IDM Service Configuration
Introduction
The Infinite Scale IDM service provides a minimal LDAP Service for Infinite Scale. It is started as part of the the runtime and serves as a central place for storing user and group information. The IDM Service is based on LibreGraph Identity Management.
Services are under development because of the  stage of Infinite Scale. Their service, environment variables and configuration may change. Forgive us if there are mistakes or information is missing. Feel free to report issues and we’ll take care of them as soon as possible on github. You want to fix them yourself? We’d appreciate that even more.
|
| It is mainly targeted at small Infinite Scale installations. For larger setups it is recommended to replace the IDM service with a “real” LDAP server or to switch to an external Identity Management Solution. |
The IDM service is limited in its functionality. It only supports a subset of the LDAP operations (namely BIND, SEARCH, ADD, MODIFY and DELETE). Also IDM currently does not do any schema verification (e.g. structural vs. auxiliary object classes, require and option attributes, syntax checks, …). It is not meant as a general purpose LDAP server.
|
Default Values
-
IDM listens on port 9325 by default.
-
In the default configuration it only accepts TLS-protected connections (LDAPS).
-
The BaseDN of the LDAP tree is
o=libregraph-idm. -
IDM gives LDAP write permissions to a single user
(DN:uid=libregraph,ou=sysusers,o=libregraph-idm). Any other authenticated user has read-only access. -
IDM stores its data in a
boltdbfileidm/ocis.boltdbinside the Infinite Scale base data directory.
Configuration Hints
TLS Server Certificates
By default, IDM generates a self-signed certificate and key on first startup to be able to provide TLS-protected services. The certificate is stored in idm/ldap.crt inside the Infinite Scale base data directory. The key is in idm/ldap.key in the same directory. You can use a custom server certificate by setting the IDM_LDAPS_CERT and IDM_LDAPS_KEY.
Default and Demo Users
On startup, IDM creates a set of default service users that are needed internally to provide access to IDM to other Infinite Scale services. These users are stored in a separate subtree.
The base DN of that subtree is: ou=sysusers,o=libregraph-idm.
The service users are:
-
uid=libregraph,ou=sysusers,o=libregraph-idm
This is the only user with write access to the LDAP tree. It is used by the Graph service to look up, create, delete and modify users and groups. -
uid=idp,ou=sysusers,o=libregraph-idm
This user is used by the IDP service to perform user lookups for authentication. -
uid=reva,ou=sysusers,o=libregraph-idm
This user is used by the "reva" servicesuser,groupandauth-basic.
IDM is also able to create Demo Users upon startup.
Access via LDAP Command Line Tools
For testing purposes it is sometimes helpful to query IDM using the ldap command line clients. To e.g. list all users, this command can be used:
ldapsearch -x -H ldaps://127.0.0.1:9235 -x \
-D uid=libregraph,ou=sysusers,o=libregraph-idm \
-w idm -b o=libregraph-idm objectclass=inetorgpersonWhen using the default configuration with the self-signed server certificate, you might need to switch off the certificate validation using the LDAPTL_REQCERT env variable:
LDAPTLS_REQCERT=never \
ldapsearch -x -H ldaps://127.0.0.1:9235 -x \
-D uid=libregraph,ou=sysusers,o=libregraph-idm \
-w idm -b o=libregraph-idm objectclass=inetorgpersonConfiguration
Environment Variables
The idm extension is configured via the following environment variables:
| Name | Type | Default Value | Description |
|---|---|---|---|
|
bool |
false |
Activates tracing. |
|
string |
The type of tracing. Defaults to "", which is the same as "jaeger". Allowed tracing types are "jaeger" and "" as of now. |
|
|
string |
The endpoint of the tracing agent. |
|
|
string |
The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset. |
|
|
string |
The log level. Valid values are: "panic", "fatal", "error", "warn", "info", "debug", "trace". |
|
|
bool |
false |
Activates pretty log output. |
|
bool |
false |
Activates colorized log output. |
|
string |
The path to the log file. Activates logging to this file if set. |
|
|
string |
127.0.0.1:9239 |
Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed. |
|
string |
Token to secure the metrics endpoint |
|
|
bool |
false |
Enables pprof, which can be used for profiling |
|
bool |
false |
Enables zpages, which can be used for collecting and viewing in-memory traces. |
|
string |
127.0.0.1:9235 |
Listen address for the ldaps listener (ip-addr:port) |
|
string |
~/.ocis/idm/ldap.crt |
File name of the TLS server certificate for the ldaps listener |
|
string |
~/.ocis/idm/ldap.key |
File name for the TLS certificate key for the server certificate |
|
string |
~/.ocis/idm/ocis.boltdb |
Full path to the idm backend database |
|
bool |
false |
Flag to enabe/disable the creation of the demo users |
|
string |
Password to set for the ocis "admin" user. Either cleartext or an argon2id hash |
|
|
string |
Password to set for the "idm" service user. Either cleartext or an argon2id hash |
|
|
string |
Password to set for the "reva" service user. Either cleartext or an argon2id hash |
|
|
string |
Password to set for the "idp" service user. Either cleartext or an argon2id hash |
|
|
string |
ID of a user, that should receive admin privileges. |
Since Version: + added, - deprecated
YAML Example
# Autogenerated
# Filename: idm-config-example.yaml
tracing:
enabled: false
type: ""
endpoint: ""
collector: ""
log:
level: ""
pretty: false
color: false
file: ""
debug:
addr: 127.0.0.1:9239
token: ""
pprof: false
zpages: false
idm:
ldaps_addr: 127.0.0.1:9235
cert: ~/.ocis/idm/ldap.crt
key: ~/.ocis/idm/ldap.key
database: ~/.ocis/idm/ocis.boltdb
create_demo_users: false
service_user_passwords:
admin_password: ""
idm_password: ""
reva_password: ""
idp_password: ""
admin_user_id: ""