expose ldap options

owncloud · Aug 5, 2022 · 7af0f3a · 7af0f3a
1 parent fe0b3ac
commit 7af0f3a
Show file tree

Hide file tree

Showing 7 changed files with 393 additions and 2 deletions.
diff --git a/charts/ocis/README.md b/charts/ocis/README.md
@@ -133,7 +133,28 @@ This chart only supports following oCIS versions:
 | features.externalUserManagement.enabled | bool | `false` | Enables external user management (and disables internal user management). Needs an external OpenID Connect Identity Provider and an external LDAP server. |
 | features.externalUserManagement.ldap.bindDN | string | `"uid=ocis,ou=system-users,dc=owncloud,dc=test"` | DN of the user to use to bind to the LDAP server. The password for the user needs to be set in the secret referenced by `secretRefs.ldapSecretRef` as `reva-ldap-bind-password`. The user needs to have permission to list users and groups. |
 | features.externalUserManagement.ldap.certTrusted | bool | `true` | Set only to false, if the certificate of your LDAP secure service is not trusted. If set to false, you need to put the CA cert of the LDAP secure server into the secret referenced by "ldapCaRef" |
+| features.externalUserManagement.ldap.group.baseDN | string | `"ou=groups,dc=owncloud,dc=com"` |  |
+| features.externalUserManagement.ldap.group.filter | string | `nil` |  |
+| features.externalUserManagement.ldap.group.objectClass | string | `"groupOfNames"` |  |
+| features.externalUserManagement.ldap.group.schema.displayName | string | `"cn"` |  |
+| features.externalUserManagement.ldap.group.schema.groupName | string | `"cn"` |  |
+| features.externalUserManagement.ldap.group.schema.id | string | `"ownclouduuid"` |  |
+| features.externalUserManagement.ldap.group.schema.idIsOctetString | bool | `false` |  |
+| features.externalUserManagement.ldap.group.schema.mail | string | `"mail"` |  |
+| features.externalUserManagement.ldap.group.schema.member | string | `"member"` |  |
+| features.externalUserManagement.ldap.group.scope | string | `"sub"` |  |
+| features.externalUserManagement.ldap.insecure | bool | `false` | For self signed certificates, consider to put the CA cert of the LDAP secure server into the secret referenced by "ldapCaRef" Not recommended for production installations. |
 | features.externalUserManagement.ldap.uri | string | `"ldaps://ldaps.owncloud.test"` | URI to connect to the LDAP secure server. |
+| features.externalUserManagement.ldap.user.baseDN | string | `"ou=users,dc=owncloud,dc=com"` |  |
+| features.externalUserManagement.ldap.user.filter | string | `nil` |  |
+| features.externalUserManagement.ldap.user.objectClass | string | `"inetOrgPerson"` |  |
+| features.externalUserManagement.ldap.user.schema.displayName | string | `"displayname"` |  |
+| features.externalUserManagement.ldap.user.schema.id | string | `"ownclouduuid"` |  |
+| features.externalUserManagement.ldap.user.schema.idIsOctetString | bool | `false` |  |
+| features.externalUserManagement.ldap.user.schema.mail | string | `"mail"` |  |
+| features.externalUserManagement.ldap.user.schema.userName | string | `"uid"` |  |
+| features.externalUserManagement.ldap.user.scope | string | `"sub"` |  |
+| features.externalUserManagement.ldap.user.substringFilterType | string | `"any"` |  |
 | features.externalUserManagement.oidc.issuerURI | string | `"https://idp.owncloud.test/realms/ocis"` | Issuer URI of the OpenID Connect Identity Provider. If the IDP doesn't have valid / trusted SSL certificates, certificate validation can be disabled with the `insecure.oidcIdpInsecure` option. |
 | image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
 | image.repository | string | `"owncloud/ocis"` | Image repository |

diff --git a/charts/ocis/docs/values-desc-table.adoc b/charts/ocis/docs/values-desc-table.adoc
@@ -188,13 +188,160 @@ a| [subs=-attributes]
 `true`
 a| [subs=-attributes]
 Set only to false, if the certificate of your LDAP secure service is not trusted. If set to false, you need to put the CA cert of the LDAP secure server into the secret referenced by "ldapCaRef"
+| features.externalUserManagement.ldap.group.baseDN
+a| [subs=-attributes]
++string+
+a| [subs=-attributes]
+`"ou=groups,dc=owncloud,dc=com"`
+a| [subs=-attributes]
+
+| features.externalUserManagement.ldap.group.filter
+a| [subs=-attributes]
++string+
+a| [subs=-attributes]
+`nil`
+a| [subs=-attributes]
+
+| features.externalUserManagement.ldap.group.objectClass
+a| [subs=-attributes]
++string+
+a| [subs=-attributes]
+`"groupOfNames"`
+a| [subs=-attributes]
+
+| features.externalUserManagement.ldap.group.schema.displayName
+a| [subs=-attributes]
++string+
+a| [subs=-attributes]
+`"cn"`
+a| [subs=-attributes]
+
+| features.externalUserManagement.ldap.group.schema.groupName
+a| [subs=-attributes]
++string+
+a| [subs=-attributes]
+`"cn"`
+a| [subs=-attributes]
+
+| features.externalUserManagement.ldap.group.schema.id
+a| [subs=-attributes]
++string+
+a| [subs=-attributes]
+`"ownclouduuid"`
+a| [subs=-attributes]
+
+| features.externalUserManagement.ldap.group.schema.idIsOctetString
+a| [subs=-attributes]
++bool+
+a| [subs=-attributes]
+`false`
+a| [subs=-attributes]
+
+| features.externalUserManagement.ldap.group.schema.mail
+a| [subs=-attributes]
++string+
+a| [subs=-attributes]
+`"mail"`
+a| [subs=-attributes]
+
+| features.externalUserManagement.ldap.group.schema.member
+a| [subs=-attributes]
++string+
+a| [subs=-attributes]
+`"member"`
+a| [subs=-attributes]
+
+| features.externalUserManagement.ldap.group.scope
+a| [subs=-attributes]
++string+
+a| [subs=-attributes]
+`"sub"`
+a| [subs=-attributes]
+
+| features.externalUserManagement.ldap.insecure
+a| [subs=-attributes]
++bool+
+a| [subs=-attributes]
+`false`
+a| [subs=-attributes]
+For self signed certificates, consider to put the CA cert of the LDAP secure server into the secret referenced by "ldapCaRef" Not recommended for production installations.
 | features.externalUserManagement.ldap.uri
 a| [subs=-attributes]
 +string+
 a| [subs=-attributes]
 `"ldaps://ldaps.owncloud.test"`
 a| [subs=-attributes]
 URI to connect to the LDAP secure server.
+| features.externalUserManagement.ldap.user.baseDN
+a| [subs=-attributes]
++string+
+a| [subs=-attributes]
+`"ou=users,dc=owncloud,dc=com"`
+a| [subs=-attributes]
+
+| features.externalUserManagement.ldap.user.filter
+a| [subs=-attributes]
++string+
+a| [subs=-attributes]
+`nil`
+a| [subs=-attributes]
+
+| features.externalUserManagement.ldap.user.objectClass
+a| [subs=-attributes]
++string+
+a| [subs=-attributes]
+`"inetOrgPerson"`
+a| [subs=-attributes]
+
+| features.externalUserManagement.ldap.user.schema.displayName
+a| [subs=-attributes]
++string+
+a| [subs=-attributes]
+`"displayname"`
+a| [subs=-attributes]
+
+| features.externalUserManagement.ldap.user.schema.id
+a| [subs=-attributes]
++string+
+a| [subs=-attributes]
+`"ownclouduuid"`
+a| [subs=-attributes]
+
+| features.externalUserManagement.ldap.user.schema.idIsOctetString
+a| [subs=-attributes]
++bool+
+a| [subs=-attributes]
+`false`
+a| [subs=-attributes]
+
+| features.externalUserManagement.ldap.user.schema.mail
+a| [subs=-attributes]
++string+
+a| [subs=-attributes]
+`"mail"`
+a| [subs=-attributes]
+
+| features.externalUserManagement.ldap.user.schema.userName
+a| [subs=-attributes]
++string+
+a| [subs=-attributes]
+`"uid"`
+a| [subs=-attributes]
+
+| features.externalUserManagement.ldap.user.scope
+a| [subs=-attributes]
++string+
+a| [subs=-attributes]
+`"sub"`
+a| [subs=-attributes]
+
+| features.externalUserManagement.ldap.user.substringFilterType
+a| [subs=-attributes]
++string+
+a| [subs=-attributes]
+`"any"`
+a| [subs=-attributes]
+
 | features.externalUserManagement.oidc.issuerURI
 a| [subs=-attributes]
 +string+

diff --git a/charts/ocis/docs/values.adoc.yaml b/charts/ocis/docs/values.adoc.yaml
@@ -101,10 +101,40 @@ features:
       # -- Set only to false, if the certificate of your LDAP secure service is not trusted.
       # If set to false, you need to put the CA cert of the LDAP secure server into the secret referenced by "ldapCaRef"
       certTrusted: true
+      # -- Disables SSL certificate checking for connections to the LDAP server.
+      # -- For self signed certificates, consider to put the CA cert of the LDAP secure server into the secret referenced by "ldapCaRef"
+      # Not recommended for production installations.
+      insecure: false
       # -- DN of the user to use to bind to the LDAP server.
       # The password for the user needs to be set in the secret referenced by `secretRefs.ldapSecretRef` as `reva-ldap-bind-password`.
       # The user needs to have permission to list users and groups.
       bindDN: uid=ocis,ou=system-users,dc=owncloud,dc=test
+      user:
+        schema:
+          id: ownclouduuid
+          idIsOctetString: false
+          mail: mail
+          displayName: displayname
+          userName: uid
+        baseDN: ou=users,dc=owncloud,dc=com
+        scope: sub
+        substringFilterType: any
+        filter:
+        objectClass: inetOrgPerson
+      group:
+        schema:
+          id: ownclouduuid
+          idIsOctetString: false
+          mail: mail
+          displayName: cn
+          groupName: cn
+          member: member
+        baseDN: ou=groups,dc=owncloud,dc=com
+        scope: sub
+        filter:
+        objectClass: groupOfNames
+
+
 
       # TODO: all other LDAP related settings
 

diff --git a/charts/ocis/templates/auth-basic/deployment.yaml b/charts/ocis/templates/auth-basic/deployment.yaml
@@ -56,6 +56,62 @@ spec:
             - name: REVA_GATEWAY
               value: gateway:9142
 
+            {{- if .Values.features.externalUserManagement.enabled }}
+            - name: AUTH_BASIC_LDAP_INSECURE
+              value: {{ .Values.features.externalUserManagement.ldap.insecure }}
+
+            - name: AUTH_BASIC_LDAP_USER_BASE_DN
+              value: {{ .Values.features.externalUserManagement.ldap.user.baseDN }}
+            - name: AUTH_BASIC_LDAP_GROUP_BASE_DN
+              value: {{ .Values.features.externalUserManagement.ldap.group.baseDN }}
+
+            - name: AUTH_BASIC_LDAP_USER_SCOPE
+              value: {{ .Values.features.externalUserManagement.ldap.user.scope }}
+            - name: AUTH_BASIC_LDAP_GROUP_SCOPE
+              value: {{ .Values.features.externalUserManagement.ldap.group.scope }}
+
+            - name: AUTH_BASIC_LDAP_USER_SUBSTRING_FILTER_TYPE
+              value: {{ .Values.features.externalUserManagement.ldap.user.substringFilterType }}
+
+            - name: AUTH_BASIC_LDAP_USER_FILTER
+              value: {{ .Values.features.externalUserManagement.ldap.user.filter }}
+            - name: AUTH_BASIC_LDAP_GROUP_FILTER
+              value: {{ .Values.features.externalUserManagement.ldap.group.filter }}
+
+            - name: AUTH_BASIC_LDAP_USER_OBJECTCLASS
+              value: {{ .Values.features.externalUserManagement.ldap.user.objectClass }}
+            - name: AUTH_BASIC_LDAP_GROUP_OBJECTCLASS
+              value: {{ .Values.features.externalUserManagement.ldap.group.objectClass }}
+
+            - name: AUTH_BASIC_LDAP_USER_SCHEMA_ID
+              value: {{ .Values.features.externalUserManagement.ldap.user.schema.id }}
+            - name: AUTH_BASIC_LDAP_GROUP_SCHEMA_ID
+              value: {{ .Values.features.externalUserManagement.ldap.group.schema.id }}
+
+            - name: AUTH_BASIC_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING
+              value: {{ .Values.features.externalUserManagement.ldap.user.schema.idIsOctetString }}
+            - name: AUTH_BASIC_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING
+              value: {{ .Values.features.externalUserManagement.ldap.group.schema.idIsOctetString }}
+
+            - name: AUTH_BASIC_LDAP_USER_SCHEMA_MAIL
+              value: {{ .Values.features.externalUserManagement.ldap.user.schema.mail }}
+            - name: AUTH_BASIC_LDAP_GROUP_SCHEMA_MAIL
+              value: {{ .Values.features.externalUserManagement.ldap.group.schema.mail }}
+
+            - name: AUTH_BASIC_LDAP_USER_SCHEMA_DISPLAYNAME
+              value: {{ .Values.features.externalUserManagement.ldap.user.schema.displayName }}
+            - name: AUTH_BASIC_LDAP_GROUP_SCHEMA_DISPLAYNAME
+              value: {{ .Values.features.externalUserManagement.ldap.group.schema.displayName }}
+
+            - name: AUTH_BASIC_LDAP_USER_SCHEMA_USERNAME
+              value: {{ .Values.features.externalUserManagement.ldap.user.schema.userName }}
+            - name: AUTH_BASIC_LDAP_GROUP_SCHEMA_GROUPNAME
+              value: {{ .Values.features.externalUserManagement.ldap.group.schema.groupName }}
+
+            - name: AUTH_BASIC_LDAP_GROUP_SCHEMA_MEMBER
+              value: {{ .Values.features.externalUserManagement.ldap.group.schema.member }}
+            {{- end }}
+
             - name: AUTH_BASIC_LDAP_URI
             {{ if not .Values.features.externalUserManagement.enabled }}
               value: ldaps://idm:9235

diff --git a/charts/ocis/templates/groups/deployment.yaml b/charts/ocis/templates/groups/deployment.yaml
@@ -52,6 +52,61 @@ spec:
             - name: GROUPS_GRPC_ADDR
               value: 0.0.0.0:9160
 
+            {{- if .Values.features.externalUserManagement.enabled }}
+            - name: GROUPS_LDAP_INSECURE
+              value: {{ .Values.features.externalUserManagement.ldap.insecure }}
+
+            - name: GROUPS_LDAP_USER_BASE_DN
+              value: {{ .Values.features.externalUserManagement.ldap.user.baseDN }}
+            - name: GROUPS_LDAP_GROUP_BASE_DN
+              value: {{ .Values.features.externalUserManagement.ldap.group.baseDN }}
+
+            - name: GROUPS_LDAP_USER_SCOPE
+              value: {{ .Values.features.externalUserManagement.ldap.user.scope }}
+            - name: GROUPS_LDAP_GROUP_SCOPE
+              value: {{ .Values.features.externalUserManagement.ldap.group.scope }}
+
+            - name: GROUPS_LDAP_USER_SUBSTRING_FILTER_TYPE
+              value: {{ .Values.features.externalUserManagement.ldap.user.substringFilterType }}
+
+            - name: GROUPS_LDAP_USER_FILTER
+              value: {{ .Values.features.externalUserManagement.ldap.user.filter }}
+            - name: GROUPS_LDAP_GROUP_FILTER
+              value: {{ .Values.features.externalUserManagement.ldap.group.filter }}
+
+            - name: GROUPS_LDAP_USER_OBJECTCLASS
+              value: {{ .Values.features.externalUserManagement.ldap.user.objectClass }}
+            - name: GROUPS_LDAP_GROUP_OBJECTCLASS
+              value: {{ .Values.features.externalUserManagement.ldap.group.objectClass }}
+
+            - name: GROUPS_LDAP_USER_SCHEMA_ID
+              value: {{ .Values.features.externalUserManagement.ldap.user.schema.id }}
+            - name: GROUPS_LDAP_GROUP_SCHEMA_ID
+              value: {{ .Values.features.externalUserManagement.ldap.group.schema.id }}
+
+            - name: GROUPS_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING
+              value: {{ .Values.features.externalUserManagement.ldap.user.schema.idIsOctetString }}
+            - name: GROUPS_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING
+              value: {{ .Values.features.externalUserManagement.ldap.group.schema.idIsOctetString }}
+
+            - name: GROUPS_LDAP_USER_SCHEMA_MAIL
+              value: {{ .Values.features.externalUserManagement.ldap.user.schema.mail }}
+            - name: GROUPS_LDAP_GROUP_SCHEMA_MAIL
+              value: {{ .Values.features.externalUserManagement.ldap.group.schema.mail }}
+
+            - name: GROUPS_LDAP_USER_SCHEMA_DISPLAYNAME
+              value: {{ .Values.features.externalUserManagement.ldap.user.schema.displayName }}
+            - name: GROUPS_LDAP_GROUP_SCHEMA_DISPLAYNAME
+              value: {{ .Values.features.externalUserManagement.ldap.group.schema.displayName }}
+
+            - name: GROUPS_LDAP_USER_SCHEMA_USERNAME
+              value: {{ .Values.features.externalUserManagement.ldap.user.schema.userName }}
+            - name: GROUPS_LDAP_GROUP_SCHEMA_GROUPNAME
+              value: {{ .Values.features.externalUserManagement.ldap.group.schema.groupName }}
+
+            - name: GROUPS_LDAP_GROUP_SCHEMA_MEMBER
+              value: {{ .Values.features.externalUserManagement.ldap.group.schema.member }}
+            {{- end }}
 
             - name: GROUPS_LDAP_URI
             {{ if not .Values.features.externalUserManagement.enabled }}