auth-basic runs by default even when not needed

[michaelstingl]

Is your feature request related to a problem? Please describe.

When configuring OpenCloud with external authentication and excluding the idm service, the auth-basic service still tries to access the IDM's LDAP certificate at /var/lib/opencloud/idm/ldap.crt, causing startup failures:

"CA cert file is not ready yet. Waiting 2 seconds for it to appear."
"Error reading LDAP CA Cert '/var/lib/opencloud/idm/ldap.crt.': open /var/lib/opencloud/idm/ldap.crt: no such file or directory"

This forces users to manually exclude auth-basic from the services list, which is not documented and not intuitive.

Describe the solution you'd like

The auth-basic service should be more intelligent about its dependencies:

1. Check for IDM exclusion: When starting, check if idm is in OC_EXCLUDE_RUN_SERVICES

2. Adapt behavior: If IDM is excluded and no AUTH_BASIC_LDAP_* configuration is provided, either:

   • Skip looking for the IDM certificate
   • Auto-disable itself with a clear log message
   • Use the main OC_LDAP_* configuration if available

3. Better error messages: Replace generic "CA cert file is not ready" with:

   "IDM service is excluded but auth-basic is configured to use IDM's LDAP certificate. 
    Either configure AUTH_BASIC_LDAP_* variables for external LDAP or exclude auth-basic service."
   

Describe alternatives you've considered

1. Documentation only: Document that users need to exclude auth-basic when using external auth (current workaround)
2. Remove auth-basic dependency: Refactor so auth-basic doesn't depend on IDM certificate location

Additional context

This issue was discovered when setting up HA deployments with external Keycloak/LDAP where the current behavior is:

• Users exclude idm,idp as documented
• OpenCloud fails to start due to auth-basic looking for IDM certificate
• Users have to discover through trial and error that auth-basic also needs exclusion

Related discussion: opencloud-eu/helm#102 (comment)

The ideal solution would make OpenCloud "just work" with external authentication without requiring deep knowledge of internal service dependencies.

[micbar]

The auth-basic service is still running and looking for the IDM's LDAP certificate at /var/lib/opencloud/idm/ldap.crt, even though you've excluded IDM. This causes the crash you're seeing.

I think that observation is wrong. Why should auth-basic load something from another service? Services are cleanly separated and have no access to internals of other services.

[michaelstingl]

@micbar You're absolutely right to question this. After extensive research, I need to revise my initial feature request.

My original understanding vs. reality

I initially suggested that auth-basic should "check for IDM exclusion" and "adapt its behavior". But you're correct - services shouldn't know about each other's state.

The real issue is different: auth-basic has hardcoded configuration defaults that assume IDM is present:

• Default LDAP URI: ldaps://localhost:9235 (IDM's LDAP port)
• Default CA certificate: /var/lib/opencloud/idm/ldap.crt

What changed my perspective

After testing with OpenCloud v3.2.0 locally, I discovered:

1. auth-basic starts by default - even when PROXY_ENABLE_BASIC_AUTH=false
2. It's explicitly a legacy feature - the README states "only for tests and development"
3. It runs idle in most deployments - consuming resources without serving requests

This made me realize the feature request was addressing a symptom, not the root cause.

The real question

Instead of making auth-basic "smarter" about IDM, perhaps we should ask: Why does a development/testing service run by default in production?

The current behavior means:

• Production deployments include a service not recommended for production
• Users must know to exclude it when using external authentication
• Resources are wasted on an idle service when basic auth is disabled

Revised proposal

Rather than my original feature request, maybe we should consider:

1. Only start auth-basic when needed - i.e., when PROXY_ENABLE_BASIC_AUTH=true
2. Change the defaults - make auth-basic opt-in rather than opt-out
3. Better documentation - clearly state when auth-basic is needed

What do you think?

[micbar]

Sorry. This is wasting time 😅