Merge pull request #1614 from owncloud/change_secrets_upon_deploy

change default secrets on deploy

accounts/pkg/flagset/flagset.go

@@ -137,7 +137,7 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
 			Name:        "jwt-secret",
 			Value:       "Pive-Fumkiu4",
 			Usage:       "Used to create JWT to talk to reva, should equal reva's jwt-secret",
-			EnvVars:     []string{"ACCOUNTS_JWT_SECRET"},
+			EnvVars:     []string{"ACCOUNTS_JWT_SECRET", "OCIS_JWT_SECRET"},
 			Destination: &cfg.TokenManager.JWTSecret,
 		},
 		&cli.StringFlag{
@@ -172,7 +172,7 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
 			Name:        "storage-cs3-jwt-secret",
 			Value:       "Pive-Fumkiu4",
 			Usage:       "Used to create JWT to talk to reva, should equal reva's jwt-secret",
-			EnvVars:     []string{"ACCOUNTS_STORAGE_CS3_JWT_SECRET"},
+			EnvVars:     []string{"ACCOUNTS_STORAGE_CS3_JWT_SECRET", "OCIS_JWT_SECRET"},
 			Destination: &cfg.Repo.CS3.JWTSecret,
 		},
 		&cli.StringFlag{

accounts/pkg/service/v0/service.go

@@ -268,6 +268,12 @@ func (s Service) createDefaultAccounts() (err error) {
 		},
 	}
 	for i := range accounts {
+		a := &proto.Account{}
+		err := s.repo.LoadAccount(context.Background(), accounts[i].Id, a)
+		if !storage.IsNotFoundErr(err) {
+			continue // account already exists -> do not overwrite
+		}
+
 		if err := s.repo.WriteAccount(context.Background(), &accounts[i]); err != nil {
 			return err
 		}
@@ -360,6 +366,12 @@ func (s Service) createDefaultGroups() (err error) {
 		}},
 	}
 	for i := range groups {
+		g := &proto.Group{}
+		err := s.repo.LoadGroup(context.Background(), groups[i].Id, g)
+		if !storage.IsNotFoundErr(err) {
+			continue // group already exists -> do not overwrite
+		}
+
 		if err := s.repo.WriteGroup(context.Background(), &groups[i]); err != nil {
 			return err
 		}

deployments/examples/cs3_users_ocis/.env

@@ -17,6 +17,8 @@ TRAEFIK_ACME_MAIL=
 OCIS_DOCKER_TAG=
 # Domain of oCIS, where you can find the frontend. Defaults to "ocis.owncloud.test"
 OCIS_DOMAIN=
+# JWT secret which is used for the storage provider. Must be changed in order to have a secure oCIS. Defaults to "Pive-Fumkiu4"
+OCIS_JWT_SECRET=
 
 
 ### LDAP server settings ###

deployments/examples/cs3_users_ocis/docker-compose.yml

@@ -51,14 +51,14 @@ services:
     environment:
       # CS3 users from ldap specific configuration
       PROXY_CONFIG_FILE: "/config/proxy-config.json"
-      LDAP_FILTER: "(&(objectclass=inetOrgPerson)(objectClass=owncloud))"
-      LDAP_URI: ldap://ldap-server:389
-      LDAP_BINDDN: "cn=admin,dc=owncloud,dc=com"
-      LDAP_BINDPW: ${LDAP_ADMIN_PASSWORD:-admin}
-      LDAP_BASEDN: "dc=owncloud,dc=com"
-      LDAP_LOGIN_ATTRIBUTE: uid
-      LDAP_UUID_ATTRIBUTE: "ownclouduuid"
-      LDAP_UUID_ATTRIBUTE_TYPE: binary
+      IDP_LDAP_FILTER: "(&(objectclass=inetOrgPerson)(objectClass=owncloud))"
+      IDP_LDAP_URI: ldap://ldap-server:389
+      IDP_LDAP_BIND_DN: "cn=admin,dc=owncloud,dc=com"
+      IDP_LDAP_BIND_PASSWORD: ${LDAP_ADMIN_PASSWORD:-admin}
+      IDP_LDAP_BASE_DN: "dc=owncloud,dc=com"
+      IDP_LDAP_LOGIN_ATTRIBUTE: uid
+      IDP_LDAP_UUID_ATTRIBUTE: "ownclouduuid"
+      IDP_LDAP_UUID_ATTRIBUTE_TYPE: binary
       PROXY_ACCOUNT_BACKEND_TYPE: cs3
       STORAGE_LDAP_HOSTNAME: ldap-server
       STORAGE_LDAP_PORT: 636
@@ -74,6 +74,8 @@ services:
       OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}
       OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error} # make oCIS less verbose
       PROXY_OIDC_INSECURE: "${INSECURE:-false}" # needed if Traefik is using self generated certificates
+      # change default secrets
+      OCIS_JWT_SECRET: ${STORAGE_JWT_SECRET:-Pive-Fumkiu4}
     volumes:
       - ./config/ocis/proxy-config.json:/config/proxy-config.json
       - ocis-data:/var/tmp/ocis

deployments/examples/ocis_keycloak/.env

@@ -19,6 +19,12 @@ OCIS_DOCKER_TAG=
 OCIS_DOMAIN=
 # owncloud Web openid connect client id. Defaults to "web"
 OCIS_OIDC_CLIENT_ID=
+# IDP LDAP bind password. Must be changed in order to have a secure oCIS. Defaults to "idp".
+IDP_LDAP_BIND_PASSWORD=
+# Storage LDAP bind password. Must be changed in order to have a secure oCIS. Defaults to "reva".
+STORAGE_LDAP_BIND_PASSWORD=
+# JWT secret which is used for the storage provider. Must be changed in order to have a secure oCIS. Defaults to "Pive-Fumkiu4"
+OCIS_JWT_SECRET=
 
 ### Keycloak ###
 # Domain of Keycloak, where you can find the managment and authentication frontend. Defaults to "keycloak.owncloud.test"

deployments/examples/ocis_keycloak/config/ocis/entrypoint-override.sh

@@ -0,0 +1,25 @@
+#!/bin/sh
+
+set -evx
+
+ocis server&
+sleep 10
+
+echo "##################################################"
+echo "change default secrets:"
+
+# IDP
+IDP_USER_UUID=$(ocis accounts list | grep "| Kopano IDP " | egrep '[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}' -o)
+echo "  IDP user UUID: $IDP_USER_UUID"
+ocis accounts update --password $IDP_LDAP_BIND_PASSWORD $IDP_USER_UUID
+
+# REVA
+REVA_USER_UUID=$(ocis accounts list | grep " | Reva Inter " | egrep '[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}' -o)
+echo "  Reva user UUID: $REVA_USER_UUID"
+ocis accounts update --password $STORAGE_LDAP_BIND_PASSWORD $REVA_USER_UUID
+
+killall ocis
+echo "default secrets changed"
+echo "##################################################"
+
+ocis server

deployments/examples/ocis_keycloak/docker-compose.yml

@@ -47,6 +47,9 @@ services:
     image: owncloud/ocis:${OCIS_DOCKER_TAG:-latest}
     networks:
       ocis-net:
+    entrypoint:
+      - /bin/sh
+      - /entrypoint-override.sh
     environment:
       # Keycloak IDP specific configuration
       PROXY_AUTOPROVISION_ACCOUNTS: "true"
@@ -60,7 +63,12 @@ services:
       OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}
       OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error} # make oCIS less verbose
       PROXY_OIDC_INSECURE: "${INSECURE:-false}" # needed if Traefik is using self generated certificates
+      # change default secrets
+      IDP_LDAP_BIND_PASSWORD: ${IDP_LDAP_BIND_PASSWORD:-idp}
+      STORAGE_LDAP_BIND_PASSWORD: ${STORAGE_LDAP_BIND_PASSWORD:-reva}
+      OCIS_JWT_SECRET: ${STORAGE_JWT_SECRET:-Pive-Fumkiu4}
     volumes:
+      - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh
       - ocis-data:/var/tmp/ocis
     labels:
       - "traefik.enable=true"

deployments/examples/ocis_traefik/.env

@@ -17,7 +17,12 @@ TRAEFIK_ACME_MAIL=
 OCIS_DOCKER_TAG=
 # Domain of oCIS, where you can find the frontend. Defaults to "ocis.owncloud.test"
 OCIS_DOMAIN=
-
+# IDP LDAP bind password. Must be changed in order to have a secure oCIS. Defaults to "idp".
+IDP_LDAP_BIND_PASSWORD=foo
+# Storage LDAP bind password. Must be changed in order to have a secure oCIS. Defaults to "reva".
+STORAGE_LDAP_BIND_PASSWORD=foo
+# JWT secret which is used for the storage provider. Must be changed in order to have a secure oCIS. Defaults to "Pive-Fumkiu4"
+OCIS_JWT_SECRET=foo
 
 # If you want to use debugging and tracing with this stack,
 # you need uncomment following line. Please see documentation at

deployments/examples/ocis_traefik/config/ocis/entrypoint-override.sh

@@ -0,0 +1,25 @@
+#!/bin/sh
+
+set -evx
+
+ocis server&
+sleep 10
+
+echo "##################################################"
+echo "change default secrets:"
+
+# IDP
+IDP_USER_UUID=$(ocis accounts list | grep "| Kopano IDP " | egrep '[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}' -o)
+echo "  IDP user UUID: $IDP_USER_UUID"
+ocis accounts update --password $IDP_LDAP_BIND_PASSWORD $IDP_USER_UUID
+
+# REVA
+REVA_USER_UUID=$(ocis accounts list | grep " | Reva Inter " | egrep '[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}' -o)
+echo "  Reva user UUID: $REVA_USER_UUID"
+ocis accounts update --password $STORAGE_LDAP_BIND_PASSWORD $REVA_USER_UUID
+
+killall ocis
+echo "default secrets changed"
+echo "##################################################"
+
+ocis server

deployments/examples/ocis_traefik/docker-compose.yml

@@ -46,11 +46,19 @@ services:
     image: owncloud/ocis:${OCIS_DOCKER_TAG:-latest}
     networks:
       ocis-net:
+    entrypoint:
+      - /bin/sh
+      - /entrypoint-override.sh
     environment:
       OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}
       OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error} # make oCIS less verbose
       PROXY_OIDC_INSECURE: "${INSECURE:-false}" # needed if Traefik is using self generated certificates
+      # change default secrets
+      IDP_LDAP_BIND_PASSWORD: ${IDP_LDAP_BIND_PASSWORD:-idp}
+      STORAGE_LDAP_BIND_PASSWORD: ${STORAGE_LDAP_BIND_PASSWORD:-reva}
+      OCIS_JWT_SECRET: ${STORAGE_JWT_SECRET:-Pive-Fumkiu4}
     volumes:
+      - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh
       - ocis-data:/var/tmp/ocis
     labels:
       - "traefik.enable=true"

docs/ocis/deployment/_index.md

@@ -26,3 +26,34 @@ You can run ownCloud 10 and oCIS together. This allows you to use new parts of o
 - [ownCloud 10 setup with oCIS serving ownCloud Web and acting as OIDC provider]({{< ref "owncloud10_with_oc_web.md" >}}) - This allows you to switch between the traditional ownCloud 10 frontend and the new ownCloud Web frontend
 - Run ownCloud 10 and oCIS in parallel - together
 - Migrate users from ownCloud 10 to oCIS
+
+
+## Secure an oCIS instance
+
+### Change default secrets
+oCIS uses two system users which are needed for being operational:
+- Reva Inter Operability Platform (bc596f3c-c955-4328-80a0-60d018b4ad57)
+- Kopano IDP (820ba2a1-3f54-4538-80a4-2d73007e30bf)
+
+Both have simple default passwords which need to be changed. Currently, changing a password is only possible on the command line. You need to run `ocis accounts update --password <new-password> <id>` for both users.
+
+The new password for the Reva Inter Operability Platform user must be made available to oCIS by using the environment variable `STORAGE_LDAP_BIND_PASSWORD`. The same applies to the new Kopano IDP user password, which needs do be made available to oCIS in `IDP_LDAP_BIND_PASSWORD`.
+
+Furthermore, oCIS uses a shared secret to sign JWT tokens for inter service authorization, which also needs to be changed by the user.
+You can change it by setting the `OCIS_JWT_SECRET` environment variable for oCIS to a random string.
+
+### Delete demo users
+
+{{< hint info >}}
+Before deleting the demo users mentioned below, you must create a new account for yourself and assign it to the administrator role.
+{{< /hint >}}
+
+oCIS ships with a few demo users besides the system users:
+- Admin (ddc2004c-0977-11eb-9d3f-a793888cd0f8)
+- Albert Einstein (4c510ada-c86b-4815-8820-42cdf82c3d51)
+- Richard Feynman (932b4540-8d16-481e-8ef4-588e4b6b151c)
+- Maurice Moss (058bff95-6708-4fe5-91e4-9ea3d377588b)
+- Marie Curie (f7fbf8c8-139b-4376-b307-cf0a8c2d0d9c)
+
+You can view them in ownCloud Web if you log in as Admin user or list them by running `ocis accounts list`.
+After adding your own user it is safe to delete the demo users in the web UI or with the command `ocis accounts remove <id>`. Please do not delete the system users (see [change default secrets]({{< ref "_index.md#change-default-secrets" >}})) or oCIS will not function properly anymore.

docs/ocis/deployment/basic-remote-setup.md

@@ -21,6 +21,10 @@ Upon first start of the oCIS fullstack server with `./bin/ocis server` it will g
 The `identifier-registration.yml` file will only be generated if does not exist. If you want to change certain environment variables like `OCIS_URL`, please delete this file first before doing so. Otherwise your changes will not be applied correctly and you will run into errors.
 {{< /hint >}}
 
+{{< hint warning >}}
+oCIS is currently in a Tech Preview state and is shipped with demo users. In order to secure your oCIS instances please follow following guide: [secure an oCIS instance]({{< ref "_index.md/#secure-an-ocis-instance" >}})
+{{< /hint >}}
+
 For the following examples you need to have the oCIS binary in your current working directory, we assume it is named `ocis` and it needs to be marked as executable. See [Getting Started]({{< ref "../getting-started/#binaries" >}}) for where to get the binary from.
 
 ### Using automatically generated certificates

docs/ocis/deployment/ocis_keycloak.md

@@ -70,6 +70,12 @@ See also [example server setup]({{< ref "preparing_server.md" >}})
   OCIS_DOMAIN=
   # ownCloud Web openid connect client id. Defaults to "ocis-web"
   OCIS_OIDC_CLIENT_ID=
+  # IDP LDAP bind password. Must be changed in order to have a secure oCIS. Defaults to "idp".
+  IDP_LDAP_BIND_PASSWORD=
+  # Storage LDAP bind password. Must be changed in order to have a secure oCIS. Defaults to "reva".
+  STORAGE_LDAP_BIND_PASSWORD=
+  # JWT secret which is used for the storage provider. Must be changed in order to have a secure oCIS. Defaults to "Pive-Fumkiu4"
+  OCIS_JWT_SECRET=
 
   ### Keycloak ###
   # Domain of Keycloak, where you can find the management and authentication frontend. Defaults to "keycloak.owncloud.test"
@@ -97,6 +103,8 @@ See also [example server setup]({{< ref "preparing_server.md" >}})
 
   If you want to change the OIDC client id of th ownCloud Web frontend, you can do this by setting the name to `OCIS_OIDC_CLIENT_ID=`.
 
+  You also must override three default secrets in `IDP_LDAP_BIND_PASSWORD`, `STORAGE_LDAP_BIND_PASSWORD` and `OCIS_JWT_SECRET` in order to secure your oCIS instance. Choose some random strings eg. from the output of `openssl rand -base64 32`. For more information see [secure an oCIS instance]({{< ref "_index.md/#secure-an-ocis-instance" >}}).
+
   Set your domain for the Keycloak administration panel and authentication endpoints to `KEYCLOAK_DOMAIN=` eg. `KEYCLOAK_DOMAIN=keycloak.owncloud.test`.
 
   Changing the used Keycloak realm can be done by setting `KEYCLOAK_REALM=`. This defaults to the oCIS realm `KEYCLOAK_REALM=oCIS`. The oCIS realm will be automatically imported on startup and includes our demo users.

docs/ocis/deployment/ocis_traefik.md

@@ -64,6 +64,12 @@ See also [example server setup]({{< ref "preparing_server.md" >}})
   OCIS_DOCKER_TAG=
   # Domain of oCIS, where you can find the frontend. Defaults to "ocis.owncloud.test"
   OCIS_DOMAIN=
+  # IDP LDAP bind password. Must be changed in order to have a secure oCIS. Defaults to "idp".
+  IDP_LDAP_BIND_PASSWORD=
+  # Storage LDAP bind password. Must be changed in order to have a secure oCIS. Defaults to "reva".
+  STORAGE_LDAP_BIND_PASSWORD=
+  # JWT secret which is used for the storage provider. Must be changed in order to have a secure oCIS. Defaults to "Pive-Fumkiu4"
+  OCIS_JWT_SECRET=
   ```
 
   You are installing oCIS on a server and Traefik will obtain valid certificates for you so please remove `INSECURE=true` or set it to `false`.
@@ -78,6 +84,8 @@ See also [example server setup]({{< ref "preparing_server.md" >}})
 
   Set your domain for the oCIS frontend in `OCIS_DOMAIN=`, eg. `OCIS_DOMAIN=ocis.owncloud.test`.
 
+  You also must override three default secrets in `IDP_LDAP_BIND_PASSWORD`, `STORAGE_LDAP_BIND_PASSWORD` and `OCIS_JWT_SECRET` in order to secure your oCIS instance. Choose some random strings eg. from the output of `openssl rand -base64 32`. For more information see [secure an oCIS instance]({{< ref "_index.md/#secure-an-ocis-instance" >}}).
+
   Now you have configured everything and can save the file.
 
 * Start the docker stack

docs/ocis/deployment/preparing_server.md

@@ -1,7 +1,7 @@
 ---
 title: "Preparing a server"
 date: 2020-10-12T14:04:00+01:00
-weight: 10
+weight: 100
 geekdocRepo: https://github.com/owncloud/ocis
 geekdocEditPath: edit/master/docs/ocis/deployment
 geekdocFilePath: preparing_server.md

idp/pkg/config/config.go

@@ -28,6 +28,21 @@ type HTTP struct {
 	TLS     bool
 }
 
+// Ldap defines the available LDAP configuration.
+type Ldap struct {
+	URI               string
+	BindDN            string
+	BindPassword      string
+	BaseDN            string
+	Scope             string
+	LoginAttribute    string
+	EmailAttribute    string
+	NameAttribute     string
+	UUIDAttribute     string
+	UUIDAttributeType string
+	Filter            string
+}
+
 // Service defines the available service configuration.
 type Service struct {
 	Name      string
@@ -51,14 +66,15 @@ type Asset struct {
 
 // Config combines all available configuration parts.
 type Config struct {
-	File     string
-	Log      Log
-	Debug    Debug
-	HTTP     HTTP
-	Tracing  Tracing
-	Asset    Asset
-	IDP bootstrap.Config
-	Service  Service
+	File    string
+	Log     Log
+	Debug   Debug
+	HTTP    HTTP
+	Tracing Tracing
+	Asset   Asset
+	IDP     bootstrap.Config
+	Ldap    Ldap
+	Service Service
 }
 
 // New initializes a new configuration with or without defaults.

idp/pkg/flagset/flagset.go

@@ -150,6 +150,83 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
 			EnvVars:     []string{"IDP_IDENTITY_MANAGER"},
 			Destination: &cfg.IDP.IdentityManager,
 		},
+		&cli.StringFlag{
+			Name:        "ldap-uri",
+			Value:       "ldap://localhost:9125",
+			Usage:       "URI of the LDAP server (glauth)",
+			EnvVars:     []string{"IDP_LDAP_URI"},
+			Destination: &cfg.Ldap.URI,
+		},
+		&cli.StringFlag{
+			Name:        "ldap-bind-dn",
+			Value:       "cn=idp,ou=sysusers,dc=example,dc=org",
+			Usage:       "Bind DN for the LDAP server (glauth)",
+			EnvVars:     []string{"IDP_LDAP_BIND_DN"},
+			Destination: &cfg.Ldap.BindDN,
+		},
+		&cli.StringFlag{
+			Name:        "ldap-bind-password",
+			Value:       "idp",
+			Usage:       "Password for the Bind DN of the LDAP server (glauth)",
+			EnvVars:     []string{"IDP_LDAP_BIND_PASSWORD"},
+			Destination: &cfg.Ldap.BindPassword,
+		},
+		&cli.StringFlag{
+			Name:        "ldap-base-dn",
+			Value:       "ou=users,dc=example,dc=org",
+			Usage:       "LDAP base DN of the oCIS users",
+			EnvVars:     []string{"IDP_LDAP_BASE_DN"},
+			Destination: &cfg.Ldap.BaseDN,
+		},
+		&cli.StringFlag{
+			Name:        "ldap-scope",
+			Value:       "sub",
+			Usage:       "LDAP scope of the oCIS users",
+			EnvVars:     []string{"IDP_LDAP_SCOPE"},
+			Destination: &cfg.Ldap.Scope,
+		},
+		&cli.StringFlag{
+			Name:        "ldap-login-attribute",
+			Value:       "cn",
+			Usage:       "LDAP login attribute of the oCIS users",
+			EnvVars:     []string{"IDP_LDAP_LOGIN_ATTRIBUTE"},
+			Destination: &cfg.Ldap.LoginAttribute,
+		},
+		&cli.StringFlag{
+			Name:        "ldap-email-attribute",
+			Value:       "mail",
+			Usage:       "LDAP email attribute of the oCIS users",
+			EnvVars:     []string{"IDP_LDAP_EMAIL_ATTRIBUTE"},
+			Destination: &cfg.Ldap.EmailAttribute,
+		},
+		&cli.StringFlag{
+			Name:        "ldap-name-attribute",
+			Value:       "sn",
+			Usage:       "LDAP name attribute of the oCIS users",
+			EnvVars:     []string{"IDP_LDAP_NAME_ATTRIBUTE"},
+			Destination: &cfg.Ldap.NameAttribute,
+		},
+		&cli.StringFlag{
+			Name:        "ldap-uuid-attribute",
+			Value:       "uid",
+			Usage:       "LDAP UUID attribute of the oCIS users",
+			EnvVars:     []string{"IDP_LDAP_UUID_ATTRIBUTE"},
+			Destination: &cfg.Ldap.UUIDAttribute,
+		},
+		&cli.StringFlag{
+			Name:        "ldap-uuid-attribute-type",
+			Value:       "text",
+			Usage:       "LDAP UUID attribute type of the oCIS users",
+			EnvVars:     []string{"IDP_LDAP_UUID_ATTRIBUTE_TYPE"},
+			Destination: &cfg.Ldap.UUIDAttributeType,
+		},
+		&cli.StringFlag{
+			Name:        "ldap-filter",
+			Value:       "(objectClass=posixaccount)",
+			Usage:       "LDAP filter of the oCIS users",
+			EnvVars:     []string{"IDP_LDAP_FILTER"},
+			Destination: &cfg.Ldap.Filter,
+		},
 		&cli.StringFlag{
 			Name:        "transport-tls-cert",
 			Value:       "",

idp/pkg/service/v0/service.go

@@ -38,7 +38,7 @@ func NewService(opts ...Option) Service {
 		assets.Config(options.Config),
 	)
 
-	if err := initKonnectInternalEnvVars(); err != nil {
+	if err := initKonnectInternalEnvVars(&options.Config.Ldap); err != nil {
 		logger.Fatal().Err(err).Msg("could not initialize env vars")
 	}
 
@@ -110,26 +110,24 @@ func createConfigsIfNotExist(assets http.FileSystem, ocisURL string) error {
 }
 
 // Init vars which are currently not accessible via idp api
-func initKonnectInternalEnvVars() error {
+func initKonnectInternalEnvVars(ldap *config.Ldap) error {
 	var defaults = map[string]string{
-		"LDAP_URI":                 "ldap://localhost:9125",
-		"LDAP_BINDDN":              "cn=idp,ou=sysusers,dc=example,dc=org",
-		"LDAP_BINDPW":              "idp",
-		"LDAP_BASEDN":              "ou=users,dc=example,dc=org",
-		"LDAP_SCOPE":               "sub",
-		"LDAP_LOGIN_ATTRIBUTE":     "cn",
-		"LDAP_EMAIL_ATTRIBUTE":     "mail",
-		"LDAP_NAME_ATTRIBUTE":      "sn",
-		"LDAP_UUID_ATTRIBUTE":      "uid",
-		"LDAP_UUID_ATTRIBUTE_TYPE": "text",
-		"LDAP_FILTER":              "(objectClass=posixaccount)",
+		"LDAP_URI":                 ldap.URI,
+		"LDAP_BINDDN":              ldap.BindDN,
+		"LDAP_BINDPW":              ldap.BindPassword,
+		"LDAP_BASEDN":              ldap.BaseDN,
+		"LDAP_SCOPE":               ldap.Scope,
+		"LDAP_LOGIN_ATTRIBUTE":     ldap.LoginAttribute,
+		"LDAP_EMAIL_ATTRIBUTE":     ldap.EmailAttribute,
+		"LDAP_NAME_ATTRIBUTE":      ldap.NameAttribute,
+		"LDAP_UUID_ATTRIBUTE":      ldap.UUIDAttribute,
+		"LDAP_UUID_ATTRIBUTE_TYPE": ldap.UUIDAttributeType,
+		"LDAP_FILTER":              ldap.Filter,
 	}
 
 	for k, v := range defaults {
-		if _, exists := os.LookupEnv(k); !exists {
-			if err := os.Setenv(k, v); err != nil {
-				return fmt.Errorf("could not set env var %s=%s", k, v)
-			}
+		if err := os.Setenv(k, v); err != nil {
+			return fmt.Errorf("could not set env var %s=%s", k, v)
 		}
 	}
 

ocis/pkg/config/config.go

@@ -75,7 +75,7 @@ type Config struct {
 	Graph         *graph.Config
 	GraphExplorer *graphExplorer.Config
 	Hello         *hello.Config
-	IDP      	  *idp.Config
+	IDP           *idp.Config
 	OCS           *ocs.Config
 	Onlyoffice    *onlyoffice.Config
 	Web           *web.Config
@@ -96,7 +96,7 @@ func New() *Config {
 		Graph:         graph.New(),
 		GraphExplorer: graphExplorer.New(),
 		Hello:         hello.New(),
-		IDP:      	   idp.New(),
+		IDP:           idp.New(),
 		OCS:           ocs.New(),
 		Onlyoffice:    onlyoffice.New(),
 		Web:           web.New(),

ocs/pkg/flagset/flagset.go

@@ -149,7 +149,7 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
 			Name:        "jwt-secret",
 			Value:       "Pive-Fumkiu4",
 			Usage:       "Used to dismantle the access token, should equal reva's jwt-secret",
-			EnvVars:     []string{"OCS_JWT_SECRET"},
+			EnvVars:     []string{"OCS_JWT_SECRET", "OCIS_JWT_SECRET"},
 			Destination: &cfg.TokenManager.JWTSecret,
 		},
 	}

proxy/pkg/flagset/flagset.go

@@ -175,7 +175,7 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
 			Name:        "jwt-secret",
 			Value:       "Pive-Fumkiu4",
 			Usage:       "Used to create JWT to talk to reva, should equal reva's jwt-secret",
-			EnvVars:     []string{"PROXY_JWT_SECRET"},
+			EnvVars:     []string{"PROXY_JWT_SECRET", "OCIS_JWT_SECRET"},
 			Destination: &cfg.TokenManager.JWTSecret,
 		},
 		&cli.StringFlag{

settings/pkg/flagset/flagset.go

@@ -182,7 +182,7 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
 			Name:        "jwt-secret",
 			Value:       "Pive-Fumkiu4",
 			Usage:       "Used to create JWT to talk to reva, should equal reva's jwt-secret",
-			EnvVars:     []string{"SETTINGS_JWT_SECRET"},
+			EnvVars:     []string{"SETTINGS_JWT_SECRET", "OCIS_JWT_SECRET"},
 			Destination: &cfg.TokenManager.JWTSecret,
 		},
 	}

storage/pkg/flagset/secret.go

@@ -12,7 +12,7 @@ func SecretWithConfig(cfg *config.Config) []cli.Flag {
 			Name:        "jwt-secret",
 			Value:       "Pive-Fumkiu4",
 			Usage:       "Shared jwt secret for reva service communication",
-			EnvVars:     []string{"STORAGE_JWT_SECRET"},
+			EnvVars:     []string{"STORAGE_JWT_SECRET", "OCIS_JWT_SECRET"},
 			Destination: &cfg.Reva.JWTSecret,
 		},
 	}