feat: add ldap to ocis-multi example

Signed-off-by: Julian Koberg <julian.koberg@kiteworks.com>

deployments/examples/ocis_multi/config/ldap/ldif/04_internal.ldif

@@ -0,0 +1,8 @@
+# groupOfNames requires at least one member to be present
+# The refint will use this dn if the last member of the group
+# has been removed
+dn: cn=nobody,dc=owncloud,dc=com
+objectClass: top
+objectClass: organizationalRole
+description: to be used for refint in empty groups
+cn: nobody

deployments/examples/ocis_multi/config/ldap/ldif/05_memberofconf.ldif

@@ -0,0 +1,14 @@
+# configure memberof overlay to use groupOfNames and member attributes
+dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
+changetype: modify
+replace: olcMemberOfGroupOC
+olcMemberOfGroupOC: groupOfNames
+-
+replace: olcMemberOfMemberAD
+olcMemberOfMemberAD: member
+
+# configure refint overlay to use nobody if no member is present
+dn: olcOverlay={1}refint,olcDatabase={1}mdb,cn=config
+changetype: modify
+replace: olcRefintNothing
+olcRefintNothing: cn=nobody,dc=owncloud,dc=com

deployments/examples/ocis_multi/config/ldap/ldif/10_base.ldif

@@ -0,0 +1,14 @@
+# the owncloud organization is already setup by osixia configuration
+#dn: dc=owncloud,dc=com
+#objectClass: organization
+#objectClass: dcObject
+#dc: owncloud
+#o: ownCloud
+
+dn: ou=users,dc=owncloud,dc=com
+objectClass: organizationalUnit
+ou: users
+
+dn: ou=groups,dc=owncloud,dc=com
+objectClass: organizationalUnit
+ou: groups

deployments/examples/ocis_multi/config/ldap/ldif/20_users.ldif

@@ -0,0 +1,130 @@
+# Start dn with uid (user identifier / login), not cn (Firstname + Surname)
+dn: uid=einstein,ou=users,dc=owncloud,dc=com
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: ownCloudUser
+objectClass: person
+objectClass: posixAccount
+objectClass: top
+uid: einstein
+givenName: Albert
+sn: Einstein
+cn: einstein
+displayName: Albert Einstein
+description: A German-born theoretical physicist who developed the theory of relativity, one of the two pillars of modern physics (alongside quantum mechanics).
+mail: einstein@example.org
+uidNumber: 20000
+gidNumber: 30000
+homeDirectory: /home/einstein
+ownCloudUUID: 4c510ada-c86b-4815-8820-42cdf82c3d51
+owncloudGuestOf: base
+owncloudGuestOf: ocm
+userPassword:: e1NTSEF9TXJEcXpFNGdKbXZxbVRVTGhvWEZ1VzJBbkV3NWFLK3J3WTIvbHc9PQ==
+
+dn: uid=marie,ou=users,dc=owncloud,dc=com
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: ownCloudUser
+objectClass: person
+objectClass: posixAccount
+objectClass: top
+uid: marie
+givenName: Marie
+sn: Curie
+cn: marie
+displayName: Marie Skłodowska Curie
+description: A Polish and naturalized-French physicist and chemist who conducted pioneering research on radioactivity.
+mail: marie@example.org
+uidNumber: 20001
+gidNumber: 30000
+homeDirectory: /home/marie
+ownCloudUUID: f7fbf8c8-139b-4376-b307-cf0a8c2d0d9c
+owncloudMemberOf: ocm
+owncloudGuestOf: base
+userPassword:: e1NTSEF9UmFvQWs3TU9jRHBIUWY3bXN3MGhHNnVraFZQWnRIRlhOSUNNZEE9PQ==
+
+dn: uid=richard,ou=users,dc=owncloud,dc=com
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: ownCloudUser
+objectClass: person
+objectClass: posixAccount
+objectClass: top
+uid: richard
+givenName: Richard
+sn: Feynman
+cn: richard
+displayName: Richard Phillips Feynman
+description: An American theoretical physicist, known for his work in the path integral formulation of quantum mechanics, the theory of quantum electrodynamics, the physics of the superfluidity of supercooled liquid helium, as well as his work in particle physics for which he proposed the parton model.
+mail: richard@example.org
+uidNumber: 20002
+gidNumber: 30000
+homeDirectory: /home/richard
+ownCloudUUID: 932b4540-8d16-481e-8ef4-588e4b6b151c
+owncloudMemberOf: base
+owncloudGuestOf: ocm
+userPassword:: e1NTSEF9Z05LZTRreHdmOGRUREY5eHlhSmpySTZ3MGxSVUM1d1RGcWROTVE9PQ==
+
+dn: uid=katherine,ou=users,dc=owncloud,dc=com
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: ownCloudUser
+objectClass: person
+objectClass: posixAccount
+objectClass: top
+uid: katherine
+givenName: Katherine
+sn: Johnson
+cn: johnson
+displayName: Creola Katherine Johnson
+description: An American mathematician whose precise orbital calculations were critical to NASA’s early spaceflights, including the Mercury and Apollo missions.
+mail: katherine@example.org
+uidNumber: 20002
+gidNumber: 30000
+homeDirectory: /home/katherine
+ownCloudUUID: 534bb038-6f9d-4093-946f-133be61fa4e7
+owncloudMemberOf: base
+userPassword:: e1NTSEF9Z05LZTRreHdmOGRUREY5eHlhSmpySTZ3MGxSVUM1d1RGcWROTVE9PQ==
+
+dn: uid=moss,ou=users,dc=owncloud,dc=com
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: ownCloudUser
+objectClass: person
+objectClass: posixAccount
+objectClass: top
+uid: moss
+givenName: Maurice
+sn: Moss
+cn: moss
+displayName: Maurice Moss
+description: A worker in the IT Department of Reynholm Industries. Of all the working staff in the IT Department, he is the most hard-working, the most experienced, and the most capable of doing his job well. He puts a lot of effort into his work, however he does not get the credit he deserves.
+mail: moss@example.org
+uidNumber: 20003
+gidNumber: 30000
+homeDirectory: /home/moss
+ownCloudUUID: 058bff95-6708-4fe5-91e4-9ea3d377588b
+owncloudMemberOf: ocm
+userPassword:: e1NTSEF9N0hEdTRoMkFDVExFWWt4U0RtSDZVQjhmUlpKRExDZDc=
+
+dn: uid=admin,ou=users,dc=owncloud,dc=com
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: ownCloudUser
+objectClass: person
+objectClass: posixAccount
+objectClass: top
+uid: admin
+givenName: Admin
+sn: Admin
+cn: admin
+displayName: Admin
+description: An admin for this oCIS instance.
+mail: admin@example.org
+uidNumber: 20004
+gidNumber: 30000
+homeDirectory: /home/admin
+ownCloudUUID: ddc2004c-0977-11eb-9d3f-a793888cd0f8
+owncloudMemberOf: base
+owncloudMemberOf: ocm
+userPassword:: e1NTSEF9UWhmaFB3dERydTUydURoWFFObDRMbzVIckI3TkI5Nmo=

deployments/examples/ocis_multi/config/ldap/ldif/30_groups.ldif

@@ -0,0 +1,77 @@
+dn: cn=users,ou=groups,dc=owncloud,dc=com
+objectClass: groupOfNames
+objectClass: ownCloud
+objectClass: top
+cn: users
+description: Users
+ownCloudUUID: 509a9dcd-bb37-4f4f-a01a-19dca27d9cfa
+member: uid=einstein,ou=users,dc=owncloud,dc=com
+member: uid=marie,ou=users,dc=owncloud,dc=com
+member: uid=richard,ou=users,dc=owncloud,dc=com
+member: uid=moss,ou=users,dc=owncloud,dc=com
+member: uid=admin,ou=users,dc=owncloud,dc=com
+
+dn: cn=sailing-lovers,ou=groups,dc=owncloud,dc=com
+objectClass: groupOfNames
+objectClass: ownCloud
+objectClass: top
+cn: sailing-lovers
+description: Sailing lovers
+ownCloudUUID: 6040aa17-9c64-4fef-9bd0-77234d71bad0
+member: uid=einstein,ou=users,dc=owncloud,dc=com
+
+dn: cn=violin-haters,ou=groups,dc=owncloud,dc=com
+objectClass: groupOfNames
+objectClass: ownCloud
+objectClass: top
+cn: violin-haters
+description: Violin haters
+ownCloudUUID: dd58e5ec-842e-498b-8800-61f2ec6f911f
+member: uid=einstein,ou=users,dc=owncloud,dc=com
+
+dn: cn=radium-lovers,ou=groups,dc=owncloud,dc=com
+objectClass: groupOfNames
+objectClass: ownCloud
+objectClass: top
+cn: radium-lovers
+description: Radium lovers
+ownCloudUUID: 7b87fd49-286e-4a5f-bafd-c535d5dd997a
+member: uid=marie,ou=users,dc=owncloud,dc=com
+
+dn: cn=polonium-lovers,ou=groups,dc=owncloud,dc=com
+objectClass: groupOfNames
+objectClass: ownCloud
+objectClass: top
+cn: polonium-lovers
+description: Polonium lovers
+ownCloudUUID: cedc21aa-4072-4614-8676-fa9165f598ff
+member: uid=marie,ou=users,dc=owncloud,dc=com
+
+dn: cn=quantum-lovers,ou=groups,dc=owncloud,dc=com
+objectClass: groupOfNames
+objectClass: ownCloud
+objectClass: top
+cn: quantum-lovers
+description: Quantum lovers
+ownCloudUUID: a1726108-01f8-4c30-88df-2b1a9d1cba1a
+member: uid=richard,ou=users,dc=owncloud,dc=com
+
+dn: cn=philosophy-haters,ou=groups,dc=owncloud,dc=com
+objectClass: groupOfNames
+objectClass: ownCloud
+objectClass: top
+cn: philosophy-haters
+description: Philosophy haters
+ownCloudUUID: 167cbee2-0518-455a-bfb2-031fe0621e5d
+member: uid=richard,ou=users,dc=owncloud,dc=com
+
+dn: cn=physics-lovers,ou=groups,dc=owncloud,dc=com
+objectClass: groupOfNames
+objectClass: ownCloud
+objectClass: top
+cn: physics-lovers
+description: Physics lovers
+ownCloudUUID: 262982c1-2362-4afa-bfdf-8cbfef64a06e
+member: uid=einstein,ou=users,dc=owncloud,dc=com
+member: uid=marie,ou=users,dc=owncloud,dc=com
+member: uid=richard,ou=users,dc=owncloud,dc=com

deployments/examples/ocis_multi/config/ldap/schemas/10_owncloud_schema.ldif

@@ -0,0 +1,47 @@
+# This LDIF files describes the ownCloud schema
+dn: cn=owncloud,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: owncloud
+olcObjectIdentifier: ownCloudOid 1.3.6.1.4.1.39430
+olcAttributeTypes: ( ownCloudOid:1.1.2 NAME 'ownCloudUUID'
+  DESC 'A non-reassignable and persistent account ID)'
+  EQUALITY uuidMatch
+  SUBSTR caseIgnoreSubstringsMatch
+  SYNTAX 1.3.6.1.1.16.1 SINGLE-VALUE )
+olcAttributeTypes: ( ownCloudOid:1.1.3 NAME 'oCExternalIdentity'
+  DESC 'A triple separated by "$" representing the objectIdentity resource type of the Graph API ( signInType $ issuer $ issuerAssignedId )'
+  EQUALITY caseIgnoreMatch
+  SUBSTR caseIgnoreSubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: ( ownCloudOid:1.1.4 NAME 'ownCloudUserEnabled'
+  DESC 'A boolean value indicating if ownCloudUser is enabled'
+  EQUALITY booleanMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE)
+olcAttributeTypes: ( ownCloudOid:1.1.5 NAME 'ownCloudUserType'
+  DESC 'User type (e.g. Member or Guest)'
+  EQUALITY caseIgnoreMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
+olcAttributeTypes: ( ownCloudOid:1.1.6 NAME 'ocLastSignInTimestamp'
+  DESC 'The timestamp of the last sign-in'
+  EQUALITY generalizedTimeMatch
+  ORDERING generalizedTimeOrderingMatch
+  SYNTAX  1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
+olcAttributeTypes: ( ownCloudOid:1.1.7 NAME 'ownCloudMemberOf'
+  DESC 'Instances the user is member of'
+  EQUALITY caseIgnoreMatch
+  SUBSTR caseIgnoreSubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: ( ownCloudOid:1.1.8 NAME 'ownCloudGuestOf'
+  DESC 'Instances the user is guest of'
+  EQUALITY caseIgnoreMatch
+  SUBSTR caseIgnoreSubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcObjectClasses: ( ownCloudOid:1.2.1 NAME 'ownCloud'
+  DESC 'ownCloud LDAP Schema'
+  AUXILIARY
+  MAY ( ownCloudUUID ) )
+olcObjectClasses: ( ownCloudOid:1.2.2 NAME 'ownCloudUser'
+  DESC 'ownCloud User LDAP Schema'
+  SUP ownCloud
+  AUXILIARY
+  MAY ( ocExternalIdentity $ ownCloudUserEnabled $ ownCloudUserType $ ocLastSignInTimestamp $ ownCloudMemberOf $ ownCloudGuestOf) )

deployments/examples/ocis_multi/docker-compose.yml

@@ -75,8 +75,7 @@ services:
       PROXY_USER_CS3_CLAIM: "username"
       # INSECURE: needed if oCIS / Traefik is using self generated certificates
       OCIS_INSECURE: "${INSECURE:-true}"
-      OCIS_ADMIN_USER_ID: ""
-      OCIS_EXCLUDE_RUN_SERVICES: "idp"
+      OCIS_EXCLUDE_RUN_SERVICES: "idp,idm"
       GRAPH_ASSIGN_DEFAULT_USER_ROLE: "false"
       GRAPH_USERNAME_MATCH: "none"
       # password policies
@@ -86,6 +85,24 @@ services:
       WEB_OIDC_SCOPE: "openid profile email acr"
       OCIS_MULTI_INSTANCE_ENABLED: true
       OCIS_MULTI_INSTANCE_INSTANCEID: "base"
+      # LDAP
+      OCIS_LDAP_URI: ldaps://ldap-server:636
+      OCIS_LDAP_INSECURE: "true"
+      OCIS_LDAP_BIND_DN: "cn=admin,dc=owncloud,dc=com"
+      OCIS_LDAP_BIND_PASSWORD: ${LDAP_ADMIN_PASSWORD:-admin}
+      OCIS_LDAP_GROUP_BASE_DN: "ou=groups,dc=owncloud,dc=com"
+      OCIS_LDAP_GROUP_FILTER: "(objectclass=owncloud)"
+      OCIS_LDAP_GROUP_OBJECTCLASS: "groupOfNames"
+      OCIS_LDAP_USER_BASE_DN: "ou=users,dc=owncloud,dc=com"
+      OCIS_LDAP_USER_FILTER: "(objectclass=owncloud)"
+      OCIS_LDAP_USER_OBJECTCLASS: "inetOrgPerson"
+      LDAP_LOGIN_ATTRIBUTES: "uid"
+      OCIS_ADMIN_USER_ID: "ddc2004c-0977-11eb-9d3f-a793888cd0f8"
+      IDP_LDAP_LOGIN_ATTRIBUTE: "uid"
+      IDP_LDAP_UUID_ATTRIBUTE: "ownclouduuid"
+      IDP_LDAP_UUID_ATTRIBUTE_TYPE: binary
+      GRAPH_LDAP_SERVER_WRITE_ENABLED: "true" # assuming the external ldap is writable
+      GRAPH_LDAP_REFINT_ENABLED: "true" # osixia has refint enabled.
     volumes:
       - ./config/ocis/banned-password-list.txt:/etc/ocis/banned-password-list.txt
       - ./config/ocis/csp.yaml:/etc/ocis/csp.yaml
@@ -130,8 +147,7 @@ services:
       PROXY_USER_CS3_CLAIM: "username"
       # ??
       OCIS_INSECURE: "${INSECURE:-true}"
-      OCIS_ADMIN_USER_ID: ""
-      OCIS_EXCLUDE_RUN_SERVICES: "idp"
+      OCIS_EXCLUDE_RUN_SERVICES: "idp,idm"
       GRAPH_ASSIGN_DEFAULT_USER_ROLE: "false"
       GRAPH_USERNAME_MATCH: "none"
       # CSP
@@ -149,6 +165,24 @@ services:
       NATS_NATS_PORT: 9233
       #keycloak
       WEB_UI_CONFIG_FILE: /etc/ocis/ocis.ocm.web.config.json
+      # LDAP
+      OCIS_LDAP_URI: ldaps://ldap-server:636
+      OCIS_LDAP_INSECURE: "true"
+      OCIS_LDAP_BIND_DN: "cn=admin,dc=owncloud,dc=com"
+      OCIS_LDAP_BIND_PASSWORD: ${LDAP_ADMIN_PASSWORD:-admin}
+      OCIS_LDAP_GROUP_BASE_DN: "ou=groups,dc=owncloud,dc=com"
+      OCIS_LDAP_GROUP_FILTER: "(objectclass=owncloud)"
+      OCIS_LDAP_GROUP_OBJECTCLASS: "groupOfNames"
+      OCIS_LDAP_USER_BASE_DN: "ou=users,dc=owncloud,dc=com"
+      OCIS_LDAP_USER_FILTER: "(objectclass=owncloud)"
+      OCIS_LDAP_USER_OBJECTCLASS: "inetOrgPerson"
+      LDAP_LOGIN_ATTRIBUTES: "uid"
+      OCIS_ADMIN_USER_ID: "ddc2004c-0977-11eb-9d3f-a793888cd0f8"
+      IDP_LDAP_LOGIN_ATTRIBUTE: "uid"
+      IDP_LDAP_UUID_ATTRIBUTE: "ownclouduuid"
+      IDP_LDAP_UUID_ATTRIBUTE_TYPE: binary
+      GRAPH_LDAP_SERVER_WRITE_ENABLED: "true" # assuming the external ldap is writable
+      GRAPH_LDAP_REFINT_ENABLED: "true" # osixia has refint enabled.
     volumes:
       - ./config/ocis/csp-ocm.yaml:/etc/ocis/csp-ocm.yaml
       - ./config/ocis/ocis.ocm.web.config.json:/etc/ocis/ocis.ocm.web.config.json:ro
@@ -218,6 +252,50 @@ services:
       driver: ${LOG_DRIVER:-local}
     restart: always
 
+  ldap-server:
+    image: osixia/openldap:1.5.0
+    networks:
+      ocis-net:
+    environment:
+      LDAP_TLS_VERIFY_CLIENT: never
+      LDAP_TLS: true
+      LDAP_ORGANISATION: owncloud
+      LDAP_DOMAIN: owncloud.com
+      LDAP_ROOT: "dc=owncloud,dc=com"
+      LDAP_ADMIN_PASSWORD: ${LDAP_ADMIN_PASSWORD:-admin}
+      LDAP_SEED_INTERNAL_LDIF_PATH: /ldifs
+      LDAP_SEED_INTERNAL_SCHEMA_PATH: /schemas
+    ports:
+      - "127.0.0.1:389:389"
+      - "127.0.0.1:636:636"
+    volumes:
+      - ./config/ldap/ldif:/ldifs
+      - ./config/ldap/schemas:/schemas
+      - ldap-certs:/container/service/slapd/assets/certs
+      - ldap-data:/var/lib/ldap
+      - ldap-config:/etc/ldap/slapd.d
+    logging:
+      driver: ${LOG_DRIVER:-local}
+    restart: always
+
+  ldap-manager:
+    image: osixia/phpldapadmin:latest
+    networks:
+      ocis-net:
+    environment:
+      PHPLDAPADMIN_LDAP_HOSTS: "#PYTHON2BASH:[{'ldap-server': [{'server': [{'port': 389}]}]}]"
+      PHPLDAPADMIN_HTTPS: "false"
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.ldap-manager.entrypoints=https"
+      - "traefik.http.routers.ldap-manager.rule=Host(`${LDAP_MANAGER_DOMAIN:-ldap.owncloud.test}`)"
+      - "traefik.http.routers.ldap-manager.tls.certresolver=http"
+      - "traefik.http.routers.ldap-manager.service=ldap-manager"
+      - "traefik.http.services.ldap-manager.loadbalancer.server.port=80"
+    logging:
+      driver: ${LOG_DRIVER:-local}
+    restart: always
+
 volumes:
   certs:
   ocis-config:
@@ -225,6 +303,9 @@ volumes:
   keycloak_postgres_data:
   ocis-ocm-config:
   ocis-ocm-data:
+  ldap-data:
+  ldap-config:
+  ldap-certs:
 
 networks:
   ocis-net: