owncloud / ocis-charts

:chart_with_upwards_trend: Helm Charts for ownCloud's OCIS
https://owncloud.dev/ocis/deployment/kubernetes/
Apache License 2.0

Can't use LDAP #402

Open Whidix opened 9 months ago

Whidix commented 9 months ago

Hello,

I'm trying to set up ownCloud with LDAP authentication, but I'm unable to make it work. ownCloud always tries to authenticate me with OIDC on https://idp.owncloud.test/realms/ocis/.well-known/openid-configuration.

Here are some important values that I edited; maybe I am missing something?

features:
  basicAuthentication: true
  externalUserManagement:
    # LDAP related settings.
    enabled: true
    adminUUID: "admin"
    ldap:
      writeable: false
      insecure: true
      . . .

Thanks for your help.

wkloucek commented 9 months ago

The documentation comments in the values.yaml state the following:

https://github.com/owncloud/ocis-charts/blob/5c854bc2ac38ee2326039f96576ae5b050d3ce16/charts/ocis/values.yaml#L251-L254

This means you also need to change the OIDC identity provider settings:

https://github.com/owncloud/ocis-charts/blob/5c854bc2ac38ee2326039f96576ae5b050d3ce16/charts/ocis/values.yaml#L261-L265

I admit that we should not have a default value here. We should refuse the installation if external user management is enabled and no external OIDC identity provider is configured.

Whidix commented 9 months ago

I understand, but is it possible to have an LDAP server without OIDC? On the ownCloud dev website there is no mention of OpenID for authentication relying on LDAP.

wkloucek commented 9 months ago

oCIS ships an LDAP and an IDP service by default. You can omit one or both of them.

The oCIS Helm chart is more opinionated and only allows using both for development or small installations. This is because the chart aims at highly available and scalable installations. Neither the oCIS LDAP nor the IDP service is currently (horizontally) scalable. Therefore we expect both of them to be replaced for the Helm Chart (also to reduce configuration permutations).

Whidix commented 9 months ago

Sorry, what I mean is that I have an external LDAP server and I want to use it as a user provider.

wkloucek commented 9 months ago

There is no out-of-the-box setup with this Helm Chart to use only an external LDAP server. If you use an external LDAP server, you also must use an external OIDC identity provider.

There are no plans for this Helm Chart to only support external LDAP without external OIDC identity provider.

Whidix commented 9 months ago

Just out of curiosity, what is the point of having both an external LDAP and OIDC provider at the same time? Both of them can do authentication, and in my case, the Keycloak uses LDAP as its source.

I tried to use Keycloak before opening this issue but it didn't work. Where am I supposed to register the token generated by Keycloak?

wkloucek commented 9 months ago

> Just out of curiosity, what is the point of having both an external LDAP and OIDC provider at the same time? Both of them can do authentication, and in my case, the Keycloak uses LDAP as its source.

oCIS uses OIDC for authentication. Therefore the identity provider handles session management, ... for us (which LDAP doesn't do). oCIS also has a so-called "autoprovisioning mode" (https://github.com/owncloud/ocis/blob/3f99d182bfd0e70f97b776bf7c7cfd0d017327c3/deployments/examples/ocis_keycloak/docker-compose.yml#L62) where it learns about the users only via OIDC when they log in for the first time and writes them to the oCIS internal LDAP. In this case you only need to have an external OIDC provider.

LDAP is needed so that we can search for users and groups. This can not be done via the OIDC protocol.

> I tried to use Keycloak before opening this issue but it didn't work. Where am I supposed to register the token generated by Keycloak?

Please have a look at this Helm file that sets up an environment with LDAP + Keycloak: https://github.com/owncloud/ocis-charts/blob/master/deployments/external-user-management/helmfile.yaml

ownCloud Web is using a public OIDC client and therefore has no client secret (https://github.com/owncloud/ocis-charts/blob/5c854bc2ac38ee2326039f96576ae5b050d3ce16/deployments/external-user-management/charts/keycloak/002-ocis-realm.yaml#L760-L814 or https://github.com/owncloud/ocis/blob/master/deployments/examples/ocis_keycloak/config/keycloak/clients/web.json). The native apps OIDC clients have a client secret (see https://github.com/owncloud/ocis/tree/master/deployments/examples/ocis_keycloak/config/keycloak/clients)

Whidix commented 9 months ago

Thank you, I have one last question. I ended up with this "error" (screenshot).

I want to use my users' uids (the LDAP ones), which are equal to the usernames of the Keycloak users. I don't understand how to map them to oCIS. For example, with my user (uid=whidix), I have:

features:
  basicAuthentication: true
  externalUserManagement:
    enabled: true
    adminUUID: "whidix"
    oidc:
      issuerURI: "https://auth.example.com/realms/production"
      webClientID: "owncloud"
      userIDClaim: preferred_username
      userIDClaimAttributeMapping: username
      roleAssignment:
        enabled: false

    ldap:
      writeable: false
      uri: ldap://ldap.example.com
      certTrusted: true 
      insecure: true
      bindDN: uid=client-consult,ou=scripts,o=org,dc=example,dc=com
      useServerUUID: false
      user:
        schema:
          id: uid
          idIsOctetString: false
          mail: mail
          displayName: displayname
          userName: uid
        baseDN: dc=example,dc=com
        scope: sub
        substringFilterType: any
        filter:
        objectClass: inetOrgPerson
      group:
        schema:
          id: cn
          idIsOctetString: false
          mail: mailAlias
          displayName: displayName
          groupName: displayName
          member: memberUid
        baseDN: dc=example,dc=com
        scope: sub
        filter:
        objectClass: Club

Whidix commented 9 months ago

After some debugging I have this error, which means that no user called whidix exists, which is normal since it's my first connection. Maybe the mapping is broken?

2023-10-19T21:23:14Z INF access-log bytes=2494 duration=3.196537 line=github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/accesslog.go:31 method=GET path=/ocs/v1.php/cloud/capabilities proto=HTTP/1.1 remote-addr=x.x.x.x request-id=00ddaed2-628f-4b44-9aa7-ef273622d9ce service=proxy status=200
2023-10-19T21:23:14Z DBG User by claim not found claim=preferred_username line=github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/account_resolver.go:118 service=proxy value=whidix
2023-10-19T21:23:14Z DBG Autoprovisioning disabled claims="marshaling error: json: unsupported type: map[interface {}]interface {}" line=github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/account_resolver.go:120 service=proxy
2023-10-19T21:23:14Z INF access-log bytes=0 duration=11.138444 line=github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/accesslog.go:31 method=GET path=/ocs/v1.php/cloud/user proto=HTTP/1.1 remote-addr=x.x.x.x.x request-id=986bde56-73fb-4538-9038-3265488a78dd service=proxy status=401

wkloucek commented 9 months ago

The log confirms that it takes the value whidix from the preferred_username claim. But the user could not be found in your LDAP. Could you please try manually to find the user via uid in the LDAP? E.g. ldapsearch -b dc=example,dc=com uid=whidix

Whidix commented 9 months ago

Sorry, I didn't update my previous message. I fixed the issue with the LDAP (mainly due to a mapping error and using ldaps instead of ldap), but there is a new one with OIDC roles (which are supposed to be disabled but look mandatory according to the logs).

2023-10-20T06:53:51Z INF access-log bytes=0 duration=88.54707 line=github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/accesslog.go:31 method=POST path=/api/v0/settings/values-list proto=HTTP/1.1 remote-addr=x.x.x.x request-id=f8cbaf9d-de5b-4a7a-b3af-6efad7749132 service=proxy status=500
2023-10-20T06:53:51.287991990Z 2023-10-20T06:53:51Z DBG director found line=github.com/owncloud/ocis/v2/services/proxy/pkg/router/router.go:222 method=GET path=/ocs/v1.php/cloud/user policy=ocis prefix=/ocs/ routeType=prefix service=proxy
2023-10-20T06:53:51.288039840Z 2023-10-20T06:53:51Z DBG cache hit for userinfo claims="marshaling error: json: unsupported type: map[interface {}]interface {}" line=github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/oidc_auth.go:67 service=proxy
2023-10-20T06:53:51.288112447Z 2023-10-20T06:53:51Z DBG successfully authenticated request authenticator=oidc line=github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/oidc_auth.go:171 path=/ocs/v1.php/cloud/user service=proxy
2023-10-20T06:53:51.293730428Z 2023-10-20T06:53:51Z ERR Could not load roles error="{\"id\":\"ocis-settings\",\"code\":400,\"detail\":\"cannot be blank\",\"status\":\"Bad Request\"}" line=github.com/owncloud/ocis/v2/services/proxy/pkg/userroles/defaultrole.go:38 service=proxy
2023-10-20T06:53:51.293759039Z 2023-10-20T06:53:51Z ERR Could not get user roles error="{\"id\":\"ocis-settings\",\"code\":400,\"detail\":\"cannot be blank\",\"status\":\"Bad Request\"}" line=github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/account_resolver.go:154 service=proxy

Here is the file that throws me the error: defaultrole

wkloucek commented 9 months ago

https://github.com/owncloud/ocis-charts/blob/ebb85842659e0bdb951be58867f8e4ce9f33bba2/charts/ocis/values.yaml#L288-L289

is set to false, right?

I also assume that you have no custom roles:

https://github.com/owncloud/ocis-charts/blob/ebb85842659e0bdb951be58867f8e4ce9f33bba2/charts/ocis/values.yaml#L416-L422

From your configuration, I see that you have configured the adminUUID:

https://github.com/owncloud/ocis-charts/blob/ebb85842659e0bdb951be58867f8e4ce9f33bba2/charts/ocis/values.yaml#L260

Can a user login which is not configured there?

Whidix commented 9 months ago

I tried to unset adminUUID without results, I can confirm that I have no custom roles and that roleAssignment is set to false.

Whidix commented 7 months ago

Hello again, now I'm able to connect with my user but all groups are empty. In my LDAP, I use memberUid to store the users' uids. Any idea?

wkloucek commented 2 months ago

@Whidix sorry that you didn't receive a response for such a long time! Did you meanwhile manage to get it running?
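Two points in the thread lend themselves to a worked model: the resolver taking the preferred_username claim and looking the account up in LDAP by the mapped uid attribute ("User by claim not found" above), and the final question about groups staying empty when membership is stored in memberUid. The following Python is an added example written for this page; it is not oCIS code and does not reproduce how the oCIS proxy or its LDAP backend actually query the directory. It uses a constructed in-memory directory instead of a live server, matches attribute values exactly (a real LDAP server compares uid case-insensitively), and the contrast between a member attribute holding DNs and one holding plain uids is offered as an illustration of one way groups can come back empty, not as a confirmed diagnosis of the reporter's setup. It also shows the filter-escaping step a practitioner should insist on whenever an IdP-supplied claim value is interpolated into an LDAP search filter.

```python
"""Toy model of claim -> LDAP user -> group resolution (added example, not project code).

Steps modelled:
  1. take the OIDC claim value (preferred_username) and look the user up by the
     mapped LDAP attribute (uid), building an RFC 4515-escaped search filter;
  2. resolve the user's groups, contrasting a member attribute that holds
     full DNs with one that holds plain uids (memberUid).
All directory data below is constructed sample data.
"""


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value embedded in an LDAP filter.

    The claim value comes from the identity provider, not from the directory,
    so it is treated as untrusted input: without this step a value such as
    '*)(uid=*' would change the meaning of the filter.
    """
    special = {"\\", "*", "(", ")", "\x00"}
    return "".join(f"\\{ord(c):02x}" if c in special else c for c in value)


def user_filter(id_attr: str, claim_value: str, object_class: str = "inetOrgPerson") -> str:
    """Filter equivalent to: ldapsearch -b <baseDN> '(&(objectClass=inetOrgPerson)(uid=whidix))'."""
    return f"(&(objectClass={object_class})({id_attr}={escape_filter_value(claim_value)}))"


# Constructed directory: two users and two group styles.
USERS = [
    {"dn": "uid=whidix,ou=people,dc=example,dc=com", "uid": "whidix",
     "mail": "whidix@example.com", "displayname": "Whidix"},
    {"dn": "uid=alice,ou=people,dc=example,dc=com", "uid": "alice",
     "mail": "alice@example.com", "displayname": "Alice"},
]

# Groups storing membership as plain uids (posixGroup / memberUid style).
GROUPS_MEMBERUID = [
    {"dn": "cn=club-a,ou=groups,dc=example,dc=com", "cn": "club-a",
     "memberUid": ["whidix", "alice"]},
    {"dn": "cn=club-b,ou=groups,dc=example,dc=com", "cn": "club-b",
     "memberUid": ["alice"]},
]

# Groups storing membership as full DNs (groupOfNames / member style).
GROUPS_MEMBER_DN = [
    {"dn": "cn=admins,ou=groups,dc=example,dc=com", "cn": "admins",
     "member": ["uid=whidix,ou=people,dc=example,dc=com"]},
]


def find_user(entries, id_attr: str, claim_value: str):
    """Return the single entry whose id_attr equals the claim value, else None.

    Zero and several matches are both 'not found': an ambiguous claim must
    never be allowed to resolve to somebody else's account.
    """
    matches = [e for e in entries if e.get(id_attr) == claim_value]
    return matches[0] if len(matches) == 1 else None


def groups_for(user, groups, member_attr: str, member_holds_dn: bool):
    """Names of the groups whose member_attr lists the user.

    member_holds_dn selects what the resolver compares against: the user's
    DN (correct for 'member') or the bare uid (correct for 'memberUid').
    Picking the wrong one silently yields no groups at all.
    """
    key = user["dn"] if member_holds_dn else user["uid"]
    return sorted(g["cn"] for g in groups if key in g.get(member_attr, []))


def resolve(claim_value: str, groups, member_attr: str, member_holds_dn: bool):
    """One login's resolution: the filter that would be sent, the user, the groups."""
    user = find_user(USERS, "uid", claim_value)
    return {
        "filter": user_filter("uid", claim_value),
        "user": user["dn"] if user else None,
        "groups": groups_for(user, groups, member_attr, member_holds_dn) if user else [],
    }


if __name__ == "__main__":
    # memberUid compared against the uid: membership resolves.
    print(resolve("whidix", GROUPS_MEMBERUID, "memberUid", member_holds_dn=False))
    # memberUid compared against the DN: the 'all groups are empty' symptom.
    print(resolve("whidix", GROUPS_MEMBERUID, "memberUid", member_holds_dn=True))
    # unknown claim value: the 'User by claim not found' case.
    print(resolve("nobody", GROUPS_MEMBERUID, "memberUid", member_holds_dn=False))
```

Running the block prints the three resolutions in turn. The second call reproduces the empty-groups outcome without any LDAP error, which is why a mismatch between the configured member attribute and what the resolver compares against is worth ruling out with an ldapsearch against the group entries before suspecting the chart itself. The escaping helper is the part to carry over to any real integration: a filter built by plain string formatting from a claim value is an LDAP injection vector.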