Auth Basic Service Configuration

Introduction

The Infinite Scale Auth Basic service provides basic authentication for those clients who cannot handle OIDC. This is a rare case, is usually not necessary and mainly used for tests or development.

The auth-basic service is responsible for validating authentication of incoming requests. To do so, it will use the configured auth manager, see the Auth Managers section. Only HTTP basic auth requests to ocis will involve the auth-basic service.

To enable auth-basic, you first must set PROXY_ENABLE_BASIC_AUTH to true.

Default Values

  • Auth Basic listens on port 9146 by default.

Auth Managers

Since the auth-basic service does not do any validation itself, it needs to be configured with an authentication manager. One can use the AUTH_BASIC_AUTH_PROVIDER environment variable to configure this.

LDAP Auth Manager

Setting AUTH_BASIC_AUTH_PROVIDER to "ldap" will configure the auth-basic service to use LDAP as auth manager. This is the recommended option for running in a production and testing environment. More details on how to configure LDAP with ocis can be found in the admin docs.

Other Auth Managers

The possible auth mangers which can be selected are "ldap" and "owncloudsql". Those are tested and usable though "ldap" is the recommend manager. Refer to the admin docs for additional information about those.

Scalability

Scalability, just like memory and CPU consumption, are highly dependent on the configured auth manager. When using the recommended one which is "ldap", there is no persistance as requests will just be forwarded to the LDAP server. Therefore, multiple instances of the auth-basic service can be started without further configuration. Be aware, that other auth managers might not allow that.

Configuration

Environment Variables

The auth-basic extension is configured via the following environment variables:

  • latest

  • 2.0.0

Environment variables for the auth-basic service
Name Type Default Value Description

OCIS_TRACING_ENABLED
AUTH_BASIC_TRACING_ENABLED

bool

false

Activates tracing.

OCIS_TRACING_TYPE
AUTH_BASIC_TRACING_TYPE

string

The type of tracing. Defaults to "", which is the same as "jaeger". Allowed tracing types are "jaeger" and "" as of now.

OCIS_TRACING_ENDPOINT
AUTH_BASIC_TRACING_ENDPOINT

string

The endpoint of the tracing agent.

OCIS_TRACING_COLLECTOR
AUTH_BASIC_TRACING_COLLECTOR

string

The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.

OCIS_LOG_LEVEL
AUTH_BASIC_LOG_LEVEL

string

The log level. Valid values are: "panic", "fatal", "error", "warn", "info", "debug", "trace".

OCIS_LOG_PRETTY
AUTH_BASIC_LOG_PRETTY

bool

false

Activates pretty log output.

OCIS_LOG_COLOR
AUTH_BASIC_LOG_COLOR

bool

false

Activates colorized log output.

OCIS_LOG_FILE
AUTH_BASIC_LOG_FILE

string

The path to the log file. Activates logging to this file if set.

AUTH_BASIC_DEBUG_ADDR

string

127.0.0.1:9147

Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.

AUTH_BASIC_DEBUG_TOKEN

string

Token to secure the metrics endpoint.

AUTH_BASIC_DEBUG_PPROF

bool

false

Enables pprof, which can be used for profiling.

AUTH_BASIC_DEBUG_ZPAGES

bool

false

Enables zpages, which can be used for collecting and viewing traces in-memory.

AUTH_BASIC_GRPC_ADDR

string

127.0.0.1:9146

The bind address of the GRPC service.

OCIS_GRPC_TLS_ENABLED

bool

false

Activates TLS for the grpc based services using the server certifcate and key configured via OCIS_GRPC_TLS_CERTIFICATE and OCIS_GRPC_TLS_KEY. If OCIS_GRPC_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with OCIS_GRPC_CLIENT_TLS_MODE=insecure.

OCIS_GRPC_TLS_CERTIFICATE

string

Path/File name of the TLS server certificate (in PEM format) for the grpc services.

OCIS_GRPC_TLS_KEY

string

Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the grpc services.

AUTH_BASIC_GRPC_PROTOCOL

string

tcp

The transport protocol of the GRPC service.

OCIS_JWT_SECRET
AUTH_BASIC_JWT_SECRET

string

The secret to mint and validate jwt tokens.

REVA_GATEWAY

string

127.0.0.1:9142

The CS3 gateway endpoint.

OCIS_GRPC_CLIENT_TLS_MODE

string

TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows to use transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server ceritificate verification.

OCIS_GRPC_CLIENT_TLS_CACERT

string

Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.

AUTH_BASIC_SKIP_USER_GROUPS_IN_TOKEN

bool

false

Disables the encoding of the user’s group memberships in the reva access token. This reduces the token size, especially when users are members of a large number of groups.

AUTH_BASIC_AUTH_MANAGER

string

ldap

The authentication manager to check if credentials are valid. Supported value is 'ldap'.

LDAP_URI
AUTH_BASIC_LDAP_URI

string

ldaps://localhost:9235

URI of the LDAP Server to connect to. Supported URI schemes are 'ldaps://' and 'ldap://'

LDAP_CACERT
AUTH_BASIC_LDAP_CACERT

string

~/.ocis/idm/ldap.crt

Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the LDAP service.

LDAP_INSECURE
AUTH_BASIC_LDAP_INSECURE

bool

false

Disable TLS certificate validation for the LDAP connections. Do not set this in production environments.

LDAP_BIND_DN
AUTH_BASIC_LDAP_BIND_DN

string

uid=reva,ou=sysusers,o=libregraph-idm

LDAP DN to use for simple bind authentication with the target LDAP server.

LDAP_BIND_PASSWORD
AUTH_BASIC_LDAP_BIND_PASSWORD

string

Password to use for authenticating the 'bind_dn'.

LDAP_USER_BASE_DN
AUTH_BASIC_LDAP_USER_BASE_DN

string

ou=users,o=libregraph-idm

Search base DN for looking up LDAP users.

LDAP_GROUP_BASE_DN
AUTH_BASIC_LDAP_GROUP_BASE_DN

string

ou=groups,o=libregraph-idm

Search base DN for looking up LDAP groups.

LDAP_USER_SCOPE
AUTH_BASIC_LDAP_USER_SCOPE

string

sub

LDAP search scope to use when looking up users. Supported values are 'base', 'one' and 'sub'.

LDAP_GROUP_SCOPE
AUTH_BASIC_LDAP_GROUP_SCOPE

string

sub

LDAP search scope to use when looking up groups. Supported values are 'base', 'one' and 'sub'.

LDAP_USER_FILTER
AUTH_BASIC_LDAP_USER_FILTER

string

LDAP filter to add to the default filters for user search like '(objectclass=ownCloud)'.

LDAP_GROUP_FILTER
AUTH_BASIC_LDAP_GROUP_FILTER

string

LDAP filter to add to the default filters for group searches.

LDAP_USER_OBJECTCLASS
AUTH_BASIC_LDAP_USER_OBJECTCLASS

string

inetOrgPerson

The object class to use for users in the default user search filter ('inetOrgPerson').

LDAP_GROUP_OBJECTCLASS
AUTH_BASIC_LDAP_GROUP_OBJECTCLASS

string

groupOfNames

The object class to use for groups in the default group search filter ('groupOfNames').

LDAP_LOGIN_ATTRIBUTES
AUTH_BASIC_LDAP_LOGIN_ATTRIBUTES

[]string

[uid]

The user object attributes, that can be used for login.

OCIS_URL
OCIS_OIDC_ISSUER
AUTH_BASIC_IDP_URL

string

https://localhost:9200

The identity provider value to set in the userids of the CS3 user objects for users returned by this user provider.

LDAP_USER_SCHEMA_ID
AUTH_BASIC_LDAP_USER_SCHEMA_ID

string

ownclouduuid

LDAP Attribute to use as the unique id for users. This should be a stable globally unique ID like a UUID.

LDAP_USER_SCHEMA_ID_IS_OCTETSTRING
AUTH_BASIC_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING

bool

false

Set this to true if the defined 'id' attribute for users is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the user IDs.

LDAP_USER_SCHEMA_MAIL
AUTH_BASIC_LDAP_USER_SCHEMA_MAIL

string

mail

LDAP Attribute to use for the email address of users.

LDAP_USER_SCHEMA_DISPLAYNAME
AUTH_BASIC_LDAP_USER_SCHEMA_DISPLAYNAME

string

displayname

LDAP Attribute to use for the displayname of users.

LDAP_USER_SCHEMA_USERNAME
AUTH_BASIC_LDAP_USER_SCHEMA_USERNAME

string

uid

LDAP Attribute to use for username of users.

LDAP_GROUP_SCHEMA_ID
AUTH_BASIC_LDAP_GROUP_SCHEMA_ID

string

ownclouduuid

LDAP Attribute to use as the unique id for groups. This should be a stable globally unique id (e.g. a UUID).

LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING
AUTH_BASIC_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING

bool

false

Set this to true if the defined 'id' attribute for groups is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the group IDs.

LDAP_GROUP_SCHEMA_MAIL
AUTH_BASIC_LDAP_GROUP_SCHEMA_MAIL

string

mail

LDAP Attribute to use for the email address of groups (can be empty).

LDAP_GROUP_SCHEMA_DISPLAYNAME
AUTH_BASIC_LDAP_GROUP_SCHEMA_DISPLAYNAME

string

cn

LDAP Attribute to use for the displayname of groups (often the same as groupname attribute).

LDAP_GROUP_SCHEMA_GROUPNAME
AUTH_BASIC_LDAP_GROUP_SCHEMA_GROUPNAME

string

cn

LDAP Attribute to use for the name of groups.

LDAP_GROUP_SCHEMA_MEMBER
AUTH_BASIC_LDAP_GROUP_SCHEMA_MEMBER

string

member

LDAP Attribute that is used for group members.

AUTH_BASIC_OWNCLOUDSQL_DB_USERNAME

string

owncloud

Database user to use for authenticating with the owncloud database.

AUTH_BASIC_OWNCLOUDSQL_DB_PASSWORD

string

Password for the database user.

AUTH_BASIC_OWNCLOUDSQL_DB_HOST

string

mysql

Hostname of the database server.

AUTH_BASIC_OWNCLOUDSQL_DB_PORT

int

3306

Network port to use for the database connection.

AUTH_BASIC_OWNCLOUDSQL_DB_NAME

string

owncloud

Name of the owncloud database.

AUTH_BASIC_OWNCLOUDSQL_IDP

string

https://localhost:9200

The identity provider value to set in the userids of the CS3 user objects for users returned by this user provider.

AUTH_BASIC_OWNCLOUDSQL_NOBODY

int64

90

Fallback number if no numeric UID and GID properties are provided.

AUTH_BASIC_OWNCLOUDSQL_JOIN_USERNAME

bool

false

Join the user properties table to read usernames

AUTH_BASIC_OWNCLOUDSQL_JOIN_OWNCLOUD_UUID

bool

false

Join the user properties table to read user ID’s.

Environment variables for the auth-basic service
Name Type Default Value Description

OCIS_TRACING_ENABLED
AUTH_BASIC_TRACING_ENABLED

bool

false

Activates tracing.

OCIS_TRACING_TYPE
AUTH_BASIC_TRACING_TYPE

string

The type of tracing. Defaults to "", which is the same as "jaeger". Allowed tracing types are "jaeger" and "" as of now.

OCIS_TRACING_ENDPOINT
AUTH_BASIC_TRACING_ENDPOINT

string

The endpoint of the tracing agent.

OCIS_TRACING_COLLECTOR
AUTH_BASIC_TRACING_COLLECTOR

string

The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.

OCIS_LOG_LEVEL
AUTH_BASIC_LOG_LEVEL

string

The log level. Valid values are: "panic", "fatal", "error", "warn", "info", "debug", "trace".

OCIS_LOG_PRETTY
AUTH_BASIC_LOG_PRETTY

bool

false

Activates pretty log output.

OCIS_LOG_COLOR
AUTH_BASIC_LOG_COLOR

bool

false

Activates colorized log output.

OCIS_LOG_FILE
AUTH_BASIC_LOG_FILE

string

The path to the log file. Activates logging to this file if set.

AUTH_BASIC_DEBUG_ADDR

string

127.0.0.1:9147

Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.

AUTH_BASIC_DEBUG_TOKEN

string

Token to secure the metrics endpoint.

AUTH_BASIC_DEBUG_PPROF

bool

false

Enables pprof, which can be used for profiling.

AUTH_BASIC_DEBUG_ZPAGES

bool

false

Enables zpages, which can be used for collecting and viewing traces in-memory.

AUTH_BASIC_GRPC_ADDR

string

127.0.0.1:9146

The bind address of the GRPC service.

OCIS_GRPC_TLS_ENABLED

bool

false

Activates TLS for the grpc based services using the server certifcate and key configured via OCIS_GRPC_TLS_CERTIFICATE and OCIS_GRPC_TLS_KEY. If OCIS_GRPC_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with OCIS_GRPC_CLIENT_TLS_MODE=insecure.

OCIS_GRPC_TLS_CERTIFICATE

string

Path/File name of the TLS server certificate (in PEM format) for the grpc services.

OCIS_GRPC_TLS_KEY

string

Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the grpc services.

AUTH_BASIC_GRPC_PROTOCOL

string

tcp

The transport protocol of the GRPC service.

OCIS_JWT_SECRET
AUTH_BASIC_JWT_SECRET

string

The secret to mint and validate jwt tokens.

REVA_GATEWAY

string

127.0.0.1:9142

The CS3 gateway endpoint.

OCIS_GRPC_CLIENT_TLS_MODE

string

TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows to use transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server ceritificate verification.

OCIS_GRPC_CLIENT_TLS_CACERT

string

Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.

AUTH_BASIC_SKIP_USER_GROUPS_IN_TOKEN

bool

false

Disables the encoding of the user’s group memberships in the reva access token. This reduces the token size, especially when users are members of a large number of groups.

AUTH_BASIC_AUTH_MANAGER

string

ldap

The authentication manager to check if credentials are valid. Supported value is 'ldap'.

LDAP_URI
AUTH_BASIC_LDAP_URI

string

ldaps://localhost:9235

URI of the LDAP Server to connect to. Supported URI schemes are 'ldaps://' and 'ldap://'

LDAP_CACERT
AUTH_BASIC_LDAP_CACERT

string

~/.ocis/idm/ldap.crt

Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the LDAP service.

LDAP_INSECURE
AUTH_BASIC_LDAP_INSECURE

bool

false

Disable TLS certificate validation for the LDAP connections. Do not set this in production environments.

LDAP_BIND_DN
AUTH_BASIC_LDAP_BIND_DN

string

uid=reva,ou=sysusers,o=libregraph-idm

LDAP DN to use for simple bind authentication with the target LDAP server.

LDAP_BIND_PASSWORD
AUTH_BASIC_LDAP_BIND_PASSWORD

string

Password to use for authenticating the 'bind_dn'.

LDAP_USER_BASE_DN
AUTH_BASIC_LDAP_USER_BASE_DN

string

ou=users,o=libregraph-idm

Search base DN for looking up LDAP users.

LDAP_GROUP_BASE_DN
AUTH_BASIC_LDAP_GROUP_BASE_DN

string

ou=groups,o=libregraph-idm

Search base DN for looking up LDAP groups.

LDAP_USER_SCOPE
AUTH_BASIC_LDAP_USER_SCOPE

string

sub

LDAP search scope to use when looking up users. Supported values are 'base', 'one' and 'sub'.

LDAP_GROUP_SCOPE
AUTH_BASIC_LDAP_GROUP_SCOPE

string

sub

LDAP search scope to use when looking up groups. Supported values are 'base', 'one' and 'sub'.

LDAP_USER_FILTER
AUTH_BASIC_LDAP_USER_FILTER

string

LDAP filter to add to the default filters for user search like '(objectclass=ownCloud)'.

LDAP_GROUP_FILTER
AUTH_BASIC_LDAP_GROUP_FILTER

string

LDAP filter to add to the default filters for group searches.

LDAP_USER_OBJECTCLASS
AUTH_BASIC_LDAP_USER_OBJECTCLASS

string

inetOrgPerson

The object class to use for users in the default user search filter ('inetOrgPerson').

LDAP_GROUP_OBJECTCLASS
AUTH_BASIC_LDAP_GROUP_OBJECTCLASS

string

groupOfNames

The object class to use for groups in the default group search filter ('groupOfNames').

LDAP_LOGIN_ATTRIBUTES
AUTH_BASIC_LDAP_LOGIN_ATTRIBUTES

[]string

[uid]

The user object attributes, that can be used for login.

OCIS_URL
OCIS_OIDC_ISSUER
AUTH_BASIC_IDP_URL

string

https://localhost:9200

The identity provider value to set in the userids of the CS3 user objects for users returned by this user provider.

LDAP_USER_SCHEMA_ID
AUTH_BASIC_LDAP_USER_SCHEMA_ID

string

ownclouduuid

LDAP Attribute to use as the unique id for users. This should be a stable globally unique ID like a UUID.

LDAP_USER_SCHEMA_ID_IS_OCTETSTRING
AUTH_BASIC_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING

bool

false

Set this to true if the defined 'id' attribute for users is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the user IDs.

LDAP_USER_SCHEMA_MAIL
AUTH_BASIC_LDAP_USER_SCHEMA_MAIL

string

mail

LDAP Attribute to use for the email address of users.

LDAP_USER_SCHEMA_DISPLAYNAME
AUTH_BASIC_LDAP_USER_SCHEMA_DISPLAYNAME

string

displayname

LDAP Attribute to use for the displayname of users.

LDAP_USER_SCHEMA_USERNAME
AUTH_BASIC_LDAP_USER_SCHEMA_USERNAME

string

uid

LDAP Attribute to use for username of users.

LDAP_GROUP_SCHEMA_ID
AUTH_BASIC_LDAP_GROUP_SCHEMA_ID

string

ownclouduuid

LDAP Attribute to use as the unique id for groups. This should be a stable globally unique id (e.g. a UUID).

LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING
AUTH_BASIC_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING

bool

false

Set this to true if the defined 'id' attribute for groups is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the group IDs.

LDAP_GROUP_SCHEMA_MAIL
AUTH_BASIC_LDAP_GROUP_SCHEMA_MAIL

string

mail

LDAP Attribute to use for the email address of groups (can be empty).

LDAP_GROUP_SCHEMA_DISPLAYNAME
AUTH_BASIC_LDAP_GROUP_SCHEMA_DISPLAYNAME

string

cn

LDAP Attribute to use for the displayname of groups (often the same as groupname attribute).

LDAP_GROUP_SCHEMA_GROUPNAME
AUTH_BASIC_LDAP_GROUP_SCHEMA_GROUPNAME

string

cn

LDAP Attribute to use for the name of groups.

LDAP_GROUP_SCHEMA_MEMBER
AUTH_BASIC_LDAP_GROUP_SCHEMA_MEMBER

string

member

LDAP Attribute that is used for group members.

AUTH_BASIC_OWNCLOUDSQL_DB_USERNAME

string

owncloud

Database user to use for authenticating with the owncloud database.

AUTH_BASIC_OWNCLOUDSQL_DB_PASSWORD

string

Password for the database user.

AUTH_BASIC_OWNCLOUDSQL_DB_HOST

string

mysql

Hostname of the database server.

AUTH_BASIC_OWNCLOUDSQL_DB_PORT

int

3306

Network port to use for the database connection.

AUTH_BASIC_OWNCLOUDSQL_DB_NAME

string

owncloud

Name of the owncloud database.

AUTH_BASIC_OWNCLOUDSQL_IDP

string

https://localhost:9200

The identity provider value to set in the userids of the CS3 user objects for users returned by this user provider.

AUTH_BASIC_OWNCLOUDSQL_NOBODY

int64

90

Fallback number if no numeric UID and GID properties are provided.

AUTH_BASIC_OWNCLOUDSQL_JOIN_USERNAME

bool

false

Join the user properties table to read usernames

AUTH_BASIC_OWNCLOUDSQL_JOIN_OWNCLOUD_UUID

bool

false

Join the user properties table to read user ID’s.

YAML Example

  • latest

  • 2.0.0

# Autogenerated
# Filename: auth-basic-config-example.yaml

tracing:
  enabled: false
  type: ""
  endpoint: ""
  collector: ""
log:
  level: ""
  pretty: false
  color: false
  file: ""
debug:
  addr: 127.0.0.1:9147
  token: ""
  pprof: false
  zpages: false
grpc:
  addr: 127.0.0.1:9146
  tls:
    enabled: false
    cert: ""
    key: ""
  protocol: tcp
token_manager:
  jwt_secret: ""
reva:
  address: 127.0.0.1:9142
  tls:
    mode: ""
    cacert: ""
skip_user_groups_in_token: false
auth_provider: ldap
auth_providers:
  ldap:
    uri: ldaps://localhost:9235
    ca_cert: ~/.ocis/idm/ldap.crt
    insecure: false
    bind_dn: uid=reva,ou=sysusers,o=libregraph-idm
    bind_password: ""
    user_base_dn: ou=users,o=libregraph-idm
    group_base_dn: ou=groups,o=libregraph-idm
    user_scope: sub
    group_scope: sub
    user_filter: ""
    group_filter: ""
    user_object_class: inetOrgPerson
    group_object_class: groupOfNames
    login_attributes:
    - uid
    idp: https://localhost:9200
    user_schema:
      id: ownclouduuid
      id_is_octet_string: false
      mail: mail
      display_name: displayname
      user_name: uid
    group_schema:
      id: ownclouduuid
      id_is_octet_string: false
      mail: mail
      display_name: cn
      group_name: cn
      member: member
  owncloudsql:
    db_username: owncloud
    db_password: ""
    db_host: mysql
    db_port: 3306
    db_name: owncloud
    idp: https://localhost:9200
    nobody: 90
    join_username: false
    join_owncloud_uuid: false
# Autogenerated
# Filename: auth-basic-config-example.yaml

tracing:
  enabled: false
  type: ""
  endpoint: ""
  collector: ""
log:
  level: ""
  pretty: false
  color: false
  file: ""
debug:
  addr: 127.0.0.1:9147
  token: ""
  pprof: false
  zpages: false
grpc:
  addr: 127.0.0.1:9146
  tls:
    enabled: false
    cert: ""
    key: ""
  protocol: tcp
token_manager:
  jwt_secret: ""
reva:
  address: 127.0.0.1:9142
  tls:
    mode: ""
    cacert: ""
skip_user_groups_in_token: false
auth_provider: ldap
auth_providers:
  ldap:
    uri: ldaps://localhost:9235
    ca_cert: ~/.ocis/idm/ldap.crt
    insecure: false
    bind_dn: uid=reva,ou=sysusers,o=libregraph-idm
    bind_password: ""
    user_base_dn: ou=users,o=libregraph-idm
    group_base_dn: ou=groups,o=libregraph-idm
    user_scope: sub
    group_scope: sub
    user_filter: ""
    group_filter: ""
    user_object_class: inetOrgPerson
    group_object_class: groupOfNames
    login_attributes:
    - uid
    idp: https://localhost:9200
    user_schema:
      id: ownclouduuid
      id_is_octet_string: false
      mail: mail
      display_name: displayname
      user_name: uid
    group_schema:
      id: ownclouduuid
      id_is_octet_string: false
      mail: mail
      display_name: cn
      group_name: cn
      member: member
  owncloudsql:
    db_username: owncloud
    db_password: ""
    db_host: mysql
    db_port: 3306
    db_name: owncloud
    idp: https://localhost:9200
    nobody: 90
    join_username: false
    join_owncloud_uuid: false