lldap/example_configs/ocis.md
2024-02-20 10:40:47 +01:00

99 lines
3.5 KiB
Markdown

# OCIS (OwnCloud Infinite Scale)
This is using version 5 which is currently still in RC.
IMPORTANT: There is a bug/quirk in how the OCIS container handles bind mounts.
If the bind mount locations (eg. `/srv/ocis/{app,cfg}`) don't exist when the container is started, OCIS creates them with `root` permissions. It then seems to drop permissions to UID 1000 and gives an error because it can't create files in the `{app,cfg}`.
So you must create the bind mount locations and manually chown them to uid/gid 1000, eg.
```
# cd /srv/ocis
# mkdir app cfg
# chown 1000:1000 app cfg
# docker compose up -d && docker compose logs -f
```
## .env
```
OCIS_URL="https://ocis.example.nz"
LDAP_BASE_DN="dc=example,dc=nz"
LDAP_BIND_PASSWORD=very-secret-yogurt
# LLDAP UUID to be given admin permissions
LLDAP_ADMIN_UUID=c1c2428a-xxxx-yyyy-zzzz-6cc946bf6809
```
## docker-compose.yml
```
version: "3.7"
networks:
caddy:
external: true
services:
ocis:
image: owncloud/ocis:5.0.0-rc.4
container_name: ocis
networks:
- caddy
entrypoint:
- /bin/sh
command: ["-c", "ocis init || true; ocis server"]
environment:
OCIS_URL: ${OCIS_URL}
OCIS_LOG_LEVEL: warn
OCIS_LOG_COLOR: "false"
PROXY_TLS: "false" # do not use SSL between Traefik and oCIS
OCIS_INSECURE: "false"
# Basic Auth is required for WebDAV clients that don't support OIDC
PROXY_ENABLE_BASIC_AUTH: "false"
#IDM_ADMIN_PASSWORD: "${ADMIN_PASSWORD}" # Not needed if admin user is in LDAP (?)
#OCIS_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: "banned-password-list.txt"
# Assumes your LLDAP container is named `lldap`
OCIS_LDAP_URI: ldap://lldap:3890
OCIS_LDAP_INSECURE: "true"
OCIS_LDAP_BIND_DN: "uid=admin,ou=people,${LDAP_BASE_DN}"
OCIS_LDAP_BIND_PASSWORD: ${LDAP_BIND_PASSWORD}
OCIS_ADMIN_USER_ID: ${LLDAP_ADMIN_UUID}
OCIS_LDAP_USER_ENABLED_ATTRIBUTE: uid
GRAPH_LDAP_SERVER_WRITE_ENABLED: "false" # Does your LLDAP bind user have write access?
GRAPH_LDAP_REFINT_ENABLED: "false"
# Disable the built in LDAP server
OCIS_EXCLUDE_RUN_SERVICES: idm
# both text and binary cause errors in LLDAP, seems harmless though (?)
#IDP_LDAP_UUID_ATTRIBUTE_TYPE: 'text'
LDAP_LOGIN_ATTRIBUTES: "uid"
IDP_LDAP_LOGIN_ATTRIBUTE: "uid"
IDP_LDAP_UUID_ATTRIBUTE: "entryuuid"
OCIS_LDAP_USER_SCHEMA_ID: "entryuuid"
OCIS_LDAP_GROUP_SCHEMA_ID: "uid"
OCIS_LDAP_GROUP_SCHEMA_GROUPNAME: "uid"
OCIS_LDAP_GROUP_BASE_DN: "ou=groups,${LDAP_BASE_DN}"
OCIS_LDAP_GROUP_OBJECTCLASS: "groupOfUniqueNames"
# can filter which groups are imported, eg: `(&(objectclass=groupOfUniqueNames)(uid=ocis_*))`
OCIS_LDAP_GROUP_FILTER: "(objectclass=groupOfUniqueNames)"
OCIS_LDAP_USER_BASE_DN: "ou=people,${LDAP_BASE_DN}"
OCIS_LDAP_USER_OBJECTCLASS: "inetOrgPerson"
# Allows all users
#OCIS_LDAP_USER_FILTER: "(objectclass=inetOrgPerson)"
# Allows users who are in the LLDAP group `ocis_users`
OCIS_LDAP_USER_FILTER: "(&(objectclass=person)(memberOf=cn=ocis_users,ou=groups,${LDAP_BASE_DN}))"
# NOT WORKING: Used instead of restricting users with OCIS_LDAP_USER_FILTER
#OCIS_LDAP_DISABLE_USER_MECHANISM: "group"
#OCIS_LDAP_DISABLED_USERS_GROUP_DN: "uid=ocis_disabled,ou=groups,${LDAP_BASE_DN}"
volumes:
# - ./config/ocis/banned-password-list.txt:/etc/ocis/banned-password-list.txt
# IMPORTANT: see note at top about creating/cowning bind mounts
- ./cfg:/etc/ocis
- ./app:/var/lib/ocis
restart: always
```