From 7e9a7d8099ae1fb975df72f124e2cb34adf8b15d Mon Sep 17 00:00:00 2001 From: Viktor Scharf Date: Wed, 9 Apr 2025 16:31:27 +0200 Subject: [PATCH] example Ldap setup (#569) * ldap setup * run ldap in the opencloud full * set admin user * feat: use the shared LDAP schema and new phpldapadmin * chore: change dc to match opencloud domain --------- Co-authored-by: Michael Barz --- deployments/examples/opencloud_full/.env | 8 +- .../config/ldap/docker-entrypoint-override.sh | 9 ++ .../config/ldap/ldif/10_base.ldif | 13 ++ .../config/ldap/ldif/20_users.ldif | 125 ++++++++++++++++++ .../config/ldap/ldif/30_groups.ldif | 88 ++++++++++++ deployments/examples/opencloud_full/ldap.yml | 62 +++++++++ .../shared/config/ldap/docker-compose.yml | 23 ++++ 7 files changed, 327 insertions(+), 1 deletion(-) create mode 100644 deployments/examples/opencloud_full/config/ldap/docker-entrypoint-override.sh create mode 100644 deployments/examples/opencloud_full/config/ldap/ldif/10_base.ldif create mode 100644 deployments/examples/opencloud_full/config/ldap/ldif/20_users.ldif create mode 100644 deployments/examples/opencloud_full/config/ldap/ldif/30_groups.ldif create mode 100644 deployments/examples/opencloud_full/ldap.yml create mode 100644 deployments/examples/shared/config/ldap/docker-compose.yml diff --git a/deployments/examples/opencloud_full/.env b/deployments/examples/opencloud_full/.env index dd6893d274..b4ebede784 100644 --- a/deployments/examples/opencloud_full/.env +++ b/deployments/examples/opencloud_full/.env 
@@ -262,8 +262,14 @@ KEYCLOAK_ADMIN_USER= # Admin user login password. Defaults to "admin" KEYCLOAK_ADMIN_PASSWORD= +### Ldap Settings ### +# Note: the leading colon is required to enable the service. +#LDAP=:ldap.yml +# Password of LDAP user "cn=admin,dc=opencloud,dc=eu". Defaults to "admin" +LDAP_ADMIN_PASSWORD= + ## IMPORTANT ## # This MUST be the last line as it assembles the supplemental compose files to be used. # ALL supplemental configs must be added here, whether commented or not. # Each var must either be empty or contain :path/file.yml -COMPOSE_FILE=docker-compose.yml${OPENCLOUD:-}${TIKA:-}${DECOMPOSEDS3:-}${DECOMPOSEDS3_MINIO:-}${DECOMPOSED:-}${COLLABORA:-}${MONITORING:-}${IMPORTER:-}${CLAMAV:-}${ONLYOFFICE:-}${INBUCKET:-}${EXTENSIONS:-}${UNZIP:-}${DRAWIO:-}${JSONVIEWER:-}${PROGRESSBARS:-}${EXTERNALSITES:-}${KEYCLOAK:-} +COMPOSE_FILE=docker-compose.yml${OPENCLOUD:-}${TIKA:-}${DECOMPOSEDS3:-}${DECOMPOSEDS3_MINIO:-}${DECOMPOSED:-}${COLLABORA:-}${MONITORING:-}${IMPORTER:-}${CLAMAV:-}${ONLYOFFICE:-}${INBUCKET:-}${EXTENSIONS:-}${UNZIP:-}${DRAWIO:-}${JSONVIEWER:-}${PROGRESSBARS:-}${EXTERNALSITES:-}${KEYCLOAK:-}${LDAP:-} diff --git a/deployments/examples/opencloud_full/config/ldap/docker-entrypoint-override.sh b/deployments/examples/opencloud_full/config/ldap/docker-entrypoint-override.sh new file mode 100644 index 0000000000..3d3f27333b --- /dev/null +++ b/deployments/examples/opencloud_full/config/ldap/docker-entrypoint-override.sh @@ -0,0 +1,9 @@ +#!/bin/bash +printenv + +if [ ! -f /opt/bitnami/openldap/share/openldap.key ] +then + openssl req -x509 -newkey rsa:4096 -keyout /opt/bitnami/openldap/share/openldap.key -out /opt/bitnami/openldap/share/openldap.crt -sha256 -days 365 -batch -nodes +fi +# run original docker-entrypoint +/opt/bitnami/scripts/openldap/entrypoint.sh "$@" 
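Review bot: The comment above the new `LDAP_ADMIN_PASSWORD=` line describes it only as the password of the bind user, but `ldap.yml` feeds the same variable to the server as `LDAP_ADMIN_PASSWORD` and to opencloud as `OC_LDAP_BIND_PASSWORD`, both defaulting to `admin`, while `GRAPH_LDAP_SERVER_WRITE_ENABLED` is `"true"`; an operator reading only `.env` cannot see that this one value is the directory root password of a write-enabled directory. A wording such as `# Root password of the LDAP server; OpenCloud binds with it as "cn=admin,dc=opencloud,dc=eu" with write access. Defaults to "admin".` would cover both roles. The surrounding `.env` block continues outside this hunk.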
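Review bot: `printenv` on the second line of docker-entrypoint-override.sh writes the container's entire environment, including `LDAP_ADMIN_PASSWORD`, to the container log on every start, so the directory root password ends up in whatever the `local` logging driver retains; drop the line, or guard it with `[ "${BITNAMI_DEBUG:-false}" = "true" ] && printenv`. The script also has no `set -e`, so a failed `openssl req` still falls through to the real entrypoint with `LDAP_ENABLE_TLS` set and no key file on disk; `set -e` after the shebang makes that fail loudly instead. Because `ldap.yml` runs the script through `/bin/sh`, the `#!/bin/bash` shebang is never honoured — the body is POSIX so this is harmless, but `#!/bin/sh` would state what actually executes it.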
diff --git a/deployments/examples/opencloud_full/config/ldap/ldif/10_base.ldif b/deployments/examples/opencloud_full/config/ldap/ldif/10_base.ldif
new file mode 100644
index 0000000000..dc79f07505
--- /dev/null
+++ b/deployments/examples/opencloud_full/config/ldap/ldif/10_base.ldif
@@ -0,0 +1,13 @@
+dn: dc=opencloud,dc=eu
+objectClass: organization
+objectClass: dcObject
+dc: opencloud
+o: openCloud
+
+dn: ou=users,dc=opencloud,dc=eu
+objectClass: organizationalUnit
+ou: users
+
+dn: ou=groups,dc=opencloud,dc=eu
+objectClass: organizationalUnit
+ou: groups
diff --git a/deployments/examples/opencloud_full/config/ldap/ldif/20_users.ldif b/deployments/examples/opencloud_full/config/ldap/ldif/20_users.ldif
new file mode 100644
index 0000000000..91d01396be
--- /dev/null
+++ b/deployments/examples/opencloud_full/config/ldap/ldif/20_users.ldif
@@ -0,0 +1,125 @@
+# Start dn with uid (user identifier / login), not cn (Firstname + Surname)
+dn: uid=alan,ou=users,dc=opencloud,dc=eu
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: openCloudUser
+objectClass: person
+objectClass: posixAccount
+objectClass: top
+uid: alan
+givenName: Alan
+sn: Turing
+cn: alan
+displayName: Alan Turing
+description: An English mathematician, computer scientist, logician, cryptanalyst, philosopher and theoretical biologist. He was highly influential in the development of theoretical computer science, providing a formalisation of the concepts of algorithm and computation with the Turing machine.
+mail: alan@example.org
+uidNumber: 20000
+gidNumber: 30000
+homeDirectory: /home/alan
+openCloudUUID: b1f74ec4-dd7e-11ef-a543-03775734d0f7
+userPassword:: e1NTSEF9Y2ZMdVlqMTBDUFpLWE44VC9mQ0FzYnFHQmtyZExJeGg=
+
+dn: uid=lynn,ou=users,dc=opencloud,dc=eu
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: openCloudUser
+objectClass: person
+objectClass: posixAccount
+objectClass: top
+uid: lynn
+givenName: Lynn
+sn: Conway
+cn: lynn
+displayName: Lynn Conway
+description: An American computer scientist, electrical engineer, and transgender activist.
+mail: lynn@example.org
+uidNumber: 20001
+gidNumber: 30000
+homeDirectory: /home/lynn
+openCloudUserEnabled: TRUE
+openCloudUUID: 60708dda-e897-11ef-919f-bbb7437d6ec2
+userPassword:: e1NTSEF9Y2ZMdVlqMTBDUFpLWE44VC9mQ0FzYnFHQmtyZExJeGg=
+
+dn: uid=mary,ou=users,dc=opencloud,dc=eu
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: openCloudUser
+objectClass: person
+objectClass: posixAccount
+objectClass: top
+uid: mary
+givenName: Mary
+sn: Kenneth Keller
+cn: mary
+displayName: Mary Kenneth Keller
+description: Mary Kenneth Keller of the Sisters of Charity of the Blessed Virgin Mary was a pioneer in computer science.
+mail: mary@example.org
+uidNumber: 20002
+gidNumber: 30000
+homeDirectory: /home/mary
+openCloudUserEnabled: TRUE
+openCloudUUID: 056fc874-dd7f-11ef-ba84-af6fca4b7289
+userPassword:: e1NTSEF9Y2ZMdVlqMTBDUFpLWE44VC9mQ0FzYnFHQmtyZExJeGg=
+
+dn: uid=margaret,ou=users,dc=opencloud,dc=eu
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: openCloudUser
+objectClass: person
+objectClass: posixAccount
+objectClass: top
+uid: margaret
+givenName: Margaret
+sn: Hamilton
+cn: margaret
+displayName: Margaret Hamilton
+description: A director of the Software Engineering Division of the MIT Instrumentation Laboratory, which developed on-board flight software for NASA's Apollo program.
+mail: margaret@example.org
+uidNumber: 20003
+gidNumber: 30000
+homeDirectory: /home/margaret
+openCloudUserEnabled: TRUE
+openCloudUUID: 801abee4-dd7f-11ef-a324-83f55a754b62
+userPassword:: e1NTSEF9Y2ZMdVlqMTBDUFpLWE44VC9mQ0FzYnFHQmtyZExJeGg=
+
+dn: uid=dennis,ou=users,dc=opencloud,dc=eu
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: openCloudUser
+objectClass: person
+objectClass: posixAccount
+objectClass: top
+uid: dennis
+givenName: Dennis
+sn: Ritchie
+cn: dennis
+displayName: Dennis Ritchie
+description: American computer scientist. He created the C programming language and the Unix operating system and B language with long-time colleague Ken Thompson.
+mail: dennis@example.org
+uidNumber: 20004
+gidNumber: 30000
+homeDirectory: /home/dennis
+openCloudUserEnabled: TRUE
+openCloudUUID: cd88bf9a-dd7f-11ef-a609-7f78deb2345f
+userPassword:: e1NTSEF9Y2ZMdVlqMTBDUFpLWE44VC9mQ0FzYnFHQmtyZExJeGg=
+
+dn: uid=admin,ou=users,dc=opencloud,dc=eu
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: openCloudUser
+objectClass: person
+objectClass: posixAccount
+objectClass: top
+uid: admin
+givenName: Admin
+sn: Admin
+cn: admin
+displayName: Admin
+description: An admin for this OpenCloud instance.
+mail: admin@example.org
+uidNumber: 20005
+gidNumber: 30000
+homeDirectory: /home/admin
+openCloudUserEnabled: TRUE
+openCloudUUID: f7fc96f6-ceb4-4387-bd69-07a6d7992973
+userPassword:: e1NTSEF9UWhmaFB3dERydTUydURoWFFObDRMbzVIckI3TkI5Nmo==
diff --git a/deployments/examples/opencloud_full/config/ldap/ldif/30_groups.ldif b/deployments/examples/opencloud_full/config/ldap/ldif/30_groups.ldif
new file mode 100644
index 0000000000..9993b5309f
--- /dev/null
+++ b/deployments/examples/opencloud_full/config/ldap/ldif/30_groups.ldif
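Review bot: `uid=alan` is the only entry in 20_users.ldif without `openCloudUserEnabled: TRUE`; every other user sets it, and whether the consumer treats a missing attribute as enabled cannot be seen from here (the schema file is outside this patch), so the entry should get the same `openCloudUserEnabled: TRUE` line or a comment explaining why it is omitted. The five non-admin entries also carry a byte-identical `userPassword` value, i.e. one salted hash copied across accounts, and nothing in the file says these are demo credentials; a header comment such as `# Demo accounts for the example deployment. All non-admin users share one password hash; replace or delete these entries before any real use.` would make that explicit. The admin entry's `openCloudUUID` matches `OC_ADMIN_USER_ID` in ldap.yml, which is worth a one-line comment on that entry so the two stay in sync.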
@@ -0,0 +1,88 @@
+dn: cn=users,ou=groups,dc=opencloud,dc=eu
+objectClass: groupOfNames
+objectClass: openCloudObject
+objectClass: top
+cn: users
+description: Users
+openCloudUUID: 509a9dcd-bb37-4f4f-a01a-19dca27d9cfa
+member: uid=alan,ou=users,dc=opencloud,dc=eu
+member: uid=mary,ou=users,dc=opencloud,dc=eu
+member: uid=margaret,ou=users,dc=opencloud,dc=eu
+member: uid=dennis,ou=users,dc=opencloud,dc=eu
+member: uid=lynn,ou=users,dc=opencloud,dc=eu
+member: uid=admin,ou=users,dc=opencloud,dc=eu
+
+dn: cn=chess-lovers,ou=groups,dc=opencloud,dc=eu
+objectClass: groupOfNames
+objectClass: openCloudObject
+objectClass: top
+cn: chess-lovers
+description: Chess lovers
+openCloudUUID: 9d31ec04-dd80-11ef-ac47-a38ba68cc36d
+member: uid=alan,ou=users,dc=opencloud,dc=eu
+
+dn: cn=machine-lovers,ou=groups,dc=opencloud,dc=eu
+objectClass: groupOfNames
+objectClass: openCloudObject
+objectClass: top
+cn: machine-lovers
+description: Machine Lovers
+openCloudUUID: d901562a-dd80-11ef-a510-fba1ed43fb21
+member: uid=alan,ou=users,dc=opencloud,dc=eu
+
+dn: cn=bible-readers,ou=groups,dc=opencloud,dc=eu
+objectClass: groupOfNames
+objectClass: openCloudObject
+objectClass: top
+cn: bible-readers
+description: Bible readers
+openCloudUUID: 2fc6ba22-dd81-11ef-89e6-e3eff494a998
+member: uid=mary,ou=users,dc=opencloud,dc=eu
+
+dn: cn=apollos,ou=groups,dc=opencloud,dc=eu
+objectClass: groupOfNames
+objectClass: openCloudObject
+objectClass: top
+cn: apollos
+description: Contributors to the Appollo mission
+openCloudUUID: 6f9bab36-dd94-11ef-a252-dbbdd20299dd
+member: uid=margaret,ou=users,dc=opencloud,dc=eu
+
+dn: cn=unix-lovers,ou=groups,dc=opencloud,dc=eu
+objectClass: groupOfNames
+objectClass: openCloudObject
+objectClass: top
+cn: unix-lovers
+description: Unix lovers
+openCloudUUID: 75bc3882-dd94-11ef-ad60-335f3df6cef3
+member: uid=dennis,ou=users,dc=opencloud,dc=eu
+
+dn: cn=basic-haters,ou=groups,dc=opencloud,dc=eu
+objectClass: groupOfNames
+objectClass: openCloudObject
+objectClass: top
+cn: basic-haters
+description: Haters of the Basic programming language
+openCloudUUID: a4eb2c12-dd94-11ef-9ebe-eb96f938d517
+member: uid=dennis,ou=users,dc=opencloud,dc=eu
+
+dn: cn=vlsi-lovers,ou=groups,dc=opencloud,dc=eu
+objectClass: groupOfNames
+objectClass: openCloudObject
+objectClass: top
+cn: vlsi-lovers
+description: Lovers of VLSI microchip design
+openCloudUUID: 914ce3de-e899-11ef-9a4b-732fbb2acc42
+member: uid=lynn,ou=users,dc=opencloud,dc=eu
+
+dn: cn=programmers,ou=groups,dc=opencloud,dc=eu
+objectClass: groupOfNames
+objectClass: openCloudObject
+objectClass: top
+cn: programmers
+description: Computer Programmers
+openCloudUUID: ce4aa240-dd94-11ef-82b8-4f4828849072
+member: uid=alan,ou=users,dc=opencloud,dc=eu
+member: uid=margaret,ou=users,dc=opencloud,dc=eu
+member: uid=dennis,ou=users,dc=opencloud,dc=eu
+member: uid=lynn,ou=users,dc=opencloud,dc=eu
diff --git a/deployments/examples/opencloud_full/ldap.yml b/deployments/examples/opencloud_full/ldap.yml
new file mode 100644
index 0000000000..4949d2b360
--- /dev/null
+++ b/deployments/examples/opencloud_full/ldap.yml
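Review bot: `description: Contributors to the Appollo mission` in the `cn=apollos` entry of 30_groups.ldif misspells the mission name; it should read `description: Contributors to the Apollo mission`. Every `member` value here points at a DN defined in 20_users.ldif, and the numeric file prefixes are the only thing that guarantees the users load first, so a short header comment such as `# Loaded after 20_users.ldif: every member DN below must exist there.` would record that dependency.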
@@ -0,0 +1,62 @@ +--- +services: + traefik: + networks: + opencloud-net: + + opencloud: + environment: + # Ldap IDP specific configuration + OC_LDAP_URI: ldaps://ldap-server:1636 + OC_LDAP_INSECURE: "true" + OC_LDAP_BIND_DN: "cn=admin,dc=opencloud,dc=eu" + OC_LDAP_BIND_PASSWORD: ${LDAP_ADMIN_PASSWORD:-admin} + OC_LDAP_GROUP_BASE_DN: "ou=groups,dc=opencloud,dc=eu" + OC_LDAP_GROUP_FILTER: "(objectclass=opencloudobject)" + OC_LDAP_GROUP_OBJECTCLASS: "groupOfNames" + OC_LDAP_USER_BASE_DN: "ou=users,dc=opencloud,dc=eu" + OC_LDAP_USER_FILTER: "(objectclass=openclouduser)" + OC_LDAP_USER_OBJECTCLASS: "inetOrgPerson" + LDAP_LOGIN_ATTRIBUTES: "uid" + OC_ADMIN_USER_ID: "f7fc96f6-ceb4-4387-bd69-07a6d7992973" + IDP_LDAP_LOGIN_ATTRIBUTE: "uid" + IDP_LDAP_UUID_ATTRIBUTE: "openclouduuid" + IDP_LDAP_UUID_ATTRIBUTE_TYPE: binary + GRAPH_LDAP_SERVER_WRITE_ENABLED: "true" # assuming the external ldap is writable + GRAPH_LDAP_REFINT_ENABLED: "true" # osixia has refint enabled. + # OC_RUN_SERVICES specifies to start all services except glauth, idm and accounts. 
These are replaced by external services + OC_EXCLUDE_RUN_SERVICES: idm + + ldap-server: + image: bitnami/openldap:2.6 + networks: + opencloud-net: + entrypoint: ["/bin/sh", "/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh", "/opt/bitnami/scripts/openldap/run.sh" ] + environment: + BITNAMI_DEBUG: true + LDAP_TLS_VERIFY_CLIENT: never + LDAP_ENABLE_TLS: "yes" + LDAP_TLS_CA_FILE: /opt/bitnami/openldap/share/openldap.crt + LDAP_TLS_CERT_FILE: /opt/bitnami/openldap/share/openldap.crt + LDAP_TLS_KEY_FILE: /opt/bitnami/openldap/share/openldap.key + LDAP_ROOT: "dc=opencloud,dc=eu" + LDAP_ADMIN_PASSWORD: ${LDAP_ADMIN_PASSWORD:-admin} + ports: + - "127.0.0.1:389:1389" + - "127.0.0.1:636:1636" + volumes: + - ./config/ldap/ldif:/ldifs + - ../shared/config/ldap/schemas/10_opencloud_schema.ldif:/schemas/10_opencloud_schema.ldif + - ./config/ldap/docker-entrypoint-override.sh:/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh + - ldap-certs:/opt/bitnami/openldap/share + - ldap-data:/bitnami/openldap + logging: + driver: ${LOG_DRIVER:-local} + restart: always + +volumes: + ldap-certs: + ldap-data: + +networks: + opencloud-net: diff --git a/deployments/examples/shared/config/ldap/docker-compose.yml b/deployments/examples/shared/config/ldap/docker-compose.yml new file mode 100644 index 0000000000..dc88287827 --- /dev/null +++ b/deployments/examples/shared/config/ldap/docker-compose.yml 
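Review bot: `OC_LDAP_INSECURE: "true"` switches off certificate verification on the `ldaps://ldap-server:1636` connection without a comment saying why; the reason visible in this patch is that the entrypoint override generates a self-signed certificate at first start, and since that same file is mounted as `LDAP_TLS_CA_FILE` from the `ldap-certs` volume, mounting that volume read-only into `opencloud` and trusting `openldap.crt` through its LDAP CA-certificate setting would let verification stay on; at minimum add `# the server uses a self-signed certificate generated at first start; verification is therefore disabled` above the line. Two comments in the `opencloud` environment are stale: `# OC_RUN_SERVICES specifies to start all services except glauth, idm and accounts. These are replaced by external services` describes a variable that is not set (the key below it is `OC_EXCLUDE_RUN_SERVICES: idm`, which excludes only idm), and `# osixia has refint enabled.` refers to an image that is not used (the service runs `bitnami/openldap:2.6`). `BITNAMI_DEBUG: true` is the only unquoted boolean in the file while `OC_LDAP_INSECURE`, `LDAP_ENABLE_TLS` and the `GRAPH_LDAP_*` flags are quoted; compose passes environment values as strings, so `BITNAMI_DEBUG: "true"` keeps the file consistent and avoids loader-dependent handling.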
@@ -0,0 +1,23 @@ +--- +# This file can be used to be added to the opencloud_full example +# to browse the LDAP server with a web interface. +# This is not a production ready setup. +services: + ldap-manager: + image: phpldapadmin/phpldapadmin:latest + networks: + opencloud-net: + environment: + LDAP_HOST: ldap-server + LDAP_PORT: 1389 + APP_URL: "https://${LDAP_MANAGER_DOMAIN:-ldap.opencloud.test}" + labels: + - "traefik.enable=true" + - "traefik.http.routers.ldap-manager.entrypoints=https" + - "traefik.http.routers.ldap-manager.rule=Host(`${LDAP_MANAGER_DOMAIN:-ldap.opencloud.test}`)" + - "traefik.http.routers.ldap-manager.tls.certresolver=http" + - "traefik.http.routers.ldap-manager.service=ldap-manager" + - "traefik.http.services.ldap-manager.loadbalancer.server.port=8080" + logging: + driver: ${LOG_DRIVER:-local} + restart: always
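Review bot: `image: phpldapadmin/phpldapadmin:latest` is an unpinned tag, so a later `docker compose up` that pulls may bring a different image than the one this example was tested with; pin a version tag (and ideally a digest) the way ldap.yml pins `bitnami/openldap:2.6`. `LDAP_PORT: 1389` points the admin UI at the plain-text listener although the server in ldap.yml also listens with TLS on 1636; inside the compose network this is tolerable for the stated non-production purpose, but a comment such as `# 1389 is the plain LDAP listener; the TLS listener is 1636 (self-signed certificate).` would stop the value being copied into other setups unexamined. The `opencloud-net` network and the `traefik` entrypoint and certresolver names used in the labels are defined in the opencloud_full compose files this file is meant to be merged with, which the header comment could state so the file is not started on its own.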