ownCloud
Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Back to homepage
  1. ownCloud
  2. /
  3. Services
  4. /
  5. IDM
Edit page

IDM

Abstract

The IDM service provides a minimal LDAP Service, based on Libregraph idm, for oCIS. It is started as part of the default configuration and serves as a central place for storing user and group information.

It is mainly targeted at small oCIS installations. For larger setups it is recommended to replace IDM with a “real” LDAP server or to switch to an external identity management solution.

IDM listens on port 9235 by default. In the default configuration it only accepts TLS-protected connections (LDAPS). The BaseDN of the LDAP tree is o=libregraph-idm. IDM gives LDAP write permissions to a single user (DN: uid=libregraph,ou=sysusers,o=libregraph-idm). Any other authenticated user has read-only access. IDM stores its data in a boltdb file idm/ocis.boltdb inside the oCIS base data directory.

Note: IDM is limited in its functionality. It only supports a subset of the LDAP operations (namely BIND, SEARCH, ADD, MODIFY, DELETE). Also, IDM currently does not do any schema verification (like. structural vs. auxiliary object classes, require and option attributes, syntax checks, …). Therefore it is not meant as a general purpose LDAP server.

Table of Contents

Example Yaml Config 

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31

# Autogenerated
# Filename: idm-config-example.yaml

tracing:
  enabled: false
  type: ""
  endpoint: ""
  collector: ""
log:
  level: ""
  pretty: false
  color: false
  file: ""
debug:
  addr: 127.0.0.1:9239
  token: ""
  pprof: false
  zpages: false
idm:
  ldaps_addr: 127.0.0.1:9235
  cert: /var/lib/ocis/idm/ldap.crt
  key: /var/lib/ocis/idm/ldap.key
  database: /var/lib/ocis/idm/ocis.boltdb
create_demo_users: false
demo_users_issuer_url: https://localhost:9200
service_user_passwords:
  admin_password: ""
  idm_password: ""
  reva_password: ""
  idp_password: ""
admin_user_id: ""

Environment Variables

Name Type Default Value Description
OCIS_TRACING_ENABLED
IDM_TRACING_ENABLED		 bool false Activates tracing.
OCIS_TRACING_TYPE
IDM_TRACING_TYPE		 string The type of tracing. Defaults to ‘’, which is the same as ‘jaeger’. Allowed tracing types are ‘jaeger’, ‘otlp’ and ’’ as of now.
OCIS_TRACING_ENDPOINT
IDM_TRACING_ENDPOINT		 string The endpoint of the tracing agent.
OCIS_TRACING_COLLECTOR
IDM_TRACING_COLLECTOR		 string The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.
OCIS_LOG_LEVEL
IDM_LOG_LEVEL		 string The log level. Valid values are: ‘panic’, ‘fatal’, ’error’, ‘warn’, ‘info’, ‘debug’, ’trace’.
OCIS_LOG_PRETTY
IDM_LOG_PRETTY		 bool false Activates pretty log output.
OCIS_LOG_COLOR
IDM_LOG_COLOR		 bool false Activates colorized log output.
OCIS_LOG_FILE
IDM_LOG_FILE		 string The path to the log file. Activates logging to this file if set.
IDM_DEBUG_ADDR string 127.0.0.1:9239 Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.
IDM_DEBUG_TOKEN string Token to secure the metrics endpoint.
IDM_DEBUG_PPROF bool false Enables pprof, which can be used for profiling.
IDM_DEBUG_ZPAGES bool false Enables zpages, which can be used for collecting and viewing in-memory traces.
IDM_LDAPS_ADDR string 127.0.0.1:9235 Listen address for the LDAPS listener (ip-addr:port).
IDM_LDAPS_CERT string /var/lib/ocis/idm/ldap.crt File name of the TLS server certificate for the LDAPS listener. If not defined, the root directory derives from $OCIS_BASE_DATA_PATH/idm.
IDM_LDAPS_KEY string /var/lib/ocis/idm/ldap.key File name for the TLS certificate key for the server certificate. If not defined, the root directory derives from $OCIS_BASE_DATA_PATH/idm.
IDM_DATABASE_PATH string /var/lib/ocis/idm/ocis.boltdb Full path to the IDM backend database. If not defined, the root directory derives from $OCIS_BASE_DATA_PATH/idm.
IDM_CREATE_DEMO_USERS bool false Flag to enable or disable the creation of the demo users.
OCIS_URL
OCIS_OIDC_ISSUER		 string https://localhost:9200 The OIDC issuer URL to assign to the demo users.
IDM_ADMIN_PASSWORD string Password to set for the oCIS ‘admin’ user. Either cleartext or an argon2id hash.
IDM_SVC_PASSWORD string Password to set for the ‘idm’ service user. Either cleartext or an argon2id hash.
IDM_REVASVC_PASSWORD string Password to set for the ‘reva’ service user. Either cleartext or an argon2id hash.
IDM_IDPSVC_PASSWORD string Password to set for the ‘idp’ service user. Either cleartext or an argon2id hash.
OCIS_ADMIN_USER_ID
IDM_ADMIN_USER_ID		 string ID of the user that should receive admin privileges. Consider that the UUID can be encoded in some LDAP deployment configurations like in .ldif files. These need to be decoded beforehand.
gdoc_arrow_left_alt Service Configuration Resetting a lost administrator password gdoc_arrow_right_alt