Merge pull request #58 from owncloud/external-user-management
add feature flag for external user management
wkloucek authored Aug 12, 2022
2 parents aef59bf + 63c450d commit 5cbfe1d
Showing 25 changed files with 841 additions and 125 deletions.
173 changes: 119 additions & 54 deletions charts/ocis/README.md
Expand Up @@ -129,6 +129,34 @@ This chart only supports following oCIS versions:
| features.basicAuthentication | bool | `false` | Enable basic authentication. Not recommended for production installations. |
| features.demoUsers | bool | `false` | Create demo users on the first startup. Not recommended for production installations. |
| features.emailNotifications | bool | `false` | Enables email notifications. This features needs the secret from notificationsSmtpSecretRef present. |
| features.externalUserManagement.enabled | bool | `false` | Enables external user management (and disables internal user management). Needs an external OpenID Connect Identity Provider and an external LDAP server. |
| features.externalUserManagement.ldap.bindDN | string | `"uid=ocis,ou=system-users,dc=owncloud,dc=test"` | DN of the user to use to bind to the LDAP server. The password for the user needs to be set in the secret referenced by `secretRefs.ldapSecretRef` as `reva-ldap-bind-password`. The user needs to have permission to list users and groups. |
| features.externalUserManagement.ldap.certTrusted | bool | `true` | Set only to false, if the certificate of your LDAP secure service is not trusted. If set to false, you need to put the CA cert of the LDAP secure server into the secret referenced by "ldapCaRef" |
| features.externalUserManagement.ldap.group.baseDN | string | `"ou=groups,dc=owncloud,dc=com"` | Search base DN for looking up LDAP groups. |
| features.externalUserManagement.ldap.group.filter | string | `nil` | LDAP filter to add to the default filters for group searches. |
| features.externalUserManagement.ldap.group.objectClass | string | `"groupOfNames"` | The object class to use for groups in the default group search filter like `groupOfNames`. |
| features.externalUserManagement.ldap.group.schema.displayName | string | `"cn"` | LDAP Attribute to use for the displayname of groups (often the same as groupname attribute). |
| features.externalUserManagement.ldap.group.schema.groupName | string | `"cn"` | LDAP Attribute to use for the name of groups. |
| features.externalUserManagement.ldap.group.schema.id | string | `"ownclouduuid"` | LDAP Attribute to use as the unique ID for groups. This should be a stable globally unique ID like a UUID. |
| features.externalUserManagement.ldap.group.schema.idIsOctetString | bool | `false` | Set this to true if the defined `id` attribute for groups is of the `OCTETSTRING` syntax. This is e.g. required when using the `objectGUID` attribute of Active Directory for the group ID`s. |
| features.externalUserManagement.ldap.group.schema.mail | string | `"mail"` | LDAP Attribute to use for the email address of groups (can be empty). |
| features.externalUserManagement.ldap.group.schema.member | string | `"member"` | LDAP Attribute that is used for group members. |
| features.externalUserManagement.ldap.group.scope | string | `"sub"` | LDAP search scope to use when looking up groups. Supported values are `base`, `one` and `sub`. |
| features.externalUserManagement.ldap.insecure | bool | `false` | For self signed certificates, consider to put the CA cert of the LDAP secure server into the secret referenced by "ldapCaRef" Not recommended for production installations. |
| features.externalUserManagement.ldap.uri | string | `"ldaps://ldaps.owncloud.test"` | URI to connect to the LDAP secure server. |
| features.externalUserManagement.ldap.user.baseDN | string | `"ou=users,dc=owncloud,dc=com"` | Search base DN for looking up LDAP users. |
| features.externalUserManagement.ldap.user.filter | string | `nil` | LDAP filter to add to the default filters for user search like `(objectclass=ownCloud)`. |
| features.externalUserManagement.ldap.user.objectClass | string | `"inetOrgPerson"` | The object class to use for users in the default user search filter like `inetOrgPerson`. |
| features.externalUserManagement.ldap.user.schema.displayName | string | `"displayname"` | LDAP Attribute to use for the displayname of users. |
| features.externalUserManagement.ldap.user.schema.id | string | `"ownclouduuid"` | LDAP Attribute to use as the unique id for users. This should be a stable globally unique id like a UUID. |
| features.externalUserManagement.ldap.user.schema.idIsOctetString | bool | `false` | Set this to true if the defined `id` attribute for users is of the `OCTETSTRING` syntax. This is e.g. required when using the `objectGUID` attribute of Active Directory for the user ID`s. |
| features.externalUserManagement.ldap.user.schema.mail | string | `"mail"` | LDAP Attribute to use for the email address of users. |
| features.externalUserManagement.ldap.user.schema.userName | string | `"uid"` | LDAP Attribute to use for username of users. |
| features.externalUserManagement.ldap.user.scope | string | `"sub"` | LDAP search scope to use when looking up users. Supported values are `base`, `one` and `sub`. |
| features.externalUserManagement.ldap.user.substringFilterType | string | `"any"` | Type of substring search filter to use for substring searches for users. Possible values: `initial` for doing prefix only searches, `final` for doing suffix only searches or `any` for doing full substring searches |
| features.externalUserManagement.oidc.issuerURI | string | `"https://idp.owncloud.test/realms/ocis"` | Issuer URI of the OpenID Connect Identity Provider. If the IDP doesn't have valid / trusted SSL certificates, certificate validation can be disabled with the `insecure.oidcIdpInsecure` option. |
| features.externalUserManagement.oidc.userIDClaim | string | `"ocis.user.uuid"` | Claim to take an unique user identifier from. It will be used to look up the user on the LDAP server. |
| features.externalUserManagement.oidc.userIDClaimAttributeMapping | string | `"userid"` | Attribute mapping of for the userIDClaim. Set to `userid` if the claim specified in `...oidc.userIDClaim` holds the value of the ldap user attribute specified in `...ldap.user.schema.id`. Set to `mail` if the claim specified in `...oidc.userIDClaim` holds the value of the ldap user attribute specified in `...ldap.user.schema.mail`. Set to `username` if the claim specified in `...oidc.userIDClaim` holds the value of the ldap user attribute specified in `...ldap.user.schema.id`. |
| image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
| image.repository | string | `"owncloud/ocis"` | Image repository |
| image.sha | string | `""` | Image sha / digest (optional). |
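
Review bot: the `username` case in the `features.externalUserManagement.oidc.userIDClaimAttributeMapping` description points at `...ldap.user.schema.id`, the same attribute as the `userid` case; it should read `...ldap.user.schema.userName`, otherwise the two mappings are indistinguishable for the reader. Smaller points in the same rows: "Attribute mapping of for the userIDClaim" has a stray "of"; `ID`s` in the two `idIsOctetString` rows uses a backtick as an apostrophe (plain `IDs` is what is meant); the `features.externalUserManagement.ldap.insecure` row only recommends the CA secret and never states what setting it to `true` actually changes, which is exactly what an operator needs to know before flipping it; the shipped defaults mix `dc=owncloud,dc=test` (bindDN, `ldaps.owncloud.test`) with `dc=owncloud,dc=com` (user and group baseDN), so they cannot work together as-is; and the CA secret is referred to as `"ldapCaRef"` in the `certTrusted` and `insecure` rows while the bind password row uses the full key `secretRefs.ldapSecretRef`, so the full key should be used for both.
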
Expand Down Expand Up @@ -209,7 +237,7 @@ This chart only supports following oCIS versions:
| services.storageUsers.persistence.storageClassName | string | `nil` | Storage class to use. Uses the default storage class if not set. |
| services.storageUsers.storageBackend.driver | string | `"ocis"` | Configures the storage driver. Possible values are "ocis" and "s3ng". The oCIS driver stores all data in the persistent volume if persistence is enabled. The S3NG driver stores all metadata in the persistent volume and uploads blobs to s3 if persistence is enabled. |
| services.storageUsers.storageBackend.driverConfig.s3ng.accessKey | string | `"lorem-ipsum"` | S3 access key to use for the S3NG driver. Only used if driver is set to "s3ng". |
| services.storageUsers.storageBackend.driverConfig.s3ng.bucket | string | `"example-bucket"` | - S3 bucket to use for the S3NG driver. Only used if driver is set to "s3ng". |
| services.storageUsers.storageBackend.driverConfig.s3ng.bucket | string | `"example-bucket"` | S3 bucket to use for the S3NG driver. Only used if driver is set to "s3ng". |
| services.storageUsers.storageBackend.driverConfig.s3ng.endpoint | string | `"https://localhost:1234"` | S3 endpoint to use for the S3NG driver. Only used if driver is set to "s3ng". |
| services.storageUsers.storageBackend.driverConfig.s3ng.region | string | `"default"` | S3 region to use for the S3NG driver. Only used if driver is set to "s3ng". |
| services.storageUsers.storageBackend.driverConfig.s3ng.secretKey | string | `"lorem-ipsum"` | S3 secret key to use for the S3NG driver. Only used if driver is set to "s3ng". |
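
Review bot: the only change in this hunk is dropping the stray leading `- ` from the `s3ng.bucket` description, which is fine. Since this block is being touched anyway: `s3ng.accessKey` and `s3ng.secretKey` remain plain chart values with `"lorem-ipsum"` defaults, whereas this PR moves the LDAP bind password behind a referenced Secret (`secretRefs.ldapSecretRef`); a follow-up giving the S3 credentials the same treatment would keep them out of values files and out of Helm's stored release values.
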
Expand Down Expand Up @@ -261,59 +289,6 @@ data:
# example generation command: `tr -cd '[:alnum:],.' < /dev/urandom | fold -w 50 | head -n 1 | base64`
jwt-secret: XXXXXXXXXXXXX

---
apiVersion: v1
kind: Secret
metadata:
name: ldap-bind-secrets
type: Opaque
data:
# how to generate: base64 encode a random string (reasonable long and mixed characters)
# example generation command: `tr -cd '[:alnum:],.' < /dev/urandom | fold -w 50 | head -n 1 | base64`
reva-ldap-bind-password: XXXXXXXXXXXXX

# how to generate: base64 encode a random string (reasonable long and mixed characters)
# example generation command: `tr -cd '[:alnum:],.' < /dev/urandom | fold -w 50 | head -n 1 | base64`
idp-ldap-bind-password: XXXXXXXXXXXXX

# how to generate: base64 encode a random string (reasonable long and mixed characters)
# example generation command: `tr -cd '[:alnum:],.' < /dev/urandom | fold -w 50 | head -n 1 | base64`
graph-ldap-bind-password: XXXXXXXXXXXXX

---
apiVersion: v1
kind: Secret
metadata:
name: ldap-ca
type: Opaque
data:
# how to generate: base64 encode the pem-encoded certificate of a (self-signed) x509 certificate authority
# example generation commands:
# - `openssl genrsa -out ldap-ca.key 4096`
# - `openssl req -new -x509 -days 3650 -key ldap-ca.key -out ldap-ca.crt`
# - `cat ldap-ca.crt | base64 | tr -d '\n' && echo`
ldap-ca.crt: XXXXXXXXXXXXX

---
apiVersion: v1
kind: Secret
metadata:
name: ldap-cert
type: Opaque
data:
# how to generate: base64 encode a private key (eg. ed25519, ensure that you use reasonable long key size)
# example generation commands:
# - `openssl genrsa -out ldap.key 4096`
# - `cat ldap.key | base64 | tr -d '\n' && echo`
ldap.key: XXXXXXXXXXXXX

# how to generate: base64 encode a x509 certificate signed by the above CA, using the above private key.
# example generation commands:
# - `openssl req -new -subj "/CN=idm" -key ldap.key -out ldap.csr`
# - `openssl x509 -req -extensions SAN -extfile <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:idm")) -days 365 -in ldap.csr -CA ldap-ca.crt -CAkey ldap-ca.key -out ldap.crt -CAcreateserial`
# - `cat ldap.crt | base64 | tr -d '\n' && echo`
ldap.crt: XXXXXXXXXXXXX

---
apiVersion: v1
kind: Secret
Expand Down Expand Up @@ -404,6 +379,8 @@ data:
thumbnails-transfer-secret: XXXXXXXXXXXXX
```
#### Notifications related secrets
If you set `features.emailNotifications` to `true` you also need to configure a SMTP email server secret:

```yaml
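
Review bot: the `#### Notifications related secrets` heading is glued directly to the closing fence above it and to the sentence below it, while the same hunk in `charts/ocis/README.md.gotmpl` (the second file in this commit, which carries identical text) has blank lines around the heading. That points to README.md having been edited by hand instead of being regenerated from the template; regenerate it so the two files stay in sync.
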
Expand All @@ -422,7 +399,95 @@ data:
smtp-port: 1025
# Password of the SMTP host to connect to.
smtp-password: XXXXXXXXXXXXX
```

#### User management related secrets

If you're using the builtin user management (`features.externalUserManagement.enabled` == `false`), you need to set these secrets:

```yaml
---
apiVersion: v1
kind: Secret
metadata:
name: ldap-bind-secrets
type: Opaque
data:
# how to generate: base64 encode a random string (reasonable long and mixed characters)
# example generation command: `tr -cd '[:alnum:],.' < /dev/urandom | fold -w 50 | head -n 1 | base64`
reva-ldap-bind-password: XXXXXXXXXXXXX

# how to generate: base64 encode a random string (reasonable long and mixed characters)
# example generation command: `tr -cd '[:alnum:],.' < /dev/urandom | fold -w 50 | head -n 1 | base64`
idp-ldap-bind-password: XXXXXXXXXXXXX

# how to generate: base64 encode a random string (reasonable long and mixed characters)
# example generation command: `tr -cd '[:alnum:],.' < /dev/urandom | fold -w 50 | head -n 1 | base64`
graph-ldap-bind-password: XXXXXXXXXXXXX

---
apiVersion: v1
kind: Secret
metadata:
name: ldap-ca
type: Opaque
data:
# how to generate: base64 encode the pem-encoded certificate of a (self-signed) x509 certificate authority
# example generation commands:
# - `openssl genrsa -out ldap-ca.key 4096`
# - `openssl req -new -x509 -days 3650 -key ldap-ca.key -out ldap-ca.crt`
# - `cat ldap-ca.crt | base64 | tr -d '\n' && echo`
ldap-ca.crt: XXXXXXXXXXXXX

---
apiVersion: v1
kind: Secret
metadata:
name: ldap-cert
type: Opaque
data:
# how to generate: base64 encode a private key (eg. ed25519, ensure that you use reasonable long key size)
# example generation commands:
# - `openssl genrsa -out ldap.key 4096`
# - `cat ldap.key | base64 | tr -d '\n' && echo`
ldap.key: XXXXXXXXXXXXX

# how to generate: base64 encode a x509 certificate signed by the above CA, using the above private key.
# example generation commands:
# - `openssl req -new -subj "/CN=idm" -key ldap.key -out ldap.csr`
# - `openssl x509 -req -extensions SAN -extfile <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:idm")) -days 365 -in ldap.csr -CA ldap-ca.crt -CAkey ldap-ca.key -out ldap.crt -CAcreateserial`
# - `cat ldap.crt | base64 | tr -d '\n' && echo`
ldap.crt: XXXXXXXXXXXXX
```
If you're using an external user managment (`features.externalUserManagement.enabled` == `true`),
you need to set the LDAP bind password into a secrets:

```yaml
---
apiVersion: v1
kind: Secret
metadata:
name: ldap-bind-secrets
type: Opaque
data:
# Base64 encoded password for the LDAP bind user.
reva-ldap-bind-password: XXXXXXXXXXXXX
```

If your LDAP secure server is not using a trusted certificate (`features.externalUserManagement.ldap.certTrusted` == `false`),
you need to set your LDAP CA (Certificate Authority) certificate in following secret:

```yaml
---
apiVersion: v1
kind: Secret
metadata:
name: ldap-ca
type: Opaque
data:
# Base64 encoded certificate of the CA that issued the LDAP server certificate.
ldap-ca.crt: XXXXXXXXXXXXX
```

### Example with NGINX ingress and certificate issued by cert-manager
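
Review bot: in the `ldap-cert` block the comment reads "base64 encode a private key (eg. ed25519, ensure that you use reasonable long key size)" but the command underneath is `openssl genrsa -out ldap.key 4096`, which generates an RSA key; either drop the ed25519 mention or switch the command to `openssl genpkey -algorithm ed25519 -out ldap.key` so the hint and the command agree. Also in this hunk: "external user managment" should be "management" and "set the LDAP bind password into a secrets" should be "in a secret"; the sentence after the builtin block starts immediately after the closing fence with no blank line, unlike the template; and since the builtin and external examples both create Secrets named `ldap-bind-secrets` and `ldap-ca`, a short sentence saying that only one of the two variants is to be applied would avoid the second overwriting the first.
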
145 changes: 91 additions & 54 deletions charts/ocis/README.md.gotmpl
Expand Up @@ -145,60 +145,6 @@ data:
# example generation command: `tr -cd '[:alnum:],.' < /dev/urandom | fold -w 50 | head -n 1 | base64`
jwt-secret: XXXXXXXXXXXXX

---
apiVersion: v1
kind: Secret
metadata:
name: ldap-bind-secrets
type: Opaque
data:
# how to generate: base64 encode a random string (reasonable long and mixed characters)
# example generation command: `tr -cd '[:alnum:],.' < /dev/urandom | fold -w 50 | head -n 1 | base64`
reva-ldap-bind-password: XXXXXXXXXXXXX

# how to generate: base64 encode a random string (reasonable long and mixed characters)
# example generation command: `tr -cd '[:alnum:],.' < /dev/urandom | fold -w 50 | head -n 1 | base64`
idp-ldap-bind-password: XXXXXXXXXXXXX

# how to generate: base64 encode a random string (reasonable long and mixed characters)
# example generation command: `tr -cd '[:alnum:],.' < /dev/urandom | fold -w 50 | head -n 1 | base64`
graph-ldap-bind-password: XXXXXXXXXXXXX

---
apiVersion: v1
kind: Secret
metadata:
name: ldap-ca
type: Opaque
data:
# how to generate: base64 encode the pem-encoded certificate of a (self-signed) x509 certificate authority
# example generation commands:
# - `openssl genrsa -out ldap-ca.key 4096`
# - `openssl req -new -x509 -days 3650 -key ldap-ca.key -out ldap-ca.crt`
# - `cat ldap-ca.crt | base64 | tr -d '\n' && echo`
ldap-ca.crt: XXXXXXXXXXXXX

---
apiVersion: v1
kind: Secret
metadata:
name: ldap-cert
type: Opaque
data:
# how to generate: base64 encode a private key (eg. ed25519, ensure that you use reasonable long key size)
# example generation commands:
# - `openssl genrsa -out ldap.key 4096`
# - `cat ldap.key | base64 | tr -d '\n' && echo`
ldap.key: XXXXXXXXXXXXX

# how to generate: base64 encode a x509 certificate signed by the above CA, using the above private key.
# example generation commands:
# - `openssl req -new -subj "/CN=idm" -key ldap.key -out ldap.csr`
# - `openssl x509 -req -extensions SAN -extfile <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:idm")) -days 365 -in ldap.csr -CA ldap-ca.crt -CAkey ldap-ca.key -out ldap.crt -CAcreateserial`
# - `cat ldap.crt | base64 | tr -d '\n' && echo`
ldap.crt: XXXXXXXXXXXXX


---
apiVersion: v1
kind: Secret
Expand Down Expand Up @@ -289,6 +235,8 @@ data:
thumbnails-transfer-secret: XXXXXXXXXXXXX
```

#### Notifications related secrets

If you set `features.emailNotifications` to `true` you also need to configure a SMTP email server secret:

```yaml
Expand All @@ -307,9 +255,98 @@ data:
smtp-port: 1025
# Password of the SMTP host to connect to.
smtp-password: XXXXXXXXXXXXX
```

#### User management related secrets

If you're using the builtin user management (`features.externalUserManagement.enabled` == `false`), you need to set these secrets:

```yaml
---
apiVersion: v1
kind: Secret
metadata:
name: ldap-bind-secrets
type: Opaque
data:
# how to generate: base64 encode a random string (reasonable long and mixed characters)
# example generation command: `tr -cd '[:alnum:],.' < /dev/urandom | fold -w 50 | head -n 1 | base64`
reva-ldap-bind-password: XXXXXXXXXXXXX

# how to generate: base64 encode a random string (reasonable long and mixed characters)
# example generation command: `tr -cd '[:alnum:],.' < /dev/urandom | fold -w 50 | head -n 1 | base64`
idp-ldap-bind-password: XXXXXXXXXXXXX

# how to generate: base64 encode a random string (reasonable long and mixed characters)
# example generation command: `tr -cd '[:alnum:],.' < /dev/urandom | fold -w 50 | head -n 1 | base64`
graph-ldap-bind-password: XXXXXXXXXXXXX

---
apiVersion: v1
kind: Secret
metadata:
name: ldap-ca
type: Opaque
data:
# how to generate: base64 encode the pem-encoded certificate of a (self-signed) x509 certificate authority
# example generation commands:
# - `openssl genrsa -out ldap-ca.key 4096`
# - `openssl req -new -x509 -days 3650 -key ldap-ca.key -out ldap-ca.crt`
# - `cat ldap-ca.crt | base64 | tr -d '\n' && echo`
ldap-ca.crt: XXXXXXXXXXXXX

---
apiVersion: v1
kind: Secret
metadata:
name: ldap-cert
type: Opaque
data:
# how to generate: base64 encode a private key (eg. ed25519, ensure that you use reasonable long key size)
# example generation commands:
# - `openssl genrsa -out ldap.key 4096`
# - `cat ldap.key | base64 | tr -d '\n' && echo`
ldap.key: XXXXXXXXXXXXX

# how to generate: base64 encode a x509 certificate signed by the above CA, using the above private key.
# example generation commands:
# - `openssl req -new -subj "/CN=idm" -key ldap.key -out ldap.csr`
# - `openssl x509 -req -extensions SAN -extfile <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:idm")) -days 365 -in ldap.csr -CA ldap-ca.crt -CAkey ldap-ca.key -out ldap.crt -CAcreateserial`
# - `cat ldap.crt | base64 | tr -d '\n' && echo`
ldap.crt: XXXXXXXXXXXXX
```

If you're using an external user managment (`features.externalUserManagement.enabled` == `true`),
you need to set the LDAP bind password into a secrets:

```yaml
---
apiVersion: v1
kind: Secret
metadata:
name: ldap-bind-secrets
type: Opaque
data:
# Base64 encoded password for the LDAP bind user.
reva-ldap-bind-password: XXXXXXXXXXXXX
```

If your LDAP secure server is not using a trusted certificate (`features.externalUserManagement.ldap.certTrusted` == `false`),
you need to set your LDAP CA (Certificate Authority) certificate in following secret:

```yaml
---
apiVersion: v1
kind: Secret
metadata:
name: ldap-ca
type: Opaque
data:
# Base64 encoded certificate of the CA that issued the LDAP server certificate.
ldap-ca.crt: XXXXXXXXXXXXX
```


### Example with NGINX ingress and certificate issued by cert-manager

To make this work you need to have NGINX ingress and cert-manager installed in your cluster.
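
Review bot: as README.md is rendered from this template, the wording fixes belong here first: "managment" should be "management", "into a secrets" should be "in a secret", and the `ldap-cert` comment mentioning ed25519 above an `openssl genrsa` (RSA) command should be made consistent with the command. There are also two consecutive blank lines before `### Example with NGINX ingress and certificate issued by cert-manager`; one is enough and matches the rest of the file.
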