Graph Service Configuration

Table of Contents

Introduction
Default Values
Restrict Username Patterns
Manual Filters
Sequence Diagram
Caching
Keycloak Configuration for the Personal Data Export
- Keycloak Client Configuration
Configuration
- Environment Variables
- YAML Example

Introduction

The Infinite Scale Graph service provides a simple graph world API which can be used by clients or other services or extensions.

Default Values

Graph listens on port 9120 by default.

Restrict Username Patterns

Usernames can be restricted to follow certain patterns. Such patterns can be neccessary when using the internal IDM for example to align with local Unix username restrictions. Username restrictions can also be handled with an external IDM like Keycloak. The environment variable GRAPH_USERNAME_MATCH can be set to the following values to define where and how these restriction are handled:

none
There is no internal username checking. Restrictions, if any, are defined in the external IDM like Keycloak.
default
Usernames are restricted by the following criteria:
- ASCII standard charset, no UTF-8
- The username must start with either
  - an _ (underscore) or
  - a letter where there is no distinction between lower- and uppercase.
- More characters from the ASCII charset including numbers, aligning to the Unix user namespace.
- optionally an @ character followed by a domain name

Manual Filters

Using the API, you can manually filter like for users. See the Libre Graph API for examples in the developer documentation. Note that you can use and and or to refine results.

Sequence Diagram

The following image gives an overview of the scenario when a client requests to list available spaces the user has access to. To do so, the client is directed with his request automatically via the proxy service to the graph service.

Caching

The graph service can use a configured store via GRAPH_CACHE_STORE. Possible stores are:

Store Type Description

Store Type	Description
`memory`	Basic in-memory store and the default.
`ocmem`	Advanced in-memory store allowing max size.
`redis`	Stores data in a configured Redis cluster.
`redis-sentinel`	Stores data in a configured Redis Sentinel cluster.
`etcd`	Stores data in a configured etcd cluster.
`nats-js`	Stores data using the key-value-store feature of NATS JetStream.
`noop`	Stores nothing. Useful for testing. Not recommended in production environments.

memory

Basic in-memory store and the default.

ocmem

Advanced in-memory store allowing max size.

redis

Stores data in a configured Redis cluster.

redis-sentinel

Stores data in a configured Redis Sentinel cluster.

etcd

Stores data in a configured etcd cluster.

nats-js

Stores data using the key-value-store feature of NATS JetStream.

noop

Stores nothing. Useful for testing. Not recommended in production environments.

Note that in-memory stores are by nature not reboot-persistent.
Though usually not necessary, a database name and a database table can be configured for event stores if the event store supports this. Generally not applicable for stores of type in-memory. These settings are blank by default which means that the standard settings of the configured store apply.
The graph service can be scaled if not using in-memory stores and the stores are configured identically over all instances.
When using redis-sentinel, the Redis master to use is configured via GRAPH_CACHE_STORE_NODES in the form of <sentinel-host>:<sentinel-port>/<redis-master> like 10.10.0.200:26379/mymaster.

Keycloak Configuration for the Personal Data Export

If Keycloak is used for authentication, GDPR regulations require to add all personal identifiable information that Keycloak has about the user to the personal data export. To do this, the following environment variables must be set:

Environment Variable Description

Environment Variable	Description
`OCIS_KEYCLOAK_BASE_PATH`	The URL to the Keycloak instance.
`OCIS_KEYCLOAK_CLIENT_ID`	The client ID of the client that is used to authenticate with Keycloak. This client has to be able to list users and get the credential data.
`OCIS_KEYCLOAK_CLIENT_SECRET`	The client secret of the client that is used to authenticate with Keycloak.
`OCIS_KEYCLOAK_CLIENT_REALM`	The realm the client is defined in.
`OCIS_KEYCLOAK_USER_REALM`	The realm Infinite Scale users are defined in.
`OCIS_KEYCLOAK_INSECURE_SKIP_VERIFY`	If set to true, the TLS certificate of the Keycloak instance is not verified.

OCIS_KEYCLOAK_BASE_PATH

The URL to the Keycloak instance.

OCIS_KEYCLOAK_CLIENT_ID

The client ID of the client that is used to authenticate with Keycloak. This client has to be able to list users and get the credential data.

OCIS_KEYCLOAK_CLIENT_SECRET

The client secret of the client that is used to authenticate with Keycloak.

OCIS_KEYCLOAK_CLIENT_REALM

The realm the client is defined in.

OCIS_KEYCLOAK_USER_REALM

The realm Infinite Scale users are defined in.

OCIS_KEYCLOAK_INSECURE_SKIP_VERIFY

If set to true, the TLS certificate of the Keycloak instance is not verified.

Keycloak Client Configuration

The client that is used to authenticate with Keycloak has to be able to list users and get the credential data. To do this, the following roles have to be assigned to the client and they have to be about the realm that contains the Infinite Scale users:

view-users
view-identity-providers
view-realm
view-clients
view-events
view-authorization

Note that these roles are only available to assign if the client is in the master realm.

Configuration

Environment Variables

The graph service is configured via the following environment variables:

latest
4.0.1
3.0.0

Deprecation notes for the graph service
Deprecation Info	Deprecation Version	Removal Version	Deprecation Replacement
LDAP_BIND_PASSWORD changing name for consistency	4.0.2	5.0.0	OCIS_LDAP_BIND_PASSWORD

Environment variables for the graph service
Name	Type	Default Value	Description
`OCIS_TRACING_ENABLED` `GRAPH_TRACING_ENABLED`	bool	false	Activates tracing.
`OCIS_TRACING_TYPE` `GRAPH_TRACING_TYPE`	string		The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.
`OCIS_TRACING_ENDPOINT` `GRAPH_TRACING_ENDPOINT`	string		The endpoint of the tracing agent.
`OCIS_TRACING_COLLECTOR` `GRAPH_TRACING_COLLECTOR`	string		The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.
`OCIS_LOG_LEVEL` `GRAPH_LOG_LEVEL`	string		The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.
`OCIS_LOG_PRETTY` `GRAPH_LOG_PRETTY`	bool	false	Activates pretty log output.
`OCIS_LOG_COLOR` `GRAPH_LOG_COLOR`	bool	false	Activates colorized log output.
`OCIS_LOG_FILE` `GRAPH_LOG_FILE`	string		The path to the log file. Activates logging to this file if set.
`OCIS_CACHE_STORE` `GRAPH_CACHE_STORE`	string	memory	The type of the cache store. Supported values are: 'memory', 'ocmem', 'etcd', 'redis', 'redis-sentinel', 'nats-js', 'noop'. See the text description for details.
`OCIS_CACHE_STORE_NODES` `GRAPH_CACHE_STORE_NODES`	[]string	[]	A comma separated list of nodes to access the configured store. This has no effect when 'memory' or 'ocmem' stores are configured. Note that the behaviour how nodes are used is dependent on the library of the configured store.
`GRAPH_CACHE_STORE_DATABASE`	string	ocis	The database name the configured store should use.
`GRAPH_CACHE_STORE_TABLE`	string	roles	The database table the store should use.
`OCIS_CACHE_TTL` `GRAPH_CACHE_TTL`	Duration	336h0m0s	Time to live for cache records in the graph. The duration can be set as number followed by a unit identifier like s, m or h. Defaults to '336h' (2 weeks).
`OCIS_CACHE_SIZE` `GRAPH_CACHE_SIZE`	int	0	The maximum quantity of items in the store. Only applies when store type 'ocmem' is configured. Defaults to 512.
`GRAPH_DEBUG_ADDR`	string	127.0.0.1:9124	Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.
`GRAPH_DEBUG_TOKEN`	string		Token to secure the metrics endpoint.
`GRAPH_DEBUG_PPROF`	bool	false	Enables pprof, which can be used for profiling.
`GRAPH_DEBUG_ZPAGES`	bool	false	Enables zpages, which can be used for collecting and viewing in-memory traces.
`GRAPH_HTTP_ADDR`	string	127.0.0.1:9120	The bind address of the HTTP service.
`GRAPH_HTTP_ROOT`	string	/graph	Subdirectory that serves as the root for this HTTP service.
`OCIS_HTTP_TLS_ENABLED`	bool	false	Activates TLS for the http based services using the server certifcate and key configured via OCIS_HTTP_TLS_CERTIFICATE and OCIS_HTTP_TLS_KEY. If OCIS_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.
`OCIS_HTTP_TLS_CERTIFICATE`	string		Path/File name of the TLS server certificate (in PEM format) for the http services.
`OCIS_HTTP_TLS_KEY`	string		Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.
`GRAPH_HTTP_API_TOKEN`	string		An optional API bearer token
`OCIS_CORS_ALLOW_ORIGINS` `GRAPH_CORS_ALLOW_ORIGINS`	[]string	[*]	A comma-separated list of allowed CORS origins. See following chapter for more details: Access-Control-Allow-Origin at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
`OCIS_CORS_ALLOW_METHODS` `GRAPH_CORS_ALLOW_METHODS`	[]string	[GET POST PUT PATCH DELETE OPTIONS]	A comma-separated list of allowed CORS methods. See following chapter for more details: Access-Control-Request-Method at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method
`OCIS_CORS_ALLOW_HEADERS` `GRAPH_CORS_ALLOW_HEADERS`	[]string	[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id Purge Restore]	A blank or comma-separated list of allowed CORS headers. See following chapter for more details: Access-Control-Request-Headers at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers.
`OCIS_CORS_ALLOW_CREDENTIALS` `GRAPH_CORS_ALLOW_CREDENTIALS`	bool	true	Allow credentials for CORS.See following chapter for more details: Access-Control-Allow-Credentials at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.
`GRAPH_GROUP_MEMBERS_PATCH_LIMIT`	int	20	The amount of group members allowed to be added with a single patch request.
`GRAPH_USERNAME_MATCH`	string	default	Apply restrictions to usernames. Supported values are 'default' and 'none'. When set to 'default', user names must not start with a number and are restricted to ASCII characters. When set to 'none', no restrictions are applied. The default value is 'default'.
`GRAPH_ASSIGN_DEFAULT_USER_ROLE`	bool	true	Whether to assign newly created users the default role 'User'. Set this to 'false' if you want to assign roles manually, or if the role assignment should happen at first login. Set this to 'true' (the default) to assign the role 'User' when creating a new user.
`OCIS_REVA_GATEWAY`	string	com.owncloud.api.gateway	The CS3 gateway endpoint.
`OCIS_GRPC_CLIENT_TLS_MODE`	string		TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.
`OCIS_GRPC_CLIENT_TLS_CACERT`	string		Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.
`OCIS_JWT_SECRET` `GRAPH_JWT_SECRET`	string		The secret to mint and validate jwt tokens.
`GRAPH_APPLICATION_ID`	string		The ocis application ID shown in the graph. All app roles are tied to this ID.
`GRAPH_APPLICATION_DISPLAYNAME`	string	ownCloud Infinite Scale	The oCIS application name
`OCIS_URL` `GRAPH_SPACES_WEBDAV_BASE`	string	https://localhost:9200	The public facing URL of WebDAV.
`GRAPH_SPACES_WEBDAV_PATH`	string	/dav/spaces/	The WebDAV subpath for spaces.
`GRAPH_SPACES_DEFAULT_QUOTA`	string	1000000000	The default quota in bytes.
`GRAPH_SPACES_EXTENDED_SPACE_PROPERTIES_CACHE_TTL`	int	60000000000	Max TTL in seconds for the spaces property cache.
`GRAPH_SPACES_USERS_CACHE_TTL`	int	60000000000	Max TTL in seconds for the spaces users cache.
`GRAPH_SPACES_GROUPS_CACHE_TTL`	int	60000000000	Max TTL in seconds for the spaces groups cache.
`GRAPH_IDENTITY_BACKEND`	string	ldap	The user identity backend to use. Supported backend types are 'ldap' and 'cs3'.
`OCIS_LDAP_URI` `GRAPH_LDAP_URI`	string	ldaps://localhost:9235	URI of the LDAP Server to connect to. Supported URI schemes are 'ldaps://' and 'ldap://'
`OCIS_LDAP_CACERT` `GRAPH_LDAP_CACERT`	string	~/.ocis/idm/ldap.crt	Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the LDAP service. If not defined, the root directory derives from $OCIS_BASE_DATA_PATH:/idm.
`OCIS_LDAP_INSECURE` `GRAPH_LDAP_INSECURE`	bool	false	Disable TLS certificate validation for the LDAP connections. Do not set this in production environments.
`OCIS_LDAP_BIND_DN` `GRAPH_LDAP_BIND_DN`	string	uid=libregraph,ou=sysusers,o=libregraph-idm	LDAP DN to use for simple bind authentication with the target LDAP server.
`OCIS_LDAP_BIND_PASSWORD` `LDAP_BIND_PASSWORD` `GRAPH_LDAP_BIND_PASSWORD` Deprecation Note	string		Password to use for authenticating the 'bind_dn'.
`GRAPH_LDAP_SERVER_UUID`	bool	false	If set to true, rely on the LDAP Server to generate a unique ID for users and groups, like when using 'entryUUID' as the user ID attribute.
`GRAPH_LDAP_SERVER_USE_PASSWORD_MODIFY_EXOP`	bool	true	Use the 'Password Modify Extended Operation' for updating user passwords.
`OCIS_LDAP_SERVER_WRITE_ENABLED` `GRAPH_LDAP_SERVER_WRITE_ENABLED`	bool	true	Allow creating, modifying and deleting LDAP users via the GRAPH API. This can only be set to 'true' when keeping default settings for the LDAP user and group attribute types (the 'OCIS_LDAP_USER_SCHEMA_* and 'OCIS_LDAP_GROUP_SCHEMA_* variables).
`GRAPH_LDAP_REFINT_ENABLED`	bool	false	Signals that the server has the refint plugin enabled, which makes some actions not needed.
`OCIS_LDAP_USER_BASE_DN` `GRAPH_LDAP_USER_BASE_DN`	string	ou=users,o=libregraph-idm	Search base DN for looking up LDAP users.
`OCIS_LDAP_USER_SCOPE` `GRAPH_LDAP_USER_SCOPE`	string	sub	LDAP search scope to use when looking up users. Supported scopes are 'base', 'one' and 'sub'.
`OCIS_LDAP_USER_FILTER` `GRAPH_LDAP_USER_FILTER`	string		LDAP filter to add to the default filters for user search like '(objectclass=ownCloud)'.
`OCIS_LDAP_USER_OBJECTCLASS` `GRAPH_LDAP_USER_OBJECTCLASS`	string	inetOrgPerson	The object class to use for users in the default user search filter ('inetOrgPerson').
`OCIS_LDAP_USER_SCHEMA_MAIL` `GRAPH_LDAP_USER_EMAIL_ATTRIBUTE`	string	mail	LDAP Attribute to use for the email address of users.
`LDAP_USER_SCHEMA_DISPLAY_NAME` `GRAPH_LDAP_USER_DISPLAYNAME_ATTRIBUTE`	string	displayName	LDAP Attribute to use for the displayname of users.
`OCIS_LDAP_USER_SCHEMA_USERNAME` `GRAPH_LDAP_USER_NAME_ATTRIBUTE`	string	uid	LDAP Attribute to use for username of users.
`OCIS_LDAP_USER_SCHEMA_ID` `GRAPH_LDAP_USER_UID_ATTRIBUTE`	string	owncloudUUID	LDAP Attribute to use as the unique ID for users. This should be a stable globally unique ID like a UUID.
`OCIS_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING` `GRAPH_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING`	bool	false	Set this to true if the defined 'ID' attribute for users is of the 'OCTETSTRING' syntax. This is required when using the 'objectGUID' attribute of Active Directory for the user ID’s.
`OCIS_LDAP_USER_SCHEMA_USER_TYPE` `GRAPH_LDAP_USER_TYPE_ATTRIBUTE`	string	ownCloudUserType	LDAP Attribute to distinguish between 'Member' and 'Guest' users. Default is 'ownCloudUserType'.
`OCIS_LDAP_USER_ENABLED_ATTRIBUTE` `GRAPH_USER_ENABLED_ATTRIBUTE`	string	ownCloudUserEnabled	LDAP Attribute to use as a flag telling if the user is enabled or disabled.
`OCIS_LDAP_DISABLE_USER_MECHANISM` `GRAPH_DISABLE_USER_MECHANISM`	string	attribute	An option to control the behavior for disabling users. Supported options are 'none', 'attribute' and 'group'. If set to 'group', disabling a user via API will add the user to the configured group for disabled users, if set to 'attribute' this will be done in the ldap user entry, if set to 'none' the disable request is not processed. Default is 'attribute'.
`OCIS_LDAP_DISABLED_USERS_GROUP_DN` `GRAPH_DISABLED_USERS_GROUP_DN`	string	cn=DisabledUsersGroup,ou=groups,o=libregraph-idm	The distinguished name of the group to which added users will be classified as disabled when 'disable_user_mechanism' is set to 'group'.
`OCIS_LDAP_GROUP_BASE_DN` `GRAPH_LDAP_GROUP_BASE_DN`	string	ou=groups,o=libregraph-idm	Search base DN for looking up LDAP groups.
`GRAPH_LDAP_GROUP_CREATE_BASE_DN`	string	ou=groups,o=libregraph-idm	Parent DN under which new groups are created. This DN needs to be subordinate to the 'GRAPH_LDAP_GROUP_BASE_DN'. This setting is only relevant when 'GRAPH_LDAP_SERVER_WRITE_ENABLED' is 'true'. It defaults to the value of 'GRAPH_LDAP_GROUP_BASE_DN'. All groups outside of this subtree are treated as readonly groups and cannot be updated.
`OCIS_LDAP_GROUP_SCOPE` `GRAPH_LDAP_GROUP_SEARCH_SCOPE`	string	sub	LDAP search scope to use when looking up groups. Supported scopes are 'base', 'one' and 'sub'.
`OCIS_LDAP_GROUP_FILTER` `GRAPH_LDAP_GROUP_FILTER`	string		LDAP filter to add to the default filters for group searches.
`OCIS_LDAP_GROUP_OBJECTCLASS` `GRAPH_LDAP_GROUP_OBJECTCLASS`	string	groupOfNames	The object class to use for groups in the default group search filter ('groupOfNames').
`OCIS_LDAP_GROUP_SCHEMA_GROUPNAME` `GRAPH_LDAP_GROUP_NAME_ATTRIBUTE`	string	cn	LDAP Attribute to use for the name of groups.
`OCIS_LDAP_GROUP_SCHEMA_MEMBER` `GRAPH_LDAP_GROUP_MEMBER_ATTRIBUTE`	string	member	LDAP Attribute that is used for group members.
`OCIS_LDAP_GROUP_SCHEMA_ID` `GRAPH_LDAP_GROUP_ID_ATTRIBUTE`	string	owncloudUUID	LDAP Attribute to use as the unique id for groups. This should be a stable globally unique ID like a UUID.
`OCIS_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING` `GRAPH_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING`	bool	false	Set this to true if the defined 'ID' attribute for groups is of the 'OCTETSTRING' syntax. This is required when using the 'objectGUID' attribute of Active Directory for the group ID’s.
`GRAPH_LDAP_EDUCATION_RESOURCES_ENABLED`	bool	false	Enable LDAP support for managing education related resources.
`GRAPH_LDAP_SCHOOL_BASE_DN`	string		Search base DN for looking up LDAP schools.
`GRAPH_LDAP_SCHOOL_SEARCH_SCOPE`	string		LDAP search scope to use when looking up schools. Supported scopes are 'base', 'one' and 'sub'.
`GRAPH_LDAP_SCHOOL_FILTER`	string		LDAP filter to add to the default filters for school searches.
`GRAPH_LDAP_SCHOOL_OBJECTCLASS`	string		The object class to use for schools in the default school search filter.
`GRAPH_LDAP_SCHOOL_NAME_ATTRIBUTE`	string		LDAP Attribute to use for the name of a school.
`GRAPH_LDAP_SCHOOL_NUMBER_ATTRIBUTE`	string		LDAP Attribute to use for the number of a school.
`GRAPH_LDAP_SCHOOL_ID_ATTRIBUTE`	string		LDAP Attribute to use as the unique id for schools. This should be a stable globally unique ID like a UUID.
`GRAPH_LDAP_SCHOOL_TERMINATION_MIN_GRACE_DAYS`	int	0	When setting a 'terminationDate' for a school, require the date to be at least this number of days in the future.
`OCIS_EVENTS_ENDPOINT` `GRAPH_EVENTS_ENDPOINT`	string	127.0.0.1:9233	The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Set to a empty string to disable emitting events.
`OCIS_EVENTS_CLUSTER` `GRAPH_EVENTS_CLUSTER`	string	ocis-cluster	The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.
`OCIS_INSECURE` `GRAPH_EVENTS_TLS_INSECURE`	bool	false	Whether to verify the server TLS certificates.
`OCIS_EVENTS_TLS_ROOT_CA_CERTIFICATE` `GRAPH_EVENTS_TLS_ROOT_CA_CERTIFICATE`	string		The root CA certificate used to validate the server’s TLS certificate. If provided GRAPH_EVENTS_TLS_INSECURE will be seen as false.
`OCIS_EVENTS_ENABLE_TLS` `GRAPH_EVENTS_ENABLE_TLS`	bool	false	Enable TLS for the connection to the events broker. The events broker is the ocis service which receives and delivers events between the services..
`OCIS_KEYCLOAK_BASE_PATH` `GRAPH_KEYCLOAK_BASE_PATH`	string		The URL to access keycloak.
`OCIS_KEYCLOAK_CLIENT_ID` `GRAPH_KEYCLOAK_CLIENT_ID`	string		The client id to authenticate with keycloak.
`OCIS_KEYCLOAK_CLIENT_SECRET` `GRAPH_KEYCLOAK_CLIENT_SECRET`	string		The client secret to use in authentication.
`OCIS_KEYCLOAK_CLIENT_REALM` `GRAPH_KEYCLOAK_CLIENT_REALM`	string		The realm the client is defined in.
`OCIS_KEYCLOAK_USER_REALM` `GRAPH_KEYCLOAK_USER_REALM`	string		The realm users are defined.
`OCIS_KEYCLOAK_INSECURE_SKIP_VERIFY` `GRAPH_KEYCLOAK_INSECURE_SKIP_VERIFY`	bool	false	Disable TLS certificate validation for Keycloak connections. Do not set this in production environments.
`OCIS_SERVICE_ACCOUNT_ID` `GRAPH_SERVICE_ACCOUNT_ID`	string		The ID of the service account the service should use. See the 'auth-service' service description for more details.
`OCIS_SERVICE_ACCOUNT_SECRET` `GRAPH_SERVICE_ACCOUNT_SECRET`	string		The service account secret.

Deprecation notes for the graph service
Deprecation Info	Deprecation Version	Removal Version	Deprecation Replacement
LDAP_BIND_PASSWORD changing name for consistency	4.0.2	5.0.0	OCIS_LDAP_BIND_PASSWORD

Environment variables for the graph service
Name	Type	Default Value	Description
`OCIS_TRACING_ENABLED` `GRAPH_TRACING_ENABLED`	bool	false	Activates tracing.
`OCIS_TRACING_TYPE` `GRAPH_TRACING_TYPE`	string		The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.
`OCIS_TRACING_ENDPOINT` `GRAPH_TRACING_ENDPOINT`	string		The endpoint of the tracing agent.
`OCIS_TRACING_COLLECTOR` `GRAPH_TRACING_COLLECTOR`	string		The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.
`OCIS_LOG_LEVEL` `GRAPH_LOG_LEVEL`	string		The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.
`OCIS_LOG_PRETTY` `GRAPH_LOG_PRETTY`	bool	false	Activates pretty log output.
`OCIS_LOG_COLOR` `GRAPH_LOG_COLOR`	bool	false	Activates colorized log output.
`OCIS_LOG_FILE` `GRAPH_LOG_FILE`	string		The path to the log file. Activates logging to this file if set.
`OCIS_CACHE_STORE` `GRAPH_CACHE_STORE`	string	memory	The type of the cache store. Supported values are: 'memory', 'ocmem', 'etcd', 'redis', 'redis-sentinel', 'nats-js', 'noop'. See the text description for details.
`OCIS_CACHE_STORE_NODES` `GRAPH_CACHE_STORE_NODES`	[]string	[]	A comma separated list of nodes to access the configured store. This has no effect when 'memory' or 'ocmem' stores are configured. Note that the behaviour how nodes are used is dependent on the library of the configured store.
`GRAPH_CACHE_STORE_DATABASE`	string	ocis	The database name the configured store should use.
`GRAPH_CACHE_STORE_TABLE`	string	roles	The database table the store should use.
`OCIS_CACHE_TTL` `GRAPH_CACHE_TTL`	Duration	336h0m0s	Time to live for cache records in the graph. The duration can be set as number followed by a unit identifier like s, m or h. Defaults to '336h' (2 weeks).
`OCIS_CACHE_SIZE` `GRAPH_CACHE_SIZE`	int	0	The maximum quantity of items in the store. Only applies when store type 'ocmem' is configured. Defaults to 512.
`GRAPH_DEBUG_ADDR`	string	127.0.0.1:9124	Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.
`GRAPH_DEBUG_TOKEN`	string		Token to secure the metrics endpoint.
`GRAPH_DEBUG_PPROF`	bool	false	Enables pprof, which can be used for profiling.
`GRAPH_DEBUG_ZPAGES`	bool	false	Enables zpages, which can be used for collecting and viewing in-memory traces.
`GRAPH_HTTP_ADDR`	string	127.0.0.1:9120	The bind address of the HTTP service.
`GRAPH_HTTP_ROOT`	string	/graph	Subdirectory that serves as the root for this HTTP service.
`OCIS_HTTP_TLS_ENABLED`	bool	false	Activates TLS for the http based services using the server certifcate and key configured via OCIS_HTTP_TLS_CERTIFICATE and OCIS_HTTP_TLS_KEY. If OCIS_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.
`OCIS_HTTP_TLS_CERTIFICATE`	string		Path/File name of the TLS server certificate (in PEM format) for the http services.
`OCIS_HTTP_TLS_KEY`	string		Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.
`GRAPH_HTTP_API_TOKEN`	string		An optional API bearer token
`OCIS_CORS_ALLOW_ORIGINS` `GRAPH_CORS_ALLOW_ORIGINS`	[]string	[*]	A comma-separated list of allowed CORS origins. See following chapter for more details: Access-Control-Allow-Origin at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
`OCIS_CORS_ALLOW_METHODS` `GRAPH_CORS_ALLOW_METHODS`	[]string	[GET POST PUT PATCH DELETE OPTIONS]	A comma-separated list of allowed CORS methods. See following chapter for more details: Access-Control-Request-Method at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method
`OCIS_CORS_ALLOW_HEADERS` `GRAPH_CORS_ALLOW_HEADERS`	[]string	[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id Purge Restore]	A blank or comma-separated list of allowed CORS headers. See following chapter for more details: Access-Control-Request-Headers at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers.
`OCIS_CORS_ALLOW_CREDENTIALS` `GRAPH_CORS_ALLOW_CREDENTIALS`	bool	true	Allow credentials for CORS.See following chapter for more details: Access-Control-Allow-Credentials at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.
`GRAPH_GROUP_MEMBERS_PATCH_LIMIT`	int	20	The amount of group members allowed to be added with a single patch request.
`GRAPH_USERNAME_MATCH`	string	default	Apply restrictions to usernames. Supported values are 'default' and 'none'. When set to 'default', user names must not start with a number and are restricted to ASCII characters. When set to 'none', no restrictions are applied. The default value is 'default'.
`GRAPH_ASSIGN_DEFAULT_USER_ROLE`	bool	true	Whether to assign newly created users the default role 'User'. Set this to 'false' if you want to assign roles manually, or if the role assignment should happen at first login. Set this to 'true' (the default) to assign the role 'User' when creating a new user.
`OCIS_REVA_GATEWAY`	string	com.owncloud.api.gateway	The CS3 gateway endpoint.
`OCIS_GRPC_CLIENT_TLS_MODE`	string		TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.
`OCIS_GRPC_CLIENT_TLS_CACERT`	string		Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.
`OCIS_JWT_SECRET` `GRAPH_JWT_SECRET`	string		The secret to mint and validate jwt tokens.
`GRAPH_APPLICATION_ID`	string		The ocis application ID shown in the graph. All app roles are tied to this ID.
`GRAPH_APPLICATION_DISPLAYNAME`	string	ownCloud Infinite Scale	The oCIS application name
`OCIS_URL` `GRAPH_SPACES_WEBDAV_BASE`	string	https://localhost:9200	The public facing URL of WebDAV.
`GRAPH_SPACES_WEBDAV_PATH`	string	/dav/spaces/	The WebDAV subpath for spaces.
`GRAPH_SPACES_DEFAULT_QUOTA`	string	1000000000	The default quota in bytes.
`GRAPH_SPACES_EXTENDED_SPACE_PROPERTIES_CACHE_TTL`	int	60000000000	Max TTL in seconds for the spaces property cache.
`GRAPH_SPACES_USERS_CACHE_TTL`	int	60000000000	Max TTL in seconds for the spaces users cache.
`GRAPH_SPACES_GROUPS_CACHE_TTL`	int	60000000000	Max TTL in seconds for the spaces groups cache.
`GRAPH_IDENTITY_BACKEND`	string	ldap	The user identity backend to use. Supported backend types are 'ldap' and 'cs3'.
`OCIS_LDAP_URI` `GRAPH_LDAP_URI`	string	ldaps://localhost:9235	URI of the LDAP Server to connect to. Supported URI schemes are 'ldaps://' and 'ldap://'
`OCIS_LDAP_CACERT` `GRAPH_LDAP_CACERT`	string	~/.ocis/idm/ldap.crt	Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the LDAP service. If not defined, the root directory derives from $OCIS_BASE_DATA_PATH:/idm.
`OCIS_LDAP_INSECURE` `GRAPH_LDAP_INSECURE`	bool	false	Disable TLS certificate validation for the LDAP connections. Do not set this in production environments.
`OCIS_LDAP_BIND_DN` `GRAPH_LDAP_BIND_DN`	string	uid=libregraph,ou=sysusers,o=libregraph-idm	LDAP DN to use for simple bind authentication with the target LDAP server.
`OCIS_LDAP_BIND_PASSWORD` `LDAP_BIND_PASSWORD` `GRAPH_LDAP_BIND_PASSWORD` Deprecation Note	string		Password to use for authenticating the 'bind_dn'.
`GRAPH_LDAP_SERVER_UUID`	bool	false	If set to true, rely on the LDAP Server to generate a unique ID for users and groups, like when using 'entryUUID' as the user ID attribute.
`GRAPH_LDAP_SERVER_USE_PASSWORD_MODIFY_EXOP`	bool	true	Use the 'Password Modify Extended Operation' for updating user passwords.
`OCIS_LDAP_SERVER_WRITE_ENABLED` `GRAPH_LDAP_SERVER_WRITE_ENABLED`	bool	true	Allow creating, modifying and deleting LDAP users via the GRAPH API. This can only be set to 'true' when keeping default settings for the LDAP user and group attribute types (the 'OCIS_LDAP_USER_SCHEMA_* and 'OCIS_LDAP_GROUP_SCHEMA_* variables).
`GRAPH_LDAP_REFINT_ENABLED`	bool	false	Signals that the server has the refint plugin enabled, which makes some actions not needed.
`OCIS_LDAP_USER_BASE_DN` `GRAPH_LDAP_USER_BASE_DN`	string	ou=users,o=libregraph-idm	Search base DN for looking up LDAP users.
`OCIS_LDAP_USER_SCOPE` `GRAPH_LDAP_USER_SCOPE`	string	sub	LDAP search scope to use when looking up users. Supported scopes are 'base', 'one' and 'sub'.
`OCIS_LDAP_USER_FILTER` `GRAPH_LDAP_USER_FILTER`	string		LDAP filter to add to the default filters for user search like '(objectclass=ownCloud)'.
`OCIS_LDAP_USER_OBJECTCLASS` `GRAPH_LDAP_USER_OBJECTCLASS`	string	inetOrgPerson	The object class to use for users in the default user search filter ('inetOrgPerson').
`OCIS_LDAP_USER_SCHEMA_MAIL` `GRAPH_LDAP_USER_EMAIL_ATTRIBUTE`	string	mail	LDAP Attribute to use for the email address of users.
`LDAP_USER_SCHEMA_DISPLAY_NAME` `GRAPH_LDAP_USER_DISPLAYNAME_ATTRIBUTE`	string	displayName	LDAP Attribute to use for the displayname of users.
`OCIS_LDAP_USER_SCHEMA_USERNAME` `GRAPH_LDAP_USER_NAME_ATTRIBUTE`	string	uid	LDAP Attribute to use for username of users.
`OCIS_LDAP_USER_SCHEMA_ID` `GRAPH_LDAP_USER_UID_ATTRIBUTE`	string	owncloudUUID	LDAP Attribute to use as the unique ID for users. This should be a stable globally unique ID like a UUID.
`OCIS_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING` `GRAPH_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING`	bool	false	Set this to true if the defined 'ID' attribute for users is of the 'OCTETSTRING' syntax. This is required when using the 'objectGUID' attribute of Active Directory for the user ID’s.
`OCIS_LDAP_USER_SCHEMA_USER_TYPE` `GRAPH_LDAP_USER_TYPE_ATTRIBUTE`	string	ownCloudUserType	LDAP Attribute to distinguish between 'Member' and 'Guest' users. Default is 'ownCloudUserType'.
`OCIS_LDAP_USER_ENABLED_ATTRIBUTE` `GRAPH_USER_ENABLED_ATTRIBUTE`	string	ownCloudUserEnabled	LDAP Attribute to use as a flag telling if the user is enabled or disabled.
`OCIS_LDAP_DISABLE_USER_MECHANISM` `GRAPH_DISABLE_USER_MECHANISM`	string	attribute	An option to control the behavior for disabling users. Supported options are 'none', 'attribute' and 'group'. If set to 'group', disabling a user via API will add the user to the configured group for disabled users, if set to 'attribute' this will be done in the ldap user entry, if set to 'none' the disable request is not processed. Default is 'attribute'.
`OCIS_LDAP_DISABLED_USERS_GROUP_DN` `GRAPH_DISABLED_USERS_GROUP_DN`	string	cn=DisabledUsersGroup,ou=groups,o=libregraph-idm	The distinguished name of the group to which added users will be classified as disabled when 'disable_user_mechanism' is set to 'group'.
`OCIS_LDAP_GROUP_BASE_DN` `GRAPH_LDAP_GROUP_BASE_DN`	string	ou=groups,o=libregraph-idm	Search base DN for looking up LDAP groups.
`GRAPH_LDAP_GROUP_CREATE_BASE_DN`	string	ou=groups,o=libregraph-idm	Parent DN under which new groups are created. This DN needs to be subordinate to the 'GRAPH_LDAP_GROUP_BASE_DN'. This setting is only relevant when 'GRAPH_LDAP_SERVER_WRITE_ENABLED' is 'true'. It defaults to the value of 'GRAPH_LDAP_GROUP_BASE_DN'. All groups outside of this subtree are treated as readonly groups and cannot be updated.
`OCIS_LDAP_GROUP_SCOPE` `GRAPH_LDAP_GROUP_SEARCH_SCOPE`	string	sub	LDAP search scope to use when looking up groups. Supported scopes are 'base', 'one' and 'sub'.
`OCIS_LDAP_GROUP_FILTER` `GRAPH_LDAP_GROUP_FILTER`	string		LDAP filter to add to the default filters for group searches.
`OCIS_LDAP_GROUP_OBJECTCLASS` `GRAPH_LDAP_GROUP_OBJECTCLASS`	string	groupOfNames	The object class to use for groups in the default group search filter ('groupOfNames').
`OCIS_LDAP_GROUP_SCHEMA_GROUPNAME` `GRAPH_LDAP_GROUP_NAME_ATTRIBUTE`	string	cn	LDAP Attribute to use for the name of groups.
`OCIS_LDAP_GROUP_SCHEMA_MEMBER` `GRAPH_LDAP_GROUP_MEMBER_ATTRIBUTE`	string	member	LDAP Attribute that is used for group members.
`OCIS_LDAP_GROUP_SCHEMA_ID` `GRAPH_LDAP_GROUP_ID_ATTRIBUTE`	string	owncloudUUID	LDAP Attribute to use as the unique id for groups. This should be a stable globally unique ID like a UUID.
`OCIS_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING` `GRAPH_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING`	bool	false	Set this to true if the defined 'ID' attribute for groups is of the 'OCTETSTRING' syntax. This is required when using the 'objectGUID' attribute of Active Directory for the group ID’s.
`GRAPH_LDAP_EDUCATION_RESOURCES_ENABLED`	bool	false	Enable LDAP support for managing education related resources.
`GRAPH_LDAP_SCHOOL_BASE_DN`	string		Search base DN for looking up LDAP schools.
`GRAPH_LDAP_SCHOOL_SEARCH_SCOPE`	string		LDAP search scope to use when looking up schools. Supported scopes are 'base', 'one' and 'sub'.
`GRAPH_LDAP_SCHOOL_FILTER`	string		LDAP filter to add to the default filters for school searches.
`GRAPH_LDAP_SCHOOL_OBJECTCLASS`	string		The object class to use for schools in the default school search filter.
`GRAPH_LDAP_SCHOOL_NAME_ATTRIBUTE`	string		LDAP Attribute to use for the name of a school.
`GRAPH_LDAP_SCHOOL_NUMBER_ATTRIBUTE`	string		LDAP Attribute to use for the number of a school.
`GRAPH_LDAP_SCHOOL_ID_ATTRIBUTE`	string		LDAP Attribute to use as the unique id for schools. This should be a stable globally unique ID like a UUID.
`GRAPH_LDAP_SCHOOL_TERMINATION_MIN_GRACE_DAYS`	int	0	When setting a 'terminationDate' for a school, require the date to be at least this number of days in the future.
`OCIS_EVENTS_ENDPOINT` `GRAPH_EVENTS_ENDPOINT`	string	127.0.0.1:9233	The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Set to a empty string to disable emitting events.
`OCIS_EVENTS_CLUSTER` `GRAPH_EVENTS_CLUSTER`	string	ocis-cluster	The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.
`OCIS_INSECURE` `GRAPH_EVENTS_TLS_INSECURE`	bool	false	Whether to verify the server TLS certificates.
`OCIS_EVENTS_TLS_ROOT_CA_CERTIFICATE` `GRAPH_EVENTS_TLS_ROOT_CA_CERTIFICATE`	string		The root CA certificate used to validate the server’s TLS certificate. If provided GRAPH_EVENTS_TLS_INSECURE will be seen as false.
`OCIS_EVENTS_ENABLE_TLS` `GRAPH_EVENTS_ENABLE_TLS`	bool	false	Enable TLS for the connection to the events broker. The events broker is the ocis service which receives and delivers events between the services..
`OCIS_MACHINE_AUTH_API_KEY` `USERLOG_MACHINE_AUTH_API_KEY`	string		Machine auth API key used to validate internal requests necessary to access resources from other services.
`OCIS_KEYCLOAK_BASE_PATH` `GRAPH_KEYCLOAK_BASE_PATH`	string		The URL to access keycloak.
`OCIS_KEYCLOAK_CLIENT_ID` `GRAPH_KEYCLOAK_CLIENT_ID`	string		The client id to authenticate with keycloak.
`OCIS_KEYCLOAK_CLIENT_SECRET` `GRAPH_KEYCLOAK_CLIENT_SECRET`	string		The client secret to use in authentication.
`OCIS_KEYCLOAK_CLIENT_REALM` `GRAPH_KEYCLOAK_CLIENT_REALM`	string		The realm the client is defined in.
`OCIS_KEYCLOAK_USER_REALM` `GRAPH_KEYCLOAK_USER_REALM`	string		The realm users are defined.
`OCIS_KEYCLOAK_INSECURE_SKIP_VERIFY` `GRAPH_KEYCLOAK_INSECURE_SKIP_VERIFY`	bool	false	Disable TLS certificate validation for Keycloak connections. Do not set this in production environments.

Deprecation notes for the graph service
Deprecation Info	Deprecation Version	Removal Version	Deprecation Replacement
REVA_GATEWAY changing name for consistency	3.0	4.0.0	OCIS_REVA_GATEWAY
LDAP_URI changing name for consistency	3.0	4.0.0	OCIS_LDAP_URI
LDAP_CACERT changing name for consistency	3.0	4.0.0	OCIS_LDAP_CACERT
LDAP_INSECURE changing name for consistency	3.0	4.0.0	OCIS_LDAP_INSECURE
LDAP_BIND_DN changing name for consistency	3.0	4.0.0	OCIS_LDAP_BIND_DN
LDAP_USER_BASE_DN changing name for consistency	3.0	4.0.0	OCIS_LDAP_USER_BASE_DN
LDAP_USER_SCOPE changing name for consistency	3.0	4.0.0	OCIS_LDAP_USER_SCOPE
LDAP_USER_FILTER changing name for consistency	3.0	4.0.0	OCIS_LDAP_USER_FILTER
LDAP_USER_OBJECTCLASS changing name for consistency	3.0	4.0.0	OCIS_LDAP_USER_OBJECTCLASS
LDAP_USER_SCHEMA_MAIL changing name for consistency	3.0	4.0.0	OCIS_LDAP_USER_SCHEMA_MAIL
LDAP_USER_SCHEMA_USERNAME changing name for consistency	3.0	4.0.0	OCIS_LDAP_USER_SCHEMA_USERNAME
LDAP_USER_SCHEMA_ID changing name for consistency	3.0	4.0.0	OCIS_LDAP_USER_SCHEMA_ID
LDAP_USER_SCHEMA_USER_TYPE changing name for consistency	3.0	4.0.0	OCIS_LDAP_USER_SCHEMA_USER_TYPE
LDAP_USER_ENABLED_ATTRIBUTE changing name for consistency	3.0	4.0.0	OCIS_LDAP_USER_ENABLED_ATTRIBUTE
LDAP_DISABLE_USER_MECHANISM changing name for consistency	3.0	4.0.0	OCIS_LDAP_DISABLE_USER_MECHANISM
LDAP_DISABLED_USERS_GROUP_DN changing name for consistency	3.0	4.0.0	OCIS_LDAP_DISABLED_USERS_GROUP_DN
LDAP_GROUP_BASE_DN changing name for consistency	3.0	4.0.0	OCIS_LDAP_GROUP_BASE_DN
LDAP_GROUP_SCOPE changing name for consistency	3.0	4.0.0	OCIS_LDAP_GROUP_SCOPE
LDAP_GROUP_FILTER changing name for consistency	3.0	4.0.0	OCIS_LDAP_GROUP_FILTER
LDAP_GROUP_OBJECTCLASS changing name for consistency	3.0	4.0.0	OCIS_LDAP_GROUP_OBJECTCLASS
LDAP_GROUP_SCHEMA_GROUPNAME changing name for consistency	3.0	4.0.0	OCIS_LDAP_GROUP_SCHEMA_GROUPNAME
LDAP_GROUP_SCHEMA_ID changing name for consistency	3.0	4.0.0	OCIS_LDAP_GROUP_SCHEMA_ID

Environment variables for the graph service
Name	Type	Default Value	Description
`OCIS_TRACING_ENABLED` `GRAPH_TRACING_ENABLED`	bool	false	Activates tracing.
`OCIS_TRACING_TYPE` `GRAPH_TRACING_TYPE`	string		The type of tracing. Defaults to "", which is the same as "jaeger". Allowed tracing types are "jaeger" and "" as of now.
`OCIS_TRACING_ENDPOINT` `GRAPH_TRACING_ENDPOINT`	string		The endpoint of the tracing agent.
`OCIS_TRACING_COLLECTOR` `GRAPH_TRACING_COLLECTOR`	string		The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.
`OCIS_LOG_LEVEL` `GRAPH_LOG_LEVEL`	string		The log level. Valid values are: "panic", "fatal", "error", "warn", "info", "debug", "trace".
`OCIS_LOG_PRETTY` `GRAPH_LOG_PRETTY`	bool	false	Activates pretty log output.
`OCIS_LOG_COLOR` `GRAPH_LOG_COLOR`	bool	false	Activates colorized log output.
`OCIS_LOG_FILE` `GRAPH_LOG_FILE`	string		The path to the log file. Activates logging to this file if set.
`OCIS_CACHE_STORE` `GRAPH_CACHE_STORE`	string	memory	The type of the cache store. Supported values are: 'memory', 'ocmem', 'etcd', 'redis', 'redis-sentinel', 'nats-js', 'noop'. See the text description for details.
`OCIS_CACHE_STORE_NODES` `GRAPH_CACHE_STORE_NODES`	[]string	[]	A comma separated list of nodes to access the configured store. This has no effect when 'memory' or 'ocmem' stores are configured. Note that the behaviour how nodes are used is dependent on the library of the configured store.
`GRAPH_CACHE_STORE_DATABASE`	string	ocis	The database name the configured store should use.
`GRAPH_CACHE_STORE_TABLE`	string	roles	The database table the store should use.
`OCIS_CACHE_TTL` `GRAPH_CACHE_TTL`	Duration	336h0m0s	Time to live for cache records in the graph. The duration can be set as number followed by a unit identifier like s, m or h. Defaults to '336h' (2 weeks).
`OCIS_CACHE_SIZE` `GRAPH_CACHE_SIZE`	int	0	The maximum quantity of items in the store. Only applies when store type 'ocmem' is configured. Defaults to 512.
`GRAPH_DEBUG_ADDR`	string	127.0.0.1:9124	Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.
`GRAPH_DEBUG_TOKEN`	string		Token to secure the metrics endpoint.
`GRAPH_DEBUG_PPROF`	bool	false	Enables pprof, which can be used for profiling.
`GRAPH_DEBUG_ZPAGES`	bool	false	Enables zpages, which can be used for collecting and viewing in-memory traces.
`GRAPH_HTTP_ADDR`	string	127.0.0.1:9120	The bind address of the HTTP service.
`GRAPH_HTTP_ROOT`	string	/graph	Subdirectory that serves as the root for this HTTP service.
`OCIS_HTTP_TLS_ENABLED`	bool	false	Activates TLS for the http based services using the server certifcate and key configured via OCIS_HTTP_TLS_CERTIFICATE and OCIS_HTTP_TLS_KEY. If OCIS_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.
`OCIS_HTTP_TLS_CERTIFICATE`	string		Path/File name of the TLS server certificate (in PEM format) for the http services.
`OCIS_HTTP_TLS_KEY`	string		Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.
`GRAPH_HTTP_API_TOKEN`	string		An optional API bearer token
`OCIS_CORS_ALLOW_ORIGINS` `GRAPH_CORS_ALLOW_ORIGINS`	[]string	[*]	A comma-separated list of allowed CORS origins. See following chapter for more details: Access-Control-Allow-Origin at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
`OCIS_CORS_ALLOW_METHODS` `GRAPH_CORS_ALLOW_METHODS`	[]string	[GET POST PUT PATCH DELETE OPTIONS]	A comma-separated list of allowed CORS methods. See following chapter for more details: Access-Control-Request-Method at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method
`OCIS_CORS_ALLOW_HEADERS` `GRAPH_CORS_ALLOW_HEADERS`	[]string	[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id Purge Restore]	A comma-separated list of allowed CORS headers. See following chapter for more details: Access-Control-Request-Headers at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers.
`OCIS_CORS_ALLOW_CREDENTIALS` `GRAPH_CORS_ALLOW_CREDENTIALS`	bool	true	Allow credentials for CORS.See following chapter for more details: Access-Control-Allow-Credentials at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.
`GRAPH_GROUP_MEMBERS_PATCH_LIMIT`	int	20	The amount of group members allowed to be added with a single patch request.
`GRAPH_USERNAME_MATCH`	string	default	Apply restrictions to usernames. Supported values are 'default' and 'none'. When set to 'default', user names must not start with a number and are restricted to ASCII characters. When set to 'none', no restrictions are applied. The default value is 'default'.
`GRAPH_ASSIGN_DEFAULT_USER_ROLE`	bool	true	Whether to assign newly created users the default role 'User'. Set this to 'false' if you want to assign roles manually, or if the role assignment should happen at first login. Set this to 'true' (the default) to assign the role 'User' when creating a new user.
`OCIS_REVA_GATEWAY` `REVA_GATEWAY` Deprecation Note	string	127.0.0.1:9142	The CS3 gateway endpoint.
`OCIS_GRPC_CLIENT_TLS_MODE`	string		TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.
`OCIS_GRPC_CLIENT_TLS_CACERT`	string		Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.
`OCIS_JWT_SECRET` `GRAPH_JWT_SECRET`	string		The secret to mint and validate jwt tokens.
`GRAPH_APPLICATION_ID`	string		The ocis application id shown in the graph. All app roles are tied to this.
`GRAPH_APPLICATION_DISPLAYNAME`	string	ownCloud Infinite Scale	The oCIS application name
`OCIS_URL` `GRAPH_SPACES_WEBDAV_BASE`	string	https://localhost:9200	The public facing URL of WebDAV.
`GRAPH_SPACES_WEBDAV_PATH`	string	/dav/spaces/	The WebDAV subpath for spaces.
`GRAPH_SPACES_DEFAULT_QUOTA`	string	1000000000	The default quota in bytes.
`GRAPH_SPACES_EXTENDED_SPACE_PROPERTIES_CACHE_TTL`	int	60000000000	Max TTL in seconds for the spaces property cache.
`GRAPH_SPACES_USERS_CACHE_TTL`	int	60000000000	Max TTL in seconds for the spaces users cache.
`GRAPH_SPACES_GROUPS_CACHE_TTL`	int	60000000000	Max TTL in seconds for the spaces groups cache.
`GRAPH_IDENTITY_BACKEND`	string	ldap	The user identity backend to use. Supported backend types are 'ldap' and 'cs3'.
`OCIS_LDAP_URI` `LDAP_URI` `GRAPH_LDAP_URI` Deprecation Note	string	ldaps://localhost:9235	URI of the LDAP Server to connect to. Supported URI schemes are 'ldaps://' and 'ldap://'
`OCIS_LDAP_CACERT` `LDAP_CACERT` `GRAPH_LDAP_CACERT` Deprecation Note	string	~/.ocis/idm/ldap.crt	Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the LDAP service. If not defined, the root directory derives from $OCIS_BASE_DATA_PATH:/idm.
`OCIS_LDAP_INSECURE` `LDAP_INSECURE` `GRAPH_LDAP_INSECURE` Deprecation Note	bool	false	Disable TLS certificate validation for the LDAP connections. Do not set this in production environments.
`OCIS_LDAP_BIND_DN` `LDAP_BIND_DN` `GRAPH_LDAP_BIND_DN` Deprecation Note	string	uid=libregraph,ou=sysusers,o=libregraph-idm	LDAP DN to use for simple bind authentication with the target LDAP server.
`LDAP_BIND_PASSWORD` `GRAPH_LDAP_BIND_PASSWORD`	string		Password to use for authenticating the 'bind_dn'.
`GRAPH_LDAP_SERVER_UUID`	bool	false	If set to true, rely on the LDAP Server to generate a unique ID for users and groups, like when using 'entryUUID' as the user ID attribute.
`GRAPH_LDAP_SERVER_USE_PASSWORD_MODIFY_EXOP`	bool	true	Use the 'Password Modify Extended Operation' for updating user passwords.
`OCIS_LDAP_SERVER_WRITE_ENABLED` `GRAPH_LDAP_SERVER_WRITE_ENABLED`	bool	true	Allow creating, modifying and deleting LDAP users via the GRAPH API. This can only be set to 'true' when keeping default settings for the LDAP user and group attribute types (the 'OCIS_LDAP_USER_SCHEMA_* and 'OCIS_LDAP_GROUP_SCHEMA_* variables).
`GRAPH_LDAP_REFINT_ENABLED`	bool	false	Signals that the server has the refint plugin enabled, which makes some actions not needed.
`OCIS_LDAP_USER_BASE_DN` `LDAP_USER_BASE_DN` `GRAPH_LDAP_USER_BASE_DN` Deprecation Note	string	ou=users,o=libregraph-idm	Search base DN for looking up LDAP users.
`OCIS_LDAP_USER_SCOPE` `LDAP_USER_SCOPE` `GRAPH_LDAP_USER_SCOPE` Deprecation Note	string	sub	LDAP search scope to use when looking up users. Supported scopes are 'base', 'one' and 'sub'.
`OCIS_LDAP_USER_FILTER` `LDAP_USER_FILTER` `GRAPH_LDAP_USER_FILTER` Deprecation Note	string		LDAP filter to add to the default filters for user search like '(objectclass=ownCloud)'.
`OCIS_LDAP_USER_OBJECTCLASS` `LDAP_USER_OBJECTCLASS` `GRAPH_LDAP_USER_OBJECTCLASS` Deprecation Note	string	inetOrgPerson	The object class to use for users in the default user search filter ('inetOrgPerson').
`OCIS_LDAP_USER_SCHEMA_MAIL` `LDAP_USER_SCHEMA_MAIL` `GRAPH_LDAP_USER_EMAIL_ATTRIBUTE` Deprecation Note	string	mail	LDAP Attribute to use for the email address of users.
`LDAP_USER_SCHEMA_DISPLAY_NAME` `GRAPH_LDAP_USER_DISPLAYNAME_ATTRIBUTE`	string	displayName	LDAP Attribute to use for the displayname of users.
`OCIS_LDAP_USER_SCHEMA_USERNAME` `LDAP_USER_SCHEMA_USERNAME` `GRAPH_LDAP_USER_NAME_ATTRIBUTE` Deprecation Note	string	uid	LDAP Attribute to use for username of users.
`OCIS_LDAP_USER_SCHEMA_ID` `LDAP_USER_SCHEMA_ID` `GRAPH_LDAP_USER_UID_ATTRIBUTE` Deprecation Note	string	owncloudUUID	LDAP Attribute to use as the unique ID for users. This should be a stable globally unique ID like a UUID.
`OCIS_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING` `GRAPH_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING`	bool	false	Set this to true if the defined 'ID' attribute for users is of the 'OCTETSTRING' syntax. This is required when using the 'objectGUID' attribute of Active Directory for the user ID’s.
`OCIS_LDAP_USER_SCHEMA_USER_TYPE` `LDAP_USER_SCHEMA_USER_TYPE` `GRAPH_LDAP_USER_TYPE_ATTRIBUTE` Deprecation Note	string	ownCloudUserType	LDAP Attribute to distinguish between 'Member' and 'Guest' users. Default is 'ownCloudUserType'.
`OCIS_LDAP_USER_ENABLED_ATTRIBUTE` `LDAP_USER_ENABLED_ATTRIBUTE` `GRAPH_USER_ENABLED_ATTRIBUTE` Deprecation Note	string	ownCloudUserEnabled	LDAP Attribute to use as a flag telling if the user is enabled or disabled.
`OCIS_LDAP_DISABLE_USER_MECHANISM` `LDAP_DISABLE_USER_MECHANISM` `GRAPH_DISABLE_USER_MECHANISM` Deprecation Note	string	attribute	An option to control the behavior for disabling users. Supported options are 'none', 'attribute' and 'group'. If set to 'group', disabling a user via API will add the user to the configured group for disabled users, if set to 'attribute' this will be done in the ldap user entry, if set to 'none' the disable request is not processed. Default is 'attribute'.
`OCIS_LDAP_DISABLED_USERS_GROUP_DN` `LDAP_DISABLED_USERS_GROUP_DN` `GRAPH_DISABLED_USERS_GROUP_DN` Deprecation Note	string	cn=DisabledUsersGroup,ou=groups,o=libregraph-idm	The distinguished name of the group to which added users will be classified as disabled when 'disable_user_mechanism' is set to 'group'.
`OCIS_LDAP_GROUP_BASE_DN` `LDAP_GROUP_BASE_DN` `GRAPH_LDAP_GROUP_BASE_DN` Deprecation Note	string	ou=groups,o=libregraph-idm	Search base DN for looking up LDAP groups.
`GRAPH_LDAP_GROUP_CREATE_BASE_DN`	string	ou=groups,o=libregraph-idm	Parent DN under which new groups are created. This DN needs to be subordinate to the 'GRAPH_LDAP_GROUP_BASE_DN'. This setting is only relevant when 'GRAPH_LDAP_SERVER_WRITE_ENABLED' is 'true'. It defaults to the value of 'GRAPH_LDAP_GROUP_BASE_DN'. All groups outside of this subtree are treated as readonly groups and cannot be updated.
`OCIS_LDAP_GROUP_SCOPE` `LDAP_GROUP_SCOPE` `GRAPH_LDAP_GROUP_SEARCH_SCOPE` Deprecation Note	string	sub	LDAP search scope to use when looking up groups. Supported scopes are 'base', 'one' and 'sub'.
`OCIS_LDAP_GROUP_FILTER` `LDAP_GROUP_FILTER` `GRAPH_LDAP_GROUP_FILTER` Deprecation Note	string		LDAP filter to add to the default filters for group searches.
`OCIS_LDAP_GROUP_OBJECTCLASS` `LDAP_GROUP_OBJECTCLASS` `GRAPH_LDAP_GROUP_OBJECTCLASS` Deprecation Note	string	groupOfNames	The object class to use for groups in the default group search filter ('groupOfNames').
`OCIS_LDAP_GROUP_SCHEMA_GROUPNAME` `LDAP_GROUP_SCHEMA_GROUPNAME` `GRAPH_LDAP_GROUP_NAME_ATTRIBUTE` Deprecation Note	string	cn	LDAP Attribute to use for the name of groups.
`OCIS_LDAP_GROUP_SCHEMA_ID` `LDAP_GROUP_SCHEMA_ID` `GRAPH_LDAP_GROUP_ID_ATTRIBUTE` Deprecation Note	string	owncloudUUID	LDAP Attribute to use as the unique id for groups. This should be a stable globally unique ID like a UUID.
`OCIS_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING` `GRAPH_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING`	bool	false	Set this to true if the defined 'ID' attribute for groups is of the 'OCTETSTRING' syntax. This is required when using the 'objectGUID' attribute of Active Directory for the group ID’s.
`GRAPH_LDAP_EDUCATION_RESOURCES_ENABLED`	bool	false	Enable LDAP support for managing education related resources.
`GRAPH_LDAP_SCHOOL_BASE_DN`	string		Search base DN for looking up LDAP schools.
`GRAPH_LDAP_SCHOOL_SEARCH_SCOPE`	string		LDAP search scope to use when looking up schools. Supported scopes are 'base', 'one' and 'sub'.
`GRAPH_LDAP_SCHOOL_FILTER`	string		LDAP filter to add to the default filters for school searches.
`GRAPH_LDAP_SCHOOL_OBJECTCLASS`	string		The object class to use for schools in the default school search filter.
`GRAPH_LDAP_SCHOOL_NAME_ATTRIBUTE`	string		LDAP Attribute to use for the name of a school.
`GRAPH_LDAP_SCHOOL_NUMBER_ATTRIBUTE`	string		LDAP Attribute to use for the number of a school.
`GRAPH_LDAP_SCHOOL_ID_ATTRIBUTE`	string		LDAP Attribute to use as the unique id for schools. This should be a stable globally unique ID like a UUID.
`OCIS_EVENTS_ENDPOINT` `GRAPH_EVENTS_ENDPOINT`	string	127.0.0.1:9233	The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Set to a empty string to disable emitting events.
`OCIS_EVENTS_CLUSTER` `GRAPH_EVENTS_CLUSTER`	string	ocis-cluster	The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.
`OCIS_INSECURE` `GRAPH_EVENTS_TLS_INSECURE`	bool	false	Whether to verify the server TLS certificates.
`OCIS_EVENTS_TLS_ROOT_CA_CERTIFICATE` `GRAPH_EVENTS_TLS_ROOT_CA_CERTIFICATE`	string		The root CA certificate used to validate the server’s TLS certificate. If provided GRAPH_EVENTS_TLS_INSECURE will be seen as false.
`OCIS_EVENTS_ENABLE_TLS` `GRAPH_EVENTS_ENABLE_TLS`	bool	false	Enable TLS for the connection to the events broker. The events broker is the ocis service which receives and delivers events between the services..
`OCIS_MACHINE_AUTH_API_KEY` `USERLOG_MACHINE_AUTH_API_KEY`	string		Machine auth API key used to validate internal requests necessary to access resources from other services.
`OCIS_KEYCLOAK_BASE_PATH` `GRAPH_KEYCLOAK_BASE_PATH`	string		The URL to access keycloak.
`OCIS_KEYCLOAK_CLIENT_ID` `GRAPH_KEYCLOAK_CLIENT_ID`	string		The client id to authenticate with keycloak.
`OCIS_KEYCLOAK_CLIENT_SECRET` `GRAPH_KEYCLOAK_CLIENT_SECRET`	string		The client secret to use in authentication.
`OCIS_KEYCLOAK_CLIENT_REALM` `GRAPH_KEYCLOAK_CLIENT_REALM`	string		The realm the client is defined in.
`OCIS_KEYCLOAK_USER_REALM` `GRAPH_KEYCLOAK_USER_REALM`	string		The realm users are defined.
`OCIS_KEYCLOAK_INSECURE_SKIP_VERIFY` `GRAPH_KEYCLOAK_INSECURE_SKIP_VERIFY`	bool	false	Disable TLS certificate validation for Keycloak connections. Do not set this in production environments.

YAML Example

Note that the filename shown below has been chosen on purpose.
See the Configuration File Naming for details when setting up your own configuration.

latest
4.0.1
3.0.0

# Autogenerated
# Filename: graph-config-example.yaml

tracing:
  enabled: false
  type: ""
  endpoint: ""
  collector: ""
log:
  level: ""
  pretty: false
  color: false
  file: ""
cache:
  store: memory
  nodes: []
  database: ocis
  table: roles
  ttl: 336h0m0s
  size: 0
debug:
  addr: 127.0.0.1:9124
  token: ""
  pprof: false
  zpages: false
http:
  addr: 127.0.0.1:9120
  root: /graph
  tls:
    enabled: false
    cert: ""
    key: ""
  apitoken: ""
  cors:
    allow_origins:
    - '*'
    allow_methods:
    - GET
    - POST
    - PUT
    - PATCH
    - DELETE
    - OPTIONS
    allow_headers:
    - Authorization
    - Origin
    - Content-Type
    - Accept
    - X-Requested-With
    - X-Request-Id
    - Purge
    - Restore
    allow_credentials: true
api:
  group_members_patch_limit: 20
  graph_username_match: default
  graph_assign_default_user_role: true
reva:
  address: com.owncloud.api.gateway
  tls:
    mode: ""
    cacert: ""
token_manager:
  jwt_secret: ""
grpc_client_tls: null
application:
  id: ""
  displayname: ownCloud Infinite Scale
spaces:
  webdav_base: https://localhost:9200
  webdav_path: /dav/spaces/
  default_quota: "1000000000"
  extended_space_properties_cache_ttl: 60000000000
  users_cache_ttl: 60000000000
  groups_cache_ttl: 60000000000
identity:
  backend: ldap
  ldap:
    uri: ldaps://localhost:9235
    cacert: ~/.ocis/idm/ldap.crt
    insecure: false
    bind_dn: uid=libregraph,ou=sysusers,o=libregraph-idm
    bind_password: ""
    use_server_uuid: false
    use_password_modify_exop: true
    write_enabled: true
    refint_enabled: false
    user_base_dn: ou=users,o=libregraph-idm
    user_search_scope: sub
    user_filter: ""
    user_objectclass: inetOrgPerson
    user_mail_attribute: mail
    user_displayname_attribute: displayName
    user_name_attribute: uid
    user_id_attribute: owncloudUUID
    user_id_is_octet_string: false
    user_type_attribute: ownCloudUserType
    user_enabled_attribute: ownCloudUserEnabled
    disable_user_mechanism: attribute
    ldap_disabled_users_group_dn: cn=DisabledUsersGroup,ou=groups,o=libregraph-idm
    group_base_dn: ou=groups,o=libregraph-idm
    group_create_base_dn: ou=groups,o=libregraph-idm
    group_search_scope: sub
    group_filter: ""
    group_objectclass: groupOfNames
    group_name_attribute: cn
    group_member_attribute: member
    group_id_attribute: owncloudUUID
    group_id_is_octet_string: false
    education_resources_enabled: false
    educationconfig:
      school_base_dn: ""
      school_search_scope: ""
      school_filter: ""
      school_objectclass: ""
      school_name_attribute: ""
      school_number_attribute: ""
      school_id_attribute: ""
      school_termination_min_grace_days: 0
events:
  endpoint: 127.0.0.1:9233
  cluster: ocis-cluster
  tls_insecure: false
  tls_root_ca_certificate: ""
  enable_tls: false
keycloak:
  base_path: ""
  client_id: ""
  client_secret: ""
  client_realm: ""
  user_realm: ""
  insecure_skip_verify: false
service_account:
  service_account_id: ""
  service_account_secret: ""

# Autogenerated
# Filename: graph-config-example.yaml

tracing:
  enabled: false
  type: ""
  endpoint: ""
  collector: ""
log:
  level: ""
  pretty: false
  color: false
  file: ""
cache:
  store: memory
  nodes: []
  database: ocis
  table: roles
  ttl: 336h0m0s
  size: 0
debug:
  addr: 127.0.0.1:9124
  token: ""
  pprof: false
  zpages: false
http:
  addr: 127.0.0.1:9120
  root: /graph
  tls:
    enabled: false
    cert: ""
    key: ""
  apitoken: ""
  cors:
    allow_origins:
    - '*'
    allow_methods:
    - GET
    - POST
    - PUT
    - PATCH
    - DELETE
    - OPTIONS
    allow_headers:
    - Authorization
    - Origin
    - Content-Type
    - Accept
    - X-Requested-With
    - X-Request-Id
    - Purge
    - Restore
    allow_credentials: true
api:
  group_members_patch_limit: 20
  graph_username_match: default
  graph_assign_default_user_role: true
reva:
  address: com.owncloud.api.gateway
  tls:
    mode: ""
    cacert: ""
token_manager:
  jwt_secret: ""
grpc_client_tls: null
application:
  id: ""
  displayname: ownCloud Infinite Scale
spaces:
  webdav_base: https://localhost:9200
  webdav_path: /dav/spaces/
  default_quota: "1000000000"
  extended_space_properties_cache_ttl: 60000000000
  users_cache_ttl: 60000000000
  groups_cache_ttl: 60000000000
identity:
  backend: ldap
  ldap:
    uri: ldaps://localhost:9235
    cacert: ~/.ocis/idm/ldap.crt
    insecure: false
    bind_dn: uid=libregraph,ou=sysusers,o=libregraph-idm
    bind_password: ""
    use_server_uuid: false
    use_password_modify_exop: true
    write_enabled: true
    refint_enabled: false
    user_base_dn: ou=users,o=libregraph-idm
    user_search_scope: sub
    user_filter: ""
    user_objectclass: inetOrgPerson
    user_mail_attribute: mail
    user_displayname_attribute: displayName
    user_name_attribute: uid
    user_id_attribute: owncloudUUID
    user_id_is_octet_string: false
    user_type_attribute: ownCloudUserType
    user_enabled_attribute: ownCloudUserEnabled
    disable_user_mechanism: attribute
    ldap_disabled_users_group_dn: cn=DisabledUsersGroup,ou=groups,o=libregraph-idm
    group_base_dn: ou=groups,o=libregraph-idm
    group_create_base_dn: ou=groups,o=libregraph-idm
    group_search_scope: sub
    group_filter: ""
    group_objectclass: groupOfNames
    group_name_attribute: cn
    group_member_attribute: member
    group_id_attribute: owncloudUUID
    group_id_is_octet_string: false
    education_resources_enabled: false
    educationconfig:
      school_base_dn: ""
      school_search_scope: ""
      school_filter: ""
      school_objectclass: ""
      school_name_attribute: ""
      school_number_attribute: ""
      school_id_attribute: ""
      school_termination_min_grace_days: 0
events:
  endpoint: 127.0.0.1:9233
  cluster: ocis-cluster
  tls_insecure: false
  tls_root_ca_certificate: ""
  enable_tls: false
machine_auth_api_key: ""
keycloak:
  base_path: ""
  client_id: ""
  client_secret: ""
  client_realm: ""
  user_realm: ""
  insecure_skip_verify: false

# Autogenerated
# Filename: graph-config-example.yaml

tracing:
  enabled: false
  type: ""
  endpoint: ""
  collector: ""
log:
  level: ""
  pretty: false
  color: false
  file: ""
cache:
  store: memory
  nodes: []
  database: ocis
  table: roles
  ttl: 336h0m0s
  size: 0
debug:
  addr: 127.0.0.1:9124
  token: ""
  pprof: false
  zpages: false
http:
  addr: 127.0.0.1:9120
  root: /graph
  tls:
    enabled: false
    cert: ""
    key: ""
  apitoken: ""
  cors:
    allow_origins:
    - '*'
    allow_methods:
    - GET
    - POST
    - PUT
    - PATCH
    - DELETE
    - OPTIONS
    allow_headers:
    - Authorization
    - Origin
    - Content-Type
    - Accept
    - X-Requested-With
    - X-Request-Id
    - Purge
    - Restore
    allow_credentials: true
api:
  group_members_patch_limit: 20
  graph_username_match: default
  graph_assign_default_user_role: true
reva:
  address: 127.0.0.1:9142
  tls:
    mode: ""
    cacert: ""
token_manager:
  jwt_secret: ""
grpc_client_tls: null
application:
  id: ""
  displayname: ownCloud Infinite Scale
spaces:
  webdav_base: https://localhost:9200
  webdav_path: /dav/spaces/
  default_quota: "1000000000"
  extended_space_properties_cache_ttl: 60000000000
  users_cache_ttl: 60000000000
  groups_cache_ttl: 60000000000
identity:
  backend: ldap
  ldap:
    uri: ldaps://localhost:9235
    cacert: ~/.ocis/idm/ldap.crt
    insecure: false
    bind_dn: uid=libregraph,ou=sysusers,o=libregraph-idm
    bind_password: ""
    use_server_uuid: false
    use_password_modify_exop: true
    write_enabled: true
    refint_enabled: false
    user_base_dn: ou=users,o=libregraph-idm
    user_search_scope: sub
    user_filter: ""
    user_objectclass: inetOrgPerson
    user_mail_attribute: mail
    user_displayname_attribute: displayName
    user_name_attribute: uid
    user_id_attribute: owncloudUUID
    user_id_is_octet_string: false
    user_type_attribute: ownCloudUserType
    user_enabled_attribute: ownCloudUserEnabled
    disable_user_mechanism: attribute
    ldap_disabled_users_group_dn: cn=DisabledUsersGroup,ou=groups,o=libregraph-idm
    group_base_dn: ou=groups,o=libregraph-idm
    group_create_base_dn: ou=groups,o=libregraph-idm
    group_search_scope: sub
    group_filter: ""
    group_objectclass: groupOfNames
    group_name_attribute: cn
    group_id_attribute: owncloudUUID
    group_id_is_octet_string: false
    education_resources_enabled: false
    educationconfig:
      school_base_dn: ""
      school_search_scope: ""
      school_filter: ""
      school_objectclass: ""
      school_name_attribute: ""
      school_number_attribute: ""
      school_id_attribute: ""
events:
  endpoint: 127.0.0.1:9233
  cluster: ocis-cluster
  tls_insecure: false
  tls_root_ca_certificate: ""
  enable_tls: false
machine_auth_api_key: ""
keycloak:
  base_path: ""
  client_id: ""
  client_secret: ""
  client_realm: ""
  user_realm: ""
  insecure_skip_verify: false