IDM Service Configuration
Introduction
The Infinite Scale IDM service provides a minimal LDAP service for Infinite Scale. It is started as part of the runtime and serves as a central place for storing user and group information. The IDM Service is based on LibreGraph Identity Management.
The IDM service is by design limited in its functionality:
Therefore, the IDM service is not meant to replace a general purpose LDAP server.
Default Values
- IDM listens on port 9325 by default.
- In the default configuration it only accepts TLS-protected connections (LDAPS).
- The BaseDN of the LDAP tree is o=libregraph-idm.
- IDM gives LDAP write permissions to a single user (DN: uid=libregraph,ou=sysusers,o=libregraph-idm). Any other authenticated user has read-only access.
- IDM stores its data in a boltdb file idm/ocis.boltdb inside the Infinite Scale Base Data Directory.
Configuration Hints
TLS Server Certificates
By default, IDM generates a self-signed certificate and key on first startup to be able to provide TLS-protected services. The certificate is stored in idm/ldap.crt inside the Infinite Scale Base Data Directory. The key is in idm/ldap.key in the same directory. You can use a custom server certificate by setting the IDM_LDAPS_CERT and IDM_LDAPS_KEY environment variables.
Default and Demo Users
On startup, IDM creates a set of default service users that are needed internally to give other Infinite Scale services access to IDM. These users are stored in a separate subtree. The base DN of that subtree is ou=sysusers,o=libregraph-idm.
The service users are:
- uid=libregraph,ou=sysusers,o=libregraph-idm
  This is the only user with write access to the LDAP tree. It is used by the Graph service to look up, create, delete and modify users and groups.
- uid=idp,ou=sysusers,o=libregraph-idm
  This user is used by the IDP service to perform user lookups for authentication.
- uid=reva,ou=sysusers,o=libregraph-idm
  This user is used by the "reva" services user, group and auth-basic.
IDM is also able to create Demo Users upon startup.
Access via LDAP Command Line Tools
For testing purposes it is sometimes helpful to query IDM using the ldap command line clients. To list all users, for example, this command can be used:

```shell
ldapsearch -x -H ldaps://127.0.0.1:9235 \
  -D uid=libregraph,ou=sysusers,o=libregraph-idm \
  -W -b o=libregraph-idm objectclass=inetorgperson
```

When using the default configuration with the self-signed server certificate, you might need to switch off the certificate validation using the LDAPTLS_REQCERT environment variable:

```shell
LDAPTLS_REQCERT=never \
ldapsearch -x -H ldaps://127.0.0.1:9235 \
  -D uid=libregraph,ou=sysusers,o=libregraph-idm \
  -W -b o=libregraph-idm objectclass=inetorgperson
```

The password to enter is the idm_password value from the ocis.yaml config file, which is located in the Infinite Scale configuration directory.
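LDAPTLS_REQCERT=never makes the client accept any certificate. For a self-signed IDM certificate the safer option is to trust exactly that certificate (the OpenLDAP clients read a trusted certificate from LDAPTLS_CACERT). The following Go program, added here and not part of the Infinite Scale documentation or code, shows the check a client performs in that mode: it constructs a stand-in self-signed certificate (an assumption; the fields of the real idm/ldap.crt are not on this page), pins it, and verifies a presented certificate against it, including the host name.

```go
// Added example (not oCIS/IDM project code): pin idm/ldap.crt instead of disabling validation.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"net"
	"time"
)

// newSelfSignedCert returns DER for a constructed stand-in of the self-signed
// certificate IDM writes to idm/ldap.crt (the real certificate's fields may differ).
func newSelfSignedCert(ip string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: ip},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		IPAddresses:  []net.IP{net.ParseIP(ip)},
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// toPEM encodes a certificate the way it is stored in idm/ldap.crt.
func toPEM(der []byte) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// verifyPinned accepts presentedDER only if it chains to (here: equals) the pinned
// PEM and is valid for host, the check LDAPTLS_REQCERT=never would skip entirely.
func verifyPinned(presentedDER, pinnedPEM []byte, host string) error {
	pool := x509.NewCertPool()
	pool.AppendCertsFromPEM(pinnedPEM) // an empty pool rejects every certificate
	leaf, err := x509.ParseCertificate(presentedDER)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}
```

A host name or IP that is not in the certificate's SAN list, or a certificate other than the pinned one, is rejected even though both are self-signed.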
Configuration
Environment Variables
The idm service is configured via the following environment variables. Read the Environment Variable Types documentation for important details. Column IV shows with which release the environment variable has been introduced.
| Name | IV | Type | Default Value | Description |
|---|---|---|---|---|
| | pre5.0 | bool | false | Activates tracing. |
| | pre5.0 | string | | The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now. |
| | pre5.0 | string | | The endpoint of the tracing agent. |
| | pre5.0 | string | | The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset. |
| | pre5.0 | string | | The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'. |
| | pre5.0 | bool | false | Activates pretty log output. |
| | pre5.0 | bool | false | Activates colorized log output. |
| | pre5.0 | string | | The path to the log file. Activates logging to this file if set. |
| | pre5.0 | string | 127.0.0.1:9239 | Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed. |
| | pre5.0 | string | | Token to secure the metrics endpoint. |
| | pre5.0 | bool | false | Enables pprof, which can be used for profiling. |
| | pre5.0 | bool | false | Enables zpages, which can be used for collecting and viewing in-memory traces. |
| | pre5.0 | string | 127.0.0.1:9235 | Listen address for the LDAPS listener (ip-addr:port). |
| IDM_LDAPS_CERT | pre5.0 | string | /var/lib/ocis/idm/ldap.crt | File name of the TLS server certificate for the LDAPS listener. If not defined, the root directory derives from $OCIS_BASE_DATA_PATH/idm. |
| IDM_LDAPS_KEY | pre5.0 | string | /var/lib/ocis/idm/ldap.key | File name for the TLS certificate key for the server certificate. If not defined, the root directory derives from $OCIS_BASE_DATA_PATH/idm. |
| | pre5.0 | string | /var/lib/ocis/idm/ocis.boltdb | Full path to the IDM backend database. If not defined, the root directory derives from $OCIS_BASE_DATA_PATH/idm. |
| | pre5.0 | bool | false | Flag to enable or disable the creation of the demo users. |
| | pre5.0 | string | https://localhost:9200 | The OIDC issuer URL to assign to the demo users. |
| | pre5.0 | string | | Password to set for the oCIS 'admin' user. Either cleartext or an argon2id hash. |
| | pre5.0 | string | | Password to set for the 'idm' service user. Either cleartext or an argon2id hash. |
| | pre5.0 | string | | Password to set for the 'reva' service user. Either cleartext or an argon2id hash. |
| | pre5.0 | string | | Password to set for the 'idp' service user. Either cleartext or an argon2id hash. |
| | pre5.0 | string | | ID of the user that should receive admin privileges. Consider that the UUID can be encoded in some LDAP deployment configurations like in .ldif files. These need to be decoded beforehand. |
YAML Example
- Note that the file shown below must be renamed and placed in the correct folder according to the Configuration File Naming conventions to be effective.
- See the Notes for Environment Variables if you want to use environment variables in the yaml file.

```yaml
# Autogenerated
# Filename: idm-config-example.yaml
tracing:
  enabled: false
  type: ""
  endpoint: ""
  collector: ""
log:
  level: ""
  pretty: false
  color: false
  file: ""
debug:
  addr: 127.0.0.1:9239
  token: ""
  pprof: false
  zpages: false
idm:
  ldaps_addr: 127.0.0.1:9235
  cert: /var/lib/ocis/idm/ldap.crt
  key: /var/lib/ocis/idm/ldap.key
  database: /var/lib/ocis/idm/ocis.boltdb
  create_demo_users: false
  demo_users_issuer_url: https://localhost:9200
  service_user_passwords:
    admin_password: ""
    idm_password: ""
    reva_password: ""
    idp_password: ""
  admin_user_id: ""
```