Graph
The graph service provides the Graph API which is a RESTful web API used to access Infinite Scale resources. It is inspired by the Microsoft Graph API and can be used by clients or other services or extensions. Visit the Libre Graph API for a detailed specification of the API implemented by the graph service.
- Sequence Diagram
- Users and Groups API
- Query Filters Provided by the Graph API
- Caching
- Keycloak Configuration For The Personal Data Export
- Translations
- Default Language
- Unified Role Management
- Example Yaml Config
The following image gives an overview of the scenario when a client requests to list available spaces the user has access to. To do so, the client is directed with his request automatically via the proxy service to the graph service.
The graph service provides endpoints for querying users and groups. It features two different backend implementations:
ldap
: This is currently the default backend. It queries user and group information from an LDAP server. Depending on the configuration, it can also be used to manage (create, update, delete) users and groups provided by an LDAP server.cs3
: This backend queries users and groups using the CS3 identity APIs as implemented by theusers
andgroups
service. This backend is currently still experimental and only implements a subset of the Libre Graph API. It should not be used in production.
The LDAP backend is configured using a set of environment variables. A detailed list of all the
available configuration options can be found in the documentation.
The LDAP related options are prefixed with OCIS_LDAP_
(or GRAPH_LDAP_
for settings specific to graph service).
To connect the graph service to an existing LDAP server, set OCIS_LDAP_SERVER_WRITE_ENABLED
to
false
to prevent the graph service from sending write operations to the LDAP server. Also set the
various OCIS_LDAP_*
environment variables to match the configuration of the LDAP server you are connecting
to. An example configuration for connecting oCIS to an instance of Microsoft Active Directory is
available here.
To use the graph service for managing (create, update, delete) users and groups, a write enabled LDAP
server is required. In the default configuration, the graph service will use the simple LDAP server
that is bundled with oCIS in the idm
service which provides all the required features.
It is also possible to setup up an external LDAP server with write access for use with oCIS. It is
recommend to use OpenLDAP for this. The LDAP server needs to fulfill a couple of requirements with
respect to the available schema:
- The LDAP server must provide the
inetOrgPerson
object class for users and thegroupOfNames
object class for groups. - The graph service maintains a few additional attributes for users and groups that are not available in the standard LDAP schema. An schema file, ready to use with OpenLDAP, defining those additional attributes is available here.
Some API endpoints provided by the graph service allow to specify query filters. The filter syntax is based on the OData Specification. See the Libre Graph API for examples on the filters supported when querying users.
The graph
service can use a configured store via GRAPH_CACHE_STORE
. Possible stores are:
memory
: Basic in-memory store and the default.redis-sentinel
: Stores data in a configured Redis Sentinel cluster.nats-js-kv
: Stores data using key-value-store feature of nats jetstreamnoop
: Stores nothing. Useful for testing. Not recommended in production environments.
Other store types may work but are not supported currently.
Note: The service can only be scaled if not using memory
store and the stores are configured identically over all instances!
Note that if you have used one of the deprecated stores, you should reconfigure to one of the supported ones as the deprecated stores will be removed in a later version.
Store specific notes:
- When using
redis-sentinel
, the Redis master to use is configured via e.g.OCIS_CACHE_STORE_NODES
in the form of<sentinel-host>:<sentinel-port>/<redis-master>
like10.10.0.200:26379/mymaster
. - When using
nats-js-kv
it is recommended to setOCIS_CACHE_STORE_NODES
to the same value asOCIS_EVENTS_ENDPOINT
. That way the cache uses the same nats instance as the event bus. - When using the
nats-js-kv
store, it is possible to setOCIS_CACHE_DISABLE_PERSISTENCE
to instruct nats to not persist cache data on disc.
If Keycloak is used for authentication, GDPR regulations require to add all personal identifiable information that Keycloak has about the user to the personal data export. To do this, the following environment variables must be set:
OCIS_KEYCLOAK_BASE_PATH
- The URL to the keycloak instance.OCIS_KEYCLOAK_CLIENT_ID
- The client ID of the client that is used to authenticate with keycloak, this client has to be able to list users and get the credential data.OCIS_KEYCLOAK_CLIENT_SECRET
- The client secret of the client that is used to authenticate with keycloak.OCIS_KEYCLOAK_CLIENT_REALM
- The realm the client is defined in.OCIS_KEYCLOAK_USER_REALM
- The realm the oCIS users are defined in.OCIS_KEYCLOAK_INSECURE_SKIP_VERIFY
- If set to true, the TLS certificate of the keycloak instance is not verified.
For more details see the User-Triggered GDPR Report in the ocis admin documentation.
The client that is used to authenticate with keycloak has to be able to list users and get the credential data. To do this, the following roles have to be assigned to the client and they have to be about the realm that contains the oCIS users:
view-users
view-identity-providers
view-realm
view-clients
view-events
view-authorization
Note that these roles are only available to assign if the client is in the master
realm.
The graph
service has embedded translations sourced via transifex to provide a basic set of translated languages. These embedded translations are available for all deployment scenarios. In addition, the service supports custom translations, though it is currently not possible to just add custom translations to embedded ones. If custom translations are configured, the embedded ones are not used. To configure custom translations, the GRAPH_TRANSLATION_PATH
environment variable needs to point to a base folder that will contain the translation files. This path must be available from all instances of the graph service, a shared storage is recommended. Translation files must be of type .po or .mo. For each language, the filename needs to be graph.po
(or graph.mo
) and stored in a folder structure defining the language code. In general the path/name pattern for a translation file needs to be:
{GRAPH_TRANSLATION_PATH}/{language-code}/LC_MESSAGES/graph.po
The language code pattern is composed of language[_territory]
where language
is the base language and _territory
is optional and defines a country.
For example, for the language de
, one needs to place the corresponding translation files to {GRAPH_TRANSLATION_PATH}/de_DE/LC_MESSAGES/graph.po
.
Important: For the time being, the embedded ownCloud Web frontend only supports the main language code but does not handle any territory. When strings are available in the language code language_territory
, the web frontend does not see it as it only requests language
. In consequence, any translations made must exist in the requested language
to avoid a fallback to the default.
- If a requested language code is not available, the service tries to fall back to the base language if available. For example, if the requested language-code
de_DE
is not available, the service tries to fall back to translations in thede
folder. - If the base language
de
is also not available, the service falls back to the system’s default English (en
), which is the source of the texts provided by the code.
The default language can be defined via the OCIS_DEFAULT_LANGUAGE
environment variable. See the settings
service for a detailed description.
Unified Roles are roles granted a user for sharing and can be enabled or disabled. A CLI command is provided to list existing roles and their state among other data.
Note that a disabled role does not lose previously assigned permissions. It only means that the role is not available for new assignments.
The following roles are enabled by default:
UnifiedRoleViewerID
UnifiedRoleSpaceViewer
UnifiedRoleEditor
UnifiedRoleSpaceEditor
UnifiedRoleFileEditor
UnifiedRoleEditorLite
UnifiedRoleManager
The following role is disabled by default:
UnifiedRoleSecureViewer
To enable disabled roles like the UnifiedRoleSecureViewer
, you must provide the UID(s) by one of the following methods:
- Using the
GRAPH_AVAILABLE_ROLES
environment variable. - Setting the
available_roles
configuration value.
The following CLI command simplifies the process of finding out which UID belongs to which role:
ocis graph list-unified-roles
The output of this command includes the following information for each role:
UID
The unique identifier of the role.Enabled
Whether the role is enabled or not.Description
A short description of the role.Condition
Allowed resource actions
Example output (shortned)
+--------------------------------------+----------+--------------------------------+--------------------------------+------------------------------------------+
| UID | ENABLED | DESCRIPTION | CONDITION | ALLOWED RESOURCE ACTIONS |
+--------------------------------------+----------+--------------------------------+--------------------------------+------------------------------------------+
| a8d5fe5e-96e3-418d-825b-534dbdf22b99 | enabled | View and download. | exists @Resource.Root | libre.graph/driveItem/path/read |
| | | | | libre.graph/driveItem/quota/read |
| | | | | libre.graph/driveItem/content/read |
| | | | | libre.graph/driveItem/permissions/read |
| | | | | libre.graph/driveItem/children/read |
| | | | | libre.graph/driveItem/deleted/read |
| | | | | libre.graph/driveItem/basic/read |
+--------------------------------------+----------+--------------------------------+--------------------------------+------------------------------------------+
|
|
Name | Type | Default Value | Description |
---|---|---|---|
OCIS_TRACING_ENABLED GRAPH_TRACING_ENABLED |
bool | false | Activates tracing. |
OCIS_TRACING_TYPE GRAPH_TRACING_TYPE |
string | The type of tracing. Defaults to ‘’, which is the same as ‘jaeger’. Allowed tracing types are ‘jaeger’ and ’’ as of now. | |
OCIS_TRACING_ENDPOINT GRAPH_TRACING_ENDPOINT |
string | The endpoint of the tracing agent. | |
OCIS_TRACING_COLLECTOR GRAPH_TRACING_COLLECTOR |
string | The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset. | |
OCIS_LOG_LEVEL GRAPH_LOG_LEVEL |
string | The log level. Valid values are: ‘panic’, ‘fatal’, ’error’, ‘warn’, ‘info’, ‘debug’, ’trace’. | |
OCIS_LOG_PRETTY GRAPH_LOG_PRETTY |
bool | false | Activates pretty log output. |
OCIS_LOG_COLOR GRAPH_LOG_COLOR |
bool | false | Activates colorized log output. |
OCIS_LOG_FILE GRAPH_LOG_FILE |
string | The path to the log file. Activates logging to this file if set. | |
OCIS_CACHE_STORE GRAPH_CACHE_STORE |
string | memory | The type of the cache store. Supported values are: ‘memory’, ‘redis-sentinel’, ’nats-js-kv’, ’noop’. See the text description for details. |
OCIS_CACHE_STORE_NODES GRAPH_CACHE_STORE_NODES |
[]string | [127.0.0.1:9233] | A list of nodes to access the configured store. This has no effect when ‘memory’ store are configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details. |
GRAPH_CACHE_STORE_DATABASE | string | cache-roles | The database name the configured store should use. |
GRAPH_CACHE_STORE_TABLE | string | The database table the store should use. | |
OCIS_CACHE_TTL GRAPH_CACHE_TTL |
Duration | 336h0m0s | Time to live for cache records in the graph. Defaults to ‘336h’ (2 weeks). See the Environment Variable Types description for more details. |
OCIS_CACHE_DISABLE_PERSISTENCE GRAPH_CACHE_DISABLE_PERSISTENCE |
bool | false | Disables persistence of the cache. Only applies when store type ’nats-js-kv’ is configured. Defaults to false. |
OCIS_CACHE_AUTH_USERNAME GRAPH_CACHE_AUTH_USERNAME |
string | The username to authenticate with the cache. Only applies when store type ’nats-js-kv’ is configured. | |
OCIS_CACHE_AUTH_PASSWORD GRAPH_CACHE_AUTH_PASSWORD |
string | The password to authenticate with the cache. Only applies when store type ’nats-js-kv’ is configured. | |
GRAPH_DEBUG_ADDR | string | 127.0.0.1:9124 | Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed. |
GRAPH_DEBUG_TOKEN | string | Token to secure the metrics endpoint. | |
GRAPH_DEBUG_PPROF | bool | false | Enables pprof, which can be used for profiling. |
GRAPH_DEBUG_ZPAGES | bool | false | Enables zpages, which can be used for collecting and viewing in-memory traces. |
GRAPH_HTTP_ADDR | string | 127.0.0.1:9120 | The bind address of the HTTP service. |
GRAPH_HTTP_ROOT | string | /graph | Subdirectory that serves as the root for this HTTP service. |
OCIS_HTTP_TLS_ENABLED | bool | false | Activates TLS for the http based services using the server certifcate and key configured via OCIS_HTTP_TLS_CERTIFICATE and OCIS_HTTP_TLS_KEY. If OCIS_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true. |
OCIS_HTTP_TLS_CERTIFICATE | string | Path/File name of the TLS server certificate (in PEM format) for the http services. | |
OCIS_HTTP_TLS_KEY | string | Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services. | |
GRAPH_HTTP_API_TOKEN | string | An optional API bearer token | |
OCIS_CORS_ALLOW_ORIGINS GRAPH_CORS_ALLOW_ORIGINS |
[]string | [*] | A list of allowed CORS origins. See following chapter for more details: Access-Control-Allow-Origin at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details. |
OCIS_CORS_ALLOW_METHODS GRAPH_CORS_ALLOW_METHODS |
[]string | [GET POST PUT PATCH DELETE OPTIONS] | A list of allowed CORS methods. See following chapter for more details: Access-Control-Request-Method at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details. |
OCIS_CORS_ALLOW_HEADERS GRAPH_CORS_ALLOW_HEADERS |
[]string | [Authorization Origin Content-Type Accept X-Requested-With X-Request-Id Purge Restore] | A list of allowed CORS headers. See following chapter for more details: Access-Control-Request-Headers at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details. |
OCIS_CORS_ALLOW_CREDENTIALS GRAPH_CORS_ALLOW_CREDENTIALS |
bool | true | Allow credentials for CORS.See following chapter for more details: Access-Control-Allow-Credentials at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials. |
GRAPH_GROUP_MEMBERS_PATCH_LIMIT | int | 20 | The amount of group members allowed to be added with a single patch request. |
GRAPH_USERNAME_MATCH | string | default | Apply restrictions to usernames. Supported values are ‘default’ and ’none’. When set to ‘default’, user names must not start with a number and are restricted to ASCII characters. When set to ’none’, no restrictions are applied. The default value is ‘default’. |
GRAPH_ASSIGN_DEFAULT_USER_ROLE | bool | true | Whether to assign newly created users the default role ‘User’. Set this to ‘false’ if you want to assign roles manually, or if the role assignment should happen at first login. Set this to ’true’ (the default) to assign the role ‘User’ when creating a new user. |
GRAPH_IDENTITY_SEARCH_MIN_LENGTH | int | 3 | The minimum length the search term needs to have for unprivileged users when searching for users or groups. |
OCIS_SHOW_USER_EMAIL_IN_RESULTS | bool | false | Include user email addresses in responses. If absent or set to false emails will be omitted from results. Please note that admin users can always see all email addresses. |
OCIS_REVA_GATEWAY | string | com.owncloud.api.gateway | The CS3 gateway endpoint. |
OCIS_GRPC_CLIENT_TLS_MODE | string | TLS mode for grpc connection to the go-micro based grpc services. Possible values are ‘off’, ‘insecure’ and ‘on’. ‘off’: disables transport security for the clients. ‘insecure’ allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). ‘on’ enables transport security, including server certificate verification. | |
OCIS_GRPC_CLIENT_TLS_CACERT | string | Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services. | |
OCIS_JWT_SECRET GRAPH_JWT_SECRET |
string | The secret to mint and validate jwt tokens. | |
GRAPH_APPLICATION_ID | string | The ocis application ID shown in the graph. All app roles are tied to this ID. | |
GRAPH_APPLICATION_DISPLAYNAME | string | ownCloud Infinite Scale | The ocis application name. |
OCIS_URL GRAPH_SPACES_WEBDAV_BASE |
string | https://localhost:9200 | The public facing URL of WebDAV. |
GRAPH_SPACES_WEBDAV_PATH | string | /dav/spaces/ | The WebDAV sub-path for spaces. |
GRAPH_SPACES_DEFAULT_QUOTA | string | 1000000000 | The default quota in bytes. |
GRAPH_SPACES_EXTENDED_SPACE_PROPERTIES_CACHE_TTL | int | 60000000000 | Max TTL in seconds for the spaces property cache. |
GRAPH_SPACES_USERS_CACHE_TTL | int | 60000000000 | Max TTL in seconds for the spaces users cache. |
GRAPH_SPACES_GROUPS_CACHE_TTL | int | 60000000000 | Max TTL in seconds for the spaces groups cache. |
GRAPH_SPACES_STORAGE_USERS_ADDRESS | string | com.owncloud.api.storage-users | The address of the storage-users service. |
OCIS_DEFAULT_LANGUAGE | string | The default language used by services and the WebUI. If not defined, English will be used as default. See the documentation for more details. | |
OCIS_TRANSLATION_PATH GRAPH_TRANSLATION_PATH |
string | (optional) Set this to a path with custom translations to overwrite the builtin translations. Note that file and folder naming rules apply, see the documentation for more details. | |
GRAPH_IDENTITY_BACKEND | string | ldap | The user identity backend to use. Supported backend types are ’ldap’ and ‘cs3’. |
OCIS_LDAP_URI GRAPH_LDAP_URI |
string | ldaps://localhost:9235 | URI of the LDAP Server to connect to. Supported URI schemes are ’ldaps://’ and ’ldap://’ |
OCIS_LDAP_CACERT GRAPH_LDAP_CACERT |
string | /var/lib/ocis/idm/ldap.crt | Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the LDAP service. If not defined, the root directory derives from $OCIS_BASE_DATA_PATH/idm. |
OCIS_LDAP_INSECURE GRAPH_LDAP_INSECURE |
bool | false | Disable TLS certificate validation for the LDAP connections. Do not set this in production environments. |
OCIS_LDAP_BIND_DN GRAPH_LDAP_BIND_DN |
string | uid=libregraph,ou=sysusers,o=libregraph-idm | LDAP DN to use for simple bind authentication with the target LDAP server. |
OCIS_LDAP_BIND_PASSWORD GRAPH_LDAP_BIND_PASSWORD |
string | Password to use for authenticating the ‘bind_dn’. | |
GRAPH_LDAP_SERVER_UUID | bool | false | If set to true, rely on the LDAP Server to generate a unique ID for users and groups, like when using ’entryUUID’ as the user ID attribute. |
GRAPH_LDAP_SERVER_USE_PASSWORD_MODIFY_EXOP | bool | true | Use the ‘Password Modify Extended Operation’ for updating user passwords. |
OCIS_LDAP_SERVER_WRITE_ENABLED GRAPH_LDAP_SERVER_WRITE_ENABLED |
bool | true | Allow creating, modifying and deleting LDAP users via the GRAPH API. This can only be set to ’true’ when keeping default settings for the LDAP user and group attribute types (the ‘OCIS_LDAP_USER_SCHEMA_* and ‘OCIS_LDAP_GROUP_SCHEMA_* variables). |
GRAPH_LDAP_REFINT_ENABLED | bool | false | Signals that the server has the refint plugin enabled, which makes some actions not needed. |
OCIS_LDAP_USER_BASE_DN GRAPH_LDAP_USER_BASE_DN |
string | ou=users,o=libregraph-idm | Search base DN for looking up LDAP users. |
OCIS_LDAP_USER_SCOPE GRAPH_LDAP_USER_SCOPE |
string | sub | LDAP search scope to use when looking up users. Supported scopes are ‘base’, ‘one’ and ‘sub’. |
OCIS_LDAP_USER_FILTER GRAPH_LDAP_USER_FILTER |
string | LDAP filter to add to the default filters for user search like ‘(objectclass=ownCloud)’. | |
OCIS_LDAP_USER_OBJECTCLASS GRAPH_LDAP_USER_OBJECTCLASS |
string | inetOrgPerson | The object class to use for users in the default user search filter (‘inetOrgPerson’). |
OCIS_LDAP_USER_SCHEMA_MAIL GRAPH_LDAP_USER_EMAIL_ATTRIBUTE |
string | LDAP Attribute to use for the email address of users. | |
OCIS_LDAP_USER_SCHEMA_DISPLAYNAME LDAP_USER_SCHEMA_DISPLAY_NAME GRAPH_LDAP_USER_DISPLAYNAME_ATTRIBUTE |
string | displayName | LDAP Attribute to use for the display name of users. |
OCIS_LDAP_USER_SCHEMA_USERNAME GRAPH_LDAP_USER_NAME_ATTRIBUTE |
string | uid | LDAP Attribute to use for username of users. |
OCIS_LDAP_USER_SCHEMA_ID GRAPH_LDAP_USER_UID_ATTRIBUTE |
string | owncloudUUID | LDAP Attribute to use as the unique ID for users. This should be a stable globally unique ID like a UUID. |
OCIS_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING GRAPH_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING |
bool | false | Set this to true if the defined ‘ID’ attribute for users is of the ‘OCTETSTRING’ syntax. This is required when using the ‘objectGUID’ attribute of Active Directory for the user ID’s. |
OCIS_LDAP_USER_SCHEMA_USER_TYPE GRAPH_LDAP_USER_TYPE_ATTRIBUTE |
string | ownCloudUserType | LDAP Attribute to distinguish between ‘Member’ and ‘Guest’ users. Default is ‘ownCloudUserType’. |
OCIS_LDAP_USER_ENABLED_ATTRIBUTE GRAPH_USER_ENABLED_ATTRIBUTE |
string | ownCloudUserEnabled | LDAP Attribute to use as a flag telling if the user is enabled or disabled. |
OCIS_LDAP_DISABLE_USER_MECHANISM GRAPH_DISABLE_USER_MECHANISM |
string | attribute | An option to control the behavior for disabling users. Supported options are ’none’, ‘attribute’ and ‘group’. If set to ‘group’, disabling a user via API will add the user to the configured group for disabled users, if set to ‘attribute’ this will be done in the ldap user entry, if set to ’none’ the disable request is not processed. Default is ‘attribute’. |
OCIS_LDAP_DISABLED_USERS_GROUP_DN GRAPH_DISABLED_USERS_GROUP_DN |
string | cn=DisabledUsersGroup,ou=groups,o=libregraph-idm | The distinguished name of the group to which added users will be classified as disabled when ‘disable_user_mechanism’ is set to ‘group’. |
OCIS_LDAP_GROUP_BASE_DN GRAPH_LDAP_GROUP_BASE_DN |
string | ou=groups,o=libregraph-idm | Search base DN for looking up LDAP groups. |
GRAPH_LDAP_GROUP_CREATE_BASE_DN | string | ou=groups,o=libregraph-idm | Parent DN under which new groups are created. This DN needs to be subordinate to the ‘GRAPH_LDAP_GROUP_BASE_DN’. This setting is only relevant when ‘GRAPH_LDAP_SERVER_WRITE_ENABLED’ is ’true’. It defaults to the value of ‘GRAPH_LDAP_GROUP_BASE_DN’. All groups outside of this subtree are treated as readonly groups and cannot be updated. |
OCIS_LDAP_GROUP_SCOPE GRAPH_LDAP_GROUP_SEARCH_SCOPE |
string | sub | LDAP search scope to use when looking up groups. Supported scopes are ‘base’, ‘one’ and ‘sub’. |
OCIS_LDAP_GROUP_FILTER GRAPH_LDAP_GROUP_FILTER |
string | LDAP filter to add to the default filters for group searches. | |
OCIS_LDAP_GROUP_OBJECTCLASS GRAPH_LDAP_GROUP_OBJECTCLASS |
string | groupOfNames | The object class to use for groups in the default group search filter (‘groupOfNames’). |
OCIS_LDAP_GROUP_SCHEMA_GROUPNAME GRAPH_LDAP_GROUP_NAME_ATTRIBUTE |
string | cn | LDAP Attribute to use for the name of groups. |
OCIS_LDAP_GROUP_SCHEMA_MEMBER GRAPH_LDAP_GROUP_MEMBER_ATTRIBUTE |
string | member | LDAP Attribute that is used for group members. |
OCIS_LDAP_GROUP_SCHEMA_ID GRAPH_LDAP_GROUP_ID_ATTRIBUTE |
string | owncloudUUID | LDAP Attribute to use as the unique id for groups. This should be a stable globally unique ID like a UUID. |
OCIS_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING GRAPH_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING |
bool | false | Set this to true if the defined ‘ID’ attribute for groups is of the ‘OCTETSTRING’ syntax. This is required when using the ‘objectGUID’ attribute of Active Directory for the group ID’s. |
GRAPH_LDAP_EDUCATION_RESOURCES_ENABLED | bool | false | Enable LDAP support for managing education related resources. |
GRAPH_LDAP_SCHOOL_BASE_DN | string | Search base DN for looking up LDAP schools. | |
GRAPH_LDAP_SCHOOL_SEARCH_SCOPE | string | LDAP search scope to use when looking up schools. Supported scopes are ‘base’, ‘one’ and ‘sub’. | |
GRAPH_LDAP_SCHOOL_FILTER | string | LDAP filter to add to the default filters for school searches. | |
GRAPH_LDAP_SCHOOL_OBJECTCLASS | string | The object class to use for schools in the default school search filter. | |
GRAPH_LDAP_SCHOOL_NAME_ATTRIBUTE | string | LDAP Attribute to use for the name of a school. | |
GRAPH_LDAP_SCHOOL_NUMBER_ATTRIBUTE | string | LDAP Attribute to use for the number of a school. | |
GRAPH_LDAP_SCHOOL_ID_ATTRIBUTE | string | LDAP Attribute to use as the unique id for schools. This should be a stable globally unique ID like a UUID. | |
GRAPH_LDAP_SCHOOL_TERMINATION_MIN_GRACE_DAYS | int | 0 | When setting a ’terminationDate’ for a school, require the date to be at least this number of days in the future. |
OCIS_ENABLE_OCM GRAPH_INCLUDE_OCM_SHAREES |
bool | false | Include OCM sharees when listing users. |
OCIS_EVENTS_ENDPOINT GRAPH_EVENTS_ENDPOINT |
string | 127.0.0.1:9233 | The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Set to a empty string to disable emitting events. |
OCIS_EVENTS_CLUSTER GRAPH_EVENTS_CLUSTER |
string | ocis-cluster | The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. |
OCIS_INSECURE GRAPH_EVENTS_TLS_INSECURE |
bool | false | Whether to verify the server TLS certificates. |
OCIS_EVENTS_TLS_ROOT_CA_CERTIFICATE GRAPH_EVENTS_TLS_ROOT_CA_CERTIFICATE |
string | The root CA certificate used to validate the server’s TLS certificate. If provided GRAPH_EVENTS_TLS_INSECURE will be seen as false. | |
OCIS_EVENTS_ENABLE_TLS GRAPH_EVENTS_ENABLE_TLS |
bool | false | Enable TLS for the connection to the events broker. The events broker is the ocis service which receives and delivers events between the services. |
OCIS_EVENTS_AUTH_USERNAME GRAPH_EVENTS_AUTH_USERNAME |
string | The username to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services. | |
OCIS_EVENTS_AUTH_PASSWORD GRAPH_EVENTS_AUTH_PASSWORD |
string | The password to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services. | |
GRAPH_AVAILABLE_ROLES | []string | [b1e2218d-eef8-4d4c-b82d-0f1a1b48f3b5 a8d5fe5e-96e3-418d-825b-534dbdf22b99 fb6c3e19-e378-47e5-b277-9732f9de6e21 58c63c02-1d89-4572-916a-870abc5a1b7d 2d00ce52-1fc2-4dbc-8b95-a73b73395f5a 1c996275-f1c9-4e71-abdf-a42f6495e960 312c0871-5ef7-4b3a-85b6-0e4074c64049] | A comma separated list of roles that are available for assignment. |
OCIS_MAX_CONCURRENCY GRAPH_MAX_CONCURRENCY |
int | 20 | The maximum number of concurrent requests the service will handle. |
OCIS_KEYCLOAK_BASE_PATH GRAPH_KEYCLOAK_BASE_PATH |
string | The URL to access keycloak. | |
OCIS_KEYCLOAK_CLIENT_ID GRAPH_KEYCLOAK_CLIENT_ID |
string | The client id to authenticate with keycloak. | |
OCIS_KEYCLOAK_CLIENT_SECRET GRAPH_KEYCLOAK_CLIENT_SECRET |
string | The client secret to use in authentication. | |
OCIS_KEYCLOAK_CLIENT_REALM GRAPH_KEYCLOAK_CLIENT_REALM |
string | The realm the client is defined in. | |
OCIS_KEYCLOAK_USER_REALM GRAPH_KEYCLOAK_USER_REALM |
string | The realm users are defined. | |
OCIS_KEYCLOAK_INSECURE_SKIP_VERIFY GRAPH_KEYCLOAK_INSECURE_SKIP_VERIFY |
bool | false | Disable TLS certificate validation for Keycloak connections. Do not set this in production environments. |
OCIS_SERVICE_ACCOUNT_ID GRAPH_SERVICE_ACCOUNT_ID |
string | The ID of the service account the service should use. See the ‘auth-service’ service description for more details. | |
OCIS_SERVICE_ACCOUNT_SECRET GRAPH_SERVICE_ACCOUNT_SECRET |
string | The service account secret. |