diff --git a/deployments/examples/opencloud_full/.env b/deployments/examples/opencloud_full/.env
index a934ccbf1e..670d8748a6 100644
--- a/deployments/examples/opencloud_full/.env
+++ b/deployments/examples/opencloud_full/.env
@@ -251,9 +251,38 @@ INBUCKET_DOMAIN=
 # Path separator for supplemental compose files specified in COMPOSE_FILE.
 COMPOSE_PATH_SEPARATOR=:
-### Keycloak Settings ###
+### Ldap Settings ###
+# LDAP is always needed for OpenCloud to store user data as there is no relational database.
+# The built-in LDAP server should used for testing purposes or small installations only.
+# For production installations, it is recommended to use an external LDAP server.
+# We are using OpenLDAP as the default LDAP server because it is proven to be stable and reliable.
+# This LDAP configuration is known to work with OpenCloud and provides a blueprint for
+# configuring an external LDAP server based on other products like Microsoft Active Directory or other LDAP servers.
+#
 # Note: the leading colon is required to enable the service.
-#KEYCLOAK=:keycloak.yml
+LDAP=:ldap.yml
+# Password of LDAP user "cn=admin,dc=opencloud,dc=eu". Defaults to "admin"
+LDAP_ADMIN_PASSWORD=
+# LDAP manager
+# login with uid ldapadmin and password
+LDAP_MANAGER=:../shared/config/ldap/docker-compose.yml
+# LDAP manager domain. Defaults to "ldap.opencloud.test"
+LDAP_MANAGER_DOMAIN=
+
+### Keycloak Settings ###
+# Keycloak is an open-source identity and access management solution.
+# We are using Keycloak as the default identity provider on production installations.
+# It can be used to federate authentication with other identity providers like
+# Microsoft Entra ID, ADFS or other SAML/OIDC providers.
+# The use of Keycloak as bridge between OpenCloud and other identity providers creates more control over the
+# authentication process, the allowed clients and the session management.
+# Keycloak also manages the Role Based Access Control (RBAC) for OpenCloud.
+# Keycloak can be used in two different modes:
+# 1. Autoprovisioning: New are automatically created in openCloud when they log in for the first time.
+# 2. Shared User Directory: Users are created in Keycloak and can be used in OpenCloud immediately
+# because the LDAP server is connected to both Keycloak and OpenCloud.
+# Note: the leading colon is required to enable the service.
+KEYCLOAK=:keycloak.yml
 # Domain for Keycloak. Defaults to "keycloak.opencloud.test".
 KEYCLOAK_DOMAIN=
 # Realm which to be used with OpenCloud. Defaults to "OpenCloud"
@@ -262,20 +291,11 @@ KEYCLOAK_REALM=
 KEYCLOAK_ADMIN_USER=
 # Admin user login password. Defaults to "admin"
 KEYCLOAK_ADMIN_PASSWORD=
-
-### Ldap Settings ###
-# Note: the leading colon is required to enable the service.
-#LDAP=:ldap.yml
-# Password of LDAP user "cn=admin,dc=opencloud,dc=eu". Defaults to "admin"
-LDAP_ADMIN_PASSWORD=
-# LDAP manager
-# login with uid ldapadmin and password
-#LDAP_MANAGER=:../shared/config/ldap/docker-compose.yml
-# LDAP manager domain. Defaults to "ldap.opencloud.test"
-LDAP_MANAGER_DOMAIN=
+# Autoprovisioning mode. Defaults to "true"
+KEYCLOAK_AUTOPROVISIONING=:keycloak-autoprovisioning.yml
 ## IMPORTANT ##
 # This MUST be the last line as it assembles the supplemental compose files to be used.
 # ALL supplemental configs must be added here, whether commented or not.
 # Each var must either be empty or contain :path/file.yml
-COMPOSE_FILE=docker-compose.yml${OPENCLOUD:-}${TIKA:-}${DECOMPOSEDS3:-}${DECOMPOSEDS3_MINIO:-}${DECOMPOSED:-}${COLLABORA:-}${MONITORING:-}${IMPORTER:-}${CLAMAV:-}${ONLYOFFICE:-}${INBUCKET:-}${EXTENSIONS:-}${UNZIP:-}${DRAWIO:-}${JSONVIEWER:-}${PROGRESSBARS:-}${EXTERNALSITES:-}${KEYCLOAK:-}${LDAP:-}${LDAP_MANAGER:-}
+COMPOSE_FILE=docker-compose.yml${OPENCLOUD:-}${TIKA:-}${DECOMPOSEDS3:-}${DECOMPOSEDS3_MINIO:-}${DECOMPOSED:-}${COLLABORA:-}${MONITORING:-}${IMPORTER:-}${CLAMAV:-}${ONLYOFFICE:-}${INBUCKET:-}${EXTENSIONS:-}${UNZIP:-}${DRAWIO:-}${JSONVIEWER:-}${PROGRESSBARS:-}${EXTERNALSITES:-}${KEYCLOAK:-}${LDAP:-}${KEYCLOAK_AUTOPROVISIONING:-}${LDAP_MANAGER:-}
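Review bot: `LDAP=:ldap.yml` and `LDAP_MANAGER=:../shared/config/ldap/docker-compose.yml` are now enabled out of the box while `LDAP_ADMIN_PASSWORD=` stays empty, so the documented default "admin" applies to both the built-in directory and the LDAP manager login the moment the example is brought up; `KEYCLOAK_ADMIN_PASSWORD=` a few lines later has the same documented default. The new comment block says the built-in server is for testing or small installations, but nothing next to the password line tells the reader it has to be set before the stack is reachable by anyone else. Suggest extending that line to `# Password of LDAP user "cn=admin,dc=opencloud,dc=eu". Defaults to "admin" - set your own value for any deployment that is not local-only.` Two wording fixes in the same hunk: `should used` should read `should be used`, and `New are automatically created` should read `New users are automatically created`.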
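Review bot: The new comment `# Autoprovisioning mode. Defaults to "true"` does not describe the variable beneath it: `KEYCLOAK_AUTOPROVISIONING` carries a compose-file fragment, and the footer of this same file states that every such variable is either empty or `:path/file.yml`, so there is no boolean and no "true" to default to. A reader who wants the "Shared User Directory" mode described in the Keycloak section is given no hint that leaving this variable empty is presumably the switch (inferred from its use in `COMPOSE_FILE`; confirm against keycloak-autoprovisioning.yml). Suggest `# Keycloak mode 1 (autoprovisioning). Leave empty to run mode 2 (shared user directory). Note: the leading colon is required to enable the overlay.`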