
  defaultValue: ""
  type: string
  description: The secret to mint and validate jwt tokens.
@@ -8382,8 +8383,8 @@ OCIS_KEYCLOAK_USER_REALM:
  removalVersion: ""
  deprecationInfo: ""
 OCIS_LDAP_BIND_DN:
-  name: OCIS_LDAP_BIND_DN;IDP_LDAP_BIND_DN
+  name: OCIS_LDAP_BIND_DN;AUTH_BASIC_LDAP_BIND_DN
-  defaultValue: uid=idp,ou=sysusers,o=libregraph-idm
+  defaultValue: uid=reva,ou=sysusers,o=libregraph-idm
  type: string
  description: LDAP DN to use for simple bind authentication with the target LDAP
    server.
@@ -8392,7 +8393,7 @@ OCIS_LDAP_BIND_DN:
  removalVersion: ""
  deprecationInfo: ""
 OCIS_LDAP_BIND_PASSWORD:
-  name: OCIS_LDAP_BIND_PASSWORD;IDP_LDAP_BIND_PASSWORD
+  name: OCIS_LDAP_BIND_PASSWORD;AUTH_BASIC_LDAP_BIND_PASSWORD
  defaultValue: ""
  type: string
  description: Password to use for authenticating the 'bind_dn'.
@@ -8401,12 +8402,12 @@ OCIS_LDAP_BIND_PASSWORD:
  removalVersion: ""
  deprecationInfo: ""
 OCIS_LDAP_CACERT:
-  name: OCIS_LDAP_CACERT;IDP_LDAP_TLS_CACERT
+  name: OCIS_LDAP_CACERT;AUTH_BASIC_LDAP_CACERT
  defaultValue: /var/lib/ocis/idm/ldap.crt
  type: string
  description: Path/File name for the root CA certificate (in PEM format) used to
    validate TLS server certificates of the LDAP service. If not defined, the root
-    directory derives from $OCIS_BASE_DATA_PATH/idp.
+    directory derives from $OCIS_BASE_DATA_PATH/idm.
  introductionVersion: pre5.0
  deprecationVersion: ""
  removalVersion: ""
@@ -8422,7 +8423,7 @@ OCIS_LDAP_CROSS_INSTANCE_REFERENCE_TEMPLATE:
  removalVersion: ""
  deprecationInfo: ""
 OCIS_LDAP_DISABLE_USER_MECHANISM:
-  name: OCIS_LDAP_DISABLE_USER_MECHANISM;USERS_LDAP_DISABLE_USER_MECHANISM
+  name: OCIS_LDAP_DISABLE_USER_MECHANISM;AUTH_BASIC_DISABLE_USER_MECHANISM
  defaultValue: attribute
  type: string
  description: An option to control the behavior for disabling users. Valid options
@@ -8435,7 +8436,7 @@ OCIS_LDAP_DISABLE_USER_MECHANISM:
  removalVersion: ""
  deprecationInfo: ""
 OCIS_LDAP_DISABLED_USERS_GROUP_DN:
-  name: OCIS_LDAP_DISABLED_USERS_GROUP_DN;USERS_LDAP_DISABLED_USERS_GROUP_DN
+  name: OCIS_LDAP_DISABLED_USERS_GROUP_DN;AUTH_BASIC_DISABLED_USERS_GROUP_DN
  defaultValue: cn=DisabledUsersGroup,ou=groups,o=libregraph-idm
  type: string
  description: The distinguished name of the group to which added users will be classified
@@ -8444,8 +8445,18 @@ OCIS_LDAP_DISABLED_USERS_GROUP_DN:
  deprecationVersion: ""
  removalVersion: ""
  deprecationInfo: ""
 OCIS_LDAP_GROUP_AFFILIATION_ATTRIBUTE:
  name: OCIS_LDAP_GROUP_AFFILIATION_ATTRIBUTE
  defaultValue: ""
  type: string
  description: LDAP Attribute to signal which instance the group is belonging to.
    Requires OCIS_MULTI_INSTANCE_ENABLED.
  introductionVersion: 8.0.0
  deprecationVersion: ""
  removalVersion: ""
  deprecationInfo: ""
 OCIS_LDAP_GROUP_BASE_DN:
-  name: OCIS_LDAP_GROUP_BASE_DN;USERS_LDAP_GROUP_BASE_DN
+  name: OCIS_LDAP_GROUP_BASE_DN;AUTH_BASIC_LDAP_GROUP_BASE_DN
  defaultValue: ou=groups,o=libregraph-idm
  type: string
  description: Search base DN for looking up LDAP groups.
@@ -8454,7 +8465,7 @@ OCIS_LDAP_GROUP_BASE_DN:
  removalVersion: ""
  deprecationInfo: ""
 OCIS_LDAP_GROUP_FILTER:
-  name: OCIS_LDAP_GROUP_FILTER;USERS_LDAP_GROUP_FILTER
+  name: OCIS_LDAP_GROUP_FILTER;AUTH_BASIC_LDAP_GROUP_FILTER
  defaultValue: ""
  type: string
  description: LDAP filter to add to the default filters for group searches.
@@ -8463,17 +8474,17 @@ OCIS_LDAP_GROUP_FILTER:
  removalVersion: ""
  deprecationInfo: ""
 OCIS_LDAP_GROUP_OBJECTCLASS:
-  name: OCIS_LDAP_GROUP_OBJECTCLASS;USERS_LDAP_GROUP_OBJECTCLASS
+  name: OCIS_LDAP_GROUP_OBJECTCLASS;AUTH_BASIC_LDAP_GROUP_OBJECTCLASS
  defaultValue: groupOfNames
  type: string
  description: The object class to use for groups in the default group search filter
-    like 'groupOfNames'.
+    ('groupOfNames').
  introductionVersion: pre5.0
  deprecationVersion: ""
  removalVersion: ""
  deprecationInfo: ""
 OCIS_LDAP_GROUP_SCHEMA_DISPLAYNAME:
-  name: OCIS_LDAP_GROUP_SCHEMA_DISPLAYNAME;USERS_LDAP_GROUP_SCHEMA_DISPLAYNAME
+  name: OCIS_LDAP_GROUP_SCHEMA_DISPLAYNAME;AUTH_BASIC_LDAP_GROUP_SCHEMA_DISPLAYNAME
  defaultValue: cn
  type: string
  description: LDAP Attribute to use for the displayname of groups (often the same
@@ -8483,7 +8494,7 @@ OCIS_LDAP_GROUP_SCHEMA_DISPLAYNAME:
  removalVersion: ""
  deprecationInfo: ""
 OCIS_LDAP_GROUP_SCHEMA_GROUPNAME:
-  name: OCIS_LDAP_GROUP_SCHEMA_GROUPNAME;USERS_LDAP_GROUP_SCHEMA_GROUPNAME
+  name: OCIS_LDAP_GROUP_SCHEMA_GROUPNAME;AUTH_BASIC_LDAP_GROUP_SCHEMA_GROUPNAME
  defaultValue: cn
  type: string
  description: LDAP Attribute to use for the name of groups.
@@ -8492,28 +8503,28 @@ OCIS_LDAP_GROUP_SCHEMA_GROUPNAME:
  removalVersion: ""
  deprecationInfo: ""
 OCIS_LDAP_GROUP_SCHEMA_ID:
-  name: OCIS_LDAP_GROUP_SCHEMA_ID;USERS_LDAP_GROUP_SCHEMA_ID
+  name: OCIS_LDAP_GROUP_SCHEMA_ID;AUTH_BASIC_LDAP_GROUP_SCHEMA_ID
  defaultValue: ownclouduuid
  type: string
-  description: LDAP Attribute to use as the unique ID for groups. This should be a
+  description: LDAP Attribute to use as the unique id for groups. This should be a
-    stable globally unique ID like a UUID.
+    stable globally unique id (e.g. a UUID).
  introductionVersion: pre5.0
  deprecationVersion: ""
  removalVersion: ""
  deprecationInfo: ""
 OCIS_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING:
-  name: OCIS_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING;USERS_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING
+  name: OCIS_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING;AUTH_BASIC_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING
  defaultValue: "false"
  type: bool
  description: Set this to true if the defined 'id' attribute for groups is of the
    'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute
-    of Active Directory for the group ID's.
+    of Active Directory for the group IDs.
  introductionVersion: pre5.0
  deprecationVersion: ""
  removalVersion: ""
  deprecationInfo: ""
 OCIS_LDAP_GROUP_SCHEMA_MAIL:
-  name: OCIS_LDAP_GROUP_SCHEMA_MAIL;USERS_LDAP_GROUP_SCHEMA_MAIL
+  name: OCIS_LDAP_GROUP_SCHEMA_MAIL;AUTH_BASIC_LDAP_GROUP_SCHEMA_MAIL
  defaultValue: mail
  type: string
  description: LDAP Attribute to use for the email address of groups (can be empty).
@@ -8522,7 +8533,7 @@ OCIS_LDAP_GROUP_SCHEMA_MAIL:
  removalVersion: ""
  deprecationInfo: ""
 OCIS_LDAP_GROUP_SCHEMA_MEMBER:
-  name: OCIS_LDAP_GROUP_SCHEMA_MEMBER;USERS_LDAP_GROUP_SCHEMA_MEMBER
+  name: OCIS_LDAP_GROUP_SCHEMA_MEMBER;AUTH_BASIC_LDAP_GROUP_SCHEMA_MEMBER
  defaultValue: member
  type: string
  description: LDAP Attribute that is used for group members.
@@ -8531,7 +8542,7 @@ OCIS_LDAP_GROUP_SCHEMA_MEMBER:
  removalVersion: ""
  deprecationInfo: ""
 OCIS_LDAP_GROUP_SCOPE:
-  name: OCIS_LDAP_GROUP_SCOPE;USERS_LDAP_GROUP_SCOPE
+  name: OCIS_LDAP_GROUP_SCOPE;AUTH_BASIC_LDAP_GROUP_SCOPE
  defaultValue: sub
  type: string
  description: LDAP search scope to use when looking up groups. Supported values are
@@ -8541,7 +8552,7 @@ OCIS_LDAP_GROUP_SCOPE:
  removalVersion: ""
  deprecationInfo: ""
 OCIS_LDAP_INSECURE:
-  name: OCIS_LDAP_INSECURE;IDP_INSECURE
+  name: OCIS_LDAP_INSECURE;AUTH_BASIC_LDAP_INSECURE
  defaultValue: "false"
  type: bool
  description: Disable TLS certificate validation for the LDAP connections. Do not
@@ -8609,7 +8620,7 @@ OCIS_LDAP_PRECISE_SEARCH_ATTRIBUTE:
  removalVersion: ""
  deprecationInfo: ""
 OCIS_LDAP_SERVER_WRITE_ENABLED:
-  name: OCIS_LDAP_SERVER_WRITE_ENABLED;FRONTEND_LDAP_SERVER_WRITE_ENABLED
+  name: OCIS_LDAP_SERVER_WRITE_ENABLED;GRAPH_LDAP_SERVER_WRITE_ENABLED
  defaultValue: "true"
  type: bool
  description: Allow creating, modifying and deleting LDAP users via the GRAPH API.
@@ -8621,16 +8632,17 @@ OCIS_LDAP_SERVER_WRITE_ENABLED:
  removalVersion: ""
  deprecationInfo: ""
 OCIS_LDAP_URI:
-  name: OCIS_LDAP_URI;IDP_LDAP_URI
+  name: OCIS_LDAP_URI;AUTH_BASIC_LDAP_URI
  defaultValue: ldaps://localhost:9235
  type: string
-  description: Url of the LDAP service to use as IDP.
+  description: URI of the LDAP Server to connect to. Supported URI schemes are 'ldaps://'
    and 'ldap://'
  introductionVersion: pre5.0
  deprecationVersion: ""
  removalVersion: ""
  deprecationInfo: ""
 OCIS_LDAP_USER_BASE_DN:
-  name: OCIS_LDAP_USER_BASE_DN;IDP_LDAP_BASE_DN
+  name: OCIS_LDAP_USER_BASE_DN;AUTH_BASIC_LDAP_USER_BASE_DN
  defaultValue: ou=users,o=libregraph-idm
  type: string
  description: Search base DN for looking up LDAP users.
@@ -8639,16 +8651,16 @@ OCIS_LDAP_USER_BASE_DN:
  removalVersion: ""
  deprecationInfo: ""
 OCIS_LDAP_USER_ENABLED_ATTRIBUTE:
-  name: OCIS_LDAP_USER_ENABLED_ATTRIBUTE;IDP_USER_ENABLED_ATTRIBUTE
+  name: OCIS_LDAP_USER_ENABLED_ATTRIBUTE;AUTH_BASIC_LDAP_USER_ENABLED_ATTRIBUTE
  defaultValue: ownCloudUserEnabled
  type: string
-  description: LDAP Attribute to use as a flag telling if the user is enabled or disabled.
+  description: LDAP attribute to use as a flag telling if the user is enabled or disabled.
  introductionVersion: pre5.0
  deprecationVersion: ""
  removalVersion: ""
  deprecationInfo: ""
 OCIS_LDAP_USER_FILTER:
-  name: OCIS_LDAP_USER_FILTER;IDP_LDAP_FILTER
+  name: OCIS_LDAP_USER_FILTER;AUTH_BASIC_LDAP_USER_FILTER
  defaultValue: ""
  type: string
  description: LDAP filter to add to the default filters for user search like '(objectclass=ownCloud)'.
@@ -8677,23 +8689,24 @@ OCIS_LDAP_USER_MEMBER_ATTRIBUTE:
  removalVersion: ""
  deprecationInfo: ""
 OCIS_LDAP_USER_OBJECTCLASS:
-  name: OCIS_LDAP_USER_OBJECTCLASS;IDP_LDAP_OBJECTCLASS
+  name: OCIS_LDAP_USER_OBJECTCLASS;AUTH_BASIC_LDAP_USER_OBJECTCLASS
  defaultValue: inetOrgPerson
  type: string
-  description: LDAP User ObjectClass like 'inetOrgPerson'.
+  description: The object class to use for users in the default user search filter
    ('inetOrgPerson').
  introductionVersion: pre5.0
  deprecationVersion: ""
  removalVersion: ""
  deprecationInfo: ""
 OCIS_LDAP_USER_SCHEMA_DISPLAYNAME:
-  name: OCIS_LDAP_USER_SCHEMA_DISPLAYNAME;USERS_LDAP_USER_SCHEMA_DISPLAYNAME
+  name: OCIS_LDAP_USER_SCHEMA_DISPLAYNAME;AUTH_BASIC_LDAP_USER_SCHEMA_DISPLAYNAME
  defaultValue: displayname
  type: string
  description: LDAP Attribute to use for the displayname of users.
  introductionVersion: pre5.0
  deprecationVersion: ""
  removalVersion: ""
-  deprecationInfo: 'LDAP_USER_SCHEMA_DISPLAY_NAME changing name for consistency |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | '
+  deprecationInfo: 'LDAP_USER_SCHEMA_DISPLAY_NAME changing name for consistency |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | '
 OCIS_LDAP_USER_SCHEMA_EXTERNAL_ID:
  name: OCIS_LDAP_USER_SCHEMA_EXTERNAL_ID;GRAPH_LDAP_EXTERNAL_ID_ATTRIBUTE
  defaultValue: owncloudExternalID
@@ -8706,36 +8719,37 @@ OCIS_LDAP_USER_SCHEMA_EXTERNAL_ID:
  removalVersion: ""
  deprecationInfo: ""
 OCIS_LDAP_USER_SCHEMA_ID:
-  name: OCIS_LDAP_USER_SCHEMA_ID;IDP_LDAP_UUID_ATTRIBUTE
+  name: OCIS_LDAP_USER_SCHEMA_ID;AUTH_BASIC_LDAP_USER_SCHEMA_ID
-  defaultValue: ownCloudUUID
+  defaultValue: ownclouduuid
  type: string
-  description: LDAP User UUID attribute like 'uid'.
+  description: LDAP Attribute to use as the unique ID for users. This should be a
    stable globally unique ID like a UUID.
  introductionVersion: pre5.0
  deprecationVersion: ""
  removalVersion: ""
  deprecationInfo: ""
 OCIS_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING:
-  name: OCIS_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING;USERS_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING
+  name: OCIS_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING;AUTH_BASIC_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING
  defaultValue: "false"
  type: bool
  description: Set this to true if the defined 'ID' attribute for users is of the
    'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute
-    of Active Directory for the user ID's.
+    of Active Directory for the user IDs.
  introductionVersion: pre5.0
  deprecationVersion: ""
  removalVersion: ""
  deprecationInfo: ""
 OCIS_LDAP_USER_SCHEMA_MAIL:
-  name: OCIS_LDAP_USER_SCHEMA_MAIL;IDP_LDAP_EMAIL_ATTRIBUTE
+  name: OCIS_LDAP_USER_SCHEMA_MAIL;AUTH_BASIC_LDAP_USER_SCHEMA_MAIL
  defaultValue: mail
  type: string
-  description: LDAP User email attribute like 'mail'.
+  description: LDAP Attribute to use for the email address of users.
  introductionVersion: pre5.0
  deprecationVersion: ""
  removalVersion: ""
  deprecationInfo: ""
 OCIS_LDAP_USER_SCHEMA_USER_TYPE:
-  name: OCIS_LDAP_USER_SCHEMA_USER_TYPE;USERS_LDAP_USER_TYPE_ATTRIBUTE
+  name: OCIS_LDAP_USER_SCHEMA_USER_TYPE;GRAPH_LDAP_USER_TYPE_ATTRIBUTE
  defaultValue: ownCloudUserType
  type: string
  description: LDAP Attribute to distinguish between 'Member' and 'Guest' users. Default
@@ -8745,26 +8759,26 @@ OCIS_LDAP_USER_SCHEMA_USER_TYPE:
  removalVersion: ""
  deprecationInfo: ""
 OCIS_LDAP_USER_SCHEMA_USERNAME:
-  name: OCIS_LDAP_USER_SCHEMA_USERNAME;IDP_LDAP_NAME_ATTRIBUTE
+  name: OCIS_LDAP_USER_SCHEMA_USERNAME;AUTH_BASIC_LDAP_USER_SCHEMA_USERNAME
-  defaultValue: displayName
+  defaultValue: uid
  type: string
-  description: LDAP User name attribute like 'displayName'.
+  description: LDAP Attribute to use for username of users.
  introductionVersion: pre5.0
  deprecationVersion: ""
  removalVersion: ""
  deprecationInfo: ""
 OCIS_LDAP_USER_SCOPE:
-  name: OCIS_LDAP_USER_SCOPE;IDP_LDAP_SCOPE
+  name: OCIS_LDAP_USER_SCOPE;AUTH_BASIC_LDAP_USER_SCOPE
  defaultValue: sub
  type: string
-  description: LDAP search scope to use when looking up users. Supported scopes are
+  description: LDAP search scope to use when looking up users. Supported values are
    'base', 'one' and 'sub'.
  introductionVersion: pre5.0
  deprecationVersion: ""
  removalVersion: ""
  deprecationInfo: ""
 OCIS_LOG_COLOR:
-  name: OCIS_LOG_COLOR;WEBDAV_LOG_COLOR
+  name: OCIS_LOG_COLOR;SHARING_LOG_COLOR
  defaultValue: "false"
  type: bool
  description: Activates colorized log output.
@@ -8773,7 +8787,7 @@ OCIS_LOG_COLOR:
  removalVersion: ""
  deprecationInfo: ""
 OCIS_LOG_FILE:
-  name: OCIS_LOG_FILE;WEBDAV_LOG_FILE
+  name: OCIS_LOG_FILE;SHARING_LOG_FILE
  defaultValue: ""
  type: string
  description: The path to the log file. Activates logging to this file if set.
@@ -8782,7 +8796,7 @@ OCIS_LOG_FILE:
  removalVersion: ""
  deprecationInfo: ""
 OCIS_LOG_LEVEL:
-  name: OCIS_LOG_LEVEL;WEBDAV_LOG_LEVEL
+  name: OCIS_LOG_LEVEL;SHARING_LOG_LEVEL
  defaultValue: ""
  type: string
  description: 'The log level. Valid values are: ''panic'', ''fatal'', ''error'',
@@ -8792,7 +8806,7 @@ OCIS_LOG_LEVEL:
  removalVersion: ""
  deprecationInfo: ""
 OCIS_LOG_PRETTY:
-  name: OCIS_LOG_PRETTY;WEBDAV_LOG_PRETTY
+  name: OCIS_LOG_PRETTY;SHARING_LOG_PRETTY
  defaultValue: "false"
  type: bool
  description: Activates pretty log output.
@@ -8801,17 +8815,17 @@ OCIS_LOG_PRETTY:
  removalVersion: ""
  deprecationInfo: ""
 OCIS_MACHINE_AUTH_API_KEY:
-  name: OCIS_MACHINE_AUTH_API_KEY;IDP_MACHINE_AUTH_API_KEY
+  name: OCIS_MACHINE_AUTH_API_KEY;STORAGE_USERS_MACHINE_AUTH_API_KEY
  defaultValue: ""
  type: string
  description: Machine auth API key used to validate internal requests necessary for
    the access to resources from other services.
-  introductionVersion: pre5.0
+  introductionVersion: "5.0"
  deprecationVersion: ""
  removalVersion: ""
  deprecationInfo: ""
 OCIS_MAX_CONCURRENCY:
-  name: OCIS_MAX_CONCURRENCY;FRONTEND_MAX_CONCURRENCY
+  name: OCIS_MAX_CONCURRENCY;SHARING_USER_JSONCS3_MAX_CONCURRENCY
  defaultValue: "1"
  type: int
  description: Maximum number of concurrent go-routines. Higher values can potentially
@@ -8921,16 +8935,17 @@ OCIS_OIDC_CLIENT_ID:
  removalVersion: ""
  deprecationInfo: ""
 OCIS_OIDC_ISSUER:
-  name: OCIS_URL;OCIS_OIDC_ISSUER;IDP_ISS
+  name: OCIS_URL;OCIS_OIDC_ISSUER;AUTH_BASIC_IDP_URL
  defaultValue: https://localhost:9200
  type: string
-  description: The OIDC issuer URL to use.
+  description: The identity provider value to set in the userids of the CS3 user objects
    for users returned by this user provider.
  introductionVersion: pre5.0
  deprecationVersion: ""
  removalVersion: ""
  deprecationInfo: ""
 OCIS_PASSWORD_POLICY_BANNED_PASSWORDS_LIST:
-  name: OCIS_PASSWORD_POLICY_BANNED_PASSWORDS_LIST;FRONTEND_PASSWORD_POLICY_BANNED_PASSWORDS_LIST
+  name: OCIS_PASSWORD_POLICY_BANNED_PASSWORDS_LIST;SHARING_PASSWORD_POLICY_BANNED_PASSWORDS_LIST
  defaultValue: ""
  type: string
  description: Path to the 'banned passwords list' file. This only impacts public
@@ -8940,7 +8955,7 @@ OCIS_PASSWORD_POLICY_BANNED_PASSWORDS_LIST:
  removalVersion: ""
  deprecationInfo: ""
 OCIS_PASSWORD_POLICY_DISABLED:
-  name: OCIS_PASSWORD_POLICY_DISABLED;FRONTEND_PASSWORD_POLICY_DISABLED
+  name: OCIS_PASSWORD_POLICY_DISABLED;SHARING_PASSWORD_POLICY_DISABLED
  defaultValue: "false"
  type: bool
  description: Disable the password policy. Defaults to false if not set.
@@ -8949,7 +8964,7 @@ OCIS_PASSWORD_POLICY_DISABLED:
  removalVersion: ""
  deprecationInfo: ""
 OCIS_PASSWORD_POLICY_MIN_CHARACTERS:
-  name: OCIS_PASSWORD_POLICY_MIN_CHARACTERS;FRONTEND_PASSWORD_POLICY_MIN_CHARACTERS
+  name: OCIS_PASSWORD_POLICY_MIN_CHARACTERS;SHARING_PASSWORD_POLICY_MIN_CHARACTERS
  defaultValue: "8"
  type: int
  description: Define the minimum password length. Defaults to 8 if not set.
@@ -8958,7 +8973,7 @@ OCIS_PASSWORD_POLICY_MIN_CHARACTERS:
  removalVersion: ""
  deprecationInfo: ""
 OCIS_PASSWORD_POLICY_MIN_DIGITS:
-  name: OCIS_PASSWORD_POLICY_MIN_DIGITS;FRONTEND_PASSWORD_POLICY_MIN_DIGITS
+  name: OCIS_PASSWORD_POLICY_MIN_DIGITS;SHARING_PASSWORD_POLICY_MIN_DIGITS
  defaultValue: "1"
  type: int
  description: Define the minimum number of digits. Defaults to 1 if not set.
@@ -8967,7 +8982,7 @@ OCIS_PASSWORD_POLICY_MIN_DIGITS:
  removalVersion: ""
  deprecationInfo: ""
 OCIS_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS:
-  name: OCIS_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS;FRONTEND_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS
+  name: OCIS_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS;SHARING_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS
  defaultValue: "1"
  type: int
  description: Define the minimum number of uppercase letters. Defaults to 1 if not
@@ -8977,7 +8992,7 @@ OCIS_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS:
  removalVersion: ""
  deprecationInfo: ""
 OCIS_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS:
-  name: OCIS_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS;FRONTEND_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS
+  name: OCIS_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS;SHARING_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS
  defaultValue: "1"
  type: int
  description: Define the minimum number of characters from the special characters
@@ -8987,7 +9002,7 @@ OCIS_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS:
  removalVersion: ""
  deprecationInfo: ""
 OCIS_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS:
-  name: OCIS_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS;FRONTEND_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS
+  name: OCIS_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS;SHARING_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS
  defaultValue: "1"
  type: int
  description: Define the minimum number of lowercase letters. Defaults to 1 if not
@@ -8997,17 +9012,17 @@ OCIS_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS:
  removalVersion: ""
  deprecationInfo: ""
 OCIS_PERSISTENT_STORE:
-  name: OCIS_PERSISTENT_STORE;POSTPROCESSING_STORE
+  name: OCIS_PERSISTENT_STORE;USERLOG_STORE
-  defaultValue: nats-js-kv
+  defaultValue: memory
  type: string
-  description: 'The type of the store. Supported values are: ''memory'', ''redis-sentinel'',
+  description: 'The type of the store. Supported values are: ''memory'', ''nats-js-kv'',
-    ''nats-js-kv'', ''noop''. See the text description for details.'
+    ''redis-sentinel'', ''noop''. See the text description for details.'
  introductionVersion: pre5.0
  deprecationVersion: ""
  removalVersion: ""
  deprecationInfo: ""
 OCIS_PERSISTENT_STORE_AUTH_PASSWORD:
-  name: OCIS_PERSISTENT_STORE_AUTH_PASSWORD;POSTPROCESSING_STORE_AUTH_PASSWORD
+  name: OCIS_PERSISTENT_STORE_AUTH_PASSWORD;USERLOG_STORE_AUTH_PASSWORD
  defaultValue: ""
  type: string
  description: The password to authenticate with the store. Only applies when store
@@ -9017,7 +9032,7 @@ OCIS_PERSISTENT_STORE_AUTH_PASSWORD:
  removalVersion: ""
  deprecationInfo: ""
 OCIS_PERSISTENT_STORE_AUTH_USERNAME:
-  name: OCIS_PERSISTENT_STORE_AUTH_USERNAME;POSTPROCESSING_STORE_AUTH_USERNAME
+  name: OCIS_PERSISTENT_STORE_AUTH_USERNAME;USERLOG_STORE_AUTH_USERNAME
  defaultValue: ""
  type: string
  description: The username to authenticate with the store. Only applies when store
@@ -9027,8 +9042,8 @@ OCIS_PERSISTENT_STORE_AUTH_USERNAME:
  removalVersion: ""
  deprecationInfo: ""
 OCIS_PERSISTENT_STORE_NODES:
-  name: OCIS_PERSISTENT_STORE_NODES;POSTPROCESSING_STORE_NODES
+  name: OCIS_PERSISTENT_STORE_NODES;USERLOG_STORE_NODES
-  defaultValue: '[127.0.0.1:9233]'
+  defaultValue: '[]'
  type: '[]string'
  description: A list of nodes to access the configured store. This has no effect
    when 'memory' store is configured. Note that the behaviour how nodes are used
@@ -9039,11 +9054,11 @@ OCIS_PERSISTENT_STORE_NODES:
  removalVersion: ""
  deprecationInfo: ""
 OCIS_PERSISTENT_STORE_TTL:
-  name: OCIS_PERSISTENT_STORE_TTL;POSTPROCESSING_STORE_TTL
+  name: OCIS_PERSISTENT_STORE_TTL;USERLOG_STORE_TTL
-  defaultValue: 0s
+  defaultValue: 336h0m0s
  type: Duration
-  description: Time to live for events in the store. See the Environment Variable
+  description: Time to live for events in the store. Defaults to '336h' (2 weeks).
-    Types description for more details.
+    See the Environment Variable Types description for more details.
  introductionVersion: pre5.0
  deprecationVersion: ""
  removalVersion: ""
@@ -9061,7 +9076,7 @@ OCIS_REVA_GATEWAY:
  name: OCIS_REVA_GATEWAY
  defaultValue: com.owncloud.api.gateway
  type: string
-  description: CS3 gateway used to look up user metadata
+  description: The CS3 gateway endpoint.
  introductionVersion: pre5.0
  deprecationVersion: ""
  removalVersion: ""
@@ -9089,7 +9104,7 @@ OCIS_REVA_GATEWAY_TLS_MODE:
  removalVersion: ""
  deprecationInfo: ""
 OCIS_SERVICE_ACCOUNT_ID:
-  name: OCIS_SERVICE_ACCOUNT_ID;NOTIFICATIONS_SERVICE_ACCOUNT_ID
+  name: OCIS_SERVICE_ACCOUNT_ID;STORAGE_USERS_SERVICE_ACCOUNT_ID
  defaultValue: ""
  type: string
  description: The ID of the service account the service should use. See the 'auth-service'
@@ -9099,7 +9114,7 @@ OCIS_SERVICE_ACCOUNT_ID:
  removalVersion: ""
  deprecationInfo: ""
 OCIS_SERVICE_ACCOUNT_SECRET:
-  name: OCIS_SERVICE_ACCOUNT_SECRET;NOTIFICATIONS_SERVICE_ACCOUNT_SECRET
+  name: OCIS_SERVICE_ACCOUNT_SECRET;STORAGE_USERS_SERVICE_ACCOUNT_SECRET
  defaultValue: ""
  type: string
  description: The service account secret.
@@ -9108,7 +9123,7 @@ OCIS_SERVICE_ACCOUNT_SECRET:
  removalVersion: ""
  deprecationInfo: ""
 OCIS_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD:
-  name: OCIS_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD
+  name: OCIS_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD;SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD
  defaultValue: "true"
  type: bool
  description: Set this to true if you want to enforce passwords on all public shares.
@@ -9117,27 +9132,28 @@ OCIS_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD:
  removalVersion: ""
  deprecationInfo: ""
 OCIS_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD:
-  name: OCIS_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD
+  name: OCIS_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD;SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD
  defaultValue: "false"
  type: bool
-  description: Set this to true if you want to enforce passwords for writable shares.
+  description: Set this to true if you want to enforce passwords on Uploader, Editor
-    Only effective if the setting for 'passwords on all public shares' is set to false.
+    or Contributor shares.
  introductionVersion: "5.0"
  deprecationVersion: ""
  removalVersion: ""
  deprecationInfo: ""
 OCIS_SPACES_MAX_QUOTA:
-  name: OCIS_SPACES_MAX_QUOTA;FRONTEND_MAX_QUOTA
+  name: OCIS_SPACES_MAX_QUOTA;STORAGE_USERS_OCIS_MAX_QUOTA
  defaultValue: "0"
  type: uint64
-  description: Set the global max quota value in bytes. A value of 0 equals unlimited.
+  description: Set a global max quota for spaces in bytes. A value of 0 equals unlimited.
-    The value is provided via capabilities.
+    If not using the global OCIS_SPACES_MAX_QUOTA, you must define the FRONTEND_MAX_QUOTA
    in the frontend service.
  introductionVersion: pre5.0
  deprecationVersion: ""
  removalVersion: ""
  deprecationInfo: ""
 OCIS_SYSTEM_USER_API_KEY:
-  name: OCIS_SYSTEM_USER_API_KEY
+  name: OCIS_SYSTEM_USER_API_KEY;SHARING_PUBLIC_CS3_SYSTEM_USER_API_KEY
  defaultValue: ""
  type: string
  description: API key for the STORAGE-SYSTEM system user.
@@ -9146,10 +9162,10 @@ OCIS_SYSTEM_USER_API_KEY:
  removalVersion: ""
  deprecationInfo: ""
 OCIS_SYSTEM_USER_ID:
-  name: OCIS_SYSTEM_USER_ID
+  name: OCIS_SYSTEM_USER_ID;SHARING_PUBLIC_CS3_SYSTEM_USER_ID
  defaultValue: ""
  type: string
-  description: ID of the oCIS storage-system system user. Admins need to set the ID
+  description: ID of the oCIS STORAGE-SYSTEM system user. Admins need to set the ID
    for the STORAGE-SYSTEM system user in this config option which is then used to
    reference the user. Any reasonable long string is possible, preferably this would
    be an UUIDv4 format.
@@ -9167,7 +9183,7 @@ OCIS_SYSTEM_USER_IDP:
  removalVersion: ""
  deprecationInfo: ""
 OCIS_TRACING_COLLECTOR:
-  name: OCIS_TRACING_COLLECTOR;WEBDAV_TRACING_COLLECTOR
+  name: OCIS_TRACING_COLLECTOR;SHARING_TRACING_COLLECTOR
  defaultValue: ""
  type: string
  description: The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces.
@@ -9177,7 +9193,7 @@ OCIS_TRACING_COLLECTOR:
  removalVersion: ""
  deprecationInfo: ""
 OCIS_TRACING_ENABLED:
-  name: OCIS_TRACING_ENABLED;WEBDAV_TRACING_ENABLED
+  name: OCIS_TRACING_ENABLED;SHARING_TRACING_ENABLED
  defaultValue: "false"
  type: bool
  description: Activates tracing.
@@ -9186,7 +9202,7 @@ OCIS_TRACING_ENABLED:
  removalVersion: ""
  deprecationInfo: ""
 OCIS_TRACING_ENDPOINT:
-  name: OCIS_TRACING_ENDPOINT;WEBDAV_TRACING_ENDPOINT
+  name: OCIS_TRACING_ENDPOINT;SHARING_TRACING_ENDPOINT
  defaultValue: ""
  type: string
  description: The endpoint of the tracing agent.
@@ -9195,7 +9211,7 @@ OCIS_TRACING_ENDPOINT:
  removalVersion: ""
  deprecationInfo: ""
 OCIS_TRACING_TYPE:
-  name: OCIS_TRACING_TYPE;WEBDAV_TRACING_TYPE
+  name: OCIS_TRACING_TYPE;SHARING_TRACING_TYPE
  defaultValue: ""
  type: string
  description: The type of tracing. Defaults to '', which is the same as 'jaeger'.
@@ -9214,7 +9230,7 @@ OCIS_TRANSFER_SECRET:
  removalVersion: ""
  deprecationInfo: ""
 OCIS_TRANSLATION_PATH:
-  name: OCIS_TRANSLATION_PATH;NOTIFICATIONS_TRANSLATION_PATH
+  name: OCIS_TRANSLATION_PATH;USERLOG_TRANSLATION_PATH
  defaultValue: ""
  type: string
  description: (optional) Set this to a path with custom translations to overwrite
@@ -9225,19 +9241,19 @@ OCIS_TRANSLATION_PATH:
  removalVersion: ""
  deprecationInfo: ""
 OCIS_URL:
-  name: OCIS_URL;OCIS_PUBLIC_URL
+  name: OCIS_URL;OCDAV_PUBLIC_URL
-  defaultValue: https://127.0.0.1:9200
+  defaultValue: https://localhost:9200
  type: string
-  description: URL, where oCIS is reachable for users.
+  description: URL where oCIS is reachable for users.
  introductionVersion: pre5.0
  deprecationVersion: ""
  removalVersion: ""
  deprecationInfo: ""
 OCIS_USER_SEARCH_DISPLAYED_ATTRIBUTES:
-  name: OCIS_USER_SEARCH_DISPLAYED_ATTRIBUTES;FRONTEND_USER_SEARCH_DISPLAYED_ATTRIBUTES
+  name: OCIS_USER_SEARCH_DISPLAYED_ATTRIBUTES
  defaultValue: '[]'
  type: '[]string'
-  description: A list of user attributes to display in the user search results.
+  description: The attributes to display in the user search results.
  introductionVersion: 7.3.0
  deprecationVersion: ""
  removalVersion: ""
--- a/docs/services/general-info/envvars/env-var-deltas/7.3.0-8.0.0-added.adoc
+++ b/docs/services/general-info/envvars/env-var-deltas/7.3.0-8.0.0-added.adoc
@@ -58,6 +58,11 @@
 | Template for the instance URL. Requires OCIS_MULTI_INSTANCE_ENABLED.
 | 
 |
 | OCIS_LDAP_GROUP_AFFILIATION_ATTRIBUTE
 | LDAP Attribute to signal which instance the group is belonging to. Requires OCIS_MULTI_INSTANCE_ENABLED.
 | 
 |
 | OCIS_LDAP_PRECISE_SEARCH_ATTRIBUTE
 | LDAP Attribute to be used for searching users on other instances. Requires OCIS_MULTI_INSTANCE_ENABLED.
--- a/docs/services/general-info/envvars/env-var-deltas/7.3.0-8.0.0-added.md
+++ b/docs/services/general-info/envvars/env-var-deltas/7.3.0-8.0.0-added.md
@@ -10,6 +10,7 @@
 |  | OCIS_LDAP_INSTANCE_MAPPER_NAME_ATTRIBUTE | LDAP Attribute of the instance name. Requires OCIS_MULTI_INSTANCE_ENABLED. |  |
 |  | OCIS_LDAP_CROSS_INSTANCE_REFERENCE_TEMPLATE | Template for the users unique reference across oCIS instances. Requires OCIS_MULTI_INSTANCE_ENABLED. |  |
 |  | OCIS_LDAP_INSTANCE_URL_TEMPLATE | Template for the instance URL. Requires OCIS_MULTI_INSTANCE_ENABLED. |  |
 |  | OCIS_LDAP_GROUP_AFFILIATION_ATTRIBUTE | LDAP Attribute to signal which instance the group is belonging to. Requires OCIS_MULTI_INSTANCE_ENABLED. |  |
 |  | OCIS_LDAP_PRECISE_SEARCH_ATTRIBUTE | LDAP Attribute to be used for searching users on other instances. Requires OCIS_MULTI_INSTANCE_ENABLED. |  |
 |  | OCIS_LDAP_USER_GUEST_ATTRIBUTE | LDAP Attribute to signal the user is guest of an instance. Requires OCIS_MULTI_INSTANCE_ENABLED. |  |
 |  | OCIS_LDAP_USER_MEMBER_ATTRIBUTE | LDAP Attribute to signal the user is member of an instance. Requires OCIS_MULTI_INSTANCE_ENABLED. |  |
--- a/protogen/gen/ocis/messages/settings/v0/settings.pb.go
+++ b/protogen/gen/ocis/messages/settings/v0/settings.pb.go
@@ -627,13 +627,13 @@ type Bundle struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
-	Id          string      `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty" yaml:"id"`                                                 // @gotags: yaml:"id"
+	Id          string      `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`                                                 // @gotags: yaml:"id"
-	Name        string      `protobuf:"bytes,2,opt,name=name,proto3" json:"name,omitempty" yaml:"name"`                                             // @gotags: yaml:"name"
+	Name        string      `protobuf:"bytes,2,opt,name=name,proto3" json:"name,omitempty"`                                             // @gotags: yaml:"name"
-	Type        Bundle_Type `protobuf:"varint,3,opt,name=type,proto3,enum=ocis.messages.settings.v0.Bundle_Type" json:"type,omitempty" yaml:"type"` // @gotags: yaml:"type"
+	Type        Bundle_Type `protobuf:"varint,3,opt,name=type,proto3,enum=ocis.messages.settings.v0.Bundle_Type" json:"type,omitempty"` // @gotags: yaml:"type"
-	Extension   string      `protobuf:"bytes,4,opt,name=extension,proto3" json:"extension,omitempty" yaml:"extension"`                                   // @gotags: yaml:"extension"
+	Extension   string      `protobuf:"bytes,4,opt,name=extension,proto3" json:"extension,omitempty"`                                   // @gotags: yaml:"extension"
-	DisplayName string      `protobuf:"bytes,5,opt,name=display_name,json=displayName,proto3" json:"display_name,omitempty" yaml:"display_name"`            // @gotags: yaml:"display_name"
+	DisplayName string      `protobuf:"bytes,5,opt,name=display_name,json=displayName,proto3" json:"display_name,omitempty"`            // @gotags: yaml:"display_name"
-	Settings    []*Setting  `protobuf:"bytes,6,rep,name=settings,proto3" json:"settings,omitempty" yaml:"settings"`                                     // @gotags: yaml:"settings"
+	Settings    []*Setting  `protobuf:"bytes,6,rep,name=settings,proto3" json:"settings,omitempty"`                                     // @gotags: yaml:"settings"
-	Resource    *Resource   `protobuf:"bytes,7,opt,name=resource,proto3" json:"resource,omitempty" yaml:"resource"`                                     // @gotags: yaml:"resource"
+	Resource    *Resource   `protobuf:"bytes,7,opt,name=resource,proto3" json:"resource,omitempty"`                                     // @gotags: yaml:"resource"
 }
 func (x *Bundle) Reset() {
@@ -722,10 +722,10 @@ type Setting struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
-	Id          string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty" yaml:"id"`                                      // @gotags: yaml:"id"
+	Id          string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`                                      // @gotags: yaml:"id"
-	Name        string `protobuf:"bytes,2,opt,name=name,proto3" json:"name,omitempty" yaml:"name"`                                  // @gotags: yaml:"name"
+	Name        string `protobuf:"bytes,2,opt,name=name,proto3" json:"name,omitempty"`                                  // @gotags: yaml:"name"
-	DisplayName string `protobuf:"bytes,3,opt,name=display_name,json=displayName,proto3" json:"display_name,omitempty" yaml:"display_name"` // @gotags: yaml:"display_name"
+	DisplayName string `protobuf:"bytes,3,opt,name=display_name,json=displayName,proto3" json:"display_name,omitempty"` // @gotags: yaml:"display_name"
-	Description string `protobuf:"bytes,4,opt,name=description,proto3" json:"description,omitempty" yaml:"description"`                    // @gotags: yaml:"description"
+	Description string `protobuf:"bytes,4,opt,name=description,proto3" json:"description,omitempty"`                    // @gotags: yaml:"description"
 	// Types that are assignable to Value:
 	//
 	//	*Setting_IntValue
@@ -736,7 +736,7 @@ type Setting struct {
 	//	*Setting_PermissionValue
 	//	*Setting_MultiChoiceCollectionValue
 	Value    isSetting_Value `protobuf_oneof:"value"`
-	Resource *Resource       `protobuf:"bytes,11,opt,name=resource,proto3" json:"resource,omitempty" yaml:"resource"` // @gotags: yaml:"resource"
+	Resource *Resource       `protobuf:"bytes,11,opt,name=resource,proto3" json:"resource,omitempty"` // @gotags: yaml:"resource"
 }
 func (x *Setting) Reset() {
@@ -867,31 +867,31 @@ type isSetting_Value interface {
 }
 type Setting_IntValue struct {
-	IntValue *Int `protobuf:"bytes,5,opt,name=int_value,json=intValue,proto3,oneof" yaml:"int_value"` // @gotags: yaml:"int_value"
+	IntValue *Int `protobuf:"bytes,5,opt,name=int_value,json=intValue,proto3,oneof"` // @gotags: yaml:"int_value"
 }
 type Setting_StringValue struct {
-	StringValue *String `protobuf:"bytes,6,opt,name=string_value,json=stringValue,proto3,oneof" yaml:"string_value"` // @gotags: yaml:"string_value"
+	StringValue *String `protobuf:"bytes,6,opt,name=string_value,json=stringValue,proto3,oneof"` // @gotags: yaml:"string_value"
 }
 type Setting_BoolValue struct {
-	BoolValue *Bool `protobuf:"bytes,7,opt,name=bool_value,json=boolValue,proto3,oneof" yaml:"bool_value"` // @gotags: yaml:"bool_value"
+	BoolValue *Bool `protobuf:"bytes,7,opt,name=bool_value,json=boolValue,proto3,oneof"` // @gotags: yaml:"bool_value"
 }
 type Setting_SingleChoiceValue struct {
-	SingleChoiceValue *SingleChoiceList `protobuf:"bytes,8,opt,name=single_choice_value,json=singleChoiceValue,proto3,oneof" yaml:"single_choice_value"` // @gotags: yaml:"single_choice_value"
+	SingleChoiceValue *SingleChoiceList `protobuf:"bytes,8,opt,name=single_choice_value,json=singleChoiceValue,proto3,oneof"` // @gotags: yaml:"single_choice_value"
 }
 type Setting_MultiChoiceValue struct {
-	MultiChoiceValue *MultiChoiceList `protobuf:"bytes,9,opt,name=multi_choice_value,json=multiChoiceValue,proto3,oneof" yaml:"multi_choice_value"` // @gotags: yaml:"multi_choice_value"
+	MultiChoiceValue *MultiChoiceList `protobuf:"bytes,9,opt,name=multi_choice_value,json=multiChoiceValue,proto3,oneof"` // @gotags: yaml:"multi_choice_value"
 }
 type Setting_PermissionValue struct {
-	PermissionValue *Permission `protobuf:"bytes,10,opt,name=permission_value,json=permissionValue,proto3,oneof" yaml:"permission_value"` // @gotags: yaml:"permission_value"
+	PermissionValue *Permission `protobuf:"bytes,10,opt,name=permission_value,json=permissionValue,proto3,oneof"` // @gotags: yaml:"permission_value"
 }
 type Setting_MultiChoiceCollectionValue struct {
-	MultiChoiceCollectionValue *MultiChoiceCollection `protobuf:"bytes,12,opt,name=multi_choice_collection_value,json=multiChoiceCollectionValue,proto3,oneof" yaml:"multi_choice_collection_value"` // @gotags: yaml:"multi_choice_collection_value"
+	MultiChoiceCollectionValue *MultiChoiceCollection `protobuf:"bytes,12,opt,name=multi_choice_collection_value,json=multiChoiceCollectionValue,proto3,oneof"` // @gotags: yaml:"multi_choice_collection_value"
 }
 func (*Setting_IntValue) isSetting_Value() {}
@@ -913,11 +913,11 @@ type Int struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
-	Default     int64  `protobuf:"varint,1,opt,name=default,proto3" json:"default,omitempty" yaml:"default"`        // @gotags: yaml:"default"
+	Default     int64  `protobuf:"varint,1,opt,name=default,proto3" json:"default,omitempty"`        // @gotags: yaml:"default"
-	Min         int64  `protobuf:"varint,2,opt,name=min,proto3" json:"min,omitempty" yaml:"min"`                // @gotags: yaml:"min"
+	Min         int64  `protobuf:"varint,2,opt,name=min,proto3" json:"min,omitempty"`                // @gotags: yaml:"min"
-	Max         int64  `protobuf:"varint,3,opt,name=max,proto3" json:"max,omitempty" yaml:"max"`                // @gotags: yaml:"max"
+	Max         int64  `protobuf:"varint,3,opt,name=max,proto3" json:"max,omitempty"`                // @gotags: yaml:"max"
-	Step        int64  `protobuf:"varint,4,opt,name=step,proto3" json:"step,omitempty" yaml:"step"`              // @gotags: yaml:"step"
+	Step        int64  `protobuf:"varint,4,opt,name=step,proto3" json:"step,omitempty"`              // @gotags: yaml:"step"
-	Placeholder string `protobuf:"bytes,5,opt,name=placeholder,proto3" json:"placeholder,omitempty" yaml:"placeholder"` // @gotags: yaml:"placeholder"
+	Placeholder string `protobuf:"bytes,5,opt,name=placeholder,proto3" json:"placeholder,omitempty"` // @gotags: yaml:"placeholder"
 }
 func (x *Int) Reset() {
@@ -992,11 +992,11 @@ type String struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
-	Default     string `protobuf:"bytes,1,opt,name=default,proto3" json:"default,omitempty" yaml:"default"`                       // @gotags: yaml:"default"
+	Default     string `protobuf:"bytes,1,opt,name=default,proto3" json:"default,omitempty"`                       // @gotags: yaml:"default"
-	Required    bool   `protobuf:"varint,2,opt,name=required,proto3" json:"required,omitempty" yaml:"required"`                    // @gotags: yaml:"required"
+	Required    bool   `protobuf:"varint,2,opt,name=required,proto3" json:"required,omitempty"`                    // @gotags: yaml:"required"
-	MinLength   int32  `protobuf:"varint,3,opt,name=min_length,json=minLength,proto3" json:"min_length,omitempty" yaml:"min_length"` // @gotags: yaml:"min_length"
+	MinLength   int32  `protobuf:"varint,3,opt,name=min_length,json=minLength,proto3" json:"min_length,omitempty"` // @gotags: yaml:"min_length"
-	MaxLength   int32  `protobuf:"varint,4,opt,name=max_length,json=maxLength,proto3" json:"max_length,omitempty" yaml:"max_length"` // @gotags: yaml:"max_length"
+	MaxLength   int32  `protobuf:"varint,4,opt,name=max_length,json=maxLength,proto3" json:"max_length,omitempty"` // @gotags: yaml:"max_length"
-	Placeholder string `protobuf:"bytes,5,opt,name=placeholder,proto3" json:"placeholder,omitempty" yaml:"placeholder"`               // @gotags: yaml:"placeholder"
+	Placeholder string `protobuf:"bytes,5,opt,name=placeholder,proto3" json:"placeholder,omitempty"`               // @gotags: yaml:"placeholder"
 }
 func (x *String) Reset() {
@@ -1071,8 +1071,8 @@ type Bool struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
-	Default bool   `protobuf:"varint,1,opt,name=default,proto3" json:"default,omitempty" yaml:"default"` // @gotags: yaml:"default"
+	Default bool   `protobuf:"varint,1,opt,name=default,proto3" json:"default,omitempty"` // @gotags: yaml:"default"
-	Label   string `protobuf:"bytes,2,opt,name=label,proto3" json:"label,omitempty" yaml:"label"`      // @gotags: yaml:"label"
+	Label   string `protobuf:"bytes,2,opt,name=label,proto3" json:"label,omitempty"`      // @gotags: yaml:"label"
 }
 func (x *Bool) Reset() {
@@ -1126,7 +1126,7 @@ type SingleChoiceList struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
-	Options []*ListOption `protobuf:"bytes,1,rep,name=options,proto3" json:"options,omitempty" yaml:"options"` // @gotags: yaml:"options"
+	Options []*ListOption `protobuf:"bytes,1,rep,name=options,proto3" json:"options,omitempty"` // @gotags: yaml:"options"
 }
 func (x *SingleChoiceList) Reset() {
@@ -1173,7 +1173,7 @@ type MultiChoiceList struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
-	Options []*ListOption `protobuf:"bytes,1,rep,name=options,proto3" json:"options,omitempty" yaml:"options"` // @gotags: yaml:"options"
+	Options []*ListOption `protobuf:"bytes,1,rep,name=options,proto3" json:"options,omitempty"` // @gotags: yaml:"options"
 }
 func (x *MultiChoiceList) Reset() {
@@ -1220,9 +1220,9 @@ type ListOption struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
-	Value        *ListOptionValue `protobuf:"bytes,1,opt,name=value,proto3" json:"value,omitempty" yaml:"value"`                                   // @gotags: yaml:"value"
+	Value        *ListOptionValue `protobuf:"bytes,1,opt,name=value,proto3" json:"value,omitempty"`                                   // @gotags: yaml:"value"
-	Default      bool             `protobuf:"varint,2,opt,name=default,proto3" json:"default,omitempty" yaml:"default"`                              // @gotags: yaml:"default"
+	Default      bool             `protobuf:"varint,2,opt,name=default,proto3" json:"default,omitempty"`                              // @gotags: yaml:"default"
-	DisplayValue string           `protobuf:"bytes,3,opt,name=display_value,json=displayValue,proto3" json:"display_value,omitempty" yaml:"display_value"` // @gotags: yaml:"display_value"
+	DisplayValue string           `protobuf:"bytes,3,opt,name=display_value,json=displayValue,proto3" json:"display_value,omitempty"` // @gotags: yaml:"display_value"
 }
 func (x *ListOption) Reset() {
@@ -1283,7 +1283,7 @@ type MultiChoiceCollection struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
-	Options []*MultiChoiceCollectionOption `protobuf:"bytes,1,rep,name=options,proto3" json:"options,omitempty" yaml:"options"` // @gotags: yaml:"options"
+	Options []*MultiChoiceCollectionOption `protobuf:"bytes,1,rep,name=options,proto3" json:"options,omitempty"` // @gotags: yaml:"options"
 }
 func (x *MultiChoiceCollection) Reset() {
@@ -1330,10 +1330,10 @@ type MultiChoiceCollectionOption struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
-	Value        *MultiChoiceCollectionOptionValue `protobuf:"bytes,1,opt,name=value,proto3" json:"value,omitempty" yaml:"value"`                                   // @gotags: yaml:"value"
+	Value        *MultiChoiceCollectionOptionValue `protobuf:"bytes,1,opt,name=value,proto3" json:"value,omitempty"`                                   // @gotags: yaml:"value"
-	Key          string                            `protobuf:"bytes,2,opt,name=key,proto3" json:"key,omitempty" yaml:"key"`                                       // @gotags: yaml:"key"
+	Key          string                            `protobuf:"bytes,2,opt,name=key,proto3" json:"key,omitempty"`                                       // @gotags: yaml:"key"
-	Attribute    string                            `protobuf:"bytes,3,opt,name=attribute,proto3" json:"attribute,omitempty" yaml:"attribute"`                           // @gotags: yaml:"attribute"
+	Attribute    string                            `protobuf:"bytes,3,opt,name=attribute,proto3" json:"attribute,omitempty"`                           // @gotags: yaml:"attribute"
-	DisplayValue string                            `protobuf:"bytes,4,opt,name=display_value,json=displayValue,proto3" json:"display_value,omitempty" yaml:"display_value"` // @gotags: yaml:"display_value"
+	DisplayValue string                            `protobuf:"bytes,4,opt,name=display_value,json=displayValue,proto3" json:"display_value,omitempty"` // @gotags: yaml:"display_value"
 }
 func (x *MultiChoiceCollectionOption) Reset() {
@@ -1474,15 +1474,15 @@ type isMultiChoiceCollectionOptionValue_Option interface {
 }
 type MultiChoiceCollectionOptionValue_IntValue struct {
-	IntValue *Int `protobuf:"bytes,1,opt,name=int_value,json=intValue,proto3,oneof" yaml:"int_value"` // @gotags: yaml:"int_value"
+	IntValue *Int `protobuf:"bytes,1,opt,name=int_value,json=intValue,proto3,oneof"` // @gotags: yaml:"int_value"
 }
 type MultiChoiceCollectionOptionValue_StringValue struct {
-	StringValue *String `protobuf:"bytes,2,opt,name=string_value,json=stringValue,proto3,oneof" yaml:"string_value"` // @gotags: yaml:"string_value"
+	StringValue *String `protobuf:"bytes,2,opt,name=string_value,json=stringValue,proto3,oneof"` // @gotags: yaml:"string_value"
 }
 type MultiChoiceCollectionOptionValue_BoolValue struct {
-	BoolValue *Bool `protobuf:"bytes,3,opt,name=bool_value,json=boolValue,proto3,oneof" yaml:"bool_value"` // @gotags: yaml:"bool_value"
+	BoolValue *Bool `protobuf:"bytes,3,opt,name=bool_value,json=boolValue,proto3,oneof"` // @gotags: yaml:"bool_value"
 }
 func (*MultiChoiceCollectionOptionValue_IntValue) isMultiChoiceCollectionOptionValue_Option() {}
@@ -1496,8 +1496,8 @@ type Permission struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
-	Operation  Permission_Operation  `protobuf:"varint,1,opt,name=operation,proto3,enum=ocis.messages.settings.v0.Permission_Operation" json:"operation,omitempty" yaml:"operation"`    // @gotags: yaml:"operation"
+	Operation  Permission_Operation  `protobuf:"varint,1,opt,name=operation,proto3,enum=ocis.messages.settings.v0.Permission_Operation" json:"operation,omitempty"`    // @gotags: yaml:"operation"
-	Constraint Permission_Constraint `protobuf:"varint,2,opt,name=constraint,proto3,enum=ocis.messages.settings.v0.Permission_Constraint" json:"constraint,omitempty" yaml:"constraint"` // @gotags: yaml:"constraint"
+	Constraint Permission_Constraint `protobuf:"varint,2,opt,name=constraint,proto3,enum=ocis.messages.settings.v0.Permission_Constraint" json:"constraint,omitempty"` // @gotags: yaml:"constraint"
 }
 func (x *Permission) Reset() {
@@ -1552,12 +1552,12 @@ type Value struct {
 	unknownFields protoimpl.UnknownFields
 	// id is the id of the Value. It is generated on saving it.
-	Id       string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty" yaml:"id"`                             // @gotags: yaml:"id"
+	Id       string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`                             // @gotags: yaml:"id"
-	BundleId string `protobuf:"bytes,2,opt,name=bundle_id,json=bundleId,proto3" json:"bundle_id,omitempty" yaml:"bundle_id"` // @gotags: yaml:"bundle_id"
+	BundleId string `protobuf:"bytes,2,opt,name=bundle_id,json=bundleId,proto3" json:"bundle_id,omitempty"` // @gotags: yaml:"bundle_id"
 	// setting_id is the id of the setting from within its bundle.
-	SettingId   string    `protobuf:"bytes,3,opt,name=setting_id,json=settingId,proto3" json:"setting_id,omitempty" yaml:"setting_id"`       // @gotags: yaml:"setting_id"
+	SettingId   string    `protobuf:"bytes,3,opt,name=setting_id,json=settingId,proto3" json:"setting_id,omitempty"`       // @gotags: yaml:"setting_id"
-	AccountUuid string    `protobuf:"bytes,4,opt,name=account_uuid,json=accountUuid,proto3" json:"account_uuid,omitempty" yaml:"account_uuid"` // @gotags: yaml:"account_uuid"
+	AccountUuid string    `protobuf:"bytes,4,opt,name=account_uuid,json=accountUuid,proto3" json:"account_uuid,omitempty"` // @gotags: yaml:"account_uuid"
-	Resource    *Resource `protobuf:"bytes,5,opt,name=resource,proto3" json:"resource,omitempty" yaml:"resource"`                          // @gotags: yaml:"resource"
+	Resource    *Resource `protobuf:"bytes,5,opt,name=resource,proto3" json:"resource,omitempty"`                          // @gotags: yaml:"resource"
 	// Types that are assignable to Value:
 	//
 	//	*Value_BoolValue
@@ -1682,23 +1682,23 @@ type isValue_Value interface {
 }
 type Value_BoolValue struct {
-	BoolValue bool `protobuf:"varint,6,opt,name=bool_value,json=boolValue,proto3,oneof" yaml:"bool_value"` // @gotags: yaml:"bool_value"
+	BoolValue bool `protobuf:"varint,6,opt,name=bool_value,json=boolValue,proto3,oneof"` // @gotags: yaml:"bool_value"
 }
 type Value_IntValue struct {
-	IntValue int64 `protobuf:"varint,7,opt,name=int_value,json=intValue,proto3,oneof" yaml:"int_value"` // @gotags: yaml:"int_value"
+	IntValue int64 `protobuf:"varint,7,opt,name=int_value,json=intValue,proto3,oneof"` // @gotags: yaml:"int_value"
 }
 type Value_StringValue struct {
-	StringValue string `protobuf:"bytes,8,opt,name=string_value,json=stringValue,proto3,oneof" yaml:"string_value"` // @gotags: yaml:"string_value"
+	StringValue string `protobuf:"bytes,8,opt,name=string_value,json=stringValue,proto3,oneof"` // @gotags: yaml:"string_value"
 }
 type Value_ListValue struct {
-	ListValue *ListValue `protobuf:"bytes,9,opt,name=list_value,json=listValue,proto3,oneof" yaml:"list_value"` // @gotags: yaml:"list_value"
+	ListValue *ListValue `protobuf:"bytes,9,opt,name=list_value,json=listValue,proto3,oneof"` // @gotags: yaml:"list_value"
 }
 type Value_CollectionValue struct {
-	CollectionValue *CollectionValue `protobuf:"bytes,10,opt,name=collection_value,json=collectionValue,proto3,oneof" yaml:"collection_value"` // @gotags: yaml:"collection_value"
+	CollectionValue *CollectionValue `protobuf:"bytes,10,opt,name=collection_value,json=collectionValue,proto3,oneof"` // @gotags: yaml:"collection_value"
 }
 func (*Value_BoolValue) isValue_Value() {}
@@ -1716,7 +1716,7 @@ type ListValue struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
-	Values []*ListOptionValue `protobuf:"bytes,1,rep,name=values,proto3" json:"values,omitempty" yaml:"values"` // @gotags: yaml:"values"
+	Values []*ListOptionValue `protobuf:"bytes,1,rep,name=values,proto3" json:"values,omitempty"` // @gotags: yaml:"values"
 }
 func (x *ListValue) Reset() {
@@ -1836,15 +1836,15 @@ type isListOptionValue_Option interface {
 }
 type ListOptionValue_StringValue struct {
-	StringValue string `protobuf:"bytes,1,opt,name=string_value,json=stringValue,proto3,oneof" yaml:"string_value"` // @gotags: yaml:"string_value"
+	StringValue string `protobuf:"bytes,1,opt,name=string_value,json=stringValue,proto3,oneof"` // @gotags: yaml:"string_value"
 }
 type ListOptionValue_IntValue struct {
-	IntValue int64 `protobuf:"varint,2,opt,name=int_value,json=intValue,proto3,oneof" yaml:"int_value"` // @gotags: yaml:"int_value"
+	IntValue int64 `protobuf:"varint,2,opt,name=int_value,json=intValue,proto3,oneof"` // @gotags: yaml:"int_value"
 }
 type ListOptionValue_BoolValue struct {
-	BoolValue bool `protobuf:"varint,3,opt,name=bool_value,json=boolValue,proto3,oneof" yaml:"bool_value"` // @gotags: yaml:"bool_value"
+	BoolValue bool `protobuf:"varint,3,opt,name=bool_value,json=boolValue,proto3,oneof"` // @gotags: yaml:"bool_value"
 }
 func (*ListOptionValue_StringValue) isListOptionValue_Option() {}
@@ -1858,7 +1858,7 @@ type CollectionValue struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
-	Values []*CollectionOption `protobuf:"bytes,1,rep,name=values,proto3" json:"values,omitempty" yaml:"values"` // @gotags: yaml:"values"
+	Values []*CollectionOption `protobuf:"bytes,1,rep,name=values,proto3" json:"values,omitempty"` // @gotags: yaml:"values"
 }
 func (x *CollectionValue) Reset() {
@@ -1906,7 +1906,7 @@ type CollectionOption struct {
 	unknownFields protoimpl.UnknownFields
 	// required
-	Key string `protobuf:"bytes,1,opt,name=key,proto3" json:"key,omitempty" yaml:"key"` // @gotags: yaml:"key"
+	Key string `protobuf:"bytes,1,opt,name=key,proto3" json:"key,omitempty"` // @gotags: yaml:"key"
 	// Types that are assignable to Option:
 	//
 	//	*CollectionOption_IntValue
@@ -1987,15 +1987,15 @@ type isCollectionOption_Option interface {
 }
 type CollectionOption_IntValue struct {
-	IntValue int64 `protobuf:"varint,2,opt,name=int_value,json=intValue,proto3,oneof" yaml:"int_value"` // @gotags: yaml:"int_value"
+	IntValue int64 `protobuf:"varint,2,opt,name=int_value,json=intValue,proto3,oneof"` // @gotags: yaml:"int_value"
 }
 type CollectionOption_StringValue struct {
-	StringValue string `protobuf:"bytes,3,opt,name=string_value,json=stringValue,proto3,oneof" yaml:"string_value"` // @gotags: yaml:"string_value"
+	StringValue string `protobuf:"bytes,3,opt,name=string_value,json=stringValue,proto3,oneof"` // @gotags: yaml:"string_value"
 }
 type CollectionOption_BoolValue struct {
-	BoolValue bool `protobuf:"varint,4,opt,name=bool_value,json=boolValue,proto3,oneof" yaml:"bool_value"` // @gotags: yaml:"bool_value"
+	BoolValue bool `protobuf:"varint,4,opt,name=bool_value,json=boolValue,proto3,oneof"` // @gotags: yaml:"bool_value"
 }
 func (*CollectionOption_IntValue) isCollectionOption_Option() {}
--- a/services/graph/pkg/config/config.go
+++ b/services/graph/pkg/config/config.go
@@ -97,6 +97,7 @@ type LDAP struct {
 	// Multi-Instance Only
 	UserMemberAttribute            string `yaml:"user_member_attribute" env:"OCIS_LDAP_USER_MEMBER_ATTRIBUTE" desc:"LDAP Attribute to signal the user is member of an instance. Requires OCIS_MULTI_INSTANCE_ENABLED." introductionVersion:"8.0.0"`
 	UserGuestAttribute             string `yaml:"user_guest_attribute" env:"OCIS_LDAP_USER_GUEST_ATTRIBUTE" desc:"LDAP Attribute to signal the user is guest of an instance. Requires OCIS_MULTI_INSTANCE_ENABLED." introductionVersion:"8.0.0"`
 	GroupAffiliationAttribute      string `yaml:"group_affiliation_attribute" env:"OCIS_LDAP_GROUP_AFFILIATION_ATTRIBUTE" desc:"LDAP Attribute to signal which instance the group is belonging to. Requires OCIS_MULTI_INSTANCE_ENABLED." introductionVersion:"8.0.0"`
 	PreciseSearchAttribute         string `yaml:"precise_search_attribute" env:"OCIS_LDAP_PRECISE_SEARCH_ATTRIBUTE" desc:"LDAP Attribute to be used for searching users on other instances. Requires OCIS_MULTI_INSTANCE_ENABLED." introductionVersion:"8.0.0"`
 	InstanceMapperEnabled          bool   `yaml:"instance_mapper_enabled" env:"OCIS_LDAP_INSTANCE_MAPPER_ENABLED" desc:"The InstanceMapper allows mapping instance names (user readable) to instance IDs (machine readable) based on an LDAP query. See other _INSTANCE_MAPPER_ env vars. Requires OCIS_MULTI_INSTANCE_ENABLED." introductionVersion:"8.0.0"`
 	InstanceMapperBaseDN           string `yaml:"instance_mapper_base_dn" env:"OCIS_LDAP_INSTANCE_MAPPER_BASE_DN" desc:"BaseDN of the 'instancename to instanceid' mapper in LDAP. Requires OCIS_MULTI_INSTANCE_ENABLED." introductionVersion:"8.0.0"`
--- a/services/graph/pkg/identity/ldap.go
+++ b/services/graph/pkg/identity/ldap.go
@@ -79,6 +79,7 @@ type LDAP struct {
 	conn   ldap.Client
 	// multi instance only
 	instanceID                     string
 	preciseSearchAttribute         string
 	instanceMapperEnabled          bool
 	instanceMapperBaseDN           string
@@ -146,9 +147,10 @@ func NewLDAPBackend(lc ldap.Client, config config.LDAP, logger *log.Logger, inst
 		return nil, errors.New("invalid group attribute mappings")
 	}
 	gam := groupAttributeMap{
-		name:   config.GroupNameAttribute,
+		name:        config.GroupNameAttribute,
-		id:     config.GroupIDAttribute,
+		id:          config.GroupIDAttribute,
-		member: config.GroupMemberAttribute,
+		member:      config.GroupMemberAttribute,
 		affiliation: config.GroupAffiliationAttribute,
 	}
 	var userScope, groupScope int
@@ -211,6 +213,7 @@ func NewLDAPBackend(lc ldap.Client, config config.LDAP, logger *log.Logger, inst
 		writeEnabled:                   config.WriteEnabled,
 		refintEnabled:                  config.RefintEnabled,
 		useExternalID:                  config.RequireExternalID,
 		instanceID:                     instanceID,
 		preciseSearchAttribute:         config.PreciseSearchAttribute,
 		instanceMapperEnabled:          config.InstanceMapperEnabled,
 		instanceMapperBaseDN:           config.InstanceMapperBaseDN,
--- a/services/graph/pkg/identity/ldap_group.go
+++ b/services/graph/pkg/identity/ldap_group.go
@@ -18,9 +18,10 @@ import (
 )
 type groupAttributeMap struct {
-	name   string
+	name        string
-	id     string
+	id          string
-	member string
+	member      string
 	affiliation string
 }
 // GetGroup implements the Backend Interface for the LDAP Backend
@@ -199,13 +200,24 @@ func (i *LDAP) CreateGroup(ctx context.Context, group libregraph.Group) (*libreg
 	if err := i.conn.Add(ar); err != nil {
 		var lerr *ldap.Error
-		logger.Debug().Str("backend", "ldap").Str("dn", group.GetDisplayName()).Err(err).Msg("Failed to create group")
+		logger.Error().Str("backend", "ldap").Str("dn", group.GetDisplayName()).Err(err).Msg("Failed to create group")
 		if errors.As(err, &lerr) {
 			if lerr.ResultCode == ldap.LDAPResultEntryAlreadyExists {
 				err = errorcode.New(errorcode.NameAlreadyExists, "group already exists")
 			}
 			if lerr.ResultCode == ldap.LDAPResultNoSuchObject {
 				r := ldap.NewAddRequest(i.groupCreateBaseDN, nil)
 				r.Attribute("objectClass", []string{"organizationalUnit"})
 				e := i.conn.Add(r)
 				if e == nil {
 					err = i.conn.Add(ar)
 				}
 			}
 		}
 		if err != nil {
 			return nil, err
 		}
 		return nil, err
 	}
 	// Read	back group from LDAP to get the generated UUID
@@ -436,7 +448,7 @@ func (i *LDAP) getGroupCreateLDAPDN(group libregraph.Group) string {
 func (i *LDAP) groupToLDAPAttrValues(group libregraph.Group) (map[string][]string, error) {
 	attrs := map[string][]string{
 		i.groupAttributeMap.name: {group.GetDisplayName()},
-		"objectClass":            {"groupOfNames", "top"},
+		"objectClass":            {"groupOfNames", "top", i.groupObjectClass},
 		// This is a crutch to allow groups without members for LDAP servers
 		// that apply strict Schema checking. The RFCs define "member/uniqueMember"
 		// as required attribute for groupOfNames/groupOfUniqueNames. So we
@@ -451,6 +463,11 @@ func (i *LDAP) groupToLDAPAttrValues(group libregraph.Group) (map[string][]strin
 		attrs["owncloudUUID"] = []string{uuid.Must(uuid.NewV4()).String()}
 		attrs["objectClass"] = append(attrs["objectClass"], "owncloud")
 	}
 	if i.instanceID != "" {
 		attrs[i.groupAttributeMap.affiliation] = []string{i.instanceID}
 	}
 	return attrs, nil
 }
--- a/services/graph/pkg/service/v0/groups.go
+++ b/services/graph/pkg/service/v0/groups.go
@@ -126,7 +126,7 @@ func (g Graph) PostGroup(w http.ResponseWriter, r *http.Request) {
 	}
 	if grp, err = g.identityBackend.CreateGroup(r.Context(), *grp); err != nil {
-		logger.Debug().Err(err).Interface("group", grp).Msg("could not create group: backend error")
+		logger.Error().Err(err).Interface("group", grp).Msg("could not create group: backend error")
 		errorcode.RenderError(w, r, err)
 		return
 	}
--- a/services/proxy/pkg/user/backend/cs3.go
+++ b/services/proxy/pkg/user/backend/cs3.go
@@ -261,6 +261,11 @@ func (c *cs3backend) UpdateUserIfNeeded(ctx context.Context, user *cs3.User, cla
 // SyncGroupMemberships maintains a users group memberships based on an OIDC claim
 func (c *cs3backend) SyncGroupMemberships(ctx context.Context, user *cs3.User, claims map[string]interface{}) error {
 	if c.autoProvisionClaims.Groups == "" {
 		// do not sync groups when claim is not set
 		return nil
 	}
 	gatewayClient, err := c.gatewaySelector.Next()
 	if err != nil {
 		c.logger.Error().Err(err).Msg("could not select next gateway client")