Optimized nextcloud keycloak ldap implementation

roles/docker-nextcloud/Applications.md

@@ -2,6 +2,12 @@
 
 Details on specific apps like Cospend, including related SQL queries and debugging tips.
 
+## Recieve Plugin Information
+To recieve the relevant configuration options for a plugin type:
+```bash
+docker compose exec -u www-data application php occ config:list oidc_login
+```
+
 ## App Relevant Tables 🗃️
 
 - `oc_appconfig`

roles/docker-nextcloud/IAM.md

@@ -15,6 +15,12 @@ docker compose exec -u www-data application /var/www/html/occ config:app:get soc
 
 More information: https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_auth_ldap.html
 
+## Get LDAP Configuration
+
+```bash
+docker compose exec -u www-data application php occ ldap:show-config
+```
+
 ## Get all relevant entries except password
 
 ```sql
@@ -27,6 +33,40 @@ SELECT * FROM `oc_appconfig` WHERE appid LIKE "%ldap%" and configkey != "s01ldap
 docker compose exec -it -u www-data application php occ ldap:check-user --update {{username}}
 ```
 
+## Update LDAP Sync
+
+```bash
+docker compose exec -u www-data application php occ user:sync-account-data
+```
+
+### Update Each User
+If you want to update **every LDAP user**, run:
+
+```bash
+for user in $(docker compose exec -u www-data application php occ user:list --output=json | jq -r 'keys[]'); do
+    docker compose exec -u www-data application php occ ldap:check-user --update "$user"
+done
+```
+
+### Unlink All
+```bash
+for user in $(docker compose exec -u www-data application php occ ldap:show-remnants | tail -n +3 | awk -F '|' '{print $2}' | tr -d ' ' | grep -v '^$'); do
+    echo "Unlinking user from LDAP: $user"
+    echo "y" | docker compose exec -T -u www-data application php occ ldap:reset-user "$user"
+done
+```
+
+### Reset LDAP Links for Orphaned Users
+Run this **corrected script**:
+
+```bash
+for user in $(docker compose exec -u www-data application php occ ldap:show-remnants | tail -n +3 | awk -F '|' '{print $2}' | tr -d ' ' | grep -v '^$'); do
+    echo "Resetting LDAP link for user: $user"
+    echo "y" | docker compose exec -T -u www-data application php occ ldap:reset-user "$user"
+done
+```
+
+
 ## Federation
 
 If users are just created via Keycloak and not via LDAP, they have a different username. Due to this reaso concider to use LDAP to guaranty that the username is valid. 

roles/docker-nextcloud/OCC.md

@@ -16,6 +16,11 @@ docker-compose exec -it -u www-data application /var/www/html/occ
 docker compose exec -it -u www-data application php occ user:list
 ```
 
+### Get User Info
+```bash
+docker compose exec -u www-data application php occ user:info {{username}}
+```
+
 ### Sync Users
 ```bash
 docker compose exec -it -u www-data application php occ user:sync
@@ -35,7 +40,18 @@ docker compose exec -it -u www-data application php occ group:adduser admin {{us
 ```bash
 docker compose exec -it -u www-data application php occ user:delete {{username}}
 ```
----
+
+### Delete all User (if no ldap is used)
+```bash 
+for user in $(docker compose exec -u www-data application php occ user:list --output=json | jq -r 'keys[]'); do
+    docker compose exec -u www-data application php occ user:delete "$user"
+done
+```
+
+### Identify users which exist still in nextcloud but not in LDAP anymore
+```bash 
+occ ldap:show-remnants
+```
 
 ## App Administration
 ```bash

roles/docker-nextcloud/templates/config/oidc.config.php.j2

@@ -97,10 +97,10 @@ return array (
     // note: on Keycloak, OIDC name claim = "${given_name} ${family_name}" or one of them if any is missing
     //
     'oidc_login_attributes' => array (
-        'id' => 'username',
+        'id' => '{{ldap.attributes.user_id}}',
         'name' => 'name',
         'mail' => 'email',
-        # 'quota' => 'nextcloudQuota',  # Not implemented yet
+        'quota' => 'nextcloudQuota',
         # 'home' => 'homeDirectory',    # Not implemented yet
         'ldap_uid' => 'preferred_username',
         # 'groups' => 'ownCloudGroups', # Not implemented yet