mirror of
https://github.com/lldap/lldap.git
synced 2024-11-25 17:13:25 +00:00
3.5 KiB
3.5 KiB
OCIS (OwnCloud Infinite Scale)
This is using version 5 which is currently still in RC.
IMPORTANT: There is a bug/quirk in how the OCIS container handles bind mounts.
If the bind mount locations (eg. /srv/ocis/{app,cfg}
) don't exist when the container is started, OCIS creates them with root
permissions. It then seems to drop permissions to UID 1000 and gives an error because it can't create files in the {app,cfg}
.
So you must create the bind mount locations and manually chown them to uid/gid 1000, eg.
# cd /srv/ocis
# mkdir app cfg
# chown 1000:1000 app cfg
# docker compose up -d && docker compose logs -f
.env
OCIS_URL="https://ocis.example.nz"
LDAP_BASE_DN="dc=example,dc=nz"
LDAP_BIND_PASSWORD=very-secret-yogurt
# LLDAP UUID to be given admin permissions
LLDAP_ADMIN_UUID=c1c2428a-xxxx-yyyy-zzzz-6cc946bf6809
docker-compose.yml
version: "3.7"
networks:
caddy:
external: true
services:
ocis:
image: owncloud/ocis:5.0.0-rc.4
container_name: ocis
networks:
- caddy
entrypoint:
- /bin/sh
command: ["-c", "ocis init || true; ocis server"]
environment:
OCIS_URL: ${OCIS_URL}
OCIS_LOG_LEVEL: warn
OCIS_LOG_COLOR: "false"
PROXY_TLS: "false" # do not use SSL between Traefik and oCIS
OCIS_INSECURE: "false"
# Basic Auth is required for WebDAV clients that don't support OIDC
PROXY_ENABLE_BASIC_AUTH: "false"
#IDM_ADMIN_PASSWORD: "${ADMIN_PASSWORD}" # Not needed if admin user is in LDAP (?)
#OCIS_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: "banned-password-list.txt"
# Assumes your LLDAP container is named `lldap`
OCIS_LDAP_URI: ldap://lldap:3890
OCIS_LDAP_INSECURE: "true"
OCIS_LDAP_BIND_DN: "uid=admin,ou=people,${LDAP_BASE_DN}"
OCIS_LDAP_BIND_PASSWORD: ${LDAP_BIND_PASSWORD}
OCIS_ADMIN_USER_ID: ${LLDAP_ADMIN_UUID}
OCIS_LDAP_USER_ENABLED_ATTRIBUTE: uid
GRAPH_LDAP_SERVER_WRITE_ENABLED: "false" # Does your LLDAP bind user have write access?
GRAPH_LDAP_REFINT_ENABLED: "false"
# Disable the built in LDAP server
OCIS_EXCLUDE_RUN_SERVICES: idm
# both text and binary cause errors in LLDAP, seems harmless though (?)
#IDP_LDAP_UUID_ATTRIBUTE_TYPE: 'text'
LDAP_LOGIN_ATTRIBUTES: "uid"
IDP_LDAP_LOGIN_ATTRIBUTE: "uid"
IDP_LDAP_UUID_ATTRIBUTE: "entryuuid"
OCIS_LDAP_USER_SCHEMA_ID: "entryuuid"
OCIS_LDAP_GROUP_SCHEMA_ID: "uid"
OCIS_LDAP_GROUP_SCHEMA_GROUPNAME: "uid"
OCIS_LDAP_GROUP_BASE_DN: "ou=groups,${LDAP_BASE_DN}"
OCIS_LDAP_GROUP_OBJECTCLASS: "groupOfUniqueNames"
# can filter which groups are imported, eg: `(&(objectclass=groupOfUniqueNames)(uid=ocis_*))`
OCIS_LDAP_GROUP_FILTER: "(objectclass=groupOfUniqueNames)"
OCIS_LDAP_USER_BASE_DN: "ou=people,${LDAP_BASE_DN}"
OCIS_LDAP_USER_OBJECTCLASS: "inetOrgPerson"
# Allows all users
#OCIS_LDAP_USER_FILTER: "(objectclass=inetOrgPerson)"
# Allows users who are in the LLDAP group `ocis_users`
OCIS_LDAP_USER_FILTER: "(&(objectclass=person)(memberOf=cn=ocis_users,ou=groups,${LDAP_BASE_DN}))"
# NOT WORKING: Used instead of restricting users with OCIS_LDAP_USER_FILTER
#OCIS_LDAP_DISABLE_USER_MECHANISM: "group"
#OCIS_LDAP_DISABLED_USERS_GROUP_DN: "uid=ocis_disabled,ou=groups,${LDAP_BASE_DN}"
volumes:
# - ./config/ocis/banned-password-list.txt:/etc/ocis/banned-password-list.txt
# IMPORTANT: see note at top about creating/cowning bind mounts
- ./cfg:/etc/ocis
- ./app:/var/lib/ocis
restart: always