kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-08-31 15:48:57 +02:00
Code Issues Packages Projects Releases Wiki Activity

Huge role refactoring/cleanup. Other commits will propably follow. Because some bugs will exist. Still important for longrun and also for auto docs/help/slideshow generation

Browse Source
This commit is contained in:
Kevin Veen-Birkenbach
2025-07-08 23:43:13 +02:00
parent 6b87a049d4
commit 563d5fd528
1242 changed files with 2301 additions and 1355 deletions
Download Patch File Download Diff File Expand all files Collapse all files

72
roles/web-app-nextcloud/docs/IAM.md Normal file
View File

@@ -0,0 +1,72 @@
# Identity and Access Management
IAM(Identity and Access Management) is setup via Keycloak and LDAP.
## OpenID Connect (OIDC) Support 🔐
OIDC is supported in this role—for example, via **Keycloak**. OIDC-specific tasks are included when enabled, allowing integration of external authentication providers seamlessly.
### Verify OIDC Configuration
```bash
docker compose exec -u www-data application /var/www/html/occ config:app:get sociallogin custom_providers
```
## LDAP
More information: https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_auth_ldap.html
## Get LDAP Configuration
```bash
docker compose exec -u www-data application php occ ldap:show-config
```
## Get all relevant entries except password
```sql
SELECT * FROM `oc_appconfig` WHERE appid LIKE "%ldap%" and configkey != "s01ldap_agent_password";
```
## Update User with LDAP values
```bash
docker compose exec -it -u www-data application php occ ldap:check-user --update {{username}}
```
## Update LDAP Sync
```bash
docker compose exec -u www-data application php occ user:sync-account-data
```
### Update Each User
If you want to update **every LDAP user**, run:
```bash
for user in $(docker compose exec -u www-data application php occ user:list --output=json | jq -r 'keys[]'); do
docker compose exec -u www-data application php occ ldap:check-user --update "$user"
done
```
### Unlink All
```bash
for user in $(docker compose exec -u www-data application php occ ldap:show-remnants | tail -n +3 | awk -F '|' '{print $2}' | tr -d ' ' | grep -v '^$'); do
echo "Unlinking user from LDAP: $user"
echo "y" | docker compose exec -T -u www-data application php occ ldap:reset-user "$user"
done
```
### Reset LDAP Links for Orphaned Users
Run this **corrected script**:
```bash
for user in $(docker compose exec -u www-data application php occ ldap:show-remnants | tail -n +3 | awk -F '|' '{print $2}' | tr -d ' ' | grep -v '^$'); do
echo "Resetting LDAP link for user: $user"
echo "y" | docker compose exec -T -u www-data application php occ ldap:reset-user "$user"
done
```
## Federation
If users are just created via Keycloak and not via LDAP, they have a different username. Due to this reaso concider to use LDAP to guaranty that the username is valid.