Groups Service Configuration

Introduction

The Infinite Scale Group service provides

Configuration

Environment Variables

The groups service is configured via the following environment variables:

Environment variables for the groups service
Name Type Default Value Description

OCIS_TRACING_ENABLED
GROUPS_TRACING_ENABLED

bool

false

Activates tracing.

OCIS_TRACING_TYPE
GROUPS_TRACING_TYPE

string

The type of tracing. Defaults to "", which is the same as "jaeger". Allowed tracing types are "jaeger" and "" as of now.

OCIS_TRACING_ENDPOINT
GROUPS_TRACING_ENDPOINT

string

The endpoint of the tracing agent.

OCIS_TRACING_COLLECTOR
GROUPS_TRACING_COLLECTOR

string

The HTTP endpoint for sending spans directly to a collector, e.g. http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.

OCIS_LOG_LEVEL
GROUPS_LOG_LEVEL

string

The log level. Valid values are: "panic", "fatal", "error", "warn", "info", "debug", "trace".

OCIS_LOG_PRETTY
GROUPS_LOG_PRETTY

bool

false

Activates pretty log output.

OCIS_LOG_COLOR
GROUPS_LOG_COLOR

bool

false

Activates colorized log output.

OCIS_LOG_FILE
GROUPS_LOG_FILE

string

The path to the log file. Activates logging to this file if set.

GROUPS_DEBUG_ADDR

string

127.0.0.1:9161

Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.

GROUPS_DEBUG_TOKEN

string

Token to secure the metrics endpoint.

GROUPS_DEBUG_PPROF

bool

false

Enables pprof, which can be used for profiling.

GROUPS_DEBUG_ZPAGES

bool

false

Enables zpages, which can be used for collecting and viewing in-memory traces.

GROUPS_GRPC_ADDR

string

127.0.0.1:9160

The bind address of the GRPC service.

OCIS_GRPC_TLS_ENABLED

bool

false

Activates TLS for the grpc based services using the server certificate and key configured via OCIS_GRPC_TLS_CERTIFICATE and OCIS_GRPC_TLS_KEY. If OCIS_GRPC_TLS_CERTIFICATE is not set, a temporary self-signed server certificate is generated; clients can only accept it with OCIS_GRPC_CLIENT_TLS_MODE=insecure.

OCIS_GRPC_TLS_CERTIFICATE

string

Path/File name of the TLS server certificate (in PEM format) for the grpc services.

OCIS_GRPC_TLS_KEY

string

Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the grpc services.

GROUPS_GRPC_PROTOCOL

string

tcp

The transport protocol of the GRPC service.

OCIS_JWT_SECRET
GROUPS_JWT_SECRET

string

The secret to mint and validate jwt tokens.

REVA_GATEWAY

string

127.0.0.1:9142

The CS3 gateway endpoint.

OCIS_GRPC_CLIENT_TLS_MODE

string

TLS mode for the grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off' disables transport security for the clients. 'insecure' uses transport security but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.

OCIS_GRPC_CLIENT_TLS_CACERT

string

Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.

GROUPS_SKIP_USER_GROUPS_IN_TOKEN

bool

false

Disables the loading of user’s group memberships from the reva access token.

GROUPS_DRIVER

string

ldap

The driver which should be used by the groups service. Supported values are 'ldap' and 'owncloudsql'.

LDAP_URI
GROUPS_LDAP_URI

string

ldaps://localhost:9235

URI of the LDAP Server to connect to. Supported URI schemes are 'ldaps://' and 'ldap://'

LDAP_CACERT
GROUPS_LDAP_CACERT

string

~/.ocis/idm/ldap.crt

Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the LDAP service.

LDAP_INSECURE
GROUPS_LDAP_INSECURE

bool

false

Disable TLS certificate validation for the LDAP connections. Do not set this in production environments.

LDAP_BIND_DN
GROUPS_LDAP_BIND_DN

string

uid=reva,ou=sysusers,o=libregraph-idm

LDAP DN to use for simple bind authentication with the target LDAP server.

LDAP_BIND_PASSWORD
GROUPS_LDAP_BIND_PASSWORD

string

Password to use for authenticating the 'bind_dn'.

LDAP_USER_BASE_DN
GROUPS_LDAP_USER_BASE_DN

string

ou=users,o=libregraph-idm

Search base DN for looking up LDAP users.

LDAP_GROUP_BASE_DN
GROUPS_LDAP_GROUP_BASE_DN

string

ou=groups,o=libregraph-idm

Search base DN for looking up LDAP groups.

LDAP_USER_SCOPE
GROUPS_LDAP_USER_SCOPE

string

sub

LDAP search scope to use when looking up users. Supported scopes are 'base', 'one' and 'sub'.

LDAP_GROUP_SCOPE
GROUPS_LDAP_GROUP_SCOPE

string

sub

LDAP search scope to use when looking up groups. Supported scopes are 'base', 'one' and 'sub'.

LDAP_GROUP_SUBSTRING_FILTER_TYPE
GROUP_LDAP_GROUP_SUBSTRING_FILTER_TYPE

string

any

Type of substring search filter to use for substring searches for groups. Possible values: 'initial' for prefix-only searches, 'final' for suffix-only searches, or 'any' for full substring searches.

LDAP_USER_FILTER
GROUPS_LDAP_USER_FILTER

string

LDAP filter to add to the default filters for user search like '(objectclass=ownCloud)'.

LDAP_GROUP_FILTER
GROUPS_LDAP_GROUP_FILTER

string

LDAP filter to add to the default filters for group searches.

LDAP_USER_OBJECTCLASS
GROUPS_LDAP_USER_OBJECTCLASS

string

inetOrgPerson

The object class to use for users in the default user search filter ('inetOrgPerson').

LDAP_GROUP_OBJECTCLASS
GROUPS_LDAP_GROUP_OBJECTCLASS

string

groupOfNames

The object class to use for groups in the default group search filter ('groupOfNames').

OCIS_URL
OCIS_OIDC_ISSUER
GROUPS_IDP_URL

string

https://localhost:9200

The identity provider value to set in the group IDs of the CS3 group objects for groups returned by this group provider.

LDAP_USER_SCHEMA_ID
GROUPS_LDAP_USER_SCHEMA_ID

string

ownclouduuid

LDAP Attribute to use as the unique id for users. This should be a stable globally unique id like a UUID.

LDAP_USER_SCHEMA_ID_IS_OCTETSTRING
GROUPS_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING

bool

false

Set this to true if the defined 'id' attribute for users is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the user IDs.

LDAP_USER_SCHEMA_MAIL
GROUPS_LDAP_USER_SCHEMA_MAIL

string

mail

LDAP Attribute to use for the email address of users.

LDAP_USER_SCHEMA_DISPLAYNAME
GROUPS_LDAP_USER_SCHEMA_DISPLAYNAME

string

displayname

LDAP Attribute to use for the displayname of users.

LDAP_USER_SCHEMA_USERNAME
GROUPS_LDAP_USER_SCHEMA_USERNAME

string

uid

LDAP Attribute to use for username of users.

LDAP_GROUP_SCHEMA_ID
GROUPS_LDAP_GROUP_SCHEMA_ID

string

ownclouduuid

LDAP Attribute to use as the unique id for groups. This should be a stable globally unique ID like a UUID.

LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING
GROUPS_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING

bool

false

Set this to true if the defined 'id' attribute for groups is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the group IDs.

LDAP_GROUP_SCHEMA_MAIL
GROUPS_LDAP_GROUP_SCHEMA_MAIL

string

mail

LDAP Attribute to use for the email address of groups (can be empty).

LDAP_GROUP_SCHEMA_DISPLAYNAME
GROUPS_LDAP_GROUP_SCHEMA_DISPLAYNAME

string

cn

LDAP Attribute to use for the displayname of groups (often the same as groupname attribute).

LDAP_GROUP_SCHEMA_GROUPNAME
GROUPS_LDAP_GROUP_SCHEMA_GROUPNAME

string

cn

LDAP Attribute to use for the name of groups.

LDAP_GROUP_SCHEMA_MEMBER
GROUPS_LDAP_GROUP_SCHEMA_MEMBER

string

member

LDAP Attribute that is used for group members.

GROUPS_OWNCLOUDSQL_DB_USERNAME

string

owncloud

Database user to use for authenticating with the owncloud database.

GROUPS_OWNCLOUDSQL_DB_PASSWORD

string

Password for the database user.

GROUPS_OWNCLOUDSQL_DB_HOST

string

mysql

Hostname of the database server.

GROUPS_OWNCLOUDSQL_DB_PORT

int

3306

Network port to use for the database connection.

GROUPS_OWNCLOUDSQL_DB_NAME

string

owncloud

Name of the owncloud database.

GROUPS_OWNCLOUDSQL_IDP

string

https://localhost:9200

The identity provider value to set in the user IDs of the CS3 user objects for users returned by this user provider.

GROUPS_OWNCLOUDSQL_NOBODY

int64

90

Fallback number if no numeric UID and GID properties are provided.

GROUPS_OWNCLOUDSQL_JOIN_USERNAME

bool

false

Join the user properties table to read usernames.

GROUPS_OWNCLOUDSQL_JOIN_OWNCLOUD_UUID

bool

false

Join the user properties table to read user IDs.

GROUPS_OWNCLOUDSQL_ENABLE_MEDIAL_SEARCH

bool

false

Allow 'medial search' when searching for users instead of just doing a prefix search. This allows finding 'Alice' when searching for 'lic'.
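Several settings in the table above are safe only in a development setup (LDAP_INSECURE, OCIS_GRPC_CLIENT_TLS_MODE=insecure or off, a debug server bound beyond loopback, an empty JWT secret or bind password). The following is an added example, not code from the oCIS project: it audits a mapping of environment variables for those settings and shows the two-name alias pattern of the table in action. The precedence rule it applies (the service-specific GROUPS_* name overrides the shared LDAP_* or OCIS_* name, and an empty value counts as unset), the sample environments and every host name, file path and password in them are constructed for illustration.

```python
"""Audit oCIS groups-service environment variables for insecure settings.

Added example, not part of oCIS. Assumption: for aliased variables the
service-specific GROUPS_* name overrides the shared LDAP_*/OCIS_* name.
"""
from __future__ import annotations

from typing import Mapping
from urllib.parse import urlsplit

TRUE_VALUES = {"1", "t", "true", "yes", "y", "on"}


def resolve(env: Mapping[str, str], *names: str, default: str = "") -> str:
    """Value of the first non-empty variable in `names` (most specific first)."""
    for name in names:
        if env.get(name):
            return env[name]
    return default


def as_bool(value: str) -> bool:
    return value.strip().lower() in TRUE_VALUES


def is_loopback(addr: str) -> bool:
    """True only for bind addresses that listen on the local host."""
    host = addr.rsplit(":", 1)[0].strip("[]") if ":" in addr else addr
    return host in {"127.0.0.1", "::1", "localhost"}


def audit_groups_env(env: Mapping[str, str]) -> list[str]:
    """Return findings for weak settings; an empty list means none were found."""
    findings: list[str] = []

    # Directory backend: the bind credentials and the TLS trust decision.
    driver = resolve(env, "GROUPS_DRIVER", default="ldap")
    if driver == "ldap":
        uri = resolve(env, "GROUPS_LDAP_URI", "LDAP_URI", default="ldaps://localhost:9235")
        if urlsplit(uri).scheme != "ldaps":
            findings.append(f"ldap: uri {uri!r} is not ldaps://, so the connection carries no TLS")
        if as_bool(resolve(env, "GROUPS_LDAP_INSECURE", "LDAP_INSECURE", default="false")):
            findings.append("ldap: LDAP_INSECURE=true disables certificate validation; not for production")
        if not resolve(env, "GROUPS_LDAP_BIND_PASSWORD", "LDAP_BIND_PASSWORD"):
            findings.append("ldap: bind password is empty")
    elif driver == "owncloudsql":
        if not resolve(env, "GROUPS_OWNCLOUDSQL_DB_PASSWORD"):
            findings.append("owncloudsql: database password is empty")
    else:
        findings.append(f"driver: unsupported value {driver!r}")

    # gRPC: the service's own listener and its client connection to the gateway.
    grpc_addr = resolve(env, "GROUPS_GRPC_ADDR", default="127.0.0.1:9160")
    tls_enabled = as_bool(resolve(env, "OCIS_GRPC_TLS_ENABLED", default="false"))
    if tls_enabled and not resolve(env, "OCIS_GRPC_TLS_CERTIFICATE"):
        findings.append("grpc: TLS enabled without OCIS_GRPC_TLS_CERTIFICATE; the temporary "
                        "certificate forces clients into OCIS_GRPC_CLIENT_TLS_MODE=insecure")
    if not tls_enabled and not is_loopback(grpc_addr):
        findings.append(f"grpc: listener {grpc_addr} is reachable from other hosts without TLS")
    client_mode = resolve(env, "OCIS_GRPC_CLIENT_TLS_MODE").lower()
    if client_mode == "off":
        findings.append("grpc client: transport security disabled (OCIS_GRPC_CLIENT_TLS_MODE=off)")
    elif client_mode == "insecure":
        findings.append("grpc client: certificate verification disabled (OCIS_GRPC_CLIENT_TLS_MODE=insecure)")

    # Debug server: metrics, health, config and pprof/zpages endpoints.
    debug_addr = resolve(env, "GROUPS_DEBUG_ADDR", default="127.0.0.1:9161")
    if not is_loopback(debug_addr):
        extras = [n for n in ("GROUPS_DEBUG_PPROF", "GROUPS_DEBUG_ZPAGES")
                  if as_bool(resolve(env, n, default="false"))]
        findings.append(f"debug: server on {debug_addr} is reachable beyond localhost"
                        + (f" with {', '.join(extras)} enabled" if extras else ""))
        if not resolve(env, "GROUPS_DEBUG_TOKEN"):
            findings.append("debug: no GROUPS_DEBUG_TOKEN; the metrics endpoint is unauthenticated")

    # The JWT secret both mints and validates service tokens; empty is never acceptable.
    if not resolve(env, "GROUPS_JWT_SECRET", "OCIS_JWT_SECRET"):
        findings.append("jwt: OCIS_JWT_SECRET/GROUPS_JWT_SECRET is empty")
    return findings


# Constructed sample environments (hosts, paths and secrets are placeholders).
DEV_ENV = {
    "GROUPS_DEBUG_ADDR": "0.0.0.0:9161", "GROUPS_DEBUG_PPROF": "true",
    "OCIS_GRPC_TLS_ENABLED": "true", "OCIS_GRPC_CLIENT_TLS_MODE": "insecure",
    "LDAP_URI": "ldap://ldap.example.internal:389",
    "LDAP_INSECURE": "false", "GROUPS_LDAP_INSECURE": "true",  # specific alias wins
    "LDAP_BIND_PASSWORD": "",
}
HARDENED_ENV = {
    "OCIS_JWT_SECRET": "replace-with-a-long-random-secret",
    "GROUPS_DEBUG_ADDR": "127.0.0.1:9161", "GROUPS_GRPC_ADDR": "127.0.0.1:9160",
    "OCIS_GRPC_TLS_ENABLED": "true", "OCIS_GRPC_TLS_CERTIFICATE": "/etc/ocis/grpc/server.crt",
    "OCIS_GRPC_TLS_KEY": "/etc/ocis/grpc/server.key", "OCIS_GRPC_CLIENT_TLS_MODE": "on",
    "OCIS_GRPC_CLIENT_TLS_CACERT": "/etc/ocis/grpc/ca.crt",
    "LDAP_URI": "ldaps://ldap.example.internal:636", "LDAP_CACERT": "/etc/ocis/ldap/ca.crt",
    "LDAP_BIND_DN": "uid=reva,ou=sysusers,o=libregraph-idm",
    "LDAP_BIND_PASSWORD": "constructed-example-password",
}

if __name__ == "__main__":
    for label, env in (("dev", DEV_ENV), ("hardened", HARDENED_ENV)):
        print(f"[{label}]")
        for finding in audit_groups_env(env) or ["no findings"]:
            print("  -", finding)
```

Run against a real deployment by replacing the sample dictionaries with `os.environ`. Note that the token only protects the metrics endpoint according to the table above, which is why the audit treats any non-loopback debug address as a finding on its own rather than one that a token resolves.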


YAML Example


# Autogenerated
# Filename: groups-config-example.yaml

tracing:
  enabled: false
  type: ""
  endpoint: ""
  collector: ""
log:
  level: ""
  pretty: false
  color: false
  file: ""
debug:
  addr: 127.0.0.1:9161
  token: ""
  pprof: false
  zpages: false
grpc:
  addr: 127.0.0.1:9160
  tls:
    enabled: false
    cert: ""
    key: ""
  protocol: tcp
token_manager:
  jwt_secret: ""
reva:
  address: 127.0.0.1:9142
  tls:
    mode: ""
    cacert: ""
skip_user_groups_in_token: false
driver: ldap
drivers:
  ldap:
    uri: ldaps://localhost:9235
    ca_cert: ~/.ocis/idm/ldap.crt
    insecure: false
    bind_dn: uid=reva,ou=sysusers,o=libregraph-idm
    bind_password: ""
    user_base_dn: ou=users,o=libregraph-idm
    group_base_dn: ou=groups,o=libregraph-idm
    user_scope: sub
    group_scope: sub
    group_substring_filter_type: any
    user_filter: ""
    group_filter: ""
    user_object_class: inetOrgPerson
    group_object_class: groupOfNames
    idp: https://localhost:9200
    user_schema:
      id: ownclouduuid
      id_is_octet_string: false
      mail: mail
      display_name: displayname
      user_name: uid
    group_schema:
      id: ownclouduuid
      id_is_octet_string: false
      mail: mail
      display_name: cn
      group_name: cn
      member: member
  owncloudsql:
    db_username: owncloud
    db_password: ""
    db_host: mysql
    db_port: 3306
    db_name: owncloud
    idp: https://localhost:9200
    nobody: 90
    join_username: false
    join_owncloud_uuid: false
    enable_medial_search: false