Graph

Abstract

The graph service provides the Graph API which is a RESTful web API used to access Infinite Scale resources. It is inspired by the Microsoft Graph API and can be used by clients or other services or extensions. Visit the Libre Graph API for a detailed specification of the API implemented by the graph service.

Sequence Diagram
Users and Groups API
- LDAP Configuration
  - Read-Only Access to Existing LDAP Servers
  - Using a Write Enabled LDAP Server
Query Filters Provided by the Graph API
Caching
Keycloak Configuration For The Personal Data Export
- Keycloak Client Configuration
Translations
- Translation Rules
Default Language
Unified Role Management
Example Yaml Config

Sequence Diagram

The following image gives an overview of the scenario when a client requests to list available spaces the user has access to. To do so, the client is directed with his request automatically via the proxy service to the graph service.

Users and Groups API

The graph service provides endpoints for querying users and groups. It features two different backend implementations:

ldap: This is currently the default backend. It queries user and group information from an LDAP server. Depending on the configuration, it can also be used to manage (create, update, delete) users and groups provided by an LDAP server.
cs3: This backend queries users and groups using the CS3 identity APIs as implemented by the users and groups service. This backend is currently still experimental and only implements a subset of the Libre Graph API. It should not be used in production.

LDAP Configuration

The LDAP backend is configured using a set of environment variables. A detailed list of all the available configuration options can be found in the documentation. The LDAP related options are prefixed with OCIS_LDAP_ (or GRAPH_LDAP_ for settings specific to graph service).

Read-Only Access to Existing LDAP Servers

To connect the graph service to an existing LDAP server, set OCIS_LDAP_SERVER_WRITE_ENABLED to false to prevent the graph service from sending write operations to the LDAP server. Also set the various OCIS_LDAP_* environment variables to match the configuration of the LDAP server you are connecting to. An example configuration for connecting oCIS to an instance of Microsoft Active Directory is available here.

Using a Write Enabled LDAP Server

To use the graph service for managing (create, update, delete) users and groups, a write enabled LDAP server is required. In the default configuration, the graph service will use the simple LDAP server that is bundled with oCIS in the idm service which provides all the required features. It is also possible to setup up an external LDAP server with write access for use with oCIS. It is recommend to use OpenLDAP for this. The LDAP server needs to fulfill a couple of requirements with respect to the available schema:

The LDAP server must provide the inetOrgPerson object class for users and the groupOfNames object class for groups.
The graph service maintains a few additional attributes for users and groups that are not available in the standard LDAP schema. An schema file, ready to use with OpenLDAP, defining those additional attributes is available here.

Query Filters Provided by the Graph API

Some API endpoints provided by the graph service allow to specify query filters. The filter syntax is based on the OData Specification. See the Libre Graph API for examples on the filters supported when querying users.

Caching

The graph service can use a configured store via GRAPH_CACHE_STORE. Possible stores are:

memory: Basic in-memory store and the default.
redis-sentinel: Stores data in a configured Redis Sentinel cluster.
nats-js-kv: Stores data using key-value-store feature of nats jetstream
noop: Stores nothing. Useful for testing. Not recommended in production environments.

Other store types may work but are not supported currently.

Note: The service can only be scaled if not using memory store and the stores are configured identically over all instances!

Note that if you have used one of the deprecated stores, you should reconfigure to one of the supported ones as the deprecated stores will be removed in a later version.

Store specific notes:

When using redis-sentinel, the Redis master to use is configured via e.g. OCIS_CACHE_STORE_NODES in the form of <sentinel-host>:<sentinel-port>/<redis-master> like 10.10.0.200:26379/mymaster.
When using nats-js-kv it is recommended to set OCIS_CACHE_STORE_NODES to the same value as OCIS_EVENTS_ENDPOINT. That way the cache uses the same nats instance as the event bus.
When using the nats-js-kv store, it is possible to set OCIS_CACHE_DISABLE_PERSISTENCE to instruct nats to not persist cache data on disc.

Keycloak Configuration For The Personal Data Export

If Keycloak is used for authentication, GDPR regulations require to add all personal identifiable information that Keycloak has about the user to the personal data export. To do this, the following environment variables must be set:

OCIS_KEYCLOAK_BASE_PATH - The URL to the keycloak instance.
OCIS_KEYCLOAK_CLIENT_ID - The client ID of the client that is used to authenticate with keycloak, this client has to be able to list users and get the credential data.
OCIS_KEYCLOAK_CLIENT_SECRET - The client secret of the client that is used to authenticate with keycloak.
OCIS_KEYCLOAK_CLIENT_REALM - The realm the client is defined in.
OCIS_KEYCLOAK_USER_REALM - The realm the oCIS users are defined in.
OCIS_KEYCLOAK_INSECURE_SKIP_VERIFY - If set to true, the TLS certificate of the keycloak instance is not verified.

For more details see the User-Triggered GDPR Report in the ocis admin documentation.

Keycloak Client Configuration

The client that is used to authenticate with keycloak has to be able to list users and get the credential data. To do this, the following roles have to be assigned to the client and they have to be about the realm that contains the oCIS users:

view-users
view-identity-providers
view-realm
view-clients
view-events
view-authorization

Note that these roles are only available to assign if the client is in the master realm.

Translations

The graph service has embedded translations sourced via transifex to provide a basic set of translated languages. These embedded translations are available for all deployment scenarios. In addition, the service supports custom translations, though it is currently not possible to just add custom translations to embedded ones. If custom translations are configured, the embedded ones are not used. To configure custom translations, the GRAPH_TRANSLATION_PATH environment variable needs to point to a base folder that will contain the translation files. This path must be available from all instances of the graph service, a shared storage is recommended. Translation files must be of type .po or .mo. For each language, the filename needs to be graph.po (or graph.mo) and stored in a folder structure defining the language code. In general the path/name pattern for a translation file needs to be:

{GRAPH_TRANSLATION_PATH}/{language-code}/LC_MESSAGES/graph.po

The language code pattern is composed of language[_territory] where language is the base language and _territory is optional and defines a country.

For example, for the language de, one needs to place the corresponding translation files to {GRAPH_TRANSLATION_PATH}/de_DE/LC_MESSAGES/graph.po.

Important: For the time being, the embedded ownCloud Web frontend only supports the main language code but does not handle any territory. When strings are available in the language code language_territory, the web frontend does not see it as it only requests language. In consequence, any translations made must exist in the requested language to avoid a fallback to the default.

Translation Rules

If a requested language code is not available, the service tries to fall back to the base language if available. For example, if the requested language-code de_DE is not available, the service tries to fall back to translations in the de folder.
If the base language de is also not available, the service falls back to the system’s default English (en), which is the source of the texts provided by the code.

Default Language

The default language can be defined via the OCIS_DEFAULT_LANGUAGE environment variable. See the settings service for a detailed description.

Unified Role Management

Unified Roles are roles granted a user for sharing and can be enabled or disabled. A CLI command is provided to list existing roles and their state among other data.

Note that a disabled role does not lose previously assigned permissions. It only means that the role is not available for new assignments.

The following roles are enabled by default:

UnifiedRoleViewerID
UnifiedRoleSpaceViewer
UnifiedRoleEditor
UnifiedRoleSpaceEditor
UnifiedRoleFileEditor
UnifiedRoleEditorLite
UnifiedRoleManager

The following role is disabled by default:

UnifiedRoleSecureViewer

To enable disabled roles like the UnifiedRoleSecureViewer, you must provide the UID(s) by one of the following methods:

Using the GRAPH_AVAILABLE_ROLES environment variable.
Setting the available_roles configuration value.

The following CLI command simplifies the process of finding out which UID belongs to which role:

ocis graph list-unified-roles

The output of this command includes the following information for each role:

UID
The unique identifier of the role.
Enabled
Whether the role is enabled or not.
Description
A short description of the role.
Condition
Allowed resource actions

Example output (shortned)

+--------------------------------------+----------+--------------------------------+--------------------------------+------------------------------------------+
|                 UID                  | ENABLED  |          DESCRIPTION           |           CONDITION            |         ALLOWED RESOURCE ACTIONS         |
+--------------------------------------+----------+--------------------------------+--------------------------------+------------------------------------------+
| a8d5fe5e-96e3-418d-825b-534dbdf22b99 | enabled  | View and download.             | exists @Resource.Root          | libre.graph/driveItem/path/read          |
|                                      |          |                                |                                | libre.graph/driveItem/quota/read         |
|                                      |          |                                |                                | libre.graph/driveItem/content/read       |
|                                      |          |                                |                                | libre.graph/driveItem/permissions/read   |
|                                      |          |                                |                                | libre.graph/driveItem/children/read      |
|                                      |          |                                |                                | libre.graph/driveItem/deleted/read       |
|                                      |          |                                |                                | libre.graph/driveItem/basic/read         |
+--------------------------------------+----------+--------------------------------+--------------------------------+------------------------------------------+

Example Yaml Config

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155


# Autogenerated
# Filename: graph-config-example.yaml

tracing:
  enabled: false
  type: ""
  endpoint: ""
  collector: ""
log:
  level: ""
  pretty: false
  color: false
  file: ""
cache:
  store: memory
  nodes:
  - 127.0.0.1:9233
  database: cache-roles
  table: ""
  ttl: 336h0m0s
  disable_persistence: false
  username: ""
  password: ""
debug:
  addr: 127.0.0.1:9124
  token: ""
  pprof: false
  zpages: false
http:
  addr: 127.0.0.1:9120
  root: /graph
  tls:
    enabled: false
    cert: ""
    key: ""
  apitoken: ""
  cors:
    allow_origins:
    - '*'
    allow_methods:
    - GET
    - POST
    - PUT
    - PATCH
    - DELETE
    - OPTIONS
    allow_headers:
    - Authorization
    - Origin
    - Content-Type
    - Accept
    - X-Requested-With
    - X-Request-Id
    - Purge
    - Restore
    allow_credentials: true
api:
  group_members_patch_limit: 20
  graph_username_match: default
  graph_assign_default_user_role: true
  graph_identity_search_min_length: 3
  show_email_in_results: false
reva:
  address: com.owncloud.api.gateway
  tls:
    mode: ""
    cacert: ""
token_manager:
  jwt_secret: ""
grpc_client_tls: null
application:
  id: ""
  displayname: ownCloud Infinite Scale
spaces:
  webdav_base: https://localhost:9200
  webdav_path: /dav/spaces/
  default_quota: "1000000000"
  extended_space_properties_cache_ttl: 60000000000
  users_cache_ttl: 60000000000
  groups_cache_ttl: 60000000000
  storage_users_address: com.owncloud.api.storage-users
  default_language: ""
  translation_path: ""
identity:
  backend: ldap
  ldap:
    uri: ldaps://localhost:9235
    cacert: /var/lib/ocis/idm/ldap.crt
    insecure: false
    bind_dn: uid=libregraph,ou=sysusers,o=libregraph-idm
    bind_password: ""
    use_server_uuid: false
    use_password_modify_exop: true
    write_enabled: true
    refint_enabled: false
    user_base_dn: ou=users,o=libregraph-idm
    user_search_scope: sub
    user_filter: ""
    user_objectclass: inetOrgPerson
    user_mail_attribute: mail
    user_displayname_attribute: displayName
    user_name_attribute: uid
    user_id_attribute: owncloudUUID
    user_id_is_octet_string: false
    user_type_attribute: ownCloudUserType
    user_enabled_attribute: ownCloudUserEnabled
    disable_user_mechanism: attribute
    ldap_disabled_users_group_dn: cn=DisabledUsersGroup,ou=groups,o=libregraph-idm
    group_base_dn: ou=groups,o=libregraph-idm
    group_create_base_dn: ou=groups,o=libregraph-idm
    group_search_scope: sub
    group_filter: ""
    group_objectclass: groupOfNames
    group_name_attribute: cn
    group_member_attribute: member
    group_id_attribute: owncloudUUID
    group_id_is_octet_string: false
    education_resources_enabled: false
    educationconfig:
      school_base_dn: ""
      school_search_scope: ""
      school_filter: ""
      school_objectclass: ""
      school_name_attribute: ""
      school_number_attribute: ""
      school_id_attribute: ""
      school_termination_min_grace_days: 0
include_ocm_sharees: false
events:
  endpoint: 127.0.0.1:9233
  cluster: ocis-cluster
  tls_insecure: false
  tls_root_ca_certificate: ""
  enable_tls: false
  username: ""
  password: ""
unified_roles:
  available_roles:
  - b1e2218d-eef8-4d4c-b82d-0f1a1b48f3b5
  - a8d5fe5e-96e3-418d-825b-534dbdf22b99
  - fb6c3e19-e378-47e5-b277-9732f9de6e21
  - 58c63c02-1d89-4572-916a-870abc5a1b7d
  - 2d00ce52-1fc2-4dbc-8b95-a73b73395f5a
  - 1c996275-f1c9-4e71-abdf-a42f6495e960
  - 312c0871-5ef7-4b3a-85b6-0e4074c64049
keycloak:
  base_path: ""
  client_id: ""
  client_secret: ""
  client_realm: ""
  user_realm: ""
  insecure_skip_verify: false
service_account:
  service_account_id: ""
  service_account_secret: ""

Environment Variables

Name	Type	Default Value	Description
OCIS_TRACING_ENABLED GRAPH_TRACING_ENABLED	bool	false	Activates tracing.
OCIS_TRACING_TYPE GRAPH_TRACING_TYPE	string		The type of tracing. Defaults to ‘’, which is the same as ‘jaeger’. Allowed tracing types are ‘jaeger’ and ’’ as of now.
OCIS_TRACING_ENDPOINT GRAPH_TRACING_ENDPOINT	string		The endpoint of the tracing agent.
OCIS_TRACING_COLLECTOR GRAPH_TRACING_COLLECTOR	string		The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.
OCIS_LOG_LEVEL GRAPH_LOG_LEVEL	string		The log level. Valid values are: ‘panic’, ‘fatal’, ’error’, ‘warn’, ‘info’, ‘debug’, ’trace’.
OCIS_LOG_PRETTY GRAPH_LOG_PRETTY	bool	false	Activates pretty log output.
OCIS_LOG_COLOR GRAPH_LOG_COLOR	bool	false	Activates colorized log output.
OCIS_LOG_FILE GRAPH_LOG_FILE	string		The path to the log file. Activates logging to this file if set.
OCIS_CACHE_STORE GRAPH_CACHE_STORE	string	memory	The type of the cache store. Supported values are: ‘memory’, ‘redis-sentinel’, ’nats-js-kv’, ’noop’. See the text description for details.
OCIS_CACHE_STORE_NODES GRAPH_CACHE_STORE_NODES	[]string	[127.0.0.1:9233]	A list of nodes to access the configured store. This has no effect when ‘memory’ store are configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.
GRAPH_CACHE_STORE_DATABASE	string	cache-roles	The database name the configured store should use.
GRAPH_CACHE_STORE_TABLE	string		The database table the store should use.
OCIS_CACHE_TTL GRAPH_CACHE_TTL	Duration	336h0m0s	Time to live for cache records in the graph. Defaults to ‘336h’ (2 weeks). See the Environment Variable Types description for more details.
OCIS_CACHE_DISABLE_PERSISTENCE GRAPH_CACHE_DISABLE_PERSISTENCE	bool	false	Disables persistence of the cache. Only applies when store type ’nats-js-kv’ is configured. Defaults to false.
OCIS_CACHE_AUTH_USERNAME GRAPH_CACHE_AUTH_USERNAME	string		The username to authenticate with the cache. Only applies when store type ’nats-js-kv’ is configured.
OCIS_CACHE_AUTH_PASSWORD GRAPH_CACHE_AUTH_PASSWORD	string		The password to authenticate with the cache. Only applies when store type ’nats-js-kv’ is configured.
GRAPH_DEBUG_ADDR	string	127.0.0.1:9124	Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.
GRAPH_DEBUG_TOKEN	string		Token to secure the metrics endpoint.
GRAPH_DEBUG_PPROF	bool	false	Enables pprof, which can be used for profiling.
GRAPH_DEBUG_ZPAGES	bool	false	Enables zpages, which can be used for collecting and viewing in-memory traces.
GRAPH_HTTP_ADDR	string	127.0.0.1:9120	The bind address of the HTTP service.
GRAPH_HTTP_ROOT	string	/graph	Subdirectory that serves as the root for this HTTP service.
OCIS_HTTP_TLS_ENABLED	bool	false	Activates TLS for the http based services using the server certifcate and key configured via OCIS_HTTP_TLS_CERTIFICATE and OCIS_HTTP_TLS_KEY. If OCIS_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.
OCIS_HTTP_TLS_CERTIFICATE	string		Path/File name of the TLS server certificate (in PEM format) for the http services.
OCIS_HTTP_TLS_KEY	string		Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.
GRAPH_HTTP_API_TOKEN	string		An optional API bearer token
OCIS_CORS_ALLOW_ORIGINS GRAPH_CORS_ALLOW_ORIGINS	[]string	[*]	A list of allowed CORS origins. See following chapter for more details: Access-Control-Allow-Origin at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.
OCIS_CORS_ALLOW_METHODS GRAPH_CORS_ALLOW_METHODS	[]string	[GET POST PUT PATCH DELETE OPTIONS]	A list of allowed CORS methods. See following chapter for more details: Access-Control-Request-Method at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.
OCIS_CORS_ALLOW_HEADERS GRAPH_CORS_ALLOW_HEADERS	[]string	[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id Purge Restore]	A list of allowed CORS headers. See following chapter for more details: Access-Control-Request-Headers at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.
OCIS_CORS_ALLOW_CREDENTIALS GRAPH_CORS_ALLOW_CREDENTIALS	bool	true	Allow credentials for CORS.See following chapter for more details: Access-Control-Allow-Credentials at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.
GRAPH_GROUP_MEMBERS_PATCH_LIMIT	int	20	The amount of group members allowed to be added with a single patch request.
GRAPH_USERNAME_MATCH	string	default	Apply restrictions to usernames. Supported values are ‘default’ and ’none’. When set to ‘default’, user names must not start with a number and are restricted to ASCII characters. When set to ’none’, no restrictions are applied. The default value is ‘default’.
GRAPH_ASSIGN_DEFAULT_USER_ROLE	bool	true	Whether to assign newly created users the default role ‘User’. Set this to ‘false’ if you want to assign roles manually, or if the role assignment should happen at first login. Set this to ’true’ (the default) to assign the role ‘User’ when creating a new user.
GRAPH_IDENTITY_SEARCH_MIN_LENGTH	int	3	The minimum length the search term needs to have for unprivileged users when searching for users or groups.
OCIS_SHOW_USER_EMAIL_IN_RESULTS	bool	false	Include user email addresses in responses. If absent or set to false emails will be omitted from results. Please note that admin users can always see all email addresses.
OCIS_REVA_GATEWAY	string	com.owncloud.api.gateway	The CS3 gateway endpoint.
OCIS_GRPC_CLIENT_TLS_MODE	string		TLS mode for grpc connection to the go-micro based grpc services. Possible values are ‘off’, ‘insecure’ and ‘on’. ‘off’: disables transport security for the clients. ‘insecure’ allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). ‘on’ enables transport security, including server certificate verification.
OCIS_GRPC_CLIENT_TLS_CACERT	string		Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.
OCIS_JWT_SECRET GRAPH_JWT_SECRET	string		The secret to mint and validate jwt tokens.
GRAPH_APPLICATION_ID	string		The ocis application ID shown in the graph. All app roles are tied to this ID.
GRAPH_APPLICATION_DISPLAYNAME	string	ownCloud Infinite Scale	The ocis application name.
OCIS_URL GRAPH_SPACES_WEBDAV_BASE	string	https://localhost:9200	The public facing URL of WebDAV.
GRAPH_SPACES_WEBDAV_PATH	string	/dav/spaces/	The WebDAV sub-path for spaces.
GRAPH_SPACES_DEFAULT_QUOTA	string	1000000000	The default quota in bytes.
GRAPH_SPACES_EXTENDED_SPACE_PROPERTIES_CACHE_TTL	int	60000000000	Max TTL in seconds for the spaces property cache.
GRAPH_SPACES_USERS_CACHE_TTL	int	60000000000	Max TTL in seconds for the spaces users cache.
GRAPH_SPACES_GROUPS_CACHE_TTL	int	60000000000	Max TTL in seconds for the spaces groups cache.
GRAPH_SPACES_STORAGE_USERS_ADDRESS	string	com.owncloud.api.storage-users	The address of the storage-users service.
OCIS_DEFAULT_LANGUAGE	string		The default language used by services and the WebUI. If not defined, English will be used as default. See the documentation for more details.
OCIS_TRANSLATION_PATH GRAPH_TRANSLATION_PATH	string		(optional) Set this to a path with custom translations to overwrite the builtin translations. Note that file and folder naming rules apply, see the documentation for more details.
GRAPH_IDENTITY_BACKEND	string	ldap	The user identity backend to use. Supported backend types are ’ldap’ and ‘cs3’.
OCIS_LDAP_URI GRAPH_LDAP_URI	string	ldaps://localhost:9235	URI of the LDAP Server to connect to. Supported URI schemes are ’ldaps://’ and ’ldap://’
OCIS_LDAP_CACERT GRAPH_LDAP_CACERT	string	/var/lib/ocis/idm/ldap.crt	Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the LDAP service. If not defined, the root directory derives from $OCIS_BASE_DATA_PATH/idm.
OCIS_LDAP_INSECURE GRAPH_LDAP_INSECURE	bool	false	Disable TLS certificate validation for the LDAP connections. Do not set this in production environments.
OCIS_LDAP_BIND_DN GRAPH_LDAP_BIND_DN	string	uid=libregraph,ou=sysusers,o=libregraph-idm	LDAP DN to use for simple bind authentication with the target LDAP server.
OCIS_LDAP_BIND_PASSWORD GRAPH_LDAP_BIND_PASSWORD	string		Password to use for authenticating the ‘bind_dn’.
GRAPH_LDAP_SERVER_UUID	bool	false	If set to true, rely on the LDAP Server to generate a unique ID for users and groups, like when using ’entryUUID’ as the user ID attribute.
GRAPH_LDAP_SERVER_USE_PASSWORD_MODIFY_EXOP	bool	true	Use the ‘Password Modify Extended Operation’ for updating user passwords.
OCIS_LDAP_SERVER_WRITE_ENABLED GRAPH_LDAP_SERVER_WRITE_ENABLED	bool	true	Allow creating, modifying and deleting LDAP users via the GRAPH API. This can only be set to ’true’ when keeping default settings for the LDAP user and group attribute types (the ‘OCIS_LDAP_USER_SCHEMA_* and ‘OCIS_LDAP_GROUP_SCHEMA_* variables).
GRAPH_LDAP_REFINT_ENABLED	bool	false	Signals that the server has the refint plugin enabled, which makes some actions not needed.
OCIS_LDAP_USER_BASE_DN GRAPH_LDAP_USER_BASE_DN	string	ou=users,o=libregraph-idm	Search base DN for looking up LDAP users.
OCIS_LDAP_USER_SCOPE GRAPH_LDAP_USER_SCOPE	string	sub	LDAP search scope to use when looking up users. Supported scopes are ‘base’, ‘one’ and ‘sub’.
OCIS_LDAP_USER_FILTER GRAPH_LDAP_USER_FILTER	string		LDAP filter to add to the default filters for user search like ‘(objectclass=ownCloud)’.
OCIS_LDAP_USER_OBJECTCLASS GRAPH_LDAP_USER_OBJECTCLASS	string	inetOrgPerson	The object class to use for users in the default user search filter (‘inetOrgPerson’).
OCIS_LDAP_USER_SCHEMA_MAIL GRAPH_LDAP_USER_EMAIL_ATTRIBUTE	string	mail	LDAP Attribute to use for the email address of users.
OCIS_LDAP_USER_SCHEMA_DISPLAYNAME LDAP_USER_SCHEMA_DISPLAY_NAME GRAPH_LDAP_USER_DISPLAYNAME_ATTRIBUTE	string	displayName	LDAP Attribute to use for the display name of users.
OCIS_LDAP_USER_SCHEMA_USERNAME GRAPH_LDAP_USER_NAME_ATTRIBUTE	string	uid	LDAP Attribute to use for username of users.
OCIS_LDAP_USER_SCHEMA_ID GRAPH_LDAP_USER_UID_ATTRIBUTE	string	owncloudUUID	LDAP Attribute to use as the unique ID for users. This should be a stable globally unique ID like a UUID.
OCIS_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING GRAPH_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING	bool	false	Set this to true if the defined ‘ID’ attribute for users is of the ‘OCTETSTRING’ syntax. This is required when using the ‘objectGUID’ attribute of Active Directory for the user ID’s.
OCIS_LDAP_USER_SCHEMA_USER_TYPE GRAPH_LDAP_USER_TYPE_ATTRIBUTE	string	ownCloudUserType	LDAP Attribute to distinguish between ‘Member’ and ‘Guest’ users. Default is ‘ownCloudUserType’.
OCIS_LDAP_USER_ENABLED_ATTRIBUTE GRAPH_USER_ENABLED_ATTRIBUTE	string	ownCloudUserEnabled	LDAP Attribute to use as a flag telling if the user is enabled or disabled.
OCIS_LDAP_DISABLE_USER_MECHANISM GRAPH_DISABLE_USER_MECHANISM	string	attribute	An option to control the behavior for disabling users. Supported options are ’none’, ‘attribute’ and ‘group’. If set to ‘group’, disabling a user via API will add the user to the configured group for disabled users, if set to ‘attribute’ this will be done in the ldap user entry, if set to ’none’ the disable request is not processed. Default is ‘attribute’.
OCIS_LDAP_DISABLED_USERS_GROUP_DN GRAPH_DISABLED_USERS_GROUP_DN	string	cn=DisabledUsersGroup,ou=groups,o=libregraph-idm	The distinguished name of the group to which added users will be classified as disabled when ‘disable_user_mechanism’ is set to ‘group’.
OCIS_LDAP_GROUP_BASE_DN GRAPH_LDAP_GROUP_BASE_DN	string	ou=groups,o=libregraph-idm	Search base DN for looking up LDAP groups.
GRAPH_LDAP_GROUP_CREATE_BASE_DN	string	ou=groups,o=libregraph-idm	Parent DN under which new groups are created. This DN needs to be subordinate to the ‘GRAPH_LDAP_GROUP_BASE_DN’. This setting is only relevant when ‘GRAPH_LDAP_SERVER_WRITE_ENABLED’ is ’true’. It defaults to the value of ‘GRAPH_LDAP_GROUP_BASE_DN’. All groups outside of this subtree are treated as readonly groups and cannot be updated.
OCIS_LDAP_GROUP_SCOPE GRAPH_LDAP_GROUP_SEARCH_SCOPE	string	sub	LDAP search scope to use when looking up groups. Supported scopes are ‘base’, ‘one’ and ‘sub’.
OCIS_LDAP_GROUP_FILTER GRAPH_LDAP_GROUP_FILTER	string		LDAP filter to add to the default filters for group searches.
OCIS_LDAP_GROUP_OBJECTCLASS GRAPH_LDAP_GROUP_OBJECTCLASS	string	groupOfNames	The object class to use for groups in the default group search filter (‘groupOfNames’).
OCIS_LDAP_GROUP_SCHEMA_GROUPNAME GRAPH_LDAP_GROUP_NAME_ATTRIBUTE	string	cn	LDAP Attribute to use for the name of groups.
OCIS_LDAP_GROUP_SCHEMA_MEMBER GRAPH_LDAP_GROUP_MEMBER_ATTRIBUTE	string	member	LDAP Attribute that is used for group members.
OCIS_LDAP_GROUP_SCHEMA_ID GRAPH_LDAP_GROUP_ID_ATTRIBUTE	string	owncloudUUID	LDAP Attribute to use as the unique id for groups. This should be a stable globally unique ID like a UUID.
OCIS_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING GRAPH_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING	bool	false	Set this to true if the defined ‘ID’ attribute for groups is of the ‘OCTETSTRING’ syntax. This is required when using the ‘objectGUID’ attribute of Active Directory for the group ID’s.
GRAPH_LDAP_EDUCATION_RESOURCES_ENABLED	bool	false	Enable LDAP support for managing education related resources.
GRAPH_LDAP_SCHOOL_BASE_DN	string		Search base DN for looking up LDAP schools.
GRAPH_LDAP_SCHOOL_SEARCH_SCOPE	string		LDAP search scope to use when looking up schools. Supported scopes are ‘base’, ‘one’ and ‘sub’.
GRAPH_LDAP_SCHOOL_FILTER	string		LDAP filter to add to the default filters for school searches.
GRAPH_LDAP_SCHOOL_OBJECTCLASS	string		The object class to use for schools in the default school search filter.
GRAPH_LDAP_SCHOOL_NAME_ATTRIBUTE	string		LDAP Attribute to use for the name of a school.
GRAPH_LDAP_SCHOOL_NUMBER_ATTRIBUTE	string		LDAP Attribute to use for the number of a school.
GRAPH_LDAP_SCHOOL_ID_ATTRIBUTE	string		LDAP Attribute to use as the unique id for schools. This should be a stable globally unique ID like a UUID.
GRAPH_LDAP_SCHOOL_TERMINATION_MIN_GRACE_DAYS	int	0	When setting a ’terminationDate’ for a school, require the date to be at least this number of days in the future.
OCIS_ENABLE_OCM GRAPH_INCLUDE_OCM_SHAREES	bool	false	Include OCM sharees when listing users.
OCIS_EVENTS_ENDPOINT GRAPH_EVENTS_ENDPOINT	string	127.0.0.1:9233	The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Set to a empty string to disable emitting events.
OCIS_EVENTS_CLUSTER GRAPH_EVENTS_CLUSTER	string	ocis-cluster	The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.
OCIS_INSECURE GRAPH_EVENTS_TLS_INSECURE	bool	false	Whether to verify the server TLS certificates.
OCIS_EVENTS_TLS_ROOT_CA_CERTIFICATE GRAPH_EVENTS_TLS_ROOT_CA_CERTIFICATE	string		The root CA certificate used to validate the server’s TLS certificate. If provided GRAPH_EVENTS_TLS_INSECURE will be seen as false.
OCIS_EVENTS_ENABLE_TLS GRAPH_EVENTS_ENABLE_TLS	bool	false	Enable TLS for the connection to the events broker. The events broker is the ocis service which receives and delivers events between the services.
OCIS_EVENTS_AUTH_USERNAME GRAPH_EVENTS_AUTH_USERNAME	string		The username to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services.
OCIS_EVENTS_AUTH_PASSWORD GRAPH_EVENTS_AUTH_PASSWORD	string		The password to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services.
GRAPH_AVAILABLE_ROLES	[]string	[b1e2218d-eef8-4d4c-b82d-0f1a1b48f3b5 a8d5fe5e-96e3-418d-825b-534dbdf22b99 fb6c3e19-e378-47e5-b277-9732f9de6e21 58c63c02-1d89-4572-916a-870abc5a1b7d 2d00ce52-1fc2-4dbc-8b95-a73b73395f5a 1c996275-f1c9-4e71-abdf-a42f6495e960 312c0871-5ef7-4b3a-85b6-0e4074c64049]	A comma separated list of roles that are available for assignment.
OCIS_KEYCLOAK_BASE_PATH GRAPH_KEYCLOAK_BASE_PATH	string		The URL to access keycloak.
OCIS_KEYCLOAK_CLIENT_ID GRAPH_KEYCLOAK_CLIENT_ID	string		The client id to authenticate with keycloak.
OCIS_KEYCLOAK_CLIENT_SECRET GRAPH_KEYCLOAK_CLIENT_SECRET	string		The client secret to use in authentication.
OCIS_KEYCLOAK_CLIENT_REALM GRAPH_KEYCLOAK_CLIENT_REALM	string		The realm the client is defined in.
OCIS_KEYCLOAK_USER_REALM GRAPH_KEYCLOAK_USER_REALM	string		The realm users are defined.
OCIS_KEYCLOAK_INSECURE_SKIP_VERIFY GRAPH_KEYCLOAK_INSECURE_SKIP_VERIFY	bool	false	Disable TLS certificate validation for Keycloak connections. Do not set this in production environments.
OCIS_SERVICE_ACCOUNT_ID GRAPH_SERVICE_ACCOUNT_ID	string		The ID of the service account the service should use. See the ‘auth-service’ service description for more details.
OCIS_SERVICE_ACCOUNT_SECRET GRAPH_SERVICE_ACCOUNT_SECRET	string		The service account secret.