IDM Service Configuration

Introduction

The Infinite Scale IDM service provides a minimal LDAP service for Infinite Scale. It is started as part of the runtime and serves as a central place for storing user and group information. The IDM Service is based on LibreGraph Identity Management.

  • IDM is mainly targeted at small Infinite Scale installations or testing.

  • For larger setups or production environments, it is highly recommended to use a “real” LDAP server or to switch to an external Identity Management Solution instead.

The IDM service is by design limited in its functionality:

  • IDM only supports a subset of the LDAP operations
    namely BIND, SEARCH, ADD, MODIFY and DELETE.

  • IDM currently does not do any LDAP schema verification, such as
    structural vs. auxiliary object classes,
    required and optional attributes,
    syntax checks, …

  • IDM currently does not support features like 2FA and device management.

  • Check the Restrict Username Patterns documentation.

Therefore the IDM service is not meant to replace a general purpose LDAP server.

Default Values

  • IDM listens on port 9235 by default.

  • In the default configuration it only accepts TLS-protected connections (LDAPS).

  • The BaseDN of the LDAP tree is o=libregraph-idm.

  • IDM gives LDAP write permissions to a single user
    (DN: uid=libregraph,ou=sysusers,o=libregraph-idm). Any other authenticated user has read-only access.

  • IDM stores its data in a boltdb file idm/ocis.boltdb inside the Infinite Scale Base Data Directory.

Configuration Hints

TLS Server Certificates

By default, IDM generates a self-signed certificate and key on first startup so that it can provide TLS-protected services. The certificate is stored in idm/ldap.crt inside the Infinite Scale Base Data Directory; the key is in idm/ldap.key in the same directory. You can use a custom server certificate by setting the IDM_LDAPS_CERT and IDM_LDAPS_KEY environment variables.

Default and Demo Users

On startup, IDM creates a set of default service users that other Infinite Scale services need internally to access IDM. These users are stored in a separate subtree.

The base DN of that subtree is: ou=sysusers,o=libregraph-idm.

The service users are:

  • uid=libregraph,ou=sysusers,o=libregraph-idm
    This is the only user with write access to the LDAP tree. It is used by the Graph service to look up, create, delete and modify users and groups.

  • uid=idp,ou=sysusers,o=libregraph-idm
    This user is used by the IDP service to perform user lookups for authentication.

  • uid=reva,ou=sysusers,o=libregraph-idm
    This user is used by the "reva" services (user, group and auth-basic).

IDM is also able to create demo users on startup (see IDM_CREATE_DEMO_USERS).

Access via LDAP Command Line Tools

For testing purposes it is sometimes helpful to query IDM using the LDAP command line clients. For example, to list all users, this command can be used:

ldapsearch -x -H ldaps://127.0.0.1:9235 \
    -D uid=libregraph,ou=sysusers,o=libregraph-idm \
    -W -b o=libregraph-idm objectclass=inetorgperson

When using the default configuration with the self-signed server certificate, you might need to switch off certificate validation using the LDAPTLS_REQCERT environment variable:

LDAPTLS_REQCERT=never \
    ldapsearch -x -H ldaps://127.0.0.1:9235 \
    -D uid=libregraph,ou=sysusers,o=libregraph-idm \
    -W -b o=libregraph-idm objectclass=inetorgperson

The password to enter at the prompt is the value of idm_password in ocis.yaml.
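Disabling certificate validation with LDAPTLS_REQCERT=never also silences a wrong or substituted server certificate. Because IDM writes its self-signed certificate to idm/ldap.crt, the client can instead be told to trust exactly that file. The wrapper below is an added example, not part of the Infinite Scale documentation or code; it assumes the OpenLDAP ldapsearch client, which honours the LDAPTLS_CACERT and LDAPTLS_REQCERT environment variables, and it uses IDM_DATA_DIR and IDM_URI as this example's own variable names for the base data directory and the LDAPS URL.

```shell
#!/bin/sh
# Query IDM over LDAPS while keeping certificate verification enabled:
# trust the self-signed certificate IDM generated (idm/ldap.crt) instead of
# setting LDAPTLS_REQCERT=never. Example code, not part of Infinite Scale.
# IDM_DATA_DIR and IDM_URI are this example's own names (assumptions).

IDM_DATA_DIR="${IDM_DATA_DIR:-/var/lib/ocis}"
IDM_URI="${IDM_URI:-ldaps://127.0.0.1:9235}"
IDM_BIND_DN="uid=libregraph,ou=sysusers,o=libregraph-idm"
IDM_BASE_DN="o=libregraph-idm"

# Returns 0 when the file is readable and contains a PEM certificate block.
check_cafile() {
    [ -r "$1" ] || return 1
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# idm_search CAFILE [FILTER] [ATTR...]
# Runs ldapsearch with LDAPTLS_REQCERT=demand and the given CA file, so a
# certificate that does not match the pinned file makes the connection fail.
# Refuses to run (exit 2) rather than silently falling back to no verification.
idm_search() {
    cafile="$1"; shift
    default_filter='(objectclass=inetorgperson)'
    filter="${1:-$default_filter}"
    [ $# -gt 0 ] && shift
    if ! check_cafile "$cafile"; then
        echo "CA certificate $cafile missing or not PEM; not disabling verification" >&2
        return 2
    fi
    LDAPTLS_CACERT="$cafile" LDAPTLS_REQCERT=demand \
        ldapsearch -x -H "$IDM_URI" -D "$IDM_BIND_DN" -W \
        -b "$IDM_BASE_DN" "$filter" "$@"
}

# Usage (prompts for the idm_password value from ocis.yaml):
#   idm_search "$IDM_DATA_DIR/idm/ldap.crt" '(objectclass=inetorgperson)' uid mail
```

When IDM_LDAPS_CERT points at a custom certificate, pass that file (or the CA that issued it) as the first argument instead of the generated idm/ldap.crt.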

Configuration

Environment Variables

The idm service is configured via the following environment variables. Read the Environment Variable Types documentation for important details.

Environment variables for the idm service

OCIS_TRACING_ENABLED, IDM_TRACING_ENABLED
    Type: bool. Default: false.
    Activates tracing.

OCIS_TRACING_TYPE, IDM_TRACING_TYPE
    Type: string.
    The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.

OCIS_TRACING_ENDPOINT, IDM_TRACING_ENDPOINT
    Type: string.
    The endpoint of the tracing agent.

OCIS_TRACING_COLLECTOR, IDM_TRACING_COLLECTOR
    Type: string.
    The HTTP endpoint for sending spans directly to a collector, e.g. http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.

OCIS_LOG_LEVEL, IDM_LOG_LEVEL
    Type: string.
    The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.

OCIS_LOG_PRETTY, IDM_LOG_PRETTY
    Type: bool. Default: false.
    Activates pretty log output.

OCIS_LOG_COLOR, IDM_LOG_COLOR
    Type: bool. Default: false.
    Activates colorized log output.

OCIS_LOG_FILE, IDM_LOG_FILE
    Type: string.
    The path to the log file. Activates logging to this file if set.

IDM_DEBUG_ADDR
    Type: string. Default: 127.0.0.1:9239.
    Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.

IDM_DEBUG_TOKEN
    Type: string.
    Token to secure the metrics endpoint.

IDM_DEBUG_PPROF
    Type: bool. Default: false.
    Enables pprof, which can be used for profiling.

IDM_DEBUG_ZPAGES
    Type: bool. Default: false.
    Enables zpages, which can be used for collecting and viewing in-memory traces.

IDM_LDAPS_ADDR
    Type: string. Default: 127.0.0.1:9235.
    Listen address for the LDAPS listener (ip-addr:port).

IDM_LDAPS_CERT
    Type: string. Default: /var/lib/ocis/idm/ldap.crt.
    File name of the TLS server certificate for the LDAPS listener. If not defined, the root directory derives from $OCIS_BASE_DATA_PATH:/idm.

IDM_LDAPS_KEY
    Type: string. Default: /var/lib/ocis/idm/ldap.key.
    File name for the TLS certificate key for the server certificate. If not defined, the root directory derives from $OCIS_BASE_DATA_PATH:/idm.

IDM_DATABASE_PATH
    Type: string. Default: /var/lib/ocis/idm/ocis.boltdb.
    Full path to the IDM backend database. If not defined, the root directory derives from $OCIS_BASE_DATA_PATH:/idm.

IDM_CREATE_DEMO_USERS
    Type: bool. Default: false.
    Flag to enable or disable the creation of the demo users.

IDM_ADMIN_PASSWORD
    Type: string.
    Password to set for the oCIS 'admin' user. Either cleartext or an argon2id hash.

IDM_SVC_PASSWORD
    Type: string.
    Password to set for the 'idm' service user. Either cleartext or an argon2id hash.

IDM_REVASVC_PASSWORD
    Type: string.
    Password to set for the 'reva' service user. Either cleartext or an argon2id hash.

IDM_IDPSVC_PASSWORD
    Type: string.
    Password to set for the 'idp' service user. Either cleartext or an argon2id hash.

OCIS_ADMIN_USER_ID, IDM_ADMIN_USER_ID
    Type: string.
    ID of the user that should receive admin privileges. Consider that the UUID can be encoded in some LDAP deployment configurations like in .ldif files. These need to be decoded beforehand.
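The four IDM_*_PASSWORD variables accept either a cleartext password or an argon2id hash. A hash that is mistyped or truncated does not fail loudly in a configuration file; it simply becomes the literal password. The following Python helper is an added example, not part of Infinite Scale or LibreGraph IDM: it parses the PHC string format that argon2 tools emit ($argon2id$v=19$m=...,t=...,p=...$salt$tag), reports whether a configured value will be read as a hash or as cleartext, and flags weak parameters before the value is deployed. The thresholds in weak_parameter_findings are this example's own choices, how IDM itself recognises a hash is not specified on this page, and the sample salt and tag are constructed values rather than output of a real argon2 run.

```python
import base64
import re
from dataclasses import dataclass

# PHC string layout for argon2id as emitted by the reference tools:
#   $argon2id$v=19$m=<KiB>,t=<iterations>,p=<lanes>$<salt b64>$<tag b64>
# Salt and tag use standard base64 without '=' padding.
_PHC_RE = re.compile(
    r"^\$argon2id(?:\$v=(?P<v>\d+))?"
    r"\$m=(?P<m>\d+),t=(?P<t>\d+),p=(?P<p>\d+)"
    r"\$(?P<salt>[A-Za-z0-9+/]+)\$(?P<tag>[A-Za-z0-9+/]+)$"
)


@dataclass(frozen=True)
class Argon2idParams:
    version: int
    memory_kib: int
    iterations: int
    parallelism: int
    salt: bytes
    tag: bytes


def _b64_nopad_decode(text: str) -> bytes:
    # Re-add the padding the PHC format strips; invalid input raises ValueError.
    return base64.b64decode(text + "=" * (-len(text) % 4))


def _b64_nopad_encode(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii").rstrip("=")


def make_argon2id_phc(salt: bytes, tag: bytes, memory_kib: int,
                      iterations: int, parallelism: int) -> str:
    """Assemble a PHC string from its parts. Does not compute argon2 itself."""
    return (f"$argon2id$v=19$m={memory_kib},t={iterations},p={parallelism}"
            f"${_b64_nopad_encode(salt)}${_b64_nopad_encode(tag)}")


def parse_argon2id_phc(value: str) -> Argon2idParams:
    """Parse and structurally validate an argon2id PHC string."""
    m = _PHC_RE.match(value)
    if m is None:
        raise ValueError("not an argon2id PHC string")
    version = int(m.group("v")) if m.group("v") is not None else 19
    if version != 19:
        raise ValueError(f"unsupported argon2 version {version}")
    memory_kib, iterations, parallelism = (int(m.group(k)) for k in ("m", "t", "p"))
    if iterations < 1 or parallelism < 1:
        raise ValueError("t and p must be >= 1")
    if memory_kib < 8 * parallelism:  # argon2 requires m >= 8*p
        raise ValueError("m must be at least 8*p KiB")
    salt = _b64_nopad_decode(m.group("salt"))
    tag = _b64_nopad_decode(m.group("tag"))
    if len(salt) < 8:
        raise ValueError("salt shorter than 8 bytes")
    if len(tag) < 4:
        raise ValueError("tag shorter than 4 bytes")
    return Argon2idParams(version, memory_kib, iterations, parallelism, salt, tag)


def classify_password_value(value: str) -> str:
    """'hash' for a well-formed argon2id string, 'malformed-hash' for a value that
    starts like one but does not parse (it would end up as a literal password),
    'cleartext' for anything else."""
    if value.startswith("$argon2id$"):
        try:
            parse_argon2id_phc(value)
            return "hash"
        except ValueError:
            return "malformed-hash"
    return "cleartext"


def weak_parameter_findings(params: Argon2idParams, min_memory_kib: int = 65536,
                            min_iterations: int = 2, min_salt_len: int = 16,
                            min_tag_len: int = 32) -> list:
    """Return human-readable findings for parameters below this example's thresholds."""
    findings = []
    if params.memory_kib < min_memory_kib:
        findings.append(f"memory {params.memory_kib} KiB below {min_memory_kib} KiB")
    if params.iterations < min_iterations:
        findings.append(f"iterations {params.iterations} below {min_iterations}")
    if len(params.salt) < min_salt_len:
        findings.append(f"salt {len(params.salt)} bytes shorter than {min_salt_len}")
    if len(params.tag) < min_tag_len:
        findings.append(f"tag {len(params.tag)} bytes shorter than {min_tag_len}")
    return findings


# Constructed sample values (not a real credential): 16-byte salt, 32-byte tag.
SAMPLE_SALT = bytes(range(16))
SAMPLE_TAG = bytes(range(32))
SAMPLE_HASH = make_argon2id_phc(SAMPLE_SALT, SAMPLE_TAG, 65536, 3, 4)

if __name__ == "__main__":
    for candidate in (SAMPLE_HASH, "correct horse battery staple", "$argon2id$v=19$bad"):
        kind = classify_password_value(candidate)
        print(kind, candidate[:40])
        if kind == "hash":
            print("  findings:", weak_parameter_findings(parse_argon2id_phc(candidate)) or "none")
```

Run a configured value through classify_password_value before committing it to ocis.yaml or the environment; a result of "malformed-hash" means the value would be stored as a cleartext password. Producing the hash itself needs an argon2 implementation such as the argon2 reference command line tool or a library; this helper only checks the resulting string.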

YAML Example

# Autogenerated
# Filename: idm-config-example.yaml

tracing:
  enabled: false
  type: ""
  endpoint: ""
  collector: ""
log:
  level: ""
  pretty: false
  color: false
  file: ""
debug:
  addr: 127.0.0.1:9239
  token: ""
  pprof: false
  zpages: false
idm:
  ldaps_addr: 127.0.0.1:9235
  cert: /var/lib/ocis/idm/ldap.crt
  key: /var/lib/ocis/idm/ldap.key
  database: /var/lib/ocis/idm/ocis.boltdb
create_demo_users: false
service_user_passwords:
  admin_password: ""
  idm_password: ""
  reva_password: ""
  idp_password: ""
admin_user_id: ""