initial commit

idm/external-idp.yml

@@ -0,0 +1,72 @@
+---
+services:
+  opencloud:
+    environment:
+      # Ldap IDP specific configuration
+      OC_LDAP_URI: ldaps://ldap-server:1636
+      OC_LDAP_INSECURE: "true"
+      OC_LDAP_BIND_DN: "cn=admin,dc=opencloud,dc=eu"
+      OC_LDAP_BIND_PASSWORD: ${LDAP_BIND_PASSWORD:-admin}
+      OC_LDAP_GROUP_BASE_DN: "ou=groups,dc=opencloud,dc=eu"
+      OC_LDAP_USER_BASE_DN: "ou=users,dc=opencloud,dc=eu"
+      OC_LDAP_USER_FILTER: "(objectclass=inetOrgPerson)"
+      GRAPH_LDAP_SERVER_UUID: "false"
+      GRAPH_LDAP_REFINT_ENABLED: "true" # osixia has refint enabled.
+      FRONTEND_READONLY_USER_ATTRIBUTES: "user.onPremisesSamAccountName,user.displayName,user.mail,user.passwordProfile,user.accountEnabled,user.appRoleAssignments"
+      PROXY_OIDC_REWRITE_WELLKNOWN: "true"
+      WEB_OIDC_CLIENT_ID: ${OC_OIDC_CLIENT_ID:-web}
+      PROXY_ROLE_ASSIGNMENT_DRIVER: "oidc"
+      OC_OIDC_ISSUER: ${IDP_ISSUER_URL:-https://keycloak.opencloud.test/realms/openCloud}
+      # This specifies to start all services except idm and idp. These are replaced by external services.
+      OC_EXCLUDE_RUN_SERVICES: idm,idp
+      # IdP specific configuration for auto-provisioning
+      OC_LDAP_SERVER_WRITE_ENABLED: "true"
+      PROXY_AUTOPROVISION_ACCOUNTS: "true"
+      # Use the `sub` claim from the IdP for the user ID
+      # Most IdPs use the internal user ID as the `sub` claim
+      PROXY_USER_OIDC_CLAIM: "sub"
+      # Use the `sub` claim as identifier during autoprovisioning
+      # That mitigates problems when a user is renamed in the IdP
+      PROXY_AUTOPROVISION_CLAIM_USERNAME: "sub"
+      PROXY_USER_CS3_CLAIM: "username"
+      # This is the default value, we need to set it here because we overwrite the values
+      OC_LDAP_USER_SCHEMA_ID: "opencloudUUID"
+      # This is the default value, we need to set it here because we overwrite the values
+      OC_LDAP_GROUP_SCHEMA_ID: "opencloudUUID"
+      # This is the default value, we need to set it here because we overwrite the values
+      OC_LDAP_DISABLE_USER_MECHANISM: "attribute"
+      OC_ADMIN_USER_ID: ""
+      SETTINGS_SETUP_DEFAULT_ASSIGNMENTS: "false"
+      GRAPH_ASSIGN_DEFAULT_USER_ROLE: "false"
+      GRAPH_USERNAME_MATCH: "none"
+      # We need to set the IDP_DOMAIN to allow the CSP rules to be set correctly
+      IDP_DOMAIN: ${IDP_DOMAIN:-keycloak.opencloud.test}
+      # The openCloud users need to be able to edit their account in the externa IdP
+      WEB_OPTION_ACCOUNT_EDIT_LINK_HREF: ${IDP_ACCOUNT_URL}
+  ldap-server:
+    image: bitnamilegacy/openldap:2.6
+    networks:
+      opencloud-net:
+    entrypoint: [ "/bin/sh", "/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh", "/opt/bitnami/scripts/openldap/run.sh" ]
+    environment:
+      BITNAMI_DEBUG: true
+      LDAP_TLS_VERIFY_CLIENT: never
+      LDAP_ENABLE_TLS: "yes"
+      LDAP_TLS_CA_FILE: /opt/bitnami/openldap/share/openldap.crt
+      LDAP_TLS_CERT_FILE: /opt/bitnami/openldap/share/openldap.crt
+      LDAP_TLS_KEY_FILE: /opt/bitnami/openldap/share/openldap.key
+      LDAP_ROOT: "dc=opencloud,dc=eu"
+      LDAP_ADMIN_PASSWORD: ${LDAP_BIND_PASSWORD:-admin}
+    volumes:
+      # Only use the base ldif file to create the base structure
+      - ./config/ldap/ldif/10_base.ldif:/ldifs/10_base.ldif
+      # Use the custom schema from opencloud because we are in full control of the ldap server
+      - ./config/ldap/schemas/10_opencloud_schema.ldif:/schemas/10_opencloud_schema.ldif
+      - ./config/ldap/docker-entrypoint-override.sh:/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh
+      - ${LDAP_CERTS_DIR:-ldap-certs}:/opt/bitnami/openldap/share
+      - ${LDAP_DATA_DIR:-ldap-data}:/bitnami/openldap
+    restart: always
+
+volumes:
+  ldap-certs:
+  ldap-data: