Merge pull request #25 from opencloud-eu/add-ldap-keycloak

feat: add keycloak ldap shared directory

.env.example

@@ -20,6 +20,8 @@ INSECURE=true
 # DNS entries and certificates need to be managed by the external environment.
 # The domain names need to be entered into the .env file.
 #COMPOSE_FILE=docker-compose.yml:docker-compose.collabora.yml:external-proxy/opencloud.yml:external-proxy/collabora.yml
+# Keycloak Shared User Directory
+#COMPOSE_FILE=docker-compose.yml:docker-compose.collabora.yml:traefik/opencloud.yml:traefik/collabora.yml:idm/ldap-keycloak.yml:traefik/ldap-keycloak.yml
 
 ## Traefik Settings ##
 # Note: Traefik is always enabled and can't be disabled.
@@ -137,8 +139,6 @@ START_ADDITIONAL_SERVICES="notifications"
 
 ### Apache Tika Content Analysis Toolkit ###
 # Tika (search) is disabled by default due to performance reasons.
-# Note: the leading colon is required to enable the service.
-#TIKA=:tika.yml
 # Set the desired docker image tag or digest.
 # Defaults to "latest"
 TIKA_IMAGE=
@@ -171,17 +171,6 @@ COLLABORA_SSL_ENABLE=false
 COLLABORA_SSL_VERIFICATION=false
 
 
-## Supplemental Configurations ##
-# If you want to use supplemental configurations,
-# you need to uncomment lines containing :path/file.yml
-# and configure the service as required.
-
-
-### Debugging - Monitoring ###
-# Note: the leading colon is required to enable the service.
-#MONITORING=:monitoring_tracing/monitoring.yml
-
-
 ### Virusscanner Settings ###
 # IMPORTANT: If you enable antivirus, you also MUST configure the START_ADDITIONAL_SERVICES
 # envvar in the OpenCloud Settings above by adding 'antivirus' to the list.
@@ -208,3 +197,48 @@ INBUCKET_DOMAIN=
 ### Compose Configuration ###
 # Path separator for supplemental compose files specified in COMPOSE_FILE.
 COMPOSE_PATH_SEPARATOR=:
+
+### Ldap Settings ###
+# LDAP is always needed for OpenCloud to store user data as there is no relational database.
+# The built-in LDAP server should used for testing purposes or small installations only.
+# For production installations, it is recommended to use an external LDAP server.
+# We are using OpenLDAP as the default LDAP server because it is proven to be stable and reliable.
+# This LDAP configuration is known to work with OpenCloud and provides a blueprint for
+# configuring an external LDAP server based on other products like Microsoft Active Directory or other LDAP servers.
+#
+# Password of LDAP bind user "cn=admin,dc=opencloud,dc=eu". Defaults to "admin"
+LDAP_BIND_PASSWORD=
+# The LDAP server also creates an openCloud admin user dn: uid=admin,ou=users,dc=opencloud,dc=eu
+# The initial password for this user is "admin"
+# NOTE: This password can only be set once, if you want to change it later, you have to use the OpenCloud User Settings UI.
+# If you changed the password and lost it, you need to execute the following LDAP query to reset it:
+# enter the ldap-server container with `docker compose exec ldap-server sh`
+# and run the following command to change the password:
+# ldappasswd -H ldap://127.0.0.1:1389 -D "cn=admin,dc=opencloud,dc=eu" -W "uid=admin,ou=users,dc=opencloud,dc=eu"
+# You will be prompted for the LDAP bind password.
+# The output should provide you a new password for the admin user.
+
+
+### Keycloak Settings ###
+# Keycloak is an open-source identity and access management solution.
+# We are using Keycloak as the default identity provider on production installations.
+# It can be used to federate authentication with other identity providers like
+# Microsoft Entra ID, ADFS or other SAML/OIDC providers.
+# The use of Keycloak as bridge between OpenCloud and other identity providers creates more control over the
+# authentication process, the allowed clients and the session management.
+# Keycloak also manages the Role Based Access Control (RBAC) for OpenCloud.
+# Keycloak can be used in two different modes:
+# 1. Autoprovisioning: New are automatically created in openCloud when they log in for the first time.
+# 2. Shared User Directory: Users are created in Keycloak and can be used in OpenCloud immediately
+# because the LDAP server is connected to both Keycloak and OpenCloud.
+
+# Domain for Keycloak. Defaults to "keycloak.opencloud.test".
+KEYCLOAK_DOMAIN=
+# Admin user login name. Defaults to "kcadmin"
+KEYCLOAK_ADMIN=
+# Admin user login password. Defaults to "admin"
+KEYCLOAK_ADMIN_PASSWORD=
+# Keycloak Database username. Defaults to "keycloak"
+KC_DB_USERNAME=
+# Keycloak Database password. Defaults to "keycloak"
+KC_DB_PASSWORD=

README.md

@@ -9,6 +9,7 @@ OpenCloud Compose offers a modular approach to deploying OpenCloud with several
 - **Standard deployment** with Traefik reverse proxy and Let's Encrypt certificates
 - **External proxy** support for environments with existing reverse proxies (like Nginx, Caddy, etc.)
 - **Collabora Online** integration for document editing
+- **Keycloak and LDAP** integration for centralized identity management
 
 ## Quick Start Guide
 
@@ -54,6 +55,7 @@ OpenCloud Compose offers a modular approach to deploying OpenCloud with several
    ```
    127.0.0.1 cloud.opencloud.test
    127.0.0.1 traefik.opencloud.test
+   127.0.0.1 keycloak.opencloud.test
    ```
 
 5. **Access OpenCloud**:
@@ -81,6 +83,30 @@ OpenCloud Compose offers a modular approach to deploying OpenCloud with several
 
 ## Deployment Options
 
+### With Keycloak and LDAP using a Shared User Directory
+
+OpenCloud can be deployed with Keycloak for identity management and LDAP for the shared user directory:
+
+Using `-f` flags:
+```bash
+docker compose -f docker-compose.yml -f idm/ldap-keycloak.yml -f traefik/opencloud.yml -f traefik/ldap-keycloak.yml up -d
+```
+
+Or by setting in `.env`:
+```
+COMPOSE_FILE=docker-compose.yml:idm/ldap-keycloak.yml:traefik/opencloud.yml:traefik/ldap-keycloak.yml
+```
+
+Add to `/etc/hosts` for local development:
+```
+127.0.0.1 keycloak.opencloud.test
+```
+
+This setup includes:
+- Keycloak for authentication and identity management
+- Shared LDAP server as a user directory with demo users and groups
+- Integration with Keycloak using OpenCloud clients (`web`, `OpenCloudDesktop`, `OpenCloudAndroid`, `OpenCloudIOS`)
+
 ### With Collabora Online
 
 Include Collabora for document editing using either method:
@@ -139,7 +165,7 @@ The configuration is managed through environment variables in the `.env` file:
 Key variables:
 
 | Variable                  | Description                                  | Default                   |
-|----------|-------------|---------|
+|---------------------------|----------------------------------------------|---------------------------|
 | `COMPOSE_FILE`            | Colon-separated list of compose files to use | (commented out)           |
 | `OC_DOMAIN`               | OpenCloud domain                             | cloud.opencloud.test      |
 | `OC_DOCKER_TAG`           | OpenCloud image tag                          | latest                    |
@@ -149,6 +175,12 @@ Key variables:
 | `INSECURE`                | Skip certificate validation                  | true                      |
 | `COLLABORA_DOMAIN`        | Collabora domain                             | collabora.opencloud.test  |
 | `WOPISERVER_DOMAIN`       | WOPI server domain                           | wopiserver.opencloud.test |
+| `KEYCLOAK_DOMAIN`         | Keycloak domain                              | keycloak.opencloud.test   |
+| `KEYCLOAK_ADMIN`          | Keycloak admin username                      | kcadmin                   |
+| `KEYCLOAK_ADMIN_PASSWORD` | Keycloak admin password                      | admin                     |
+| `LDAP_BIND_PASSWORD`      | LDAP password for the bind user              | admin                     |
+| `KC_DB_USERNAME`          | Database user for keycloak                   | keycloak                  |
+| `KC_DB_PASSWORD`          | Database password for keycloak               | keycloak                  |
 
 See `.env.example` for all available options and their documentation.
 
@@ -173,9 +205,10 @@ This repository uses a modular approach with multiple compose files:
 
 - `docker-compose.yml` - Core OpenCloud service
 - `docker-compose.collabora.yml` - Collabora Online integration
+- `idm/` - Identity management configurations (Keycloak & LDAP)
 - `traefik/` - Traefik reverse proxy configurations
 - `external-proxy/` - Configuration for external reverse proxies
-- `config/` - Configuration files for OpenCloud
+- `config/` - Configuration files for OpenCloud, Keycloak, and LDAP
 
 ## Advanced Usage
 
@@ -188,11 +221,23 @@ The `COMPOSE_FILE` environment variable is a powerful way to manage complex Dock
 - It allows you to run just `docker compose up -d` without specifying `-f` flags
 - Perfect for automation, CI/CD pipelines, and consistent deployments
 
-Example configuration for production with Collabora:
+Example configurations:
+
+Production with Collabora:
 ```
 COMPOSE_FILE=docker-compose.yml:docker-compose.collabora.yml:traefik/opencloud.yml:traefik/collabora.yml
 ```
 
+Production with Keycloak and LDAP:
+```
+COMPOSE_FILE=docker-compose.yml:idm/ldap-keycloak.yml:traefik/opencloud.yml:traefik/ldap-keycloak.yml
+```
+
+Production with both Collabora and Keycloak/LDAP:
+```
+COMPOSE_FILE=docker-compose.yml:docker-compose.collabora.yml:idm/ldap-keycloak.yml:traefik/opencloud.yml:traefik/collabora.yml:traefik/ldap-keycloak.yml
+```
+
 ### Automation and GitOps
 
 For automated deployments, using the `COMPOSE_FILE` variable in `.env` is recommended:

config/keycloak/clients/OpenCloudAndroid.json

@@ -0,0 +1,63 @@
+{
+  "clientId": "OpenCloudAndroid",
+  "name": "OpenCloud Android App",
+  "surrogateAuthRequired": false,
+  "enabled": true,
+  "alwaysDisplayInConsole": false,
+  "clientAuthenticatorType": "client-secret",
+  "redirectUris": [
+    "oc://android.opencloud.eu"
+  ],
+  "webOrigins": [],
+  "notBefore": 0,
+  "bearerOnly": false,
+  "consentRequired": false,
+  "standardFlowEnabled": true,
+  "implicitFlowEnabled": false,
+  "directAccessGrantsEnabled": true,
+  "serviceAccountsEnabled": false,
+  "publicClient": true,
+  "frontchannelLogout": false,
+  "protocol": "openid-connect",
+  "attributes": {
+    "saml.assertion.signature": "false",
+    "saml.force.post.binding": "false",
+    "saml.multivalued.roles": "false",
+    "saml.encrypt": "false",
+    "post.logout.redirect.uris": "oc://android.opencloud.eu",
+    "backchannel.logout.revoke.offline.tokens": "false",
+    "saml.server.signature": "false",
+    "saml.server.signature.keyinfo.ext": "false",
+    "exclude.session.state.from.auth.response": "false",
+    "backchannel.logout.session.required": "true",
+    "client_credentials.use_refresh_token": "false",
+    "saml_force_name_id_format": "false",
+    "saml.client.signature": "false",
+    "tls.client.certificate.bound.access.tokens": "false",
+    "saml.authnstatement": "false",
+    "display.on.consent.screen": "false",
+    "saml.onetimeuse.condition": "false"
+  },
+  "authenticationFlowBindingOverrides": {},
+  "fullScopeAllowed": true,
+  "nodeReRegistrationTimeout": -1,
+  "defaultClientScopes": [
+    "web-origins",
+    "profile",
+    "roles",
+    "groups",
+    "basic",
+    "email"
+  ],
+  "optionalClientScopes": [
+    "address",
+    "phone",
+    "offline_access",
+    "microprofile-jwt"
+  ],
+  "access": {
+    "view": true,
+    "configure": true,
+    "manage": true
+  }
+}

config/keycloak/clients/OpenCloudDesktop.json

@@ -0,0 +1,64 @@
+{
+  "clientId": "OpenCloudDesktop",
+  "name": "OpenCloud Desktop Client",
+  "surrogateAuthRequired": false,
+  "enabled": true,
+  "alwaysDisplayInConsole": false,
+  "clientAuthenticatorType": "client-secret",
+  "redirectUris": [
+    "http://127.0.0.1",
+    "http://localhost"
+  ],
+  "webOrigins": [],
+  "notBefore": 0,
+  "bearerOnly": false,
+  "consentRequired": false,
+  "standardFlowEnabled": true,
+  "implicitFlowEnabled": false,
+  "directAccessGrantsEnabled": true,
+  "serviceAccountsEnabled": false,
+  "publicClient": true,
+  "frontchannelLogout": false,
+  "protocol": "openid-connect",
+  "attributes": {
+    "saml.assertion.signature": "false",
+    "saml.force.post.binding": "false",
+    "saml.multivalued.roles": "false",
+    "saml.encrypt": "false",
+    "post.logout.redirect.uris": "+",
+    "backchannel.logout.revoke.offline.tokens": "false",
+    "saml.server.signature": "false",
+    "saml.server.signature.keyinfo.ext": "false",
+    "exclude.session.state.from.auth.response": "false",
+    "backchannel.logout.session.required": "true",
+    "client_credentials.use_refresh_token": "false",
+    "saml_force_name_id_format": "false",
+    "saml.client.signature": "false",
+    "tls.client.certificate.bound.access.tokens": "false",
+    "saml.authnstatement": "false",
+    "display.on.consent.screen": "false",
+    "saml.onetimeuse.condition": "false"
+  },
+  "authenticationFlowBindingOverrides": {},
+  "fullScopeAllowed": true,
+  "nodeReRegistrationTimeout": -1,
+  "defaultClientScopes": [
+    "web-origins",
+    "profile",
+    "roles",
+    "groups",
+    "basic",
+    "email"
+  ],
+  "optionalClientScopes": [
+    "address",
+    "phone",
+    "offline_access",
+    "microprofile-jwt"
+  ],
+  "access": {
+    "view": true,
+    "configure": true,
+    "manage": true
+  }
+}

config/keycloak/clients/OpenCloudIOS.json

@@ -0,0 +1,63 @@
+{
+  "clientId": "OpenCloudIOS",
+  "name": "OpenCloud iOS App",
+  "surrogateAuthRequired": false,
+  "enabled": true,
+  "alwaysDisplayInConsole": false,
+  "clientAuthenticatorType": "client-secret",
+  "redirectUris": [
+    "oc://ios.opencloud.eu"
+  ],
+  "webOrigins": [],
+  "notBefore": 0,
+  "bearerOnly": false,
+  "consentRequired": false,
+  "standardFlowEnabled": true,
+  "implicitFlowEnabled": false,
+  "directAccessGrantsEnabled": true,
+  "serviceAccountsEnabled": false,
+  "publicClient": true,
+  "frontchannelLogout": false,
+  "protocol": "openid-connect",
+  "attributes": {
+    "saml.assertion.signature": "false",
+    "saml.force.post.binding": "false",
+    "saml.multivalued.roles": "false",
+    "saml.encrypt": "false",
+    "post.logout.redirect.uris": "oc://ios.opencloud.eu",
+    "backchannel.logout.revoke.offline.tokens": "false",
+    "saml.server.signature": "false",
+    "saml.server.signature.keyinfo.ext": "false",
+    "exclude.session.state.from.auth.response": "false",
+    "backchannel.logout.session.required": "true",
+    "client_credentials.use_refresh_token": "false",
+    "saml_force_name_id_format": "false",
+    "saml.client.signature": "false",
+    "tls.client.certificate.bound.access.tokens": "false",
+    "saml.authnstatement": "false",
+    "display.on.consent.screen": "false",
+    "saml.onetimeuse.condition": "false"
+  },
+  "authenticationFlowBindingOverrides": {},
+  "fullScopeAllowed": true,
+  "nodeReRegistrationTimeout": -1,
+  "defaultClientScopes": [
+    "web-origins",
+    "profile",
+    "roles",
+    "groups",
+    "basic",
+    "email"
+  ],
+  "optionalClientScopes": [
+    "address",
+    "phone",
+    "offline_access",
+    "microprofile-jwt"
+  ],
+  "access": {
+    "view": true,
+    "configure": true,
+    "manage": true
+  }
+}

config/keycloak/clients/cyberduck.json

@@ -0,0 +1,66 @@
+{
+  "clientId": "Cyberduck",
+  "name": "Cyberduck",
+  "description": "File transfer utility client",
+  "surrogateAuthRequired": false,
+  "enabled": true,
+  "alwaysDisplayInConsole": false,
+  "clientAuthenticatorType": "client-secret",
+  "redirectUris": [
+    "x-cyberduck-action:oauth",
+    "x-mountainduck-action:oauth"
+  ],
+  "webOrigins": [],
+  "notBefore": 0,
+  "bearerOnly": false,
+  "consentRequired": false,
+  "standardFlowEnabled": true,
+  "implicitFlowEnabled": false,
+  "directAccessGrantsEnabled": true,
+  "serviceAccountsEnabled": false,
+  "publicClient": true,
+  "frontchannelLogout": false,
+  "protocol": "openid-connect",
+  "attributes": {
+    "saml.assertion.signature": "false",
+    "saml.force.post.binding": "false",
+    "saml.multivalued.roles": "false",
+    "saml.encrypt": "false",
+    "oauth2.device.authorization.grant.enabled": "false",
+    "backchannel.logout.revoke.offline.tokens": "false",
+    "saml.server.signature": "false",
+    "saml.server.signature.keyinfo.ext": "false",
+    "exclude.session.state.from.auth.response": "false",
+    "oidc.ciba.grant.enabled": "false",
+    "backchannel.logout.session.required": "true",
+    "client_credentials.use_refresh_token": "false",
+    "saml_force_name_id_format": "false",
+    "saml.client.signature": "false",
+    "tls.client.certificate.bound.access.tokens": "false",
+    "saml.authnstatement": "false",
+    "display.on.consent.screen": "false",
+    "saml.onetimeuse.condition": "false"
+  },
+  "authenticationFlowBindingOverrides": {},
+  "fullScopeAllowed": true,
+  "nodeReRegistrationTimeout": -1,
+  "defaultClientScopes": [
+    "web-origins",
+    "profile",
+    "roles",
+    "groups",
+    "basic",
+    "email"
+  ],
+  "optionalClientScopes": [
+    "address",
+    "phone",
+    "offline_access",
+    "microprofile-jwt"
+  ],
+  "access": {
+    "view": true,
+    "configure": true,
+    "manage": true
+  }
+}

config/keycloak/clients/web.json

@@ -0,0 +1,74 @@
+{
+  "clientId": "web",
+  "name": "OpenCloud Web App",
+  "description": "",
+  "rootUrl": "{{OC_URL}}",
+  "adminUrl": "{{OC_URL}}",
+  "baseUrl": "",
+  "surrogateAuthRequired": false,
+  "enabled": true,
+  "alwaysDisplayInConsole": false,
+  "clientAuthenticatorType": "client-secret",
+  "redirectUris": [
+    "{{OC_URL}}/",
+    "{{OC_URL}}/oidc-callback.html",
+    "{{OC_URL}}/oidc-silent-redirect.html"
+  ],
+  "webOrigins": [
+    "{{OC_URL}}"
+  ],
+  "notBefore": 0,
+  "bearerOnly": false,
+  "consentRequired": false,
+  "standardFlowEnabled": true,
+  "implicitFlowEnabled": false,
+  "directAccessGrantsEnabled": true,
+  "serviceAccountsEnabled": false,
+  "publicClient": true,
+  "frontchannelLogout": false,
+  "protocol": "openid-connect",
+  "attributes": {
+    "saml.assertion.signature": "false",
+    "saml.force.post.binding": "false",
+    "saml.multivalued.roles": "false",
+    "saml.encrypt": "false",
+    "post.logout.redirect.uris": "+",
+    "oauth2.device.authorization.grant.enabled": "false",
+    "backchannel.logout.revoke.offline.tokens": "false",
+    "saml.server.signature": "false",
+    "saml.server.signature.keyinfo.ext": "false",
+    "exclude.session.state.from.auth.response": "false",
+    "oidc.ciba.grant.enabled": "false",
+    "backchannel.logout.url": "{{OC_URL}}/backchannel_logout",
+    "backchannel.logout.session.required": "true",
+    "client_credentials.use_refresh_token": "false",
+    "saml_force_name_id_format": "false",
+    "saml.client.signature": "false",
+    "tls.client.certificate.bound.access.tokens": "false",
+    "saml.authnstatement": "false",
+    "display.on.consent.screen": "false",
+    "saml.onetimeuse.condition": "false"
+  },
+  "authenticationFlowBindingOverrides": {},
+  "fullScopeAllowed": true,
+  "nodeReRegistrationTimeout": -1,
+  "defaultClientScopes": [
+    "web-origins",
+    "profile",
+    "roles",
+    "groups",
+    "basic",
+    "email"
+  ],
+  "optionalClientScopes": [
+    "address",
+    "phone",
+    "offline_access",
+    "microprofile-jwt"
+  ],
+  "access": {
+    "view": true,
+    "configure": true,
+    "manage": true
+  }
+}

config/keycloak/docker-entrypoint-override.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+printenv
+# replace openCloud domain and LDAP password in keycloak realm import
+mkdir /opt/keycloak/data/import
+sed -e "s/cloud.opencloud.test/${OC_DOMAIN}/g" -e "s/ldap-admin-password/${LDAP_ADMIN_PASSWORD:-admin}/g" /opt/keycloak/data/import-dist/opencloud-realm.json > /opt/keycloak/data/import/opencloud-realm.json
+
+# run original docker-entrypoint
+/opt/keycloak/bin/kc.sh "$@"

config/ldap/docker-entrypoint-override.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+echo "Running custom LDAP entrypoint script..."
+
+if [ ! -f /opt/bitnami/openldap/share/openldap.key ]
+then	
+	openssl req -x509 -newkey rsa:4096 -keyout /opt/bitnami/openldap/share/openldap.key -out /opt/bitnami/openldap/share/openldap.crt -sha256 -days 365 -batch -nodes
+fi
+# run original docker-entrypoint
+/opt/bitnami/scripts/openldap/entrypoint.sh "$@"

config/ldap/ldif/10_base.ldif

@@ -0,0 +1,24 @@
+dn: dc=opencloud,dc=eu
+objectClass: organization
+objectClass: dcObject
+dc: opencloud
+o: openCloud
+
+dn: ou=users,dc=opencloud,dc=eu
+objectClass: organizationalUnit
+ou: users
+
+dn: cn=admin,dc=opencloud,dc=eu
+objectClass: inetOrgPerson
+objectClass: person
+cn: admin
+sn: admin
+uid: ldapadmin
+
+dn: ou=groups,dc=opencloud,dc=eu
+objectClass: organizationalUnit
+ou: groups
+
+dn: ou=custom,ou=groups,dc=opencloud,dc=eu
+objectClass: organizationalUnit
+ou: custom

config/ldap/ldif/20_admin.ldif

@@ -0,0 +1,20 @@
+dn: uid=admin,ou=users,dc=opencloud,dc=eu
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+objectClass: top
+uid: admin
+givenName: Admin
+sn: Admin
+cn: admin
+displayName: Admin
+description: An admin for this OpenCloud instance.
+mail: admin@example.org
+userPassword:: e1NTSEF9UWhmaFB3dERydTUydURoWFFObDRMbzVIckI3TkI5Nmo==
+
+dn: cn=administrators,ou=groups,dc=opencloud,dc=eu
+objectClass: groupOfNames
+objectClass: top
+cn: administrators
+description: OpenCloud Administrators
+member: uid=admin,ou=users,dc=opencloud,dc=eu

config/ldap/ldif/30_demo_users.ldif

@@ -0,0 +1,70 @@
+# Start dn with uid (user identifier / login), not cn (Firstname + Surname)
+dn: uid=alan,ou=users,dc=opencloud,dc=eu
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+objectClass: top
+uid: alan
+givenName: Alan
+sn: Turing
+cn: alan
+displayName: Alan Turing
+description:  An English mathematician, computer scientist, logician, cryptanalyst, philosopher and theoretical biologist. He was highly influential in the development of theoretical computer science, providing a formalisation of the concepts of algorithm and computation with the Turing machine.
+mail: alan@example.org
+userPassword:: e1NTSEF9Y2ZMdVlqMTBDUFpLWE44VC9mQ0FzYnFHQmtyZExJeGg=
+
+dn: uid=lynn,ou=users,dc=opencloud,dc=eu
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+objectClass: top
+uid: lynn
+givenName: Lynn
+sn: Conway
+cn: lynn
+displayName: Lynn Conway
+description:  An American computer scientist, electrical engineer, and transgender activist.
+mail: lynn@example.org
+userPassword:: e1NTSEF9Y2ZMdVlqMTBDUFpLWE44VC9mQ0FzYnFHQmtyZExJeGg=
+
+dn: uid=mary,ou=users,dc=opencloud,dc=eu
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+objectClass: top
+uid: mary
+givenName: Mary
+sn: Kenneth Keller
+cn: mary
+displayName: Mary Kenneth Keller
+description: Mary Kenneth Keller of the Sisters of Charity of the Blessed Virgin Mary was a pioneer in computer science.
+mail: mary@example.org
+userPassword:: e1NTSEF9Y2ZMdVlqMTBDUFpLWE44VC9mQ0FzYnFHQmtyZExJeGg=
+
+dn: uid=margaret,ou=users,dc=opencloud,dc=eu
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+objectClass: top
+uid: margaret
+givenName: Margaret
+sn: Hamilton
+cn: margaret
+displayName: Margaret Hamilton
+description: A director of the Software Engineering Division of the MIT Instrumentation Laboratory, which developed on-board flight software for NASA's Apollo program.
+mail: margaret@example.org
+userPassword:: e1NTSEF9Y2ZMdVlqMTBDUFpLWE44VC9mQ0FzYnFHQmtyZExJeGg=
+
+dn: uid=dennis,ou=users,dc=opencloud,dc=eu
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+objectClass: top
+uid: dennis
+givenName: Dennis
+sn: Ritchie
+cn: dennis
+displayName: Dennis Ritchie
+description: American computer scientist. He created the C programming language and the Unix operating system and B language with long-time colleague Ken Thompson.
+mail: dennis@example.org
+userPassword:: e1NTSEF9Y2ZMdVlqMTBDUFpLWE44VC9mQ0FzYnFHQmtyZExJeGg=

config/ldap/ldif/40_demo_groups.ldif

@@ -0,0 +1,70 @@
+dn: cn=users,ou=groups,dc=opencloud,dc=eu
+objectClass: groupOfNames
+objectClass: top
+cn: users
+description: Users
+member: uid=alan,ou=users,dc=opencloud,dc=eu
+member: uid=mary,ou=users,dc=opencloud,dc=eu
+member: uid=margaret,ou=users,dc=opencloud,dc=eu
+member: uid=dennis,ou=users,dc=opencloud,dc=eu
+member: uid=lynn,ou=users,dc=opencloud,dc=eu
+member: uid=admin,ou=users,dc=opencloud,dc=eu
+
+dn: cn=chess-lovers,ou=groups,dc=opencloud,dc=eu
+objectClass: groupOfNames
+objectClass: top
+cn: chess-lovers
+description: Chess lovers
+member: uid=alan,ou=users,dc=opencloud,dc=eu
+
+dn: cn=machine-lovers,ou=groups,dc=opencloud,dc=eu
+objectClass: groupOfNames
+objectClass: top
+cn: machine-lovers
+description: Machine Lovers
+member: uid=alan,ou=users,dc=opencloud,dc=eu
+
+dn: cn=bible-readers,ou=groups,dc=opencloud,dc=eu
+objectClass: groupOfNames
+objectClass: top
+cn: bible-readers
+description: Bible readers
+member: uid=mary,ou=users,dc=opencloud,dc=eu
+
+dn: cn=apollos,ou=groups,dc=opencloud,dc=eu
+objectClass: groupOfNames
+objectClass: top
+cn: apollos
+description: Contributors to the Apollo mission
+member: uid=margaret,ou=users,dc=opencloud,dc=eu
+
+dn: cn=unix-lovers,ou=groups,dc=opencloud,dc=eu
+objectClass: groupOfNames
+objectClass: top
+cn: unix-lovers
+description: Unix lovers
+member: uid=dennis,ou=users,dc=opencloud,dc=eu
+
+dn: cn=basic-haters,ou=groups,dc=opencloud,dc=eu
+objectClass: groupOfNames
+objectClass: top
+cn: basic-haters
+description: Haters of the Basic programming language
+member: uid=dennis,ou=users,dc=opencloud,dc=eu
+
+dn: cn=vlsi-lovers,ou=groups,dc=opencloud,dc=eu
+objectClass: groupOfNames
+objectClass: top
+cn: vlsi-lovers
+description: Lovers of VLSI microchip design
+member: uid=lynn,ou=users,dc=opencloud,dc=eu
+
+dn: cn=programmers,ou=groups,dc=opencloud,dc=eu
+objectClass: groupOfNames
+objectClass: top
+cn: programmers
+description: Computer Programmers
+member: uid=alan,ou=users,dc=opencloud,dc=eu
+member: uid=margaret,ou=users,dc=opencloud,dc=eu
+member: uid=dennis,ou=users,dc=opencloud,dc=eu
+member: uid=lynn,ou=users,dc=opencloud,dc=eu

config/opencloud/csp.yaml

@@ -7,7 +7,7 @@ directives:
     - 'https://${COMPANION_DOMAIN|companion.opencloud.test}/'
     - 'wss://${COMPANION_DOMAIN|companion.opencloud.test}/'
     - 'https://raw.githubusercontent.com/opencloud-eu/awesome-apps/'
-    - 'https://${KEYCLOAK_DOMAIN|keycloak.opencloud.test}/'
+    - 'https://${IDP_DOMAIN|keycloak.opencloud.test}/'
   default-src:
     - '''none'''
   font-src:

docker-compose.decomposeds3.yml

@@ -12,3 +12,4 @@ services:
       STORAGE_USERS_DECOMPOSEDS3_ACCESS_KEY: ${DECOMPOSEDS3_ACCESS_KEY:-opencloud}
       STORAGE_USERS_DECOMPOSEDS3_SECRET_KEY: ${DECOMPOSEDS3_SECRET_KEY:-opencloud-secret-key}
       STORAGE_USERS_DECOMPOSEDS3_BUCKET: ${DECOMPOSEDS3_BUCKET:-opencloud-bucket}
+      STORAGE_USERS_EVENTS_NUM_CONSUMERS: ${DECOMPOSEDS3_EVENTS_NUM_CONSUMERS:-5}

idm/ldap-keycloak.yml

@@ -0,0 +1,110 @@
+---
+services:
+  opencloud:
+    environment:
+      # Ldap IDP specific configuration
+      OC_LDAP_URI: ldaps://ldap-server:1636
+      OC_LDAP_INSECURE: "true"
+      OC_LDAP_BIND_DN: "cn=admin,dc=opencloud,dc=eu"
+      OC_LDAP_BIND_PASSWORD: ${LDAP_BIND_PASSWORD:-admin}
+      OC_LDAP_GROUP_BASE_DN: "ou=groups,dc=opencloud,dc=eu"
+      OC_LDAP_GROUP_SCHEMA_ID: "entryUUID"
+      OC_LDAP_USER_BASE_DN: "ou=users,dc=opencloud,dc=eu"
+      OC_LDAP_USER_FILTER: "(objectclass=inetOrgPerson)"
+      OC_LDAP_USER_SCHEMA_ID: "entryUUID"
+      OC_LDAP_DISABLE_USER_MECHANISM: "none"
+      GRAPH_LDAP_SERVER_UUID: "true"
+      GRAPH_LDAP_GROUP_CREATE_BASE_DN: "ou=custom,ou=groups,dc=opencloud,dc=eu"
+      GRAPH_LDAP_REFINT_ENABLED: "true" # osixia has refint enabled.
+      FRONTEND_READONLY_USER_ATTRIBUTES: "user.onPremisesSamAccountName,user.displayName,user.mail,user.passwordProfile,user.accountEnabled,user.appRoleAssignments"
+      OC_LDAP_SERVER_WRITE_ENABLED: "false" # the ldap is managed by Keycloak, so it is not writable by OpenCloud
+      # This specifies to start all services except idm and idp. These are replaced by external services.
+      OC_EXCLUDE_RUN_SERVICES: idm,idp
+      # Keycloak IDP specific configuration
+      PROXY_AUTOPROVISION_ACCOUNTS: "false"
+      PROXY_ROLE_ASSIGNMENT_DRIVER: "oidc"
+      OC_OIDC_ISSUER: https://${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}/realms/openCloud
+      PROXY_OIDC_REWRITE_WELLKNOWN: "true"
+      WEB_OIDC_CLIENT_ID: ${OC_OIDC_CLIENT_ID:-web}
+      PROXY_USER_OIDC_CLAIM: "uuid"
+      PROXY_USER_CS3_CLAIM: "userid"
+      WEB_OPTION_ACCOUNT_EDIT_LINK_HREF: "https://${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}/realms/openCloud/account"
+      # admin and demo accounts must be created in Keycloak
+      OC_ADMIN_USER_ID: ""
+      SETTINGS_SETUP_DEFAULT_ASSIGNMENTS: "false"
+      GRAPH_ASSIGN_DEFAULT_USER_ROLE: "false"
+      GRAPH_USERNAME_MATCH: "none"
+      # This is needed to set the correct CSP rules for OpenCloud
+      IDP_DOMAIN: ${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}
+
+  ldap-server:
+    image: bitnami/openldap:2.6
+    networks:
+      opencloud-net:
+    entrypoint: [ "/bin/sh", "/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh", "/opt/bitnami/scripts/openldap/run.sh" ]
+    environment:
+      BITNAMI_DEBUG: true
+      LDAP_TLS_VERIFY_CLIENT: never
+      LDAP_ENABLE_TLS: "yes"
+      LDAP_TLS_CA_FILE: /opt/bitnami/openldap/share/openldap.crt
+      LDAP_TLS_CERT_FILE: /opt/bitnami/openldap/share/openldap.crt
+      LDAP_TLS_KEY_FILE: /opt/bitnami/openldap/share/openldap.key
+      LDAP_ROOT: "dc=opencloud,dc=eu"
+      LDAP_ADMIN_PASSWORD: ${LDAP_BIND_PASSWORD:-admin}
+    ports:
+      - "127.0.0.1:389:1389"
+      - "127.0.0.1:636:1636"
+    volumes:
+      - ./config/ldap/ldif/10_base.ldif:/ldifs/10_base.ldif
+      - ./config/ldap/ldif/20_admin.ldif:/ldifs/20_admin.ldif
+      - ./config/ldap/docker-entrypoint-override.sh:/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh
+      - ldap-certs:/opt/bitnami/openldap/share
+      - ldap-data:/bitnami/openldap
+    logging:
+      driver: ${LOG_DRIVER:-local}
+    restart: always
+
+  postgres:
+    image: postgres:alpine
+    networks:
+      opencloud-net:
+    volumes:
+      - keycloak_postgres_data:/var/lib/postgresql/data
+    environment:
+      POSTGRES_DB: keycloak
+      POSTGRES_USER: ${KC_DB_USERNAME:-keycloak}
+      POSTGRES_PASSWORD: ${KC_DB_PASSWORD:-keycloak}
+    logging:
+      driver: ${LOG_DRIVER:-local}
+    restart: always
+
+  keycloak:
+    image: quay.io/keycloak/keycloak:25.0.0
+    networks:
+      opencloud-net:
+    command: [ "start", "--proxy=edge", "--spi-connections-http-client-default-disable-trust-manager=${INSECURE:-false}", "--import-realm" ]
+    entrypoint: [ "/bin/sh", "/opt/keycloak/bin/docker-entrypoint-override.sh" ]
+    volumes:
+      - "./config/keycloak/docker-entrypoint-override.sh:/opt/keycloak/bin/docker-entrypoint-override.sh"
+      - "./config/keycloak/opencloud-realm.dist.json:/opt/keycloak/data/import-dist/opencloud-realm.json"
+      - "./config/keycloak/themes/opencloud:/opt/keycloak/themes/opencloud"
+    environment:
+      OC_DOMAIN: ${OC_DOMAIN:-cloud.opencloud.test}
+      KC_HOSTNAME: ${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}
+      KC_DB: postgres
+      KC_DB_URL: "jdbc:postgresql://postgres:5432/keycloak"
+      KC_DB_USERNAME: ${KC_DB_USERNAME:-keycloak}
+      KC_DB_PASSWORD: ${KC_DB_PASSWORD:-keycloak}
+      KC_FEATURES: impersonation
+      KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN:-kcadmin}
+      KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:-admin}
+    depends_on:
+      - postgres
+    logging:
+      driver: ${LOG_DRIVER:-local}
+    restart: always
+
+volumes:
+  keycloak_postgres_data:
+  ldap-certs:
+  ldap-data:

traefik/ldap-keycloak.yml

@@ -0,0 +1,15 @@
+---
+services:
+  traefik:
+    networks:
+      opencloud-net:
+        aliases:
+          - ${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}
+  keycloak:
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.keycloak.entrypoints=https"
+      - "traefik.http.routers.keycloak.rule=Host(`${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}`)"
+      - "traefik.http.routers.keycloak.tls.certresolver=letsencrypt"
+      - "traefik.http.routers.keycloak.service=keycloak"
+      - "traefik.http.services.keycloak.loadbalancer.server.port=8080"