From 823ad9dd05ab4445003ba44fbccf3d7c1a0a576f Mon Sep 17 00:00:00 2001 From: mmattel Date: Tue, 13 Jun 2023 17:15:20 +0200 Subject: [PATCH 1/3] Add a new upgrading step --- modules/ROOT/pages/migration/upgrading-ocis.adoc | 3 +++ 1 file changed, 3 insertions(+) diff --git a/modules/ROOT/pages/migration/upgrading-ocis.adoc b/modules/ROOT/pages/migration/upgrading-ocis.adoc index 7c98d2cd..c5c9c82b 100644 --- a/modules/ROOT/pages/migration/upgrading-ocis.adoc +++ b/modules/ROOT/pages/migration/upgrading-ocis.adoc @@ -19,6 +19,7 @@ IMPORTANT: Before starting any upgrade, make a xref:maintenance/b-r/backup.adoc[ * A new `GRAPH_APPLICATION_ID` environment variable has been added that must be populated. * Automatic Role Assignments have been introduced that need a settings review. +* A new `OCIS_LDAP_DISABLE_USER_MECHANISM` environment variable has been introduced that needs a settings review. * The search index needs to be deleted as the layout has been changed. * The xref:prerequisites/prerequisites.adoc#backend-for-metadata[metadata backend] has changed. * The xref:deployment/container/orchestration/orchestration.adoc#using-helm-charts-with-infinite-scale[Helm Chart] has been upgraded. 
@@ -59,6 +60,8 @@ NOTE: This environment variable will be defined automatically when installing a . xref:deployment/services/s-list/proxy.adoc#automatic-role-assignments[Automatic Role Assignments,window=_blank] have been introduced that need a settings review. All users that do not have a role assigned at the time of their first login will get the role 'user' assigned if the default of the environment variable `PROXY_ROLE_ASSIGNMENT_DRIVER` is used. The assignment can be changed based to the values of an OpenID Connect Claim of that user using a different setting. See the referenced documentation for more details. +. The environment variable xref:deployment/services/env-vars-special-scope.adoc[OCIS_LDAP_DISABLE_USER_MECHANISM] is an option to control the behavior for disabling users. The default value is `attribute` and requires configuration on the LDAP server. Disabled user management is LDAP implementation specific. If you are using the internal xref:{s-path}/idm.adoc[IDM] service instead of an external LDAP server or the LDAP server can not deal with disabled users or other possible incompatibilities, you must set this to `none`. Additionally and due to a bug recently discovered in the xref:{s-path}/idp.adoc[IDP] service, you must set `OCIS_LDAP_USER_ENABLED_ATTRIBUTE=""` to overwrite the default setting. This bug will be fixed in a subsequent release. + . Delete the full search index. For details about the used path see: xref:deployment/general/general-info.adoc#default-paths[OCIS_BASE_DATA_PATH,window=_blank]: + -- From 0d3eca775b748bc8f7b1e4ff6d54675a1867840a Mon Sep 17 00:00:00 2001 From: Martin Date: Tue, 13 Jun 2023 17:34:05 +0200 Subject: [PATCH 2/3] Update modules/ROOT/pages/migration/upgrading-ocis.adoc --- modules/ROOT/pages/migration/upgrading-ocis.adoc | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) 
diff --git a/modules/ROOT/pages/migration/upgrading-ocis.adoc b/modules/ROOT/pages/migration/upgrading-ocis.adoc index c5c9c82b..26854822 100644 --- a/modules/ROOT/pages/migration/upgrading-ocis.adoc +++ b/modules/ROOT/pages/migration/upgrading-ocis.adoc 
@@ -60,7 +60,12 @@ NOTE: This environment variable will be defined automatically when installing a . xref:deployment/services/s-list/proxy.adoc#automatic-role-assignments[Automatic Role Assignments,window=_blank] have been introduced that need a settings review. All users that do not have a role assigned at the time of their first login will get the role 'user' assigned if the default of the environment variable `PROXY_ROLE_ASSIGNMENT_DRIVER` is used. The assignment can be changed based to the values of an OpenID Connect Claim of that user using a different setting. See the referenced documentation for more details. -. The environment variable xref:deployment/services/env-vars-special-scope.adoc[OCIS_LDAP_DISABLE_USER_MECHANISM] is an option to control the behavior for disabling users. The default value is `attribute` and requires configuration on the LDAP server. Disabled user management is LDAP implementation specific. If you are using the internal xref:{s-path}/idm.adoc[IDM] service instead of an external LDAP server or the LDAP server can not deal with disabled users or other possible incompatibilities, you must set this to `none`. Additionally and due to a bug recently discovered in the xref:{s-path}/idp.adoc[IDP] service, you must set `OCIS_LDAP_USER_ENABLED_ATTRIBUTE=""` to overwrite the default setting. This bug will be fixed in a subsequent release. +. The environment variable xref:deployment/services/env-vars-special-scope.adoc[OCIS_LDAP_DISABLE_USER_MECHANISM] is an option to control the behavior for disabling users. The default value is `attribute` and requires configuration on the LDAP server. Enabling and Disabling users is LDAP implementation specific. ++ +-- +- If you are using an external LDAP server you can either set `OCIS_LDAP_DISABLE_USER_MECHANISM` to `none` to disable it completely or to `attribute` in which case you need to set `OCIS_LDAP_USER_ENABLED_ATTRIBUTE` according to your external LDAP servers requirements. 
+- Additionally and due to a bug recently discovered in the xref:{s-path}/idp.adoc[IDP] service, you must set `OCIS_LDAP_USER_ENABLED_ATTRIBUTE=""` to overwrite the default setting when `OCIS_LDAP_DISABLE_USER_MECHANISM` is set to `none`. This bug will be fixed in a subsequent release. +-- . Delete the full search index. For details about the used path see: xref:deployment/general/general-info.adoc#default-paths[OCIS_BASE_DATA_PATH,window=_blank]: + From b5a9b38eac8c74d5694ac8460a02025600ea9877 Mon Sep 17 00:00:00 2001 From: Edith Parzefall Date: Wed, 14 Jun 2023 06:31:41 +0200 Subject: [PATCH 3/3] Apply suggestions from code review --- modules/ROOT/pages/migration/upgrading-ocis.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/ROOT/pages/migration/upgrading-ocis.adoc b/modules/ROOT/pages/migration/upgrading-ocis.adoc index 26854822..32473b47 100644 --- a/modules/ROOT/pages/migration/upgrading-ocis.adoc +++ b/modules/ROOT/pages/migration/upgrading-ocis.adoc 
@@ -60,10 +60,10 @@ NOTE: This environment variable will be defined automatically when installing a . xref:deployment/services/s-list/proxy.adoc#automatic-role-assignments[Automatic Role Assignments,window=_blank] have been introduced that need a settings review. All users that do not have a role assigned at the time of their first login will get the role 'user' assigned if the default of the environment variable `PROXY_ROLE_ASSIGNMENT_DRIVER` is used. The assignment can be changed based to the values of an OpenID Connect Claim of that user using a different setting. See the referenced documentation for more details. -. The environment variable xref:deployment/services/env-vars-special-scope.adoc[OCIS_LDAP_DISABLE_USER_MECHANISM] is an option to control the behavior for disabling users. The default value is `attribute` and requires configuration on the LDAP server. Enabling and Disabling users is LDAP implementation specific. +. The environment variable xref:deployment/services/env-vars-special-scope.adoc[OCIS_LDAP_DISABLE_USER_MECHANISM] is an option to control the behavior for disabling users. The default value is `attribute` and requires configuration on the LDAP server. Enabling and disabling users is LDAP implementation specific. + -- -- If you are using an external LDAP server you can either set `OCIS_LDAP_DISABLE_USER_MECHANISM` to `none` to disable it completely or to `attribute` in which case you need to set `OCIS_LDAP_USER_ENABLED_ATTRIBUTE` according to your external LDAP servers requirements. +- If you are using an external LDAP server you can either set `OCIS_LDAP_DISABLE_USER_MECHANISM` to `none` to disable it completely or to `attribute` in which case you need to set `OCIS_LDAP_USER_ENABLED_ATTRIBUTE` according to your external LDAP server's requirements. 
- Additionally and due to a bug recently discovered in the xref:{s-path}/idp.adoc[IDP] service, you must set `OCIS_LDAP_USER_ENABLED_ATTRIBUTE=""` to overwrite the default setting when `OCIS_LDAP_DISABLE_USER_MECHANISM` is set to `none`. This bug will be fixed in a subsequent release. --
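Review bot: In PATCH 1/3, first hunk (the summary list, `@@ -19,6 +19,7 @@`), the new bullet names only `OCIS_LDAP_DISABLE_USER_MECHANISM`, while the step added in the second hunk of the same patch also requires `OCIS_LDAP_USER_ENABLED_ATTRIBUTE=""`. Suggest naming both variables in the summary bullet so that a reader who only scans the list does not miss the second setting.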
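Review bot: In PATCH 1/3, second hunk (`@@ -59,6 +60,8 @@`), the condition for setting `none` is too loose to act on: "or other possible incompatibilities" gives an operator nothing to check, and the sentence does not make clear whether `OCIS_LDAP_USER_ENABLED_ATTRIBUTE=""` is required in every case or only together with `none`. Suggest listing the concrete cases and tying the workaround to the `none` case explicitly. The xref to `env-vars-special-scope.adoc` also lacks the `window=_blank` attribute that the xrefs in the surrounding steps carry.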
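Review bot: In PATCH 2/3 (`@@ -60,7 +60,12 @@`), the rewritten step drops the internal IDM case: the removed line told users of the internal IDM service that they must set the variable to `none`, while the two new bullets only address an external LDAP server. Suggest adding a bullet for the internal IDM service, or stating that no change is needed there if that is now the case. Since `none` is described as disabling the mechanism completely, the step should also say what that means for accounts that are disabled on the LDAP server.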
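Review bot: In PATCH 3/3 (`@@ -60,10 +60,10 @@`), the first bullet still packs both choices into one unpunctuated sentence, and the unchanged second bullet opens with "Additionally" although it applies only when `OCIS_LDAP_DISABLE_USER_MECHANISM` is set to `none`. Suggest splitting the first bullet into one item for `none` and one for `attribute`, and moving the `OCIS_LDAP_USER_ENABLED_ATTRIBUTE=""` workaround under the `none` item with the condition stated first. "This bug will be fixed in a subsequent release" has no issue reference; linking the issue would let the workaround be removed once the fix ships.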