Notice
The examples and use cases described here are intended to show the different ways SURF Research Access Management can be used and connected to applications. These examples and use cases are not always validated by SURF.
OwnCloud integratie met SRAM gebeurt via 2 lijnen:
- Provisioning van accounts vanuit SRAM naar OwnCloud user store
- Authenticatie van gebruikers via OIDC login bij SRAM
Een gebruiker kan authenticeren via OIDC maar de resulterende identiteit die door de OIDC login is vastgesteld, moet al wel een bestaande account zijn in de OwnCloud user store. Vandaar dat we de SRAM identiteiten via een CRON job synchroniseren.
Op een standaard OwnCloud installatie worden 2 optionele modules geactiveerd:
a) openidconnect
b) user_ldap
Configuratie
De configuratie van OwnCloud wordt geladen met deze settings:
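#!/usr/bin/env bash
# Enables the openidconnect and user_ldap apps and writes the SRAM LDAP
# backend settings into the 'default' user_ldap configuration via occ.
#
# Required environment: LDAP_HOSTNAME, LDAP_BASENAME, LDAP_USERNAME and
# LDAP_PASSWORD (presumably supplied by env/ldap.env in the compose setup).
# Fail early when one of them is unset or empty; otherwise an empty base DN
# or bind password would silently be written into the configuration.
: "${LDAP_HOSTNAME:?LDAP_HOSTNAME must be set}"
: "${LDAP_BASENAME:?LDAP_BASENAME must be set}"
: "${LDAP_USERNAME:?LDAP_USERNAME must be set}"
: "${LDAP_PASSWORD:?LDAP_PASSWORD must be set}"

occ app:enable openidconnect
occ app:enable user_ldap
occ ldap:create-empty-config 'default'
occ ldap:set-config 'default' 'ldapConfigurationActive' "1"
occ ldap:set-config 'default' 'ldapGroupFilterObjectclass' ""
# The bind password is passed as a command-line argument and is therefore
# visible to other local processes while this command runs.
occ ldap:set-config 'default' 'ldapAgentPassword' "${LDAP_PASSWORD}"
occ ldap:set-config 'default' 'ldapLoginFilterUsername' "1"
occ ldap:set-config 'default' 'ldapBaseUsers' "ou=People,${LDAP_BASENAME}"
occ ldap:set-config 'default' 'ldapUserFilterGroups' ""
occ ldap:set-config 'default' 'homeFolderNamingRule' ""
occ ldap:set-config 'default' 'ldapUuidUserAttribute' "auto"
occ ldap:set-config 'default' 'ldapNetworkTimeout' "2"
occ ldap:set-config 'default' 'ldapGroupFilterGroups' ""
occ ldap:set-config 'default' 'ldapDynamicGroupMemberURL' ""
occ ldap:set-config 'default' 'ldapLoginFilterEmail' "0"
occ ldap:set-config 'default' 'ldapNestedGroups' "0"
occ ldap:set-config 'default' 'lastJpegPhotoLookup' "0"
occ ldap:set-config 'default' 'ldapAttributesForGroupSearch' ""
occ ldap:set-config 'default' 'ldapUserFilter' "(|(objectclass=inetOrgPerson))"
occ ldap:set-config 'default' 'ldapBackupPort' ""
occ ldap:set-config 'default' 'ldapOverrideMainServer' ""
occ ldap:set-config 'default' 'ldapUserDisplayName' "displayname"
occ ldap:set-config 'default' 'ldapBaseGroups' "ou=Groups,${LDAP_BASENAME}"
occ ldap:set-config 'default' 'ldapAttributesForUserSearch' "uid"
# The literal strings "False" (here) and "None" (ldapIgnoreNamingRules) are
# written as-is; how user_ldap interprets them is not shown in this snippet.
occ ldap:set-config 'default' 'hasPagedResultSupport' "False"
occ ldap:set-config 'default' 'ldapAgentName' "${LDAP_USERNAME}"
occ ldap:set-config 'default' 'ldapGroupFilterMode' "0"
# 636 is the conventional LDAPS port and ldapTLS (StartTLS) is left empty,
# so LDAP_HOSTNAME is presumably expected to carry an ldaps:// scheme — verify.
occ ldap:set-config 'default' 'ldapPort' "636"
occ ldap:set-config 'default' 'ldapCacheTTL' "600"
occ ldap:set-config 'default' 'ldapExpertUUIDUserAttr' "entryuuid"
occ ldap:set-config 'default' 'ldapGroupFilter' "(&(|(objectclass=groupOfMembers)))"
occ ldap:set-config 'default' 'ldapLoginFilterMode' "0"
occ ldap:set-config 'default' 'ldapGroupDisplayName' "cn"
# The internal OwnCloud username is taken from the LDAP 'mail' attribute;
# the OIDC configuration matches on the 'email' claim, so both must agree.
occ ldap:set-config 'default' 'ldapExpertUsernameAttr' "mail"
occ ldap:set-config 'default' 'ldapIgnoreNamingRules' "None"
# NOTE(review): memberOf filter support is disabled while
# useMemberOfToDetectMembership is enabled below — confirm this is intended.
occ ldap:set-config 'default' 'hasMemberOfFilterSupport' "0"
occ ldap:set-config 'default' 'ldapLoginFilterAttributes' ""
occ ldap:set-config 'default' 'ldapBase' "${LDAP_BASENAME}"
occ ldap:set-config 'default' 'useMemberOfToDetectMembership' "1"
occ ldap:set-config 'default' 'ldapHost' "${LDAP_HOSTNAME}"
occ ldap:set-config 'default' 'ldapUserName' "samaccountname"
occ ldap:set-config 'default' 'ldapPagingSize' "500"
occ ldap:set-config 'default' 'ldapGroupMemberAssocAttr' "uniqueMember"
occ ldap:set-config 'default' 'ldapUserFilterMode' "0"
occ ldap:set-config 'default' 'ldapQuotaAttribute' ""
occ ldap:set-config 'default' 'ldapBackupHost' ""
occ ldap:set-config 'default' 'ldapQuotaDefault' ""
occ ldap:set-config 'default' 'ldapUserDisplayName2' ""
# Keep server certificate verification switched on ("0" = do not turn it off).
occ ldap:set-config 'default' 'turnOffCertCheck' "0"
occ ldap:set-config 'default' 'ldapUserFilterObjectclass' "inetOrgPerson"
occ ldap:set-config 'default' 'ldapEmailAttribute' "mail"
occ ldap:set-config 'default' 'ldapExperiencedAdmin' "1"
occ ldap:set-config 'default' 'ldapLoginFilter' "(&(|(objectclass=inetOrgPerson))(uid=%uid))"
occ ldap:set-config 'default' 'ldapExpertUUIDGroupAttr' ""
occ ldap:set-config 'default' 'ldapUuidGroupAttribute' "auto"
occ ldap:set-config 'default' 'ldapTLS' ""
# Presumably keeps the exit status at 0 for the calling entrypoint regardless
# of the last occ command's result.
true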
Provisioning
Het lezen van de SRAM LDAP gebeurt in de OwnCloud server middels een CRON job. Elke 5 minuten vindt synchronisatie plaats.
# Every 5 minutes: synchronise accounts from the LDAP user backend (SRAM) into
# the OwnCloud user store.
# -m disable: accounts no longer found in LDAP are disabled rather than removed
# (per the mode name; verify with `occ user:sync --help`). -r and -c are
# presumably the re-enable and show-count options — verify there as well.
# The log is truncated on every run (`>`), so only the last run is kept, and at
# -vvv it may contain account details: keep /var/log/sync.log readable by root only.
*/5 * * * * root occ user:sync 'OCA\User_LDAP\User_Proxy' -m disable -r -c -vvv > /var/log/sync.log 2>&1
Authenticatie
De OwnCloud openidconnect plugin wordt voorzien van noodzakelijke parameters om contact te kunnen leggen met SRAM:
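<?php
/**
 * OwnCloud configuration fragment for the SRAM OpenID Connect login.
 *
 * Values are read from the container environment with getenv(), which works
 * regardless of php.ini's variables_order; $_ENV is only populated when that
 * setting contains "E", so a $_ENV lookup can silently yield empty values.
 *
 * Expected environment: OIDC_PROVIDER, OIDC_CLIENT_ID, OIDC_CLIENT_SECRET,
 * OIDC_BUTTON_TEXT and OWNCLOUD_DOMAIN (presumably supplied by env/oidc.env).
 */
$CONFIG = [
    // Presumably needed so the session cookie survives the cross-site redirect
    // back from the provider. Browsers only accept SameSite=None cookies that
    // are also marked Secure, so this relies on the site being served over HTTPS.
    'http.cookie.samesite' => 'None',
    'openid-connect' => [
        'provider-url' => getenv('OIDC_PROVIDER'),
        'client-id' => getenv('OIDC_CLIENT_ID'),
        'client-secret' => getenv('OIDC_CLIENT_SECRET'),
        'loginButtonName' => getenv('OIDC_BUTTON_TEXT'),
        // Show a login button instead of redirecting to the provider at once.
        'autoRedirectOnLoginPage' => false,
        // Looks like the 'email' claim is matched against the OwnCloud user id;
        // the LDAP backend derives that id from the 'mail' attribute
        // (ldapExpertUsernameAttr), so both sides must agree — confirm.
        'search-attribute' => 'email',
        'mode' => 'userid',
        'scopes' => ['openid', 'email', 'uid'],
        'post_logout_redirect_uri' => 'https://' . getenv('OWNCLOUD_DOMAIN'),
        // Presumably validates tokens at the provider's introspection endpoint.
        'use-token-introspection-endpoint' => true,
        // Never create accounts from OIDC claims: an identity must already
        // exist in the user store (provisioned from SRAM via the LDAP sync).
        'auto-provision' => [
            'enabled' => false,
        ],
    ],
];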
Docker
De gehele functionaliteit van OwnCloud kan via docker containers als volgt worden gestart:
file docker-compose.yml:
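---
# docker-compose.yml: OwnCloud with MariaDB and Redis behind a Traefik proxy.
#
# Interpolated by Compose from the shell or a .env file:
#   OWNCLOUD_VERSION, DOMAIN, ADMIN_USERNAME, ADMIN_PASSWORD,
#   DB_PASSWORD and DB_ROOT_PASSWORD (the last two are constructed names;
#   when unset they fall back to the example value "owncloud").
# The LDAP and OIDC settings used by the occ/PHP snippets come from
# env/ldap.env and env/oidc.env.
#
# A trailing "---" after the last stanza would start a second (empty)
# document, which loaders expecting a single document may reject; it has
# been left out.
version: '2.1'

volumes:
  files:
    driver: local
  mysql:
    driver: local
  backup:
    driver: local
  redis:
    driver: local

services:
  owncloud:
    image: owncloud/server:${OWNCLOUD_VERSION}
    restart: always
    depends_on:
      - db
      - redis
    hostname: owncloud.${DOMAIN}
    container_name: owncloud
    environment:
      - OWNCLOUD_DOMAIN=owncloud.${DOMAIN}
      - OWNCLOUD_DB_TYPE=mysql
      - OWNCLOUD_DB_NAME=owncloud
      - OWNCLOUD_DB_USERNAME=owncloud
      # Must match MARIADB_PASSWORD on the db service.
      - OWNCLOUD_DB_PASSWORD=${DB_PASSWORD:-owncloud}
      - OWNCLOUD_DB_HOST=db
      - OWNCLOUD_ADMIN_USERNAME=${ADMIN_USERNAME}
      - OWNCLOUD_ADMIN_PASSWORD=${ADMIN_PASSWORD}
      - OWNCLOUD_MYSQL_UTF8MB4=true
      - OWNCLOUD_REDIS_ENABLED=true
      - OWNCLOUD_REDIS_HOST=redis
      # Required for the SRAM sync job mounted at /etc/cron.d/sram to run.
      - OWNCLOUD_CROND_ENABLED=true
    env_file:
      - env/ldap.env
      - env/oidc.env
    healthcheck:
      test: ["CMD", "/usr/bin/healthcheck"]
      interval: 30s
      timeout: 10s
      retries: 5
    networks:
      - internal
      - external
    volumes:
      - files:/mnt/data
      - ./app/openidconnect:/var/www/owncloud/apps/openidconnect:ro
      # The three files below are only read by the container; they could be
      # mounted :ro as well once it is verified that the entrypoint does not
      # chown/chmod them.
      - ./etc/oidc.config.php.sram:/mnt/data/config/oidc.config.php
      - ./etc/init.sh:/etc/owncloud.d/60-sram.sh
      - ./etc/cron:/etc/cron.d/sram
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.owncloud.rule=Host(`owncloud.${DOMAIN}`)"
      - "traefik.http.routers.owncloud.tls=true"
      - "traefik.http.routers.owncloud.tls.certresolver=le"
      - "traefik.http.routers.owncloud.entrypoints=https"
      - "traefik.http.routers.owncloud.service=owncloud"
      - "traefik.http.services.owncloud.loadbalancer.server.port=8080"

  db:
    # NOTE(review): an unpinned :latest tag is not reproducible; pin a version.
    image: webhippie/mariadb:latest
    restart: always
    environment:
      - MARIADB_ROOT_PASSWORD=${DB_ROOT_PASSWORD:-owncloud}
      - MARIADB_USERNAME=owncloud
      # Must match OWNCLOUD_DB_PASSWORD on the owncloud service.
      - MARIADB_PASSWORD=${DB_PASSWORD:-owncloud}
      - MARIADB_DATABASE=owncloud
      - MARIADB_MAX_ALLOWED_PACKET=128M
      - MARIADB_INNODB_LOG_FILE_SIZE=64M
    healthcheck:
      test: ["CMD", "/usr/bin/healthcheck"]
      interval: 30s
      timeout: 10s
      retries: 5
    # Only reachable from the internal network; not exposed via the proxy.
    networks:
      - internal
    volumes:
      - mysql:/var/lib/mysql
      - backup:/var/lib/backup

  redis:
    # NOTE(review): an unpinned :latest tag is not reproducible; pin a version.
    image: webhippie/redis:latest
    restart: always
    environment:
      - REDIS_DATABASES=1
    healthcheck:
      test: ["CMD", "/usr/bin/healthcheck"]
      interval: 30s
      timeout: 10s
      retries: 5
    networks:
      - internal
    volumes:
      - redis:/var/lib/redis

# Both networks are pre-existing (external) Docker networks.
networks:
  internal:
    external:
      name: localnet
  external:
    external:
      name: proxy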