
LDAP Documentation Feedback and Implementation Suggestion #6505

Closed
johnstonjs opened this issue Jun 13, 2023 · 4 comments

Comments

@johnstonjs

Is your feature request related to a problem? Please describe.

  1. The documentation for upgrading to 3.0 did not account for a new LDAP configuration requirement. In particular, the OCIS_LDAP_USER_ENABLED_ATTRIBUTE is now required. Unfortunately, that isn't specified anywhere in the documentation.
  2. We are able to specify an LDAP user as an administrator by specifically flagging their UUID via OCIS_ADMIN_USER_ID, however that isn't very flexible nor does it allow for straightforward changing of user permissions.

Describe the solution you'd like

  1. I suggest updating the documentation for upgrading to 3.0 to note that LDAP users must specify that OCIS_LDAP_USER_ENABLED_ATTRIBUTE be configured. This took me a few hours to figure out, and by trial/error I've found that simply having a value present makes the flag TRUE. Therefore I further suggest updating the documentation for this setting to note that it is required and describe how it functions (I just set mine to =cn so I don't worry about it again).

  2. I'd greatly prefer to have a setting such as OCIS_LDAP_ADMIN_FILTER which would allow me to specify an LDAP search string like (memberOf=cn=admin,ou=Lists,dc=example,dc=com). This way permissions could be managed the same way I do for every other system on my network.

Even with these minor nits, this is a great system that I greatly appreciate!

@rhafer
Contributor

rhafer commented Jun 13, 2023

  1. The documentation for upgrading to 3.0 did not account for a new LDAP configuration requirement.

Hm, yeah. Good catch

In particular, the OCIS_LDAP_USER_ENABLED_ATTRIBUTE is now required. Unfortunately, that isn't specified anywhere in the documentation.

Actually OCIS_LDAP_USER_ENABLED_ATTRIBUTE is not strictly required (at least it shouldn't be). Whether you need it depends on the OCIS_LDAP_DISABLE_USER_MECHANISM setting. If you set that to none you shouldn't need OCIS_LDAP_USER_ENABLED_ATTRIBUTE (otherwise we have a bug). The default for OCIS_LDAP_DISABLE_USER_MECHANISM however is attribute (in order to make the enable/disable feature work with the builtin LDAP server by default). Some of that is described here: https://doc.owncloud.com/ocis/next/deployment/services/s-list/graph.html

@mmattel Would be nice to have something in the release notes regarding the new OCIS_LDAP_DISABLE_USER_MECHANISM setting. Especially for people integrating with external LDAP servers.

  2. I'd greatly prefer to have a setting such as OCIS_LDAP_ADMIN_FILTER which would allow me to specify an LDAP search string like (memberOf=cn=admin,ou=Lists,dc=example,dc=com). This way permissions could be managed the same way I do for every other system on my network.

Actually that is already possible. You can add such a filter to OCIS_LDAP_USER_FILTER

Even with these minor nits, this is a great system that I greatly appreciate!

That's great to hear, thanks!
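As an added example (not ocis project code and not from this thread), the Python helper below assembles the kind of combined filter suggested above: an existing OCIS_LDAP_USER_FILTER value AND-ed with a memberOf clause, with the group DN escaped per RFC 4515 so that parentheses, asterisks or backslashes in a DN cannot change the filter's structure. The env name and the sample group DN come from this thread; the function names and the inetOrgPerson sample filter are assumptions.

```python
# Added example (not ocis project code): compose an LDAP user filter of the kind
# used for OCIS_LDAP_USER_FILTER that also restricts matches to members of an
# admin group. The group DN is escaped per RFC 4515 so special characters in
# the value cannot alter the filter structure.

_RFC4515_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def balanced(filter_str: str) -> bool:
    """Sanity check: parentheses must balance, ignoring escaped bytes like \\28."""
    depth = 0
    i = 0
    while i < len(filter_str):
        ch = filter_str[i]
        if ch == "\\":          # skip the backslash and its two hex digits
            i += 3
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
        i += 1
    return depth == 0


def with_group_membership(user_filter: str, group_dn: str, attr: str = "memberOf") -> str:
    """AND an existing, fully parenthesised user filter with a group-membership clause."""
    clause = f"({attr}={escape_filter_value(group_dn)})"
    if not user_filter:
        return clause
    if not user_filter.startswith("(") or not balanced(user_filter):
        raise ValueError("user filter must be a complete parenthesised LDAP filter")
    return f"(&{user_filter}{clause})"


if __name__ == "__main__":
    # Constructed sample values; the group DN is the one quoted in this thread.
    print(with_group_membership("(objectClass=inetOrgPerson)",
                                "cn=admin,ou=Lists,dc=example,dc=com"))
```

The resulting string is what one would place in OCIS_LDAP_USER_FILTER to make only members of that group match as users, which is the approach the reply above describes.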

@johnstonjs
Author

Thanks for the quick reply!

On (1), I didn't set the OCIS_LDAP_DISABLE_USER_MECHANISM to none, but will try that out this evening and see if I get the same result.

On (2), I use the OCIS_LDAP_USER_FILTER to derive my list of users, but I'd like to see another option that can derive a list of administrators.

@rhafer
Contributor

rhafer commented Jun 13, 2023

I didn't set the OCIS_LDAP_DISABLE_USER_MECHANISM to none, but will try that out this evening and see if I get the same result.

I just realized that we have a bug in the internal IDP service, which causes OCIS_LDAP_DISABLE_USER_MECHANISM=none to not work correctly (#6517). You additionally need to set OCIS_LDAP_USER_ENABLED_ATTRIBUTE="" as a workaround. Sorry for the confusion...

@mmattel
Contributor

mmattel commented Jun 15, 2023

I think this one can be closed as we covered the docs part and opened a dedicated issue (#6517) for the bug found.

@rhafer rhafer closed this as completed Jun 15, 2023