ownCloud
Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Back to homepage

Graph

Abstract

The graph service provides the Graph API which is a RESTful web API used to access Infinite Scale resources. It is inspired by the Microsoft Graph API and can be used by clients or other services or extensions. Visit the Libre Graph API for a detailed specification of the API implemented by the graph service.

Table of Contents

Sequence Diagram

The following image gives an overview of the scenario when a client requests to list available spaces the user has access to. To do so, the client is directed with his request automatically via the proxy service to the graph service.

Users and Groups API

The graph service provides endpoints for querying users and groups. It features two different backend implementations:

  • ldap: This is currently the default backend. It queries user and group information from an LDAP server. Depending on the configuration, it can also be used to manage (create, update, delete) users and groups provided by an LDAP server.
  • cs3: This backend queries users and groups using the CS3 identity APIs as implemented by the users and groups service. This backend is currently still experimental and only implements a subset of the Libre Graph API. It should not be used in production.

LDAP Configuration

The LDAP backend is configured using a set of environment variables. A detailed list of all the available configuration options can be found in the documentation. The LDAP related options are prefixed with OCIS_LDAP_ (or GRAPH_LDAP_ for settings specific to graph service).

Read-Only Access to Existing LDAP Servers

To connect the graph service to an existing LDAP server, set OCIS_LDAP_SERVER_WRITE_ENABLED to false to prevent the graph service from sending write operations to the LDAP server. Also set the various OCIS_LDAP_* environment variables to match the configuration of the LDAP server you are connecting to. An example configuration for connecting oCIS to an instance of Microsoft Active Directory is available here.

Using a Write Enabled LDAP Server

To use the graph service for managing (create, update, delete) users and groups, a write enabled LDAP server is required. In the default configuration, the graph service will use the simple LDAP server that is bundled with oCIS in the idm service which provides all the required features. It is also possible to setup up an external LDAP server with write access for use with oCIS. It is recommend to use OpenLDAP for this. The LDAP server needs to fulfill a couple of requirements with respect to the available schema:

  • The LDAP server must provide the inetOrgPerson object class for users and the groupOfNames object class for groups.
  • The graph service maintains a few additional attributes for users and groups that are not available in the standard LDAP schema. An schema file, ready to use with OpenLDAP, defining those additional attributes is available here.

Query Filters Provided by the Graph API

Some API endpoints provided by the graph service allow to specify query filters. The filter syntax is based on the OData Specification. See the Libre Graph API for examples on the filters supported when querying users.

Caching

The graph service can use a configured store via GRAPH_CACHE_STORE. Possible stores are:

  • memory: Basic in-memory store and the default.
  • redis-sentinel: Stores data in a configured Redis Sentinel cluster.
  • nats-js-kv: Stores data using key-value-store feature of nats jetstream
  • noop: Stores nothing. Useful for testing. Not recommended in production environments.

Other store types may work but are not supported currently.

Note: The service can only be scaled if not using memory store and the stores are configured identically over all instances!

Note that if you have used one of the deprecated stores, you should reconfigure to one of the supported ones as the deprecated stores will be removed in a later version.

Store specific notes:

  • When using redis-sentinel, the Redis master to use is configured via e.g. OCIS_CACHE_STORE_NODES in the form of <sentinel-host>:<sentinel-port>/<redis-master> like 10.10.0.200:26379/mymaster.
  • When using nats-js-kv it is recommended to set OCIS_CACHE_STORE_NODES to the same value as OCIS_EVENTS_ENDPOINT. That way the cache uses the same nats instance as the event bus.
  • When using the nats-js-kv store, it is possible to set OCIS_CACHE_DISABLE_PERSISTENCE to instruct nats to not persist cache data on disc.

Keycloak Configuration For The Personal Data Export

If Keycloak is used for authentication, GDPR regulations require to add all personal identifiable information that Keycloak has about the user to the personal data export. To do this, the following environment variables must be set:

  • OCIS_KEYCLOAK_BASE_PATH - The URL to the keycloak instance.
  • OCIS_KEYCLOAK_CLIENT_ID - The client ID of the client that is used to authenticate with keycloak, this client has to be able to list users and get the credential data.
  • OCIS_KEYCLOAK_CLIENT_SECRET - The client secret of the client that is used to authenticate with keycloak.
  • OCIS_KEYCLOAK_CLIENT_REALM - The realm the client is defined in.
  • OCIS_KEYCLOAK_USER_REALM - The realm the oCIS users are defined in.
  • OCIS_KEYCLOAK_INSECURE_SKIP_VERIFY - If set to true, the TLS certificate of the keycloak instance is not verified.

For more details see the User-Triggered GDPR Report in the ocis admin documentation.

Keycloak Client Configuration

The client that is used to authenticate with keycloak has to be able to list users and get the credential data. To do this, the following roles have to be assigned to the client and they have to be about the realm that contains the oCIS users:

  • view-users
  • view-identity-providers
  • view-realm
  • view-clients
  • view-events
  • view-authorization

Note that these roles are only available to assign if the client is in the master realm.

Translations

The graph service has embedded translations sourced via transifex to provide a basic set of translated languages. These embedded translations are available for all deployment scenarios. In addition, the service supports custom translations, though it is currently not possible to just add custom translations to embedded ones. If custom translations are configured, the embedded ones are not used. To configure custom translations, the GRAPH_TRANSLATION_PATH environment variable needs to point to a base folder that will contain the translation files. This path must be available from all instances of the graph service, a shared storage is recommended. Translation files must be of type .po or .mo. For each language, the filename needs to be graph.po (or graph.mo) and stored in a folder structure defining the language code. In general the path/name pattern for a translation file needs to be:

{GRAPH_TRANSLATION_PATH}/{language-code}/LC_MESSAGES/graph.po

The language code pattern is composed of language[_territory] where language is the base language and _territory is optional and defines a country.

For example, for the language de, one needs to place the corresponding translation files to {GRAPH_TRANSLATION_PATH}/de_DE/LC_MESSAGES/graph.po.

Important: For the time being, the embedded ownCloud Web frontend only supports the main language code but does not handle any territory. When strings are available in the language code language_territory, the web frontend does not see it as it only requests language. In consequence, any translations made must exist in the requested language to avoid a fallback to the default.

Translation Rules

  • If a requested language code is not available, the service tries to fall back to the base language if available. For example, if the requested language-code de_DE is not available, the service tries to fall back to translations in the de folder.
  • If the base language de is also not available, the service falls back to the system’s default English (en), which is the source of the texts provided by the code.

Default Language

The default language can be defined via the OCIS_DEFAULT_LANGUAGE environment variable. See the settings service for a detailed description.

Unified Role Management

Unified Roles are roles granted a user for sharing and can be enabled or disabled. A CLI command is provided to list existing roles and their state among other data.

Note that a disabled role does not lose previously assigned permissions. It only means that the role is not available for new assignments.

The following roles are enabled by default:

  • UnifiedRoleViewerID
  • UnifiedRoleSpaceViewer
  • UnifiedRoleEditor
  • UnifiedRoleSpaceEditor
  • UnifiedRoleFileEditor
  • UnifiedRoleEditorLite
  • UnifiedRoleManager

The following role is disabled by default:

  • UnifiedRoleSecureViewer

To enable disabled roles like the UnifiedRoleSecureViewer, you must provide the UID(s) by one of the following methods:

  • Using the GRAPH_AVAILABLE_ROLES environment variable.
  • Setting the available_roles configuration value.

The following CLI command simplifies the process of finding out which UID belongs to which role:

ocis graph list-unified-roles

The output of this command includes the following information for each role:

  • UID
    The unique identifier of the role.
  • Enabled
    Whether the role is enabled or not.
  • Description
    A short description of the role.
  • Condition
  • Allowed resource actions

Example output (shortned)

+--------------------------------------+----------+--------------------------------+--------------------------------+------------------------------------------+
|                 UID                  | ENABLED  |          DESCRIPTION           |           CONDITION            |         ALLOWED RESOURCE ACTIONS         |
+--------------------------------------+----------+--------------------------------+--------------------------------+------------------------------------------+
| a8d5fe5e-96e3-418d-825b-534dbdf22b99 | enabled  | View and download.             | exists @Resource.Root          | libre.graph/driveItem/path/read          |
|                                      |          |                                |                                | libre.graph/driveItem/quota/read         |
|                                      |          |                                |                                | libre.graph/driveItem/content/read       |
|                                      |          |                                |                                | libre.graph/driveItem/permissions/read   |
|                                      |          |                                |                                | libre.graph/driveItem/children/read      |
|                                      |          |                                |                                | libre.graph/driveItem/deleted/read       |
|                                      |          |                                |                                | libre.graph/driveItem/basic/read         |
+--------------------------------------+----------+--------------------------------+--------------------------------+------------------------------------------+

Example Yaml Config

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
# Autogenerated
# Filename: graph-config-example.yaml

tracing:
  enabled: false
  type: ""
  endpoint: ""
  collector: ""
log:
  level: ""
  pretty: false
  color: false
  file: ""
cache:
  store: memory
  nodes:
  - 127.0.0.1:9233
  database: cache-roles
  table: ""
  ttl: 336h0m0s
  disable_persistence: false
  username: ""
  password: ""
debug:
  addr: 127.0.0.1:9124
  token: ""
  pprof: false
  zpages: false
http:
  addr: 127.0.0.1:9120
  root: /graph
  tls:
    enabled: false
    cert: ""
    key: ""
  apitoken: ""
  cors:
    allow_origins:
    - '*'
    allow_methods:
    - GET
    - POST
    - PUT
    - PATCH
    - DELETE
    - OPTIONS
    allow_headers:
    - Authorization
    - Origin
    - Content-Type
    - Accept
    - X-Requested-With
    - X-Request-Id
    - Purge
    - Restore
    allow_credentials: true
api:
  group_members_patch_limit: 20
  graph_username_match: default
  graph_assign_default_user_role: true
  graph_identity_search_min_length: 3
  show_email_in_results: false
reva:
  address: com.owncloud.api.gateway
  tls:
    mode: ""
    cacert: ""
token_manager:
  jwt_secret: ""
grpc_client_tls: null
application:
  id: ""
  displayname: ownCloud Infinite Scale
spaces:
  webdav_base: https://localhost:9200
  webdav_path: /dav/spaces/
  default_quota: "1000000000"
  extended_space_properties_cache_ttl: 60000000000
  users_cache_ttl: 60000000000
  groups_cache_ttl: 60000000000
  storage_users_address: com.owncloud.api.storage-users
  default_language: ""
  translation_path: ""
identity:
  backend: ldap
  ldap:
    uri: ldaps://localhost:9235
    cacert: /var/lib/ocis/idm/ldap.crt
    insecure: false
    bind_dn: uid=libregraph,ou=sysusers,o=libregraph-idm
    bind_password: ""
    use_server_uuid: false
    use_password_modify_exop: true
    write_enabled: true
    refint_enabled: false
    user_base_dn: ou=users,o=libregraph-idm
    user_search_scope: sub
    user_filter: ""
    user_objectclass: inetOrgPerson
    user_mail_attribute: mail
    user_displayname_attribute: displayName
    user_name_attribute: uid
    user_id_attribute: owncloudUUID
    user_id_is_octet_string: false
    user_type_attribute: ownCloudUserType
    user_enabled_attribute: ownCloudUserEnabled
    disable_user_mechanism: attribute
    ldap_disabled_users_group_dn: cn=DisabledUsersGroup,ou=groups,o=libregraph-idm
    group_base_dn: ou=groups,o=libregraph-idm
    group_create_base_dn: ou=groups,o=libregraph-idm
    group_search_scope: sub
    group_filter: ""
    group_objectclass: groupOfNames
    group_name_attribute: cn
    group_member_attribute: member
    group_id_attribute: owncloudUUID
    group_id_is_octet_string: false
    education_resources_enabled: false
    educationconfig:
      school_base_dn: ""
      school_search_scope: ""
      school_filter: ""
      school_objectclass: ""
      school_name_attribute: ""
      school_number_attribute: ""
      school_id_attribute: ""
      school_termination_min_grace_days: 0
include_ocm_sharees: false
events:
  endpoint: 127.0.0.1:9233
  cluster: ocis-cluster
  tls_insecure: false
  tls_root_ca_certificate: ""
  enable_tls: false
  username: ""
  password: ""
unified_roles:
  available_roles:
  - b1e2218d-eef8-4d4c-b82d-0f1a1b48f3b5
  - a8d5fe5e-96e3-418d-825b-534dbdf22b99
  - fb6c3e19-e378-47e5-b277-9732f9de6e21
  - 58c63c02-1d89-4572-916a-870abc5a1b7d
  - 2d00ce52-1fc2-4dbc-8b95-a73b73395f5a
  - 1c996275-f1c9-4e71-abdf-a42f6495e960
  - 312c0871-5ef7-4b3a-85b6-0e4074c64049
max_concurrency: 20
keycloak:
  base_path: ""
  client_id: ""
  client_secret: ""
  client_realm: ""
  user_realm: ""
  insecure_skip_verify: false
service_account:
  service_account_id: ""
  service_account_secret: ""

Environment Variables

Name Type Default Value Description
OCIS_TRACING_ENABLED
GRAPH_TRACING_ENABLED
bool false Activates tracing.
OCIS_TRACING_TYPE
GRAPH_TRACING_TYPE
string The type of tracing. Defaults to ‘’, which is the same as ‘jaeger’. Allowed tracing types are ‘jaeger’ and ’’ as of now.
OCIS_TRACING_ENDPOINT
GRAPH_TRACING_ENDPOINT
string The endpoint of the tracing agent.
OCIS_TRACING_COLLECTOR
GRAPH_TRACING_COLLECTOR
string The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.
OCIS_LOG_LEVEL
GRAPH_LOG_LEVEL
string The log level. Valid values are: ‘panic’, ‘fatal’, ’error’, ‘warn’, ‘info’, ‘debug’, ’trace’.
OCIS_LOG_PRETTY
GRAPH_LOG_PRETTY
bool false Activates pretty log output.
OCIS_LOG_COLOR
GRAPH_LOG_COLOR
bool false Activates colorized log output.
OCIS_LOG_FILE
GRAPH_LOG_FILE
string The path to the log file. Activates logging to this file if set.
OCIS_CACHE_STORE
GRAPH_CACHE_STORE
string memory The type of the cache store. Supported values are: ‘memory’, ‘redis-sentinel’, ’nats-js-kv’, ’noop’. See the text description for details.
OCIS_CACHE_STORE_NODES
GRAPH_CACHE_STORE_NODES
[]string [127.0.0.1:9233] A list of nodes to access the configured store. This has no effect when ‘memory’ store are configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.
GRAPH_CACHE_STORE_DATABASE string cache-roles The database name the configured store should use.
GRAPH_CACHE_STORE_TABLE string The database table the store should use.
OCIS_CACHE_TTL
GRAPH_CACHE_TTL
Duration 336h0m0s Time to live for cache records in the graph. Defaults to ‘336h’ (2 weeks). See the Environment Variable Types description for more details.
OCIS_CACHE_DISABLE_PERSISTENCE
GRAPH_CACHE_DISABLE_PERSISTENCE
bool false Disables persistence of the cache. Only applies when store type ’nats-js-kv’ is configured. Defaults to false.
OCIS_CACHE_AUTH_USERNAME
GRAPH_CACHE_AUTH_USERNAME
string The username to authenticate with the cache. Only applies when store type ’nats-js-kv’ is configured.
OCIS_CACHE_AUTH_PASSWORD
GRAPH_CACHE_AUTH_PASSWORD
string The password to authenticate with the cache. Only applies when store type ’nats-js-kv’ is configured.
GRAPH_DEBUG_ADDR string 127.0.0.1:9124 Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.
GRAPH_DEBUG_TOKEN string Token to secure the metrics endpoint.
GRAPH_DEBUG_PPROF bool false Enables pprof, which can be used for profiling.
GRAPH_DEBUG_ZPAGES bool false Enables zpages, which can be used for collecting and viewing in-memory traces.
GRAPH_HTTP_ADDR string 127.0.0.1:9120 The bind address of the HTTP service.
GRAPH_HTTP_ROOT string /graph Subdirectory that serves as the root for this HTTP service.
OCIS_HTTP_TLS_ENABLED bool false Activates TLS for the http based services using the server certifcate and key configured via OCIS_HTTP_TLS_CERTIFICATE and OCIS_HTTP_TLS_KEY. If OCIS_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.
OCIS_HTTP_TLS_CERTIFICATE string Path/File name of the TLS server certificate (in PEM format) for the http services.
OCIS_HTTP_TLS_KEY string Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.
GRAPH_HTTP_API_TOKEN string An optional API bearer token
OCIS_CORS_ALLOW_ORIGINS
GRAPH_CORS_ALLOW_ORIGINS
[]string [*] A list of allowed CORS origins. See following chapter for more details: Access-Control-Allow-Origin at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.
OCIS_CORS_ALLOW_METHODS
GRAPH_CORS_ALLOW_METHODS
[]string [GET POST PUT PATCH DELETE OPTIONS] A list of allowed CORS methods. See following chapter for more details: Access-Control-Request-Method at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.
OCIS_CORS_ALLOW_HEADERS
GRAPH_CORS_ALLOW_HEADERS
[]string [Authorization Origin Content-Type Accept X-Requested-With X-Request-Id Purge Restore] A list of allowed CORS headers. See following chapter for more details: Access-Control-Request-Headers at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.
OCIS_CORS_ALLOW_CREDENTIALS
GRAPH_CORS_ALLOW_CREDENTIALS
bool true Allow credentials for CORS.See following chapter for more details: Access-Control-Allow-Credentials at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.
GRAPH_GROUP_MEMBERS_PATCH_LIMIT int 20 The amount of group members allowed to be added with a single patch request.
GRAPH_USERNAME_MATCH string default Apply restrictions to usernames. Supported values are ‘default’ and ’none’. When set to ‘default’, user names must not start with a number and are restricted to ASCII characters. When set to ’none’, no restrictions are applied. The default value is ‘default’.
GRAPH_ASSIGN_DEFAULT_USER_ROLE bool true Whether to assign newly created users the default role ‘User’. Set this to ‘false’ if you want to assign roles manually, or if the role assignment should happen at first login. Set this to ’true’ (the default) to assign the role ‘User’ when creating a new user.
GRAPH_IDENTITY_SEARCH_MIN_LENGTH int 3 The minimum length the search term needs to have for unprivileged users when searching for users or groups.
OCIS_SHOW_USER_EMAIL_IN_RESULTS bool false Include user email addresses in responses. If absent or set to false emails will be omitted from results. Please note that admin users can always see all email addresses.
OCIS_REVA_GATEWAY string com.owncloud.api.gateway The CS3 gateway endpoint.
OCIS_GRPC_CLIENT_TLS_MODE string TLS mode for grpc connection to the go-micro based grpc services. Possible values are ‘off’, ‘insecure’ and ‘on’. ‘off’: disables transport security for the clients. ‘insecure’ allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). ‘on’ enables transport security, including server certificate verification.
OCIS_GRPC_CLIENT_TLS_CACERT string Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.
OCIS_JWT_SECRET
GRAPH_JWT_SECRET
string The secret to mint and validate jwt tokens.
GRAPH_APPLICATION_ID string The ocis application ID shown in the graph. All app roles are tied to this ID.
GRAPH_APPLICATION_DISPLAYNAME string ownCloud Infinite Scale The ocis application name.
OCIS_URL
GRAPH_SPACES_WEBDAV_BASE
string https://localhost:9200 The public facing URL of WebDAV.
GRAPH_SPACES_WEBDAV_PATH string /dav/spaces/ The WebDAV sub-path for spaces.
GRAPH_SPACES_DEFAULT_QUOTA string 1000000000 The default quota in bytes.
GRAPH_SPACES_EXTENDED_SPACE_PROPERTIES_CACHE_TTL int 60000000000 Max TTL in seconds for the spaces property cache.
GRAPH_SPACES_USERS_CACHE_TTL int 60000000000 Max TTL in seconds for the spaces users cache.
GRAPH_SPACES_GROUPS_CACHE_TTL int 60000000000 Max TTL in seconds for the spaces groups cache.
GRAPH_SPACES_STORAGE_USERS_ADDRESS string com.owncloud.api.storage-users The address of the storage-users service.
OCIS_DEFAULT_LANGUAGE string The default language used by services and the WebUI. If not defined, English will be used as default. See the documentation for more details.
OCIS_TRANSLATION_PATH
GRAPH_TRANSLATION_PATH
string (optional) Set this to a path with custom translations to overwrite the builtin translations. Note that file and folder naming rules apply, see the documentation for more details.
GRAPH_IDENTITY_BACKEND string ldap The user identity backend to use. Supported backend types are ’ldap’ and ‘cs3’.
OCIS_LDAP_URI
GRAPH_LDAP_URI
string ldaps://localhost:9235 URI of the LDAP Server to connect to. Supported URI schemes are ’ldaps://’ and ’ldap://’
OCIS_LDAP_CACERT
GRAPH_LDAP_CACERT
string /var/lib/ocis/idm/ldap.crt Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the LDAP service. If not defined, the root directory derives from $OCIS_BASE_DATA_PATH/idm.
OCIS_LDAP_INSECURE
GRAPH_LDAP_INSECURE
bool false Disable TLS certificate validation for the LDAP connections. Do not set this in production environments.
OCIS_LDAP_BIND_DN
GRAPH_LDAP_BIND_DN
string uid=libregraph,ou=sysusers,o=libregraph-idm LDAP DN to use for simple bind authentication with the target LDAP server.
OCIS_LDAP_BIND_PASSWORD
GRAPH_LDAP_BIND_PASSWORD
string Password to use for authenticating the ‘bind_dn’.
GRAPH_LDAP_SERVER_UUID bool false If set to true, rely on the LDAP Server to generate a unique ID for users and groups, like when using ’entryUUID’ as the user ID attribute.
GRAPH_LDAP_SERVER_USE_PASSWORD_MODIFY_EXOP bool true Use the ‘Password Modify Extended Operation’ for updating user passwords.
OCIS_LDAP_SERVER_WRITE_ENABLED
GRAPH_LDAP_SERVER_WRITE_ENABLED
bool true Allow creating, modifying and deleting LDAP users via the GRAPH API. This can only be set to ’true’ when keeping default settings for the LDAP user and group attribute types (the ‘OCIS_LDAP_USER_SCHEMA_* and ‘OCIS_LDAP_GROUP_SCHEMA_* variables).
GRAPH_LDAP_REFINT_ENABLED bool false Signals that the server has the refint plugin enabled, which makes some actions not needed.
OCIS_LDAP_USER_BASE_DN
GRAPH_LDAP_USER_BASE_DN
string ou=users,o=libregraph-idm Search base DN for looking up LDAP users.
OCIS_LDAP_USER_SCOPE
GRAPH_LDAP_USER_SCOPE
string sub LDAP search scope to use when looking up users. Supported scopes are ‘base’, ‘one’ and ‘sub’.
OCIS_LDAP_USER_FILTER
GRAPH_LDAP_USER_FILTER
string LDAP filter to add to the default filters for user search like ‘(objectclass=ownCloud)’.
OCIS_LDAP_USER_OBJECTCLASS
GRAPH_LDAP_USER_OBJECTCLASS
string inetOrgPerson The object class to use for users in the default user search filter (‘inetOrgPerson’).
OCIS_LDAP_USER_SCHEMA_MAIL
GRAPH_LDAP_USER_EMAIL_ATTRIBUTE
string mail LDAP Attribute to use for the email address of users.
OCIS_LDAP_USER_SCHEMA_DISPLAYNAME
LDAP_USER_SCHEMA_DISPLAY_NAME
GRAPH_LDAP_USER_DISPLAYNAME_ATTRIBUTE
string displayName LDAP Attribute to use for the display name of users.
OCIS_LDAP_USER_SCHEMA_USERNAME
GRAPH_LDAP_USER_NAME_ATTRIBUTE
string uid LDAP Attribute to use for username of users.
OCIS_LDAP_USER_SCHEMA_ID
GRAPH_LDAP_USER_UID_ATTRIBUTE
string owncloudUUID LDAP Attribute to use as the unique ID for users. This should be a stable globally unique ID like a UUID.
OCIS_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING
GRAPH_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING
bool false Set this to true if the defined ‘ID’ attribute for users is of the ‘OCTETSTRING’ syntax. This is required when using the ‘objectGUID’ attribute of Active Directory for the user ID’s.
OCIS_LDAP_USER_SCHEMA_USER_TYPE
GRAPH_LDAP_USER_TYPE_ATTRIBUTE
string ownCloudUserType LDAP Attribute to distinguish between ‘Member’ and ‘Guest’ users. Default is ‘ownCloudUserType’.
OCIS_LDAP_USER_ENABLED_ATTRIBUTE
GRAPH_USER_ENABLED_ATTRIBUTE
string ownCloudUserEnabled LDAP Attribute to use as a flag telling if the user is enabled or disabled.
OCIS_LDAP_DISABLE_USER_MECHANISM
GRAPH_DISABLE_USER_MECHANISM
string attribute An option to control the behavior for disabling users. Supported options are ’none’, ‘attribute’ and ‘group’. If set to ‘group’, disabling a user via API will add the user to the configured group for disabled users, if set to ‘attribute’ this will be done in the ldap user entry, if set to ’none’ the disable request is not processed. Default is ‘attribute’.
OCIS_LDAP_DISABLED_USERS_GROUP_DN
GRAPH_DISABLED_USERS_GROUP_DN
string cn=DisabledUsersGroup,ou=groups,o=libregraph-idm The distinguished name of the group to which added users will be classified as disabled when ‘disable_user_mechanism’ is set to ‘group’.
OCIS_LDAP_GROUP_BASE_DN
GRAPH_LDAP_GROUP_BASE_DN
string ou=groups,o=libregraph-idm Search base DN for looking up LDAP groups.
GRAPH_LDAP_GROUP_CREATE_BASE_DN string ou=groups,o=libregraph-idm Parent DN under which new groups are created. This DN needs to be subordinate to the ‘GRAPH_LDAP_GROUP_BASE_DN’. This setting is only relevant when ‘GRAPH_LDAP_SERVER_WRITE_ENABLED’ is ’true’. It defaults to the value of ‘GRAPH_LDAP_GROUP_BASE_DN’. All groups outside of this subtree are treated as readonly groups and cannot be updated.
OCIS_LDAP_GROUP_SCOPE
GRAPH_LDAP_GROUP_SEARCH_SCOPE
string sub LDAP search scope to use when looking up groups. Supported scopes are ‘base’, ‘one’ and ‘sub’.
OCIS_LDAP_GROUP_FILTER
GRAPH_LDAP_GROUP_FILTER
string LDAP filter to add to the default filters for group searches.
OCIS_LDAP_GROUP_OBJECTCLASS
GRAPH_LDAP_GROUP_OBJECTCLASS
string groupOfNames The object class to use for groups in the default group search filter (‘groupOfNames’).
OCIS_LDAP_GROUP_SCHEMA_GROUPNAME
GRAPH_LDAP_GROUP_NAME_ATTRIBUTE
string cn LDAP Attribute to use for the name of groups.
OCIS_LDAP_GROUP_SCHEMA_MEMBER
GRAPH_LDAP_GROUP_MEMBER_ATTRIBUTE
string member LDAP Attribute that is used for group members.
OCIS_LDAP_GROUP_SCHEMA_ID
GRAPH_LDAP_GROUP_ID_ATTRIBUTE
string owncloudUUID LDAP Attribute to use as the unique id for groups. This should be a stable globally unique ID like a UUID.
OCIS_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING
GRAPH_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING
bool false Set this to true if the defined ‘ID’ attribute for groups is of the ‘OCTETSTRING’ syntax. This is required when using the ‘objectGUID’ attribute of Active Directory for the group ID’s.
GRAPH_LDAP_EDUCATION_RESOURCES_ENABLED bool false Enable LDAP support for managing education related resources.
GRAPH_LDAP_SCHOOL_BASE_DN string Search base DN for looking up LDAP schools.
GRAPH_LDAP_SCHOOL_SEARCH_SCOPE string LDAP search scope to use when looking up schools. Supported scopes are ‘base’, ‘one’ and ‘sub’.
GRAPH_LDAP_SCHOOL_FILTER string LDAP filter to add to the default filters for school searches.
GRAPH_LDAP_SCHOOL_OBJECTCLASS string The object class to use for schools in the default school search filter.
GRAPH_LDAP_SCHOOL_NAME_ATTRIBUTE string LDAP Attribute to use for the name of a school.
GRAPH_LDAP_SCHOOL_NUMBER_ATTRIBUTE string LDAP Attribute to use for the number of a school.
GRAPH_LDAP_SCHOOL_ID_ATTRIBUTE string LDAP Attribute to use as the unique id for schools. This should be a stable globally unique ID like a UUID.
GRAPH_LDAP_SCHOOL_TERMINATION_MIN_GRACE_DAYS int 0 When setting a ’terminationDate’ for a school, require the date to be at least this number of days in the future.
OCIS_ENABLE_OCM
GRAPH_INCLUDE_OCM_SHAREES
bool false Include OCM sharees when listing users.
OCIS_EVENTS_ENDPOINT
GRAPH_EVENTS_ENDPOINT
string 127.0.0.1:9233 The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Set to a empty string to disable emitting events.
OCIS_EVENTS_CLUSTER
GRAPH_EVENTS_CLUSTER
string ocis-cluster The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.
OCIS_INSECURE
GRAPH_EVENTS_TLS_INSECURE
bool false Whether to verify the server TLS certificates.
OCIS_EVENTS_TLS_ROOT_CA_CERTIFICATE
GRAPH_EVENTS_TLS_ROOT_CA_CERTIFICATE
string The root CA certificate used to validate the server’s TLS certificate. If provided GRAPH_EVENTS_TLS_INSECURE will be seen as false.
OCIS_EVENTS_ENABLE_TLS
GRAPH_EVENTS_ENABLE_TLS
bool false Enable TLS for the connection to the events broker. The events broker is the ocis service which receives and delivers events between the services.
OCIS_EVENTS_AUTH_USERNAME
GRAPH_EVENTS_AUTH_USERNAME
string The username to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services.
OCIS_EVENTS_AUTH_PASSWORD
GRAPH_EVENTS_AUTH_PASSWORD
string The password to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services.
GRAPH_AVAILABLE_ROLES []string [b1e2218d-eef8-4d4c-b82d-0f1a1b48f3b5 a8d5fe5e-96e3-418d-825b-534dbdf22b99 fb6c3e19-e378-47e5-b277-9732f9de6e21 58c63c02-1d89-4572-916a-870abc5a1b7d 2d00ce52-1fc2-4dbc-8b95-a73b73395f5a 1c996275-f1c9-4e71-abdf-a42f6495e960 312c0871-5ef7-4b3a-85b6-0e4074c64049] A comma separated list of roles that are available for assignment.
OCIS_MAX_CONCURRENCY
GRAPH_MAX_CONCURRENCY
int 20 The maximum number of concurrent requests the service will handle.
OCIS_KEYCLOAK_BASE_PATH
GRAPH_KEYCLOAK_BASE_PATH
string The URL to access keycloak.
OCIS_KEYCLOAK_CLIENT_ID
GRAPH_KEYCLOAK_CLIENT_ID
string The client id to authenticate with keycloak.
OCIS_KEYCLOAK_CLIENT_SECRET
GRAPH_KEYCLOAK_CLIENT_SECRET
string The client secret to use in authentication.
OCIS_KEYCLOAK_CLIENT_REALM
GRAPH_KEYCLOAK_CLIENT_REALM
string The realm the client is defined in.
OCIS_KEYCLOAK_USER_REALM
GRAPH_KEYCLOAK_USER_REALM
string The realm users are defined.
OCIS_KEYCLOAK_INSECURE_SKIP_VERIFY
GRAPH_KEYCLOAK_INSECURE_SKIP_VERIFY
bool false Disable TLS certificate validation for Keycloak connections. Do not set this in production environments.
OCIS_SERVICE_ACCOUNT_ID
GRAPH_SERVICE_ACCOUNT_ID
string The ID of the service account the service should use. See the ‘auth-service’ service description for more details.
OCIS_SERVICE_ACCOUNT_SECRET
GRAPH_SERVICE_ACCOUNT_SECRET
string The service account secret.