--- services: opencloud: environment: # Ldap IDP specific configuration OC_LDAP_URI: ldaps://ldap-server:1636 OC_LDAP_INSECURE: "true" OC_LDAP_BIND_DN: "cn=admin,dc=opencloud,dc=eu" OC_LDAP_BIND_PASSWORD: ${LDAP_BIND_PASSWORD:-admin} OC_LDAP_GROUP_BASE_DN: "ou=groups,dc=opencloud,dc=eu" OC_LDAP_GROUP_SCHEMA_ID: "entryUUID" OC_LDAP_USER_BASE_DN: "ou=users,dc=opencloud,dc=eu" OC_LDAP_USER_FILTER: "(objectclass=inetOrgPerson)" OC_LDAP_USER_SCHEMA_ID: "entryUUID" OC_LDAP_DISABLE_USER_MECHANISM: "none" GRAPH_LDAP_SERVER_UUID: "true" GRAPH_LDAP_GROUP_CREATE_BASE_DN: "ou=custom,ou=groups,dc=opencloud,dc=eu" GRAPH_LDAP_REFINT_ENABLED: "true" # osixia has refint enabled. FRONTEND_READONLY_USER_ATTRIBUTES: "user.onPremisesSamAccountName,user.displayName,user.mail,user.passwordProfile,user.accountEnabled,user.appRoleAssignments" OC_LDAP_SERVER_WRITE_ENABLED: "false" # the ldap is managed by Keycloak, so it is not writable by OpenCloud # This specifies to start all services except idm and idp. These are replaced by external services. OC_EXCLUDE_RUN_SERVICES: idm,idp # Keycloak IDP specific configuration PROXY_AUTOPROVISION_ACCOUNTS: "false" PROXY_ROLE_ASSIGNMENT_DRIVER: "oidc" OC_OIDC_ISSUER: https://${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}/realms/openCloud PROXY_OIDC_REWRITE_WELLKNOWN: "true" WEB_OIDC_CLIENT_ID: ${OC_OIDC_CLIENT_ID:-web} PROXY_USER_OIDC_CLAIM: "uuid" PROXY_USER_CS3_CLAIM: "userid" WEB_OPTION_ACCOUNT_EDIT_LINK_HREF: "https://${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}/realms/openCloud/account" # admin and demo accounts must be created in Keycloak OC_ADMIN_USER_ID: "" SETTINGS_SETUP_DEFAULT_ASSIGNMENTS: "false" GRAPH_ASSIGN_DEFAULT_USER_ROLE: "false" GRAPH_USERNAME_MATCH: "none" # This is needed to set the correct CSP rules for OpenCloud IDP_DOMAIN: ${KEYCLOAK_DOMAIN:-keycloak.opencloud.test} ldap-server: image: bitnamilegacy/openldap:2.6 networks: opencloud-net: entrypoint: [ "/bin/sh", "/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh", "/opt/bitnami/scripts/openldap/run.sh" ] environment: BITNAMI_DEBUG: true LDAP_TLS_VERIFY_CLIENT: never LDAP_ENABLE_TLS: "yes" LDAP_TLS_CA_FILE: /opt/bitnami/openldap/share/openldap.crt LDAP_TLS_CERT_FILE: /opt/bitnami/openldap/share/openldap.crt LDAP_TLS_KEY_FILE: /opt/bitnami/openldap/share/openldap.key LDAP_ROOT: "dc=opencloud,dc=eu" LDAP_ADMIN_PASSWORD: ${LDAP_BIND_PASSWORD:-admin} volumes: - ./config/ldap/ldif/10_base.ldif:/ldifs/10_base.ldif - ./config/ldap/ldif/20_admin.ldif:/ldifs/20_admin.ldif - ./config/ldap/ldif/50_acls.ldif:/opt/bitnami/openldap/etc/schema/50_acls.ldif - ./config/ldap/init-ldap-acls.sh:/docker-entrypoint-initdb.d/init-ldap-acls.sh - ./config/ldap/docker-entrypoint-override.sh:/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh - ldap-certs:/opt/bitnami/openldap/share - ldap-data:/bitnami/openldap logging: driver: ${LOG_DRIVER:-local} restart: always postgres: image: postgres:17-alpine networks: opencloud-net: volumes: - keycloak_postgres_data:/var/lib/postgresql/data environment: POSTGRES_DB: keycloak POSTGRES_USER: ${KC_DB_USERNAME:-keycloak} POSTGRES_PASSWORD: ${KC_DB_PASSWORD:-keycloak} logging: driver: ${LOG_DRIVER:-local} restart: always keycloak: image: quay.io/keycloak/keycloak:26.3.3 networks: opencloud-net: command: [ "start", "--spi-connections-http-client-default-disable-trust-manager=${INSECURE:-false}", "--import-realm" ] entrypoint: [ "/bin/sh", "/opt/keycloak/bin/docker-entrypoint-override.sh" ] volumes: - "./config/keycloak/docker-entrypoint-override.sh:/opt/keycloak/bin/docker-entrypoint-override.sh" - "./config/keycloak/opencloud-realm.dist.json:/opt/keycloak/data/import-dist/openCloud-realm.json" - "./config/keycloak/themes/opencloud:/opt/keycloak/themes/opencloud" environment: LDAP_ADMIN_PASSWORD: ${LDAP_BIND_PASSWORD:-admin} OC_DOMAIN: ${OC_DOMAIN:-cloud.opencloud.test} KC_HOSTNAME: ${KEYCLOAK_DOMAIN:-keycloak.opencloud.test} KC_DB: postgres KC_DB_URL: "jdbc:postgresql://postgres:5432/keycloak" KC_DB_USERNAME: ${KC_DB_USERNAME:-keycloak} KC_DB_PASSWORD: ${KC_DB_PASSWORD:-keycloak} KC_FEATURES: impersonation KC_PROXY_HEADERS: xforwarded KC_HTTP_ENABLED: true KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN:-kcadmin} KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:-admin} depends_on: - postgres logging: driver: ${LOG_DRIVER:-local} restart: always volumes: keycloak_postgres_data: ldap-certs: ldap-data: