lldap/example_configs/ocis.md

OCIS (OwnCloud Infinite Scale)

This is using version 5 which is currently still in RC.

IMPORTANT: There is a bug/quirk in how the OCIS container handles bind mounts.

If the bind mount locations (eg. /srv/ocis/{app,cfg}) don't exist when the container is started, OCIS creates them with root permissions. It then seems to drop permissions to UID 1000 and gives an error because it can't create files in the {app,cfg}.

So you must create the bind mount locations and manually chown them to uid/gid 1000, eg.

# cd /srv/ocis
# mkdir app cfg
# chown 1000:1000 app cfg
# docker compose up -d && docker compose logs -f 

.env

OCIS_URL="https://ocis.example.nz"
LDAP_BASE_DN="dc=example,dc=nz"
LDAP_BIND_PASSWORD=very-secret-yogurt
# LLDAP UUID to be given admin permissions
LLDAP_ADMIN_UUID=c1c2428a-xxxx-yyyy-zzzz-6cc946bf6809

docker-compose.yml

version: "3.7"

networks:
  caddy:
    external: true

services:
  ocis:
    image: owncloud/ocis:5.0.0-rc.4
    container_name: ocis
    networks:
      - caddy
    entrypoint:
      - /bin/sh
    command: ["-c", "ocis init || true; ocis server"]
    environment:
      OCIS_URL: ${OCIS_URL}
      OCIS_LOG_LEVEL: warn
      OCIS_LOG_COLOR: "false"
      PROXY_TLS: "false" # do not use SSL between Traefik and oCIS
      OCIS_INSECURE: "false"
      # Basic Auth is required for WebDAV clients that don't support OIDC
      PROXY_ENABLE_BASIC_AUTH: "false"
      #IDM_ADMIN_PASSWORD: "${ADMIN_PASSWORD}" # Not needed if admin user is in LDAP (?)
      #OCIS_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: "banned-password-list.txt"

      # Assumes your LLDAP container is named `lldap`
      OCIS_LDAP_URI: ldap://lldap:3890
      OCIS_LDAP_INSECURE: "true"
      OCIS_LDAP_BIND_DN: "uid=admin,ou=people,${LDAP_BASE_DN}"
      OCIS_LDAP_BIND_PASSWORD: ${LDAP_BIND_PASSWORD}
      OCIS_ADMIN_USER_ID: ${LLDAP_ADMIN_UUID}

      OCIS_LDAP_USER_ENABLED_ATTRIBUTE: uid
      GRAPH_LDAP_SERVER_WRITE_ENABLED: "false" # Does your LLDAP bind user have write access?
      GRAPH_LDAP_REFINT_ENABLED: "false"
      # Disable the built in LDAP server
      OCIS_EXCLUDE_RUN_SERVICES: idm
      # both text and binary cause errors in LLDAP, seems harmless though (?)
      #IDP_LDAP_UUID_ATTRIBUTE_TYPE: 'text'

      LDAP_LOGIN_ATTRIBUTES: "uid"
      IDP_LDAP_LOGIN_ATTRIBUTE: "uid"
      IDP_LDAP_UUID_ATTRIBUTE: "entryuuid"
      OCIS_LDAP_USER_SCHEMA_ID: "entryuuid"
      OCIS_LDAP_GROUP_SCHEMA_ID: "uid"
      OCIS_LDAP_GROUP_SCHEMA_GROUPNAME: "uid"

      OCIS_LDAP_GROUP_BASE_DN: "ou=groups,${LDAP_BASE_DN}"
      OCIS_LDAP_GROUP_OBJECTCLASS: "groupOfUniqueNames"
      # can filter which groups are imported, eg: `(&(objectclass=groupOfUniqueNames)(uid=ocis_*))`
      OCIS_LDAP_GROUP_FILTER: "(objectclass=groupOfUniqueNames)"

      OCIS_LDAP_USER_BASE_DN: "ou=people,${LDAP_BASE_DN}"
      OCIS_LDAP_USER_OBJECTCLASS: "inetOrgPerson"
      # Allows all users
      #OCIS_LDAP_USER_FILTER: "(objectclass=inetOrgPerson)"
      # Allows users who are in the LLDAP group `ocis_users`
      OCIS_LDAP_USER_FILTER: "(&(objectclass=person)(memberOf=cn=ocis_users,ou=groups,${LDAP_BASE_DN}))"
      # NOT WORKING: Used instead of restricting users with OCIS_LDAP_USER_FILTER
      #OCIS_LDAP_DISABLE_USER_MECHANISM: "group"
      #OCIS_LDAP_DISABLED_USERS_GROUP_DN: "uid=ocis_disabled,ou=groups,${LDAP_BASE_DN}"
    volumes:
      # - ./config/ocis/banned-password-list.txt:/etc/ocis/banned-password-list.txt
      # IMPORTANT: see note at top about creating/cowning bind mounts
      - ./cfg:/etc/ocis
      - ./app:/var/lib/ocis
    restart: always