Replies: 5 comments 11 replies
I think so, and I've recently set up OpenCloud to use lldap as the IDM, so it's one less thing that OpenCloud is doing. However, when trying to add people to a space, I found that the LDAP query it runs is unsupported, so I have filed (and am attempting to fix) lldap/lldap#1327. My setup is fairly different from yours, however, in that I'm using traefik and kubernetes.
I've finally configured opencloud as I wanted, after weeks of trial and error 😃 I put here the whole configuration, to be used by anyone who needs it.

docker-compose.yml

opencloud:
  image: opencloudeu/opencloud-rolling:3.5.0
  # changelog: https://github.com/opencloud-eu/opencloud/tree/main/changelog
  # release notes: https://docs.opencloud.eu/opencloud_release_notes.html
  networks:
    <same-caddy-authelia-lldap-network>:
  entrypoint:
    - /bin/sh
  container_name: opencloud
  command: ["-c", "opencloud init || true; opencloud server"]
  ports: # this comes from external proxy docker file
    - "9200:9200"
  environment:
    OC_ADD_RUN_SERVICES: notifications
    OC_URL: https://opencloud.<DOMAIN>
    OC_LOG_LEVEL: info
    OC_LOG_COLOR: "true"
    OC_LOG_PRETTY: "true"
    # do not use SSL between the reverse proxy and OpenCloud
    PROXY_TLS: "false"
    PROXY_HTTP_ADDR: "0.0.0.0:9200" # from docker compose externalproxy/opencloud
    OC_INSECURE: "true"
    # basic auth (not recommended, but needed for e.g. WebDAV clients that do not support OpenID Connect)
    PROXY_ENABLE_BASIC_AUTH: "false"
    # demo users
    IDM_CREATE_DEMO_USERS: "false"
    # admin password
    IDM_ADMIN_PASSWORD: "<REDACT>" # anyway useless after authelia and ldap setup
    # email server (if configured)
    NOTIFICATIONS_SMTP_HOST: "submission://smtp.gmail.com"
    NOTIFICATIONS_SMTP_PORT: "587"
    NOTIFICATIONS_SMTP_SENDER: "OpenCloud notifications <[email protected]>"
    NOTIFICATIONS_SMTP_USERNAME: "<real-mail>"
    NOTIFICATIONS_SMTP_PASSWORD: /run/secrets/opencloud-smtp-pass
    NOTIFICATIONS_SMTP_INSECURE: "false"
    NOTIFICATIONS_SMTP_AUTHENTICATION: ""
    NOTIFICATIONS_SMTP_ENCRYPTION: "starttls"
    FRONTEND_ARCHIVER_MAX_SIZE: "10000000000"
    PROXY_CSP_CONFIG_FILE_LOCATION: /etc/opencloud/csp.yaml
    # enable to allow using the banned passwords list
    OC_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: banned-password-list.txt
    # control the password enforcement and policy for public shares
    OC_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD: "true"
    OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD: "true"
    OC_PASSWORD_POLICY_DISABLED: "false"
    OC_PASSWORD_POLICY_MIN_CHARACTERS: "8"
    OC_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS: "1"
    OC_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS: "1"
    OC_PASSWORD_POLICY_MIN_DIGITS: "1"
    OC_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS: "1"
    COLLABORA_DOMAIN: collabora.<DOMAIN>
    NATS_NATS_HOST: 0.0.0.0
    GATEWAY_GRPC_ADDR: 0.0.0.0:9142
    # make collabora the secure view app
    FRONTEND_APP_HANDLER_SECURE_VIEW_APP_ADDR: eu.opencloud.api.collaboration.CollaboraOnline
    GRAPH_AVAILABLE_ROLES: "b1e2218d-eef8-4d4c-b82d-0f1a1b48f3b5,a8d5fe5e-96e3-418d-825b-534dbdf22b99,fb6c3e19-e378-47e5-b277-9732f9de6e21,58c63c02-1d89-4572-916a-870abc5a1b7d,2d00ce52-1fc2-4dbc-8b95-a73b73395f5a,1c996275-f1c9-4e71-abdf-a42f6495e960,312c0871-5ef7-4b3a-85b6-0e4074c64049,aa97fe03-7980-45ac-9e50-b325749fd7e6"
    FRONTEND_READONLY_USER_ATTRIBUTES: "user.onPremisesSamAccountName,user.displayName,user.mail,user.passwordProfile,user.memberOf"
    # NO NEED TO HAVE POSTGRES OR REDIS...
    # POSTGRES_HOST: <host>
    # POSTGRES_DB: <DB>
    # POSTGRES_USER: /run/secrets/opencloud-pg-user
    # POSTGRES_PASSWORD: /run/secrets/opencloud-pg-pass
    # REDIS_HOST: redis
    # REDIS_HOST_PASSWORD: /run/secrets/redis-pass
    OC_OIDC_ISSUER: https://login.<DOMAIN>
    # OC_OIDC_CLIENT_ID: web << REMOVED
    WEB_OIDC_CLIENT_ID: web # long hash generated with authelia
    OC_EXCLUDE_RUN_SERVICES: idp # only idp here
    PROXY_OIDC_REWRITE_WELLKNOWN: "true"
    PROXY_AUTOPROVISION_ACCOUNTS: "true" # from false to true here
    OIDC_CLIENT_SECRET: /run/secrets/opencloud-oidc-client
    OIDC_REDIRECT_URI: https://opencloud.<DOMAIN>/
    # from https://github.com/opencloud-eu/opencloud-compose/issues/111
    IDP_DOMAIN: "login.gpmyhome.dedyn.io" # new, missing before
    PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD: "none"
    PROXY_OIDC_SKIP_VERIFICATION: "false"
    PROXY_USER_OIDC_CLAIM: "preferred_username"
    PROXY_AUTOPROVISION_CLAIM_USERNAME: "preferred_username"
    PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM: "roles" # no oidc here
    WEB_OIDC_SCOPE: "openid profile email groups"
    # whole section commented, done in Authelia
    #OC_LDAP_SERVER_WRITE_ENABLED: false
    #OC_LDAP_URI: ldap://lldap:3890
    #OC_LDAP_INSECURE: "true"
    #OC_LDAP_BIND_DN: "uid=admin-reader,ou=people,dc=DOMAIN,dc=DOMAIN,dc=DOMAIN"
    #OC_LDAP_BIND_PASSWORD: ${LDAP_BIND_PASSWORD:-admin}
    #OC_LDAP_USER_BASE_DN: 'ou=people,dc=DOMAIN,dc=DOMAIN,dc=DOMAIN'
    #OC_LDAP_USER_FILTER: "(objectclass=inetOrgPerson)"
    #OC_LDAP_GROUP_BASE_DN: "ou=groups,dc=DOMAIN,dc=DOMAIN,dc=DOMAIN"
    #LDAP_BIND_PASSWORD: /run/secrets/opencloud-ldap-adm-pass
    PROXY_ROLE_ASSIGNMENT_DRIVER: "default" # not oidc
    GRAPH_ASSIGN_DEFAULT_USER_ROLE: "true"
    GRAPH_USERNAME_MATCH: "none"
  volumes:
    # csp.yaml and banned-password were copied from github repo to config mounted volume
    - ./volumes/opencloud/config/:/etc/opencloud
    - ./volumes/opencloud/data/:/var/lib/opencloud
    - ./volumes/opencloud/apps/:/var/lib/opencloud/web/assets/apps
  logging:
    driver: local
  restart: always
  secrets:
    - opencloud-pg-user
    - opencloud-pg-pass
    - redis-pass
    - opencloud-oidc-client
    - opencloud-ldap-adm-pass
    - opencloud-smtp-pass

Authelia configuration.yaml

authelia uses postgresql, redis and it has a user with a TOTP device registered.

default_2fa_method: totp
server:
  address: 0.0.0.0:9091
  endpoints:
    authz:
      forward-auth:
        implementation: 'ForwardAuth'
log:
  level: 'info'
ntp:
  address: 'udp://time.cloudflare.com:123'
  version: 3
  max_desync: '3s'
  disable_startup_check: false
  disable_failure: false
totp:
  disable: false
  issuer: <DOMAIN>
  algorithm: sha512
  digits: 6
  period: 30
  secret_size: 32
webauthn:
  disable: true
password_policy:
  standard:
    enabled: false
    min_length: 12
    max_length: 0
    require_uppercase: true
    require_lowercase: true
    require_number: true
    require_special: true
# NEW SECTION
definitions:
  user_attributes:
    opencloud_admin:
      expression: '"<an LLDAP group>" in groups ? "opencloudAdmin" : "opencloudUser"'
authentication_backend:
  password_reset:
    disable: false
  refresh_interval: 5m
  ldap:
    address: 'ldap://lldap:3890'
    implementation: 'lldap'
    base_dn: 'dc=<DOMAIN>,dc=<DOMAIN>,dc=<DOMAIN>'
    timeout: 20s
    start_tls: false
    attributes:
      username: uid
      display_name: displayName
      group_name: cn
      mail: mail
    additional_users_dn: ou=people
    users_filter: '(&({username_attribute}={input})(objectClass=inetOrgPerson))'
    additional_groups_dn: ou=groups
    groups_filter: "(member={dn})"
    # admin-reader is a user with read-only capability, but able to retrieve data, tested with ldapsearch
    user: 'uid=admin-reader,ou=people,dc=<DOMAIN>,dc=<DOMAIN>,dc=<DOMAIN>'
access_control:
  default_policy: deny
  rules:
    - domain: "*.<DOMAIN>.<DOMAIN>.<DOMAIN>"
      policy: two_factor
session:
  name: authelia_session
  expiration: 3600
  inactivity: 300
  cookies:
    - name: authelia_session
      domain: '{{ env "COOKIE_SESSION_DOMAIN" }}'
      authelia_url: 'https://login.{{ env "COOKIE_SESSION_DOMAIN" }}'
  redis:
    host: redis
    port: 6379
    password: REDACTED
    database_index: 0
    maximum_active_connections: 10
regulation:
  max_retries: 3
  find_time: 2m
  ban_time: 5m
storage:
  postgres:
    address: tcp://postgres:5432
    database: REDACT
    schema: public
    username: REDACT
    password: REDACT
notifier:
  smtp:
    address: 'submission://smtp.gmail.com:587'
    username: "<REAL MAIL>"
    sender: "Authelia <authelia@DOMAIN>"
    subject: "[Authelia] Verification Code"
    timeout: 5000
    disable_require_tls: false
    disable_starttls: false
    disable_html_emails: false
identity_providers:
  oidc:
    lifespans:
      access_token: 1h
      refresh_token: 90m
      authorize_code: 1m
      id_token: 1h
    # NEW BLOCK
    claims_policies:
      opencloud_claims_policy:
        custom_claims:
          ## Gives the 'opencloud_claims_policy' claims policy access to the 'oc_group' claim,
          ## whose value is the 'opencloud_admin' user attribute defined above.
          oc_group:
            attribute: 'opencloud_admin'
    # NEW BLOCK
    scopes:
      ## Gives the arbitrary scope 'opencloud_scope' access to the 'oc_group' claim.
      opencloud_scope:
        claims:
          - 'oc_group'
    cors:
      endpoints:
        - authorization
        - pushed-authorization-request
        - token
        - revocation
        - introspection
        - userinfo
      allowed_origins:
        - https://opencloud.<DOMAIN>
      allowed_origins_from_client_redirect_uris: true
    jwks:
      - algorithm: 'RS256'
        use: 'sig'
        key: {{ secret "/secrets/IDENTITY_PROVIDERS_OIDC_JWKS" | mindent 10 "|" | msquote }}
    clients:
      # https://docs.opencloud.eu/docs/admin/configuration/authentication-and-user-management/external-idp/#web-client
      - client_id: ... # long hash generated with authelia
        client_name: opencloud-web
        public: true
        redirect_uris:
          - https://opencloud.<DOMAIN>/
          - https://opencloud.<DOMAIN>/oidc-callback.html
          - https://opencloud.<DOMAIN>/oidc-silent-redirect.html
        allow_multiple_auth_methods: true
        # from https://gist.github.com/kulmann/78f012cd549e61b146be1473982f6c51
        consent_mode: explicit
        pre_configured_consent_duration: 1w
        scopes:
          - openid
          - groups
          - profile
          - email
          - opencloud_scope # this is new
        response_types:
          - code
        grant_types:
          - authorization_code
        response_modes:
          - form_post
          - query
          - fragment
        access_token_signed_response_alg: 'none'
Caddyfile

(https_header) {
    header {
        Strict-Transport-Security "max-age=31536000; includeSubdomains"
        X-XSS-Protection "1; mode=block"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "SAMEORIGIN"
        Referrer-Policy "same-origin"
    }
}
#
# Forward authentication with optional matcher
#
(auth) {
    @Matcher {args[:]}
    forward_auth @Matcher authelia:9091 {
        uri /api/authz/forward-auth
        copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
    }
}
...
# Authelia OIDC
opencloud.{$DOMAIN} {
    import https_header
    tls <real-mail>
    reverse_proxy opencloud:9200
    # Handling of large file uploads
    request_body {
        max_size 2GB
    }
    # Cache: avoid caching dynamic responses
    @nocache {
        path /remote.php/* /ocs/* /index.php/* /cron.php /status.php /public.php /core/ajax/* /apps/files/ajax/*
    }
    header @nocache Cache-Control "no-store"
}
collabora.{$DOMAIN} {
    import https_header
    tls <real-mail>
    encode gzip
    @collabora {
        path /cool/* /browser/* /hosting/* /loleaflet/* /lool/* /loolws/* /loleaflet/dist/* /favicon.ico
    }
    reverse_proxy @collabora rpi-ip:9980 {
        header_up Host {host}
        header_up X-Real-IP {remote}
    }
}
wopiserver.{$DOMAIN} {
    import https_header
    tls <real-mail>
    reverse_proxy rpi-ip:9300
}
login.{$DOMAIN} {
    reverse_proxy authelia:9091 {
        transport http {
            read_timeout 180s # how long Caddy waits for a response from Authelia after sending the request
            write_timeout 180s # how long Caddy waits for Authelia to receive the whole request
            dial_timeout 60s # how long Caddy waits to establish a connection to Authelia
        }
    }
    tls <real-mail>
}
lldap.{$DOMAIN} {
    import https_header
    import auth
    reverse_proxy lldap:17170
    tls <real-mail>
}
Great! And the refresh_token is refreshed correctly? I know there are some examples with issues where the apps work initially, but after some time the token refreshes aren't working correctly.
@dmostert the above configuration seems not to work correctly; I've reached a good point with some tricks. What I want to obtain: users managed in LLDAP, two-factor authentication in Authelia, caddy does only reverse proxy to Opencloud. The big issue I've had recently is about recognizing a user as opencloud admin; with OIDC and a custom claim the solution works only for the web client; the iOS and desktop apps do not work. In my previous comment the configuration was working, but it was related to an opencloud configuration not really cleaned between tests; now I start every test cleanly, so I'm more confident of this trick. The issue with Authelia and OIDC is the case described in the NOTE here: it seems Authelia cannot add additional claims in the Access Token, but can add a new custom claim. Here is what I'm using that differs from the previous post:

proxy.yaml

It's the default one, but to be sure I have it locally.

role_assignment:
  driver: oidc
  oidc_role_mapper:
    role_claim: opencloudRoles
    role_mapping:
      - role_name: admin
        claim_value: opencloudAdmin
      - role_name: spaceadmin
        claim_value: opencloudSpaceAdmin
      - role_name: user
        claim_value: opencloudUser
      - role_name: guest
        claim_value: opencloudGuest

Authelia config for iOS, Desktop and Android

# https://docs.opencloud.eu/docs/admin/configuration/authentication-and-user-management/external-idp/#web-client
- client_id: OpenCloudDesktop
  client_name: opencloud-desktop
  claims_policy: 'opencloud_claims_policy' # could be useless, no scope selected
  consent_mode: explicit
  pre_configured_consent_duration: 1w
  allow_multiple_auth_methods: true
  public: true
  redirect_uris:
    - http://localhost
    - http://127.0.0.1
  scopes:
    - openid
    - groups
    - profile
    - email
    - offline_access
  response_types:
    - code
  grant_types:
    - authorization_code
    - refresh_token
  response_modes:
    - form_post
    - query
    - fragment
  access_token_signed_response_alg: 'none'
- client_id: OpenCloudIOS
  client_name: opencloud-ios
  claims_policy: 'opencloud_claims_policy' # could be useless, no scope selected
  public: true
  redirect_uris:
    - oc://ios.opencloud.eu
    - oc.ios://ios.opencloud.com
  allow_multiple_auth_methods: true
  scopes:
    - openid
    - groups
    - profile
    - email
    - offline_access
  response_types:
    - code
  grant_types:
    - authorization_code
    - refresh_token
  response_modes:
    - form_post
    - query
    - fragment
  access_token_signed_response_alg: 'none'
- client_id: OpenCloudAndroid
  client_name: opencloud-android
  claims_policy: 'opencloud_claims_policy' # could be useless, no scope selected
  public: true
  redirect_uris:
    - oc://android.opencloud.eu
  allow_multiple_auth_methods: true
  scopes:
    - openid
    - groups
    - profile
    - email
    - offline_access
  response_types:
    - code
  grant_types:
    - authorization_code
    - refresh_token
  response_modes:
    - form_post
    - query
    - fragment
  access_token_signed_response_alg: 'none'

opencloud docker compose env vars

The very first time, those env vars should be present:

PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM: "groups"
WEB_OIDC_SCOPE: "openid profile email groups opencloud_scope"
PROXY_ROLE_ASSIGNMENT_DRIVER: "oidc"
GRAPH_ASSIGN_DEFAULT_USER_ROLE: "false"

this configuration, after a after that, do a

PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM: "groups"
WEB_OIDC_SCOPE: "openid profile email groups"
PROXY_ROLE_ASSIGNMENT_DRIVER: "default"
GRAPH_ASSIGN_DEFAULT_USER_ROLE: "true"

Then, for now, this trick solves my problem. Same issue I've had, just to keep track.
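As an added example (not code from the thread, OpenCloud or Authelia), the following Python models the two rules the posts above combine: the Authelia user_attributes expression that turns LLDAP group membership into opencloudAdmin/opencloudUser, and the proxy.yaml role_mapping that turns that claim value into an OpenCloud role. The token payloads, user and group names are constructed; the mapper is a simplified model (first matching role_mapping entry wins is an assumption), and the JWT decoder only inspects which token carries the claim, which is the check to run when the admin role shows up in the web client but not in the desktop or mobile apps.

```python
import base64
import json
from typing import Mapping, Optional, Sequence

# role_claim and role_mapping as in the proxy.yaml posted above
ROLE_CLAIM = "opencloudRoles"
ROLE_MAPPING = (("admin", "opencloudAdmin"), ("spaceadmin", "opencloudSpaceAdmin"),
                ("user", "opencloudUser"), ("guest", "opencloudGuest"))

def authelia_attribute(groups: Sequence[str], admin_group: str) -> str:
    """Same rule as the Authelia user_attributes expression in the post:
    '"<an LLDAP group>" in groups ? "opencloudAdmin" : "opencloudUser"'."""
    return "opencloudAdmin" if admin_group in groups else "opencloudUser"

def jwt_claims(token: str) -> dict:
    """Decode a JWT payload for inspection only (no signature verification)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def map_role(claims: Mapping[str, object], default_role: Optional[str]) -> Optional[str]:
    """Simplified model of the oidc role mapper (assumption: first matching entry wins).
    The claim may be a string or a list; a missing claim yields default_role (None: no role)."""
    raw = claims.get(ROLE_CLAIM)
    if raw is None:
        return default_role
    values = {raw} if isinstance(raw, str) else set(raw)
    for role_name, claim_value in ROLE_MAPPING:
        if claim_value in values:
            return role_name
    return default_role

def make_jwt(claims: dict) -> str:
    """Constructed, unsigned sample token; only used to feed jwt_claims() above."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(claims) + "."

def demo() -> dict:
    """Constructed user in the admin LLDAP group. The custom claim reaches the ID
    token via opencloud_scope but, as the post observes, not the access token."""
    groups = ["opencloud-admins", "users"]
    attr = authelia_attribute(groups, "opencloud-admins")
    id_token = make_jwt({"sub": "alice", "groups": groups, ROLE_CLAIM: attr})
    access_token = make_jwt({"sub": "alice", "groups": groups})
    return {
        "id_token": map_role(jwt_claims(id_token), "user"),                   # admin
        "access_token": map_role(jwt_claims(access_token), "user"),           # user
        "access_token_no_default": map_role(jwt_claims(access_token), None),  # None
    }
```

With GRAPH_ASSIGN_DEFAULT_USER_ROLE set to "false" the second case corresponds to the None result: a token without the role claim leaves the user with no role at all, which is why the post toggles that variable after the first login.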
Anyone seen this particular problem? Sorry for hijacking.
Hi,
first of all thanks for this software, but I'm trying to run opencloud on my rpi4 in an already existing docker compose stack, integrating with Authelia and behind caddy, without any success.
To understand how to correctly use opencloud, I would like to know which should be the right chain of software:
what I would like to have is opencloud with Authelia's TOTP authentication, to be used with browser and mobile app, but actually I have no luck; my best result is having opencloud that calls authelia, but at the end opencloud returns access-denied with "security disconnection" (I have the Italian localized error).
I've obviously read the documentation and used this repository as the starting working point, when using integrated access management, but it became a mess when all the other pieces of software came in; from that repo I've used the docker services, removing env vars for simpler management.
Is it needed to create the user inside opencloud BEFORE setting up authelia?
I saw in the ldif files that, when using ldap, those files are used to preload users into it; are they mandatory? So should I need to create the opencloud organization? Or is it unnecessary due to the LDAP configuration in authelia (eventually the same config into opencloud if needed)?
Here are all the relevant files; obviously domain and secrets are redacted:
docker-compose.yml
Are the PostgreSQL and Redis DB environment variables useful and used by opencloud? Or are they used to store session information, as Authelia already does?
Considering that Authelia already talks to LLDAP, is it useful to have it configured also in Opencloud?
Authelia configuration.yaml
authelia uses postgresql, redis and it has a user with a TOTP device registered.
Caddyfile
With this setup, the opencloud container's log is the following after logging in with authelia username, password and TOTP:
And opencloud shows
Please help me configure it correctly, and don't hesitate to ask for missing file contents.
Thanks to everyone who will help me.