Users Service Configuration

Table of Contents

Introduction
Default Values
Configuration
- Environment Variables
- YAML Example

Introduction

The Infinite Scale User service

Default Values

Users listens on port 9144 by default.

Configuration

Environment Variables

The users service is configured via the following environment variables. Read the Environment Variable Types documentation for important details.

master

Environment variables for the users service
Name	Type	Default Value	Description
`OCIS_TRACING_ENABLED` `USERS_TRACING_ENABLED`	bool	false	Activates tracing.
`OCIS_TRACING_TYPE` `USERS_TRACING_TYPE`	string		The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.
`OCIS_TRACING_ENDPOINT` `USERS_TRACING_ENDPOINT`	string		The endpoint of the tracing agent.
`OCIS_TRACING_COLLECTOR` `USERS_TRACING_COLLECTOR`	string		The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.
`OCIS_LOG_LEVEL` `USERS_LOG_LEVEL`	string		The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.
`OCIS_LOG_PRETTY` `USERS_LOG_PRETTY`	bool	false	Activates pretty log output.
`OCIS_LOG_COLOR` `USERS_LOG_COLOR`	bool	false	Activates colorized log output.
`OCIS_LOG_FILE` `USERS_LOG_FILE`	string		The path to the log file. Activates logging to this file if set.
`USERS_DEBUG_ADDR`	string	127.0.0.1:9145	Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.
`USERS_DEBUG_TOKEN`	string		Token to secure the metrics endpoint.
`USERS_DEBUG_PPROF`	bool	false	Enables pprof, which can be used for profiling.
`USERS_DEBUG_ZPAGES`	bool	false	Enables zpages, which can be used for collecting and viewing in-memory traces.
`USERS_GRPC_ADDR`	string	127.0.0.1:9144	The bind address of the GRPC service.
`USERS_GRPC_PROTOCOL`	string	tcp	The transport protocol of the GPRC service.
`OCIS_JWT_SECRET` `USERS_JWT_SECRET`	string		The secret to mint and validate jwt tokens.
`OCIS_REVA_GATEWAY`	string	com.owncloud.api.gateway	The CS3 gateway endpoint.
`OCIS_GRPC_CLIENT_TLS_MODE`	string		TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.
`OCIS_GRPC_CLIENT_TLS_CACERT`	string		Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.
`USERS_SKIP_USER_GROUPS_IN_TOKEN`	bool	false	Disables the loading of user’s group memberships from the reva access token.
`USERS_DRIVER`	string	ldap	The driver which should be used by the users service. Supported values are 'ldap' and 'owncloudsql'.
`OCIS_LDAP_URI` `USERS_LDAP_URI`	string	ldaps://localhost:9235	URI of the LDAP Server to connect to. Supported URI schemes are 'ldaps://' and 'ldap://'
`OCIS_LDAP_CACERT` `USERS_LDAP_CACERT`	string	/var/lib/ocis/idm/ldap.crt	Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the LDAP service. If not defined, the root directory derives from $OCIS_BASE_DATA_PATH:/idm.
`OCIS_LDAP_INSECURE` `USERS_LDAP_INSECURE`	bool	false	Disable TLS certificate validation for the LDAP connections. Do not set this in production environments.
`OCIS_LDAP_BIND_DN` `USERS_LDAP_BIND_DN`	string	uid=reva,ou=sysusers,o=libregraph-idm	LDAP DN to use for simple bind authentication with the target LDAP server.
`OCIS_LDAP_BIND_PASSWORD` `USERS_LDAP_BIND_PASSWORD`	string		Password to use for authenticating the 'bind_dn'.
`OCIS_LDAP_USER_BASE_DN` `USERS_LDAP_USER_BASE_DN`	string	ou=users,o=libregraph-idm	Search base DN for looking up LDAP users.
`OCIS_LDAP_GROUP_BASE_DN` `USERS_LDAP_GROUP_BASE_DN`	string	ou=groups,o=libregraph-idm	Search base DN for looking up LDAP groups.
`OCIS_LDAP_USER_SCOPE` `USERS_LDAP_USER_SCOPE`	string	sub	LDAP search scope to use when looking up users. Supported values are 'base', 'one' and 'sub'.
`OCIS_LDAP_GROUP_SCOPE` `USERS_LDAP_GROUP_SCOPE`	string	sub	LDAP search scope to use when looking up groups. Supported values are 'base', 'one' and 'sub'.
`LDAP_USER_SUBSTRING_FILTER_TYPE` `USERS_LDAP_USER_SUBSTRING_FILTER_TYPE`	string	any	Type of substring search filter to use for substring searches for users. Possible values: 'initial' for doing prefix only searches, 'final' for doing suffix only searches or 'any' for doing full substring searches
`OCIS_LDAP_USER_FILTER` `USERS_LDAP_USER_FILTER`	string		LDAP filter to add to the default filters for user search like '(objectclass=ownCloud)'.
`OCIS_LDAP_GROUP_FILTER` `USERS_LDAP_GROUP_FILTER`	string		LDAP filter to add to the default filters for group searches.
`OCIS_LDAP_USER_OBJECTCLASS` `USERS_LDAP_USER_OBJECTCLASS`	string	inetOrgPerson	The object class to use for users in the default user search filter like 'inetOrgPerson'.
`OCIS_LDAP_GROUP_OBJECTCLASS` `USERS_LDAP_GROUP_OBJECTCLASS`	string	groupOfNames	The object class to use for groups in the default group search filter like 'groupOfNames'.
`OCIS_URL` `OCIS_OIDC_ISSUER` `USERS_IDP_URL`	string	https://localhost:9200	The identity provider value to set in the userids of the CS3 user objects for users returned by this user provider.
`OCIS_LDAP_DISABLE_USER_MECHANISM` `USERS_LDAP_DISABLE_USER_MECHANISM`	string	attribute	An option to control the behavior for disabling users. Valid options are 'none', 'attribute' and 'group'. If set to 'group', disabling a user via API will add the user to the configured group for disabled users, if set to 'attribute' this will be done in the ldap user entry, if set to 'none' the disable request is not processed.
`OCIS_LDAP_USER_SCHEMA_USER_TYPE` `USERS_LDAP_USER_TYPE_ATTRIBUTE`	string	ownCloudUserType	LDAP Attribute to distinguish between 'Member' and 'Guest' users. Default is 'ownCloudUserType'.
`OCIS_LDAP_DISABLED_USERS_GROUP_DN` `USERS_LDAP_DISABLED_USERS_GROUP_DN`	string	cn=DisabledUsersGroup,ou=groups,o=libregraph-idm	The distinguished name of the group to which added users will be classified as disabled when 'disable_user_mechanism' is set to 'group'.
`OCIS_LDAP_USER_SCHEMA_ID` `USERS_LDAP_USER_SCHEMA_ID`	string	ownclouduuid	LDAP Attribute to use as the unique ID for users. This should be a stable globally unique ID like a UUID.
`OCIS_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING` `USERS_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING`	bool	false	Set this to true if the defined 'ID' attribute for users is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the user ID’s.
`OCIS_LDAP_USER_SCHEMA_MAIL` `USERS_LDAP_USER_SCHEMA_MAIL`	string	mail	LDAP Attribute to use for the email address of users.
`OCIS_LDAP_USER_SCHEMA_DISPLAYNAME` `USERS_LDAP_USER_SCHEMA_DISPLAYNAME`	string	displayname	LDAP Attribute to use for the displayname of users.
`OCIS_LDAP_USER_SCHEMA_USERNAME` `USERS_LDAP_USER_SCHEMA_USERNAME`	string	uid	LDAP Attribute to use for username of users.
`OCIS_LDAP_USER_ENABLED_ATTRIBUTE` `USERS_LDAP_USER_ENABLED_ATTRIBUTE`	string	ownCloudUserEnabled	LDAP attribute to use as a flag telling if the user is enabled or disabled.
`OCIS_LDAP_GROUP_SCHEMA_ID` `USERS_LDAP_GROUP_SCHEMA_ID`	string	ownclouduuid	LDAP Attribute to use as the unique ID for groups. This should be a stable globally unique ID like a UUID.
`OCIS_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING` `USERS_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING`	bool	false	Set this to true if the defined 'id' attribute for groups is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the group ID’s.
`OCIS_LDAP_GROUP_SCHEMA_MAIL` `USERS_LDAP_GROUP_SCHEMA_MAIL`	string	mail	LDAP Attribute to use for the email address of groups (can be empty).
`OCIS_LDAP_GROUP_SCHEMA_DISPLAYNAME` `USERS_LDAP_GROUP_SCHEMA_DISPLAYNAME`	string	cn	LDAP Attribute to use for the displayname of groups (often the same as groupname attribute).
`OCIS_LDAP_GROUP_SCHEMA_GROUPNAME` `USERS_LDAP_GROUP_SCHEMA_GROUPNAME`	string	cn	LDAP Attribute to use for the name of groups.
`OCIS_LDAP_GROUP_SCHEMA_MEMBER` `USERS_LDAP_GROUP_SCHEMA_MEMBER`	string	member	LDAP Attribute that is used for group members.
`USERS_OWNCLOUDSQL_DB_USERNAME`	string	owncloud	Database user to use for authenticating with the owncloud database.
`USERS_OWNCLOUDSQL_DB_PASSWORD`	string	secret	Password for the database user.
`USERS_OWNCLOUDSQL_DB_HOST`	string	mysql	Hostname of the database server.
`USERS_OWNCLOUDSQL_DB_PORT`	int	3306	Network port to use for the database connection.
`USERS_OWNCLOUDSQL_DB_NAME`	string	owncloud	Name of the owncloud database.
`USERS_OWNCLOUDSQL_IDP`	string	https://localhost:9200	The identity provider value to set in the userids of the CS3 user objects for users returned by this user provider.
`USERS_OWNCLOUDSQL_NOBODY`	int64	90	Fallback number if no numeric UID and GID properties are provided.
`USERS_OWNCLOUDSQL_JOIN_USERNAME`	bool	false	Join the user properties table to read usernames
`USERS_OWNCLOUDSQL_JOIN_OWNCLOUD_UUID`	bool	false	Join the user properties table to read user IDs.
`USERS_OWNCLOUDSQL_ENABLE_MEDIAL_SEARCH`	bool	false	Allow 'medial search' when searching for users instead of just doing a prefix search. This allows finding 'Alice' when searching for 'lic'.

YAML Example

Note that the filename shown below has been chosen on purpose.
See the Configuration File Naming for details when setting up your own configuration.
See the Notes for Environment Variables if you want to use environment variables in the yaml file.

master

# Autogenerated
# Filename: users-config-example.yaml

tracing:
  enabled: false
  type: ""
  endpoint: ""
  collector: ""
log:
  level: ""
  pretty: false
  color: false
  file: ""
debug:
  addr: 127.0.0.1:9145
  token: ""
  pprof: false
  zpages: false
grpc:
  addr: 127.0.0.1:9144
  tls: null
  protocol: tcp
token_manager:
  jwt_secret: ""
reva:
  address: com.owncloud.api.gateway
  tls:
    mode: ""
    cacert: ""
skip_user_groups_in_token: false
driver: ldap
drivers:
  ldap:
    uri: ldaps://localhost:9235
    ca_cert: /var/lib/ocis/idm/ldap.crt
    insecure: false
    bind_dn: uid=reva,ou=sysusers,o=libregraph-idm
    bind_password: ""
    user_base_dn: ou=users,o=libregraph-idm
    group_base_dn: ou=groups,o=libregraph-idm
    user_scope: sub
    group_scope: sub
    user_substring_filter_type: any
    user_filter: ""
    group_filter: ""
    user_object_class: inetOrgPerson
    group_object_class: groupOfNames
    idp: https://localhost:9200
    disable_user_mechanism: attribute
    user_type_attribute: ownCloudUserType
    ldap_disabled_users_group_dn: cn=DisabledUsersGroup,ou=groups,o=libregraph-idm
    user_schema:
      id: ownclouduuid
      id_is_octet_string: false
      mail: mail
      display_name: displayname
      user_name: uid
      user_enabled: ownCloudUserEnabled
    group_schema:
      id: ownclouduuid
      id_is_octet_string: false
      mail: mail
      display_name: cn
      group_name: cn
      member: member
  owncloudsql:
    db_username: owncloud
    db_password: secret
    db_host: mysql
    db_port: 3306
    db_name: owncloud
    idp: https://localhost:9200
    nobody: 90
    join_username: false
    join_owncloud_uuid: false
    enable_medial_search: false